
H3C MSR Series Routers

Web-Based Configuration Guide

Hangzhou H3C Technologies Co., Ltd.


http://www.h3c.com
Software version: MSR-CMW520-R2207
Document version: 20110819-C-1.05

Copyright 2008-2011, Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved


No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface
This document is the Web-based configuration guide for the H3C MSR series routers, and describes
how to visually manage and maintain the H3C MSR series routers through a Web-based interface.
This preface includes:

Audience

Conventions

About the H3C MSR documentation set

Obtaining documentation

Technical support

Documentation feedback

Audience
This documentation is intended for:

Network planners

Field technical support and servicing engineers

Network administrators working with the MSR series

Conventions
This section describes the conventions used in this documentation set.

GUI conventions
Convention: Description
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
Convention: Description
WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: An alert that calls attention to essential information.
NOTE: An alert that contains additional or supplementary information.
TIP: An alert that provides helpful information.

Network topology icons


Represents a generic network device, such as a router.
Represents a routing-capable device, such as a router.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.

Port numbering in examples


The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C MSR documentation set


The H3C MSR documentation set includes:
Chapter: Contents
1 Web Overview: How to log in to the Web interface, the layout and basic functions of the Web interface.
2 Device Information: The device summary information and how to use the function.
3 Basic Services Configuration: How to use the basic configuration wizard.
4 WAN Interface Configuration: How to configure the WAN interface parameters such as the connection mode and MTU.
5 VLAN Interface Configuration: How to configure a VLAN and its VLAN interface, and how to configure WLAN parameters.
6 Wireless Configuration: How to configure a WLAN.
7 3G Management: How to configure 3G Management.
8 NAT Configuration: How to configure NAT, a NAT server, and application layer protocol check.
9 Security Configuration: How to configure access control, URL filter and attack protection.
10 Redirection Configuration: How to configure Web Page Redirection.
11 Route Configuration: How to add and delete IPv4 routes.
12 User-Based Load Sharing: How to configure user-based load sharing.
13 Traffic Ordering Configuration: How to configure traffic ordering.
14 DNS Configuration: How to configure DNS and DDNS.
15 DHCP Configuration: How to configure a DHCP address pool.
16 QoS Configuration: How to configure QoS, line rate and IPv4 ACL.
17 SNMP: How to configure SNMP-related parameters.
18 Bridging Configuration: How to configure basic bridging functionalities.
19 Group Management: How to configure user groups.
20 MSTP Configuration: How to configure CWMP-related parameters.
21 RADIUS Configuration: How to configure RADIUS parameters.
22 Login Control Configuration: How to configure Login-Control-related parameters.
23 ARP Configuration: How to configure ARP parameters.
24 IPsec VPN Configuration: How to configure IPsec and IKE parameters.
25 L2TP Configuration: How to configure L2TP parameters.
26 GRE Configuration: How to configure PKI parameters.
27 Certificate Management: How to configure Certificate parameters.
28 System Management: How to configure System Management.
29 SNMP (Lite Version): How to configure SNMP (Lite Version) parameters.
30 Syslog: How to configure Syslog related parameters.
31 Diagnostic Tools: How to use ping and trace route to locate network faults.
32 WiNet Configuration: How to configure WiNet parameters.
33 Voice Management-Configuration Wizard: How to use the VoIP basic configuration wizard.
34 Voice Management-Local Number and Call Route: How to configure the VoIP basic parameters, local number, call route, fax, modem, voice services, and related advanced parameters.
35 Voice Management-Dial Plan Configuration: How to configure the VoIP dial policy.
36 Voice Management-Call Connection Configuration: How to configure SIP connection of the registration server and proxy server, and SIP calls parameters.
37 Voice Management-SIP Trunk Management: How to configure SIP trunk, call route for outbound calls related parameters.
38 Voice Management-Digital Link Management: How to configure VE1, VT1, and BSV links related parameters.
39 Voice Management-Line Management: How to configure FXS, FXO, E&M, and ISDN lines related parameters.
40 Voice Management-SIP Local Survival: How to configure SIP local survival related parameters.
41 Voice Management-IVR: How to configure global key policy, IVR nodes, access number management related parameters.
42 Voice Management-Advanced Configuration: How to configure the advanced parameters for local number, call route, and link management.
43 Voice Management-Statistics: How to read the summary information of calls and connections.

Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with the
software version.

Technical support
customer_service@h3c.com
http://www.h3c.com

Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.

Contents
Web overview
Logging in to the web interface
Logging out of the web interface
Introduction to the web interface
User level
Introduction to the web-based NM functions
Common web interface elements
Managing web-based NM through CLI
Enabling/disabling web-based NM
Managing the current web user
Configuration guidelines
Troubleshooting web browser
Failure to access the device through the web interface

Device information
Displaying device information
Device information
Broadband connection information
3G wireless card state
LAN information
WLAN information
Service information
Recent system logs
Integrated service management

Basic services configuration
Basic service overview
Configuring basic services
Starting the basic configuration wizard
Setting WAN interface parameters
Setting WLAN interface parameters
Setting LAN interface parameters
Validating the basic services configuration

WAN interface configuration
Configuring an Ethernet interface
Overview
Configuring an Ethernet interface
Configuring an SA interface
SA interface overview
Configuration procedure
Configuring an ADSL/G.SHDSL interface
ADSL/G.SHDSL interface overview
Configuration Procedure
Configuring a CE1/PRI interface
CE1/PRI interface overview
Configuration procedure
Configuring a CT1/PRI interface
CT1/PRI interface overview
Configuration procedure
Viewing the general information and statistics of an interface

VLAN configuration
Overview
Configuring a VLAN and its VLAN interface
Configuration task lists
Creating a VLAN and its VLAN interface
Configuring VLAN member ports
Configuring parameters for a VLAN interface
Configuration guidelines

Wireless configuration overview
Overview
Configuration task list

Wireless service configuration
Configuring wireless access service
Creating a wireless access service
Configuring clear type wireless service
Configuring crypto type wireless service
Security parameter dependencies
Displaying wireless access service
Displaying wireless service
Displaying client
Displaying RF ping information
Wireless access configuration examples
Wireless service configuration example
Access service-based VLAN configuration example
PSK authentication configuration example
Local MAC authentication configuration example
Remote MAC authentication configuration example
Remote 802.1x authentication configuration example
802.11n configuration example

Client mode
Enabling the client mode
Connecting the wireless service
Displaying statistics
Client mode configuration example

Radio configuration
Configuring data transmit rates
Configuring 802.11b/802.11g rates
Configuring 802.11n MCS
Displaying radio
Displaying wireless services bound to a radio
Displaying detailed radio information

WLAN security configuration
Blacklist and white list
Configuring the blacklist and white list functions
Configuring dynamic blacklist
Configuring static blacklist
Configuring white list
User isolation
Configuring user isolation

WLAN QoS configuration
Configuring wireless QoS
Enabling wireless QoS
Setting the SVP service
Setting CAC admission policy
Setting radio EDCA parameters for APs
Setting EDCA parameters for wireless clients
Display radio statistics
Displaying client statistics
Setting rate limiting
Wireless QoS configuration example
CAC service configuration example
Static rate limiting configuration example
Dynamic rate limiting configuration example

Advanced configuration
District code
Setting a district code
Channel busy test
Configuring a channel busy test

3G management
Overview
Managing the 3G modem
Displaying the 3G information
Managing the pin code

NAT configuration
Overview
Configuring NAT
Configuration overview
Configuring dynamic NAT
Configuring a DMZ host
Configuring an internal server
Enabling application layer protocol check
Configuring connection limit
NAT configuration examples
NAT configuration example I
Internal server configuration example

Access control
Access control overview
Configuring access control
Access control configuration example

URL filtering
URL filtering overview
Configuring URL filtering
URL filtering configuration example

MAC address filtering
MAC address filtering overview
Configuring MAC address filtering
Configuring the MAC address filtering type
Configuring the MAC addresses to be filtered
MAC address filtering configuration example

Attack protection
Attack protection overview
Blacklist function
Intrusion detection function
Configuring the blacklist function
Configuration task list
Enabling the blacklist function
Adding a blacklist entry manually
Viewing blacklist entries
Configuring intrusion detection
Attack protection configuration examples
Attack protection configuration example for the MSR 900/20-1X series routers
For MSR 20/30/50 series routers

Application control
Application control overview
Configuring application control
Configuration task list
Loading applications
Configuring a custom application
Enabling application control
Application control configuration example

Web page redirection configuration
Overview
Configuring web page redirection

Route configuration
Overview
Route configuration
Creating an IPv4 static route
Displaying the active route table
Static route configuration example
IPv4 static route configuration example
Precautions

User-based load sharing
Overview
Configuring user-based load sharing

Traffic ordering
Overview
Configuring traffic ordering
Configuration overview
Setting the traffic ordering interval
Specifying the traffic ordering mode
Displaying internal interface traffic ordering statistics
Displaying external interface traffic ordering statistics

DNS configuration
DNS overview
Configuring DNS
Configuration overview
Enabling dynamic domain name resolution
Enabling DNS proxy
Clearing the dynamic domain name cache
Specifying a DNS server
Configuring a domain name suffix
Domain name resolution configuration example

DDNS configuration
DDNS overview
Configuration prerequisites
Configuration procedure
DDNS configuration example

DHCP configuration
Introduction to DHCP
Configuring DHCP
Configuration overview
Enabling DHCP
Configuring DHCP interface setup
Configuring a static address pool for the DHCP server
Configuring a dynamic address pool for the DHCP server
Configuring IP addresses excluded from dynamic allocation
Configuring a DHCP server group
DHCP configuration examples
DHCP configuration example without DHCP relay agent
DHCP relay agent configuration example
Configuration guidelines

ACL configuration
ACL overview
Configuring an ACL
Configuration task list
Creating an IPv4 ACL
Configuring a rule for a basic IPv4 ACL
Configuring a rule for an advanced IPv4 ACL
Configuring a rule for an Ethernet frame header ACL
Configuration guidelines

QoS configuration
Overview
QoS overview
Subnet limit
Advanced limit
Advanced queue
Configuring QoS
Configuring subnet limit
Configuring advanced limit
Configuring advanced queue
QoS configuration examples
Subnet limit configuration example
Advanced queue configuration example
Appendix Packet Priorities

SNMP
SNMP overview
SNMP agent configuration
Configuration task list
Enabling the SNMP agent function
Configuring an SNMP view
Configuring an SNMP community
Configuring an SNMP group
Configuring an SNMP user
Configuring SNMP trap function
Displaying SNMP packet statistics
SNMP configuration example
SNMPv1 or SNMPv2c configuration example
SNMPv3 configuration example

Bridging
Overview
Bridging overview
Configuring bridging
Configuration task list
Enabling a bridge set
Adding an interface to a bridge set
Bridging configuration example

User group configuration
Overview
Configuring user groups
Configuration task list
Configuring a user group
Configuring a user
Configuring access control
Configuring application control
Configuring bandwidth control
Configuring packet filtering
Synchronizing user group configuration for wan interfaces
User group configuration example

MSTP configuration
Overview
Introduction to STP
Introduction to RSTP
Introduction to MSTP
Protocols and standards
Configuring MSTP
Configuration task list
Configuring an MST region
Configuring MSTP globally
Configuring MSTP on a port
MSTP configuration example
Configuration guidelines

RADIUS configuration
Introduction to RADIUS
Configuring a RADIUS scheme
RADIUS configuration example
Configuration guidelines

Login control configuration
Login control overview
Configuring login control
Login control configuration example

ARP configuration
Gratuitous ARP overview
Displaying ARP entries
Creating a static ARP entry
Removing ARP entries
Enabling learning of dynamic ARP entries
Configuring gratuitous ARP
Static ARP configuration example

ARP attack defense configuration
Overview
Configuring periodic sending of gratuitous ARP packets
Configuring ARP automatic scanning
Configuring fixed ARP

IPsec VPN configuration
Overview
Configuring IPsec VPN
Configuration task list
Configuring an IPsec connection
Displaying IPsec VPN monitoring information
IPsec VPN configuration example
Configuration guidelines

L2TP configuration
L2TP overview
Configuring L2TP
L2TP configuration task list
Enabling L2TP
Adding an L2TP group
Displaying L2TP tunnel information
L2TP configuration example
Client-initiated VPN configuration example

GRE configuration
GRE overview
Introduction to GRE
Configuring a GRE over IPv4 tunnel
Configuration prerequisites
Configuration task list
Creating a GRE tunnel
GRE over IPv4 tunnel configuration example

Certificate management
Introduction to PKI
Operation of PKI
Configuring PKI
Configuration task list
Creating a PKI entity
Creating a PKI domain
Generating an RSA key pair
Destroying the RSA key pair
Retrieving and displaying a certificate
Requesting a local certificate
Retrieving and displaying a CRL
PKI configuration examples
Configuring a PKI entity to request a certificate from a CA (method I)
Configuring a PKI entity to request a certificate from a CA (method II)
Applying RSA digital signature in IKE negotiation
Configuration guidelines

System management
Configuration management
Save
Initialize
Backing up configuration
Restoring configuration
Backing up and restoring device files through the USB port
Reboot
Service management
Overview
Configuring service management
User management
Creating a user
Setting the super password for switching to the management level
Switching the user access level to the management level
System time
Setting the system time
Setting the time zone of the system
TR-069 configuration
TR-069 network framework
Basic functions of TR-069
TR-069 configuration
Configuration guidelines
Software upgrade (for the MSR 900/MSR 20-1X series)
Upgrading software
Software upgrade (for the MSR 20/30/50 series)
Upgrading software

SNMP (lite version)
SNMP overview
SNMP agent configuration
SNMP configuration example
SNMPv1/SNMPv2c configuration example
SNMPv3 configuration example

Syslog
Configuring syslog
Displaying syslogs
Setting the loghost
Setting buffer capacity and refresh interval

Diagnostic tools
Overview
Trace route
Ping
Tools operations
Trace route operation
Ping operation

WiNet configuration
Overview
Configuring WiNet
Enabling WiNet
Setting the background image for the WiNet topology diagram
Managing WiNet
Configuring a RADIUS user
WiNet configuration example
WiNet establishment configuration example
WiNet-based RADIUS authentication configuration example

Configuration wizard
Overview
Basic service setup
Entering the configuration wizard homepage
Selecting a country
Configuring local numbers
Configuring connection properties
Finishing configuration wizard

Local number and call route
Basic settings
Fax and Modem
Call services
Advanced settings

Basic settings
Introduction to basic settings
Local number
Call route
Basic settings
Configuring a local number
Configuring a call route
Configuration examples of local number and call route
Configuring direct calling for SIP UAs through the SIP protocol (configuring static IP address)
Configuring direct calling for SIP UAs through the SIP protocol (configuring domain name)
Configuring proxy server involved calling for SIP UAs
Configuring trunking mode calling

Fax and Modem
FoIP overview
Protocols and standards for FoIP
Fax flow
Introduction to fax methods
SIP Modem pass-through function
Configuring fax and Modem
Configuring fax and Modem parameters of a local number
Configuring fax and Modem parameters of a call route

Call services
Introduction to call services
Call waiting
Call hold
Call forwarding
Call transfer
Call backup
Hunt group
Call barring
Message waiting indication
Three-party conference
Silent monitor and barge in services
Calling party control
Door opening control
CID on the FXS voice subscriber line
CID on the FXO voice subscriber line
Support for SIP voice service of the VCX
Configuring call services of a local number
Configuring call forwarding, call waiting, call hold, call transfer, and three-party conference
Configuring other voice functions
Configuring call services of a call route
Call services configuration examples
Configuring call waiting
Configuring call forwarding
Configuring call transfer
Configuring hunt group
Configuring three-party conference
Configuring silent monitor and barge in

Advanced settings
Introduction to advanced settings
Coding parameters
Other parameters
Configuring advanced settings of a local number
Configuring coding parameters of a local number
Configuring other parameters of a local number
Configuring advanced settings of a call route
Configuring coding parameters of a call route
Configuring other parameters for a call route
Advanced settings configuration example
Configuring out-of-band DTMF transmission mode for SIP

SIP2SIP call settings
Configuring codec transparent transmission

Dial plan
Dial plan overview
Dial plan process
Regular expression
Introduction to dial plan functions
Number match
Call control
Number substitution
Configuring dial plan
Configuring number match
Configuring call control
Configuring number substitution
Dial plan configuration examples
Configuring number match mode
Configuring the match order of number selection rules
Configuring entity type selection priority rules
Configuring call authority control
Configuring number substitution

Call connection
Introduction to SIP
Terminology
Functions and features of SIP
SIP messages
SIP fundamentals
Support for transport layer protocols
SIP security
Signaling encryption
Media flow encryption
TLS-SRTP combinations
Support for SIP extensions

SIP connection configuration
Configuring connection properties
Configuring registrar
Configuring proxy server
Configuring session properties
Configuring source address binding
Configuring SIP listening
Configuring media security
Configuring caller identity and privacy
Configuring SIP session refresh
Configuring compatibility
Configuring advanced settings
Configuring registration parameters
Configuring voice mailbox server
Configuring signaling security
Configuring call release cause code mapping
Configuring PSTN call release cause code mappings
Configuring SIP status code mappings
SIP connection configuration examples
Configuring basic SIP calling features
Configuring caller ID blocking
Configuring SRTP for SIP calls
Configuring TCP to carry outgoing SIP calls
Configuring TLS to carry outgoing SIP calls

SIP server group management
Configuring a SIP server group

SIP trunk configuration
Overview
Background
Features
Typical applications
Protocols and standards
Configuring SIP trunk
Configuration task list
Enabling the SIP trunk function
Configuring a SIP server group
Configuring a SIP trunk account
Configuring a call route for outbound calls
Configuring a call route for a SIP trunk account
Configuring fax and Modem parameters of the call route of a SIP trunk account
Configuring advanced settings of the call route of a SIP trunk account
Configuring codec transparent transmission
Configuring a call route for inbound calls
SIP trunk configuration examples
Configuring a SIP server group with only one member server
Configuring a SIP server group with multiple member servers
Configuring call match rules

Data link management
Introduction to data link management
Overview
E1 and T1 interfaces
Features of E1 and T1
Introduction to BSV interface
Configuring digital link management
Configuring VE1 line
Configuring VT1 line
Configuring BSV line
Displaying ISDN link state
E1 and T1 voice configuration example
Configuring E1 voice DSS1 signaling

Line management
Line management overview
FXS voice subscriber line
FXO voice subscriber line
E&M subscriber line
One-to-one binding between FXS and FXO voice subscriber lines
Echo adjustment function
Adjusting echo duration
Adjusting echo cancellation parameters
Enabling the nonlinear function of echo cancellation
Line management configuration
Configuring an FXS voice subscriber line
Configuring an FXO voice subscriber line
Configuring an E&M subscriber line
Configuring an ISDN line
Configuring a paging line
Configuring an MoH line
Line management configuration examples
Configuring an FXO voice subscriber line
Configuring one-to-one binding between FXS and FXO

SIP local survival
Introduction
Configuring SIP local survival
Service configuration
User management
Trusted nodes
Call-out route
Area prefix
Call authority control
SIP local survival configuration examples
Configuring local SIP server to operate in alone mode
Configuring local SIP server to operate in alive mode
Configuring call authority control
Configuring an area prefix
Configuring a call-out route

IVR
Overview
Advantages
Customizable voice prompts
Various codecs
Flexible node configuration
Customizable process
Successive jumping
Error processing methods
Timeout processing methods
Various types of secondary calls
Configuring IVR
Uploading media resource files
Importing a media resource through an MOH audio input port
Configuring the global key policy
Configuring IVR nodes
Configuring a call node
Configure a jump node
Configure a service node
Configuring access number management
Configuring an access number
Configuring advanced settings for the access number
IVR configuration examples
Configure a secondary call on a call node (match the terminator of numbers)
Configure a secondary call on a call node (match the number length)
Configure a secondary call on a call node (match a number)
Configure an extension secondary call on a call node
Configure a jump node
Configure an immediate secondary call on a service node
Configure a secondary call on a service node
Configure a call node, jump node, and service node
Customizing IVR services
Create a menu
Bind an access number
Customize IVR services
Custom IVR service configuration examples

Advanced configuration
Global configuration
Batch configuration
Local number
Call route
Line management
SIP local survival services

States and statistics
Line states
Displaying detailed information about analog voice subscriber lines
Displaying detailed information about digital voice subscriber lines
Call statistics
Displaying active call summary
Displaying history call summary
SIP UA states
Displaying TCP connection information
Displaying TLS connection information
Displaying number register status
Displaying number subscription status
Local survival service states
SIP trunk account states
Server group information
IVR information
Displaying IVR call states
Displaying IVR play states

Index

Web overview
The device provides the web-based network management function to facilitate the operations and
maintenance of network devices. Through this function, the administrator can visually manage and
maintain network devices through the web interfaces.
Figure 1 Web-based network management operating environment

Logging in to the web interface


The device is provided with the default web login information. You can use the default information to log
in to the web interface. The default web login information is:

Username: admin

Password: admin

IP address of the device: 192.168.1.1.

You can follow the steps below to log in to the device through the web interface.
1. Connect the device and PC.
Connect the Ethernet interface Ethernet 0/0 of the device to the PC using a crossover Ethernet cable.
2. Configure an IP address for the PC and ensure that the PC and device can communicate with each other properly.
Modify the IP address of the PC to one that is within the network segment 192.168.1.0/24 (except for 192.168.1.1), for example, 192.168.1.2.
3. Open the browser, and input the login information.
On the PC, open the browser, type the IP address http://192.168.1.1 in the address bar, and press Enter to open the login page of the web interface, as shown in Figure 2. Input the username and password admin and the verification code, select the language (English and Chinese are supported at present), and click Login.
Figure 2 Login page of the web interface

CAUTION:
The PC in Figure 1 is the one where you configure the device, but not necessarily the web-based network
management terminal. The web-based network management terminal is a PC (or another terminal)
used to log in to the web interface, and it must be able to reach the device.
After logging in to the web interface, you can create a new user and configure the IP address of the
interface connecting the user and the device.
If you click the verification code displayed on the web login page, you can get a new verification code.
Up to 24 users can concurrently log in to the device through the web interface.

Logging out of the web interface


Click Logout in the upper-right corner of the web interface to quit web-based network management.
The system will not save the current configuration before you log out of the web interface. Save the current
configuration before logout.
CAUTION:
A logged-in user is not logged out automatically when the browser is closed directly.

Introduction to the web interface


The web-based interface is composed of three parts: navigation area, title area, and body area, as
shown in Figure 3.

Figure 3 Initial page of the web interface

(1) Navigation area

(2) Title area

(3) Body area

Navigation area: Organizes the web function menus in the form of a navigation tree, where you
can select function menus as needed. The result is displayed in the body area.

Title area: On the left, displays the path of the current configuration interface in the navigation area;
on the right, provides the Save button to quickly save the current configuration, the Help button to
display the web related help information, and the Logout button to log out of the web interface.

Body area: The area where you can configure and display a function.

User level
Web user levels, ranging from low to high, are visitor, monitor, configure, and management.

Visitor: Users of this level can perform the ping and traceroute operations, but can neither access
the device data nor configure the device.

Monitor: Users of this level can only access the device data but cannot configure the device.

Configure: Users of this level can access data from the device and configure the device, but they
cannot upgrade the host software, add/delete/modify users, or back up/restore the application
file.

Management: Users of this level can perform any operations for the device.

Introduction to the web-based NM functions


NOTE:
User level in Table 1 indicates that users of this level or users of a higher level can perform the
corresponding operations.
Table 1 Description of web-based NM functions

| Function menu | Description | User level |
|---|---|---|
| Device Information > Device Information | View and refresh device information, broadband connection information, 3G wireless card state, LAN information, WLAN information, services information, and recent system logs. | Monitor |
| Device Information > Integrated Service Management | View the URL address on a card. | Monitor |
| Device Information > Integrated Service Management | Change the URL address of a card, and log in to the web interface of the card. | Configure |
| Wizard > Basic Configuration Wizard | Perform the basic service configuration of routers. | Configure |
| Interface Setup > WAN Interface Setup > WAN Interface Setup | View the configuration information of a WAN interface, and interface statistics. | Monitor |
| Interface Setup > WAN Interface Setup > WAN Interface Setup | Modify WAN interface configuration, and clear the statistics of a WAN interface. | Configure |
| LAN Interface Setup > VLAN Setup | View the configuration information of a VLAN. | Monitor |
| LAN Interface Setup > VLAN Setup | Configure a VLAN. | Configure |
| LAN Interface Setup > VLAN Interface Setup | View the configuration information of a VLAN interface. | Monitor |
| LAN Interface Setup > VLAN Interface Setup | Configure a VLAN interface. | Configure |
| Wireless Configuration > Summary | View wireless service, radio and client information. | Monitor |
| Wireless Configuration > Summary | View wireless service, radio and client information; clear radio statistics; clear client statistics, disconnect a connection, and add a client to a blacklist. | Configure |
| Wireless Configuration > Access Service | View configuration information about an access service. | Monitor |
| Wireless Configuration > Access Service | Create and configure an access service. | Configure |
| Wireless Configuration > Radio | View radio parameters and radio rate settings. | Monitor |
| Wireless Configuration > Radio | Set radio parameters, 802.11a/b/g rates, and 802.11n MCS. | Configure |
| Wireless Configuration > Security | View configuration information of blacklist, whitelist, and user isolation. | Monitor |
| Wireless Configuration > Security | Configure blacklist, whitelist, and user isolation. | Configure |
| Wireless Configuration > Wireless QoS | View wireless QoS and rate limiting settings, and radio and client information. | Monitor |
| Wireless Configuration > Wireless QoS | Configure wireless QoS and rate limiting, and clear radio and client information. | Configure |
| Wireless Configuration > Country Code | View configuration information of the country code. | Monitor |
| Wireless Configuration > Country Code | Set the country code. | Configure |
| 3G > 3G Information | View 3G modem information, UIM card information, and 3G network information. | Monitor |
| 3G > PIN Code Management | View UIM card status. | Monitor |
| 3G > PIN Code Management | Manage PIN codes. | Configure |

Dynamic NAT

DMZ HOST

NAT Configuration

NAT
Configuration

NAT Server Setup

ALG

Nat Outbound Setup

Security
Setup

Access

URL Filter

MAC Address Filtering

Blacklist
Attack Defend

Intrusion Detection

Application
Control

Application Control


View information about the


NAT configurations.

Monitor

Configure NAT.

Configure

Create a DMZ host.

Monitor

Enable DMZ host on an


interface.

Configure

View configurations of the


internal server.

Monitor

Configure the internal server.

Configure

View configurations of the


application layer protocol
check function.

Monitor

Configure the application layer


protocol check function.

Configure

View configuration information


about the number of
connections displayed.

Monitor

Configure connection limit.

Configure

View the access control


configuration information.

Monitor

Configure access control.

Configure

View information about URL


filtering conditions.

Monitor

Add or delete URL filtering


conditions.

Configure

View information about MAC


address filtering conditions.

Monitor

Set MAC address filtering


types, add or delete MAC
addresses to be filtered.

Configure

View and refresh the blacklist


information and whether the
blacklist filtering is enabled or
not.

Monitor

Add, modify, delete and clear


blacklist entries, and set
whether to enable or disable
blacklist filtering.

Configure

View intrusion detection


configuration information.

Monitor

Configure the intrusion


detection function.

Configure

View application control


configuration information.

Monitor


Configure application control.

Configure

Load an application and view


the loaded application.

Configure

View custom application


information.

Monitor

Add, modify, and delete a


custom application.

Configure

View the configuration


information of redirection.

Monitor

Add, modify, or remove the


redirection configuration on an
interface.

Configure

Summary

View IPv4 route summary


information.

Monitor

Create

Create IPv4 static routes.

Configure

Remove

Delete IPv4 static routes.

Configure

View the IP address, mask, and


load sharing information of an
interface.

Monitor

Modify the load sharing status


and shared bandwidth of an
interface.

Configure

View IP addresses, traffic


ordering mode and traffic
ordering interval for interfaces.

Monitor

Configure the traffic ordering


mode and interval.

Configure

Statistics of Inbound
Interfaces

View inbound interface traffic


ordering statistics.

Monitor

Statistics of Outbound
Interfaces

View outbound interface traffic


ordering statistics.

Monitor

View DNS configurations.

Monitor

Configure DNS.

Configure

View DDNS configurations.

Monitor

Add, modify, and delete a


DDNS entry.

Configure

View whether DHCP is globally


enabled or disabled.

Monitor

Enable or disable DHCP.

Configure

Load Application

Custom Application

Advance
Redirection

Route Setup

User-based-sharing

Config

Traffic Ordering

DNS Configuration
DNS Setup
DDNS Configuration

DHCP Setup

DHCP Enable


View DHCP server, relay, or


client configurations on an
interface.

Monitor

Enable the DHCP server, relay,


or client on an interface.

Configure

Summary

View summary IPv4 ACL


information.

Monitor

Create

Create an IPv4 ACL.

Configure

Basic Config

Configure a basic rule for an


IPv4 ACL.

Configure

Advanced Config

Configure an advanced rule for


an IPv4 ACL.

Configure

Link Config

Configure a link layer rule for


an IPv4 ACL.

Configure

Remove

Remove an IPv4 ACL.

Configure

View the subnet limit


configuration information.

Monitor

Add, modify or delete subnet


limit rules.

Configure

View the advanced limit


configuration information.

Monitor

Add, modify, or delete


advanced limit rules.

Configure

View advanced queue


configuration information.

Monitor

Configure interface
bandwidth, add, modify, or
delete bandwidth guarantee
policies.

Configure

Summary

View classifier information.

Monitor

Create

Create a classifier.

Configure

Setup

Configure classification rules


for a classifier.

Configure

Remove

Remove a classifier.

Configure

Summary

View behavior information.

Monitor

Create

Create a behavior.

Configure

Setup

Configure actions for a


behavior.

Configure

Remove

Remove a behavior.

Configure

Summary

View QoS policy information.

Monitor

Create

Create a QoS policy.

Configure

DHCP Interface Setup

ACL IPv4

Subnet Limit

Advanced Limit

Advanced Queue

Classifier

Behavior

Policy


Port Policy


Setup

Configure classifier-behavior
associations.

Configure

Remove

Remove a QoS policy.

Configure

Summary

View QoS policy application


information of a port.

Monitor

Setup

Apply a QoS policy to a port.

Configure

Remove

Remove a QoS policy from a


port.

Configure

View and refresh SNMP


configuration information and
statistics.

Monitor

Configure SNMP.

Configure

View the brief information of


SNMP communities.

Monitor

Create, modify and remove an


SNMP community.

Configure

View the brief information of


SNMP groups.

Monitor

Create, modify, and remove an


SNMP group.

Configure

View the brief information of


SNMP users.

Monitor

Create, modify, and remove an


SNMP user.

Configure

View the status (enabled or


disabled) of the SNMP trap
function and target host
information.

Monitor

Enable or disable the SNMP


trap function; create, modify,
and remove a target host.

Configure

View the brief information of


SNMP views.

Monitor

Create, modify, and remove an


SNMP view.

Configure

Global Config

View and set global bridging


information.

Configure

Config Interface

View and set interface bridging


information.

Configure

View user group configuration.

Monitor

Configure user groups.

Configure

View user configuration.

Monitor

View users.

Configure

Setup

Community

Group
SNMP (supported on the MSR 20, MSR 30, and MSR 50)

User

Trap

View

Bridge

Security

UserGroup

Group

User

WAN Synchronization

Connection Control


Synchronize the user group


configuration to a WAN
interface.

Configure

View configuration of access


control.

Monitor

Configure time range-based


access control.

Configure

View custom application


configuration.

Monitor

Customize applications.

Configure

View bandwidth management


configuration.

Monitor

Configure bandwidth control.

Configure

View packet filtering rules.

Monitor

Configure packet filtering rules.

Configure

Configure the MST


region-related parameters and
VLAN-to-MSTI mappings.

Monitor

Modify the MST region-related


parameters and VLAN-to-MSTI
mappings.

Configure

View MSTP port parameters.

Monitor

Modify MSTP port parameters.

Configure

View MSTP parameters


globally.

Configure

View and add, modify, and


delete a RADIUS scheme.

Management

View information about login


control rules.

Monitor

Add and delete a login control


rule.

Configure

View information of an ARP


table.

Monitor

Add, modify, and delete ARP


entries.

Configure

View gratuitous ARP


configuration information.

Monitor

Configure gratuitous ARP.

Configure

Application Control

Bandwidth

Packet Filter

Region

MSTP
Port

Global

RADIUS

Access

ARP
Management

ARP Table

Gratuitous ARP


View the number of dynamic


ARP entries that an interface
can learn.

Monitor

Enable or disable an interface


to or from learning dynamic
ARP entries, and change the
number of dynamic ARP entries
that an interface can learn.

Configure

Specify the interface


performing ARP automatic
scanning.

Monitor

Start or stop ARP scanning.

Configure

View all static and dynamic


ARP entries.

Monitor

Convert all dynamic ARP


entries to static ones or delete
all static ARP entries.

Configure

View IPsec connection


configuration.

Monitor

Add, modify, delete, enable, or


disable an IPsec connection.

Configure

View configuration and status


information of IPsec
connections, and tunnel
information of IPsec
connections.

Monitor

Delete tunnels that are set up


with configuration of an IPsec
connection, and delete all
ISAKMP SAs of an IPsec
connection.

Configure

View the L2TP status and L2TP


group configuration
information.

Monitor

Configure the L2TP status, add,


modify or delete an L2TP
group.

Configure

View L2TP tunnel information.

Monitor

View GRE tunnel information.

Monitor

Add, modify, or delete a GRE


tunnel.

Configure

View PKI entity information.

Monitor

Entity

Add, change, and delete PKI


entities.

Configure

Domain

View PKI domain information.

Monitor

Dynamic Entry

Scan

ARP Anti-Attack
Fix

IPsec Connection

IPsec VPN
Monitoring Information

VPN

L2TP

L2TP Configuration

Tunnel Info
GRE
Certificate Management


Add, change, and delete PKI


domains.

Configure

View PKI certificates and


details of the certificate.

Monitor

Create keys, retrieve


certificates, apply for
certificates, and delete
certificates.

Configure

View CRLs.

Monitor

Retrieve CRLs.

Configure

Save the current configuration


to the configuration file to be
used at the next startup.

Configure

Save the current configuration


as the factory default
configuration.

Management

Initialize

Restore all configurations on


the device to the factory default
configuration.

Configure

Backup Configuration

Upload the current startup


configuration file of the device
to the TFTP server for backup.

Management

Restore Configuration

Download the configuration


file saved on the TFTP server to
the current configuration file of
the device.

Management

View device files.

Monitor

Back up files on the device to


the destination device through
a universal serial bus (USB)
port; transfer files from the
device where the files are
backed up to the local device
through a USB port.

Configure

Reboot the device.

Configure

View related configuration of


system services.

Configure

Set whether to enable different


services and set related
parameters.

Management

User Summary

View the brief information of


users.

Monitor

Super Password

Set the super password for switching to the management level.

Management

Certificate

CRL
System Management

Save

Configuration

Backup and Restore

Reboot

Service Management

Users


Create User

Create a user.

Management

Modify User

Modify user account.

Management

Remove User

Remove a user.

Management

Switch To Management

Switch the user access level to


the management level.

Visitor

View SNMP configuration


information.

Monitor

Configure SNMP.

Configure

View the current system time


and its configurations.

Monitor

Set the system time.

Configure

View TR-069 configurations.

Monitor

Set TR-069.

Configure

Upgrade software of the


device.

Management

View detailed information of


system logs.

Monitor

Clear the log buffer.

Configure

View configurations of the


specified loghost.

Monitor

Set the IP address of the


loghost.

Configure

View the number of logs that


can be stored in the log buffer;
set the refresh period on the log
information displayed on the
web interface.

Monitor

Set the number of logs that can


be stored in the log buffer.

Configure

Ping

Execute the ping command and


view the result.

Visitor

Trace Route

Execute the trace route


command and view the result.

Visitor

View and refresh the WiNet


topology diagram and view the
detailed device information.

Monitor

SNMP (supported on the MSR 900 series and MSR20-1X series)

System Time

System Time

TR-069
Software Upgrade

Loglist

Loghost
Syslog
Other
Logset

Diagnostic
Tools

WiNet

WiNet Management


Setup
User Management
Voice Management

Configuration Wizard

Local Number

Call Route

Number Match

Dial Plan

Call Authority Control

Number Substitution

Call Connection
SIP Connection


Manually trigger the collection


of topology information, save
the current WiNet topology as
the baseline topology, restore
the configuration to factory
defaults and restart the
member.

Configure

Configure WiNet.

Configure

View RADIUS user information.

Monitor

Add, modify, and delete a


RADIUS user.

Configure

View configuration information


about the configuration
wizard.

Monitor

Configure voice basic


parameters through the
configuration wizard.

Configure

View local number


configuration information.

Monitor

Create, set, and delete a local


number.

Configure

View call route configuration


information.

Monitor

Create, set, and delete a call


route.

Configure

View number match


configuration information.

Monitor

Configure number match


parameters.

Configure

View call number groups, and


the maximum number of call
connections in a set.

Monitor

Configure a call number group,


and the maximum number of
call connections in a set.

Configure

View number substitution


configuration information.

Monitor

Configure number substitution.

Configure

View connection properties,


session properties, advanced
settings, and call release cause
code mappings.

Monitor

Configure connection
properties, session properties,
advanced settings, and call
release cause code mappings.

Configure

SIP Server Group
Management

Digital Link Management

Line Management

Service Configuration

SIP Trunk
Management

Account Management

Call Route
SIP Local
Survival

Service Configuration

User Management

Trust Nodes

Call-Out Route

Area Prefix
Call Authority Control


View SIP server group


configuration.

Monitor

Configure a SIP server group.

Configure

View VE1, VT1, and BSV line


configuration information, and
line state.

Monitor

View and configure a VE1,


VT1, and BSV line.

Configure

View FXS, FXO, E&M, and


ISDN configuration information
and state.

Monitor

Configure an FXS, FXO, E&M,


and ISDN line, and query their
state.

Configure

View SIP trunk status.

Monitor

Enable the SIP trunk function.

Configure

View SIP account


configuration.

Monitor

Add, modify, and delete a SIP


account.

Configure

View call route configuration.

Monitor

Add, modify, and delete a call


route.

Configure

View SIP local survival


configuration.

Monitor

Configure SIP local survival.

Configure

View registered user


configuration.

Monitor

Add, modify, and delete a


registered user.

Configure

View trust node configuration.

Monitor

Add, modify, and delete a trust


node.

Configure

View call-out route


configuration.

Monitor

Add, modify, and delete a


call-out route.

Configure

View area prefix configuration.

Monitor

Add and delete an area prefix.

Configure

View call authority control


configuration and application.

Monitor


Media Resources
Management

Access Number
Management
IVR Services
Processing Methods
Customization

Advanced Settings

Global Configuration

Advanced
Configuration
Batch Configuration

States and
Statistics

Line States

Call Statistics

SIP UA States


Add and delete a call rule set


and apply the call rule set
globally or to registered users.

Configure

View media resources


configuration.

Monitor

Upload media resource files or


configure an MOH audio input
port.

Configure

View access number


configuration.

Monitor

Add, modify, and delete an


access number.

Configure

View processing methods


customization configuration.

Monitor

Configure processing methods


customization configuration.

Configure

View service node and global


key policy configuration.

Monitor

Configure service node and


global key policy
configuration.

Configure

View global configuration


information.

Monitor

Perform global configurations.

Configure

View batch configuration


information.

Monitor

Create local numbers, call


routes, manage lines, and
configure SIP local survival in
batches.

Configure

View information about all


voice subscriber lines.

Monitor

View and refresh active and


history call statistics.

Monitor

View and refresh active and


history call statistics and clear
history call statistics.

Configure

View information about all


TCP-based call connections,
TLS-based call connections,
number register information,
and subscription status
information.

Monitor


Local Survival Service States


View information about all


TCP-based call connections,
TLS-based call connections,
number register information,
and subscription status
information, and terminate
specified TCP and TLS
connections.

Configure

View and refresh registration


and subscription status.

Monitor

Common web interface elements


Common buttons and icons
Table 2 Common buttons and icons
Button and icon

Description
Validates the configuration.
Cancels the configuration, and goes to the corresponding display page or
device information page.
Refreshes the current page.
Clears all statistics or items in a list.
Adds an item.
Deletes entries on a list.
Selects all the entries on a list or all ports on a device panel.
Clears all the entries on a list or all ports on a device panel.
Typically located in the Operation column of a display page, it allows you
to enter the modify page of a corresponding entry to display or modify the
configurations of the entry.
Typically located in the Operation column of a display page, it allows you
to remove an entry.

Content display by pages


The web interface can display contents by pages, as shown in Figure 4. You can set the number of entries
displayed per page, and view the contents on the first, previous, next, and last pages, or go to any page
that you want to check.


Figure 4 Content display by pages

Searching function
The web interface provides you with the basic and advanced searching functions to display only the
entries that match specific searching criteria.

Basic search: As shown in Figure 4, input the keyword in the text box above the list, select a search
item from the drop-down list and click the Search button to display the entries that match the criteria.
Figure 5 shows an example of searching for entries with VLAN ID being 2.

Figure 5 Basic search function example

Advanced search: As shown in Figure 4, you can click the Advanced
Search link to open the advanced search page, as shown in Figure 6. Specify the search criteria,
and click Apply to display the entries that match the criteria.


Figure 6 Advanced search

Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with
interface being Ethernet 0/4, and IP address range being 192.168.1.50 to 192.168.1.59, follow these
steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 7, and click Apply. The ARP entries with interface being Ethernet 0/4 are displayed.

Figure 7 Advanced search function example (I)

2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 8, and click Apply. The ARP entries with interface being Ethernet 0/4 and IP address range being 192.168.1.50 to 192.168.1.59 are displayed as shown in Figure 9.

Figure 8 Advanced searching function example (II)

Figure 9 Advanced searching function example (III)

Sorting function
The web interface provides you with the basic sorting function to display entries in certain orders.
Basic sorting function: On a list page, you can click the blue heading item of each column to sort the
entries based on the heading item you selected. After you click it, the heading item is displayed with
an arrow beside it as shown in Figure 10. The upward arrow indicates the ascending order, and the
downward arrow indicates the descending order.


Figure 10 Basic sorting function example (based on IP address in the descending order)

Managing web-based NM through CLI


Enabling/disabling web-based NM
Table 3 Enable/disable the web-based NM service

| To do | Use the command |
|---|---|
| Enable the web-based NM service | ip http enable |
| Disable the web-based NM service | undo ip http enable |

Managing the current web user


Table 4 Manage the current web user
To do

Use the command

Display the current login users

display web users

Log out the specified user or all users

free web-users { all | user-id userid | user-name username }


Configuration guidelines

The web-based configuration interface supports the operating systems of Windows XP, Windows
2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition,
Windows Vista, Linux and MAC OS.

The web-based configuration interface supports the browsers of Microsoft Internet Explorer 6.0 SP2
and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher.

The web-based configuration interface does not support the Back, Next, Refresh buttons provided
by the browser. Using these buttons may result in abnormal display of web pages.

Because the Windows firewall limits the number of TCP connections, you may sometimes be unable
to open the web interface when you use IE to log in. To avoid this problem, turn off
the Windows firewall before login.

If the software version of the device changes, clear the cache data on the browser before logging
in to the device through the web interface; otherwise, the web page content may not be displayed
correctly.

You can display at most 20,000 entries that support content display by pages.

Troubleshooting web browser


Failure to access the device through the web interface
Symptom
You can ping the device successfully, and log in to the device through telnet. HTTP is enabled and the
operating system and browser version meet the web interface requirements. However, you cannot access
the web interface of the device.

Analysis

If you use the Microsoft Internet Explorer, you can access the web interface only when the following
functions are enabled: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for
scripting and active scripting.

If you use the Mozilla Firefox, you can access the web interface only when JavaScript is enabled.

Configuring the Internet Explorer settings


1. Open the Internet Explorer, and then select Tools > Internet Options.

2. Click the Security tab, and then select a web content zone to specify its security settings, as shown in Figure 11.

Figure 11 Internet Explorer setting (I)

3. Click Custom Level, and a dialog box Security Settings appears.

4. As shown in Figure 12, enable these functions: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for scripting and active scripting.

Figure 12 Internet Explorer Setting (II)

5. Click OK in the Security Settings dialog box.

Configuring Firefox Web browser settings


1. Open the Firefox web browser, and then select Tools > Options.

2. Click the Content tab, select the Enable JavaScript check box, and click OK, as shown in Figure 13.

Figure 13 Firefox web browser setting


Device information
Displaying device information
You can view the following information on the Device Info menu:

Device information

Broadband connection information

3G wireless card state

LAN information

WLAN information

Services information

Recent system logs (Recent five system logs are displayed)

After logging in to the web interface, you will enter the Device Info page, as shown in Figure 14.
NOTE:
The Device Info page contains five parts, which correspond to the five tabs below the figure on the page
except the Services Information and Recent System Logs tabs. When you put your cursor on a part of the
figure, the system prompts you for the tab of the corresponding information, and you can jump to the tab
by clicking this part.


Figure 14 Device information


Select the refresh mode in the Refresh Period drop-down box.

If you select a specific period, the system periodically refreshes the Device Info page;

If you select Manual, you need to click Refresh to refresh the page.

Device information
Table 5 Device information fields

| Field | Description |
|---|---|
| Device Model | Device name |
| Device ID | Device ID |
| Software Version | Software version of the device |
| Firmware Version | Firmware version of the device |
| Hardware Version | Hardware version of the device |
| Running Time | Running time after the latest boot of the device |
| CPU Usage | Real-time CPU usage |
| Memory Usage | Real-time memory usage |

Broadband connection information


Table 6 Broadband connection information fields

| Field | Description |
|---|---|
| Interface | Interface name |
| Session Type | Connection type of the interface |
| Network-Side Connection State | Connection state at the network side of the interface |
| IP Address/Mask | IP address and mask of the interface |
| DNS Server | IP address of the DNS server |
| Uplink Rate (Kbits/Second) | Average rate in the outgoing direction on the interface in recent 300 seconds |
| Downlink Rate (Kbits/Second) | Average rate in the incoming direction on the interface in recent 300 seconds |
| Work Mode | Rate and duplex mode of the interface |

3G wireless card state


To display the detailed information about the 3G wireless card state, click the More link in the 3G
Wireless Card State area. The information includes 3G modem information, UIM card information, and
3G network information, as shown in Figure 15.


Figure 15 3G wireless card state

Table 7 Fields for 3G wireless card state


3G Modem Information

Connection state of the 3G network

| Field | Description |
|---|---|
| 3G Modem State | State of the 3G modem, which can be: Normal (a 3G modem is connected to the router); Absent or unrecognized modem (no 3G modem is connected to the router or the modem cannot be recognized). |
| Model | Model of the 3G modem |
| Manufacturer | Manufacturer of the 3G modem |
| CMII ID | CMII ID of the 3G modem |
| Serial Number | Serial number of the 3G modem |
| Hardware Version | Hardware version of the 3G modem |
| Firmware Version | Firmware version of the 3G modem |
| PRL Version | Preferred roaming list (PRL) version of the 3G modem |
| UIM Card State | State of the UIM card, which can be: Absent; Being initialized; Fault; Destructed; PIN code protection is disabled; PIN code protection is enabled, enter the PIN code for authentication; PIN code protection is enabled, and the PIN code has passed the authentication; The PIN code has been blocked, enter the PUK code to unblock it. |
| IMSI | International Mobile Subscriber Identity (IMSI) of the UIM card |
| Voltage | Power voltage of the UIM card |
| Mobile Network | 3G network where the UIM card resides |
| Network Type | State of the 3G network where the UIM card resides, which can be: No Service; CDMA; HDR; CDMA/HDR HYBRID; Unknown. |
| RSSI | Received signal strength indication (RSSI) of the 3G network |

LAN information
Table 8 Fields for LAN information

| Field | Description |
|---|---|
| Interface | Interface name |
| Link State | Link state of the interface |
| Work Mode | Rate and duplex mode of the interface |

WLAN information
Table 9 Fields for WLAN information

| Field | Description |
|---|---|
| SSID (WLAN Name) | Name of the WLAN service |
| Service Status | Whether the service is enabled or not |
| Number of PCs Connected | Number of PCs connected to the WLAN service |


Service information
Table 10 Fields for service information

| Field | Description |
|---|---|
| Service | Name of the service |
| Status | Status of the service |

Recent system logs


Table 11 Recent system log fields

| Field | Description |
|---|---|
| Time | Time when the system logs are generated |
| Level | Level of the system logs |
| Description | Contents of the system logs |

Integrated service management


For devices with a card installed, if the card provides the web interface access function, after specifying
the URL address of the card on the integrated service management page, you can log in from the
integrated service management page to the web interface of the card to manage the card.
After logging in to the web interface of the device, you enter the Device Info page by default. Click the
Integrated Service Management tab to enter the page displaying card information of the device, as
shown in Figure 16.
Figure 16 Integrated service management

To change the URL address of the card, click the icon of the target card, as shown in Figure 17. Type the
URL address in the text box, and then click the apply icon to apply the configuration or the cancel icon
to cancel the modification.

Properly set the URL address of the card, and then connect the card to the LAN to which the
administrator belongs. On the page shown in Figure 16, click the Manage button. A page linked to the
specified URL address pops up, and you can then log in to the web interface of the card to manage it.

Figure 17 Change card URL address


Basic services configuration


You can do the following to configure basic services on the web interface:

Setting WAN interface parameters

Setting WLAN interface parameters

Setting LAN interface parameters

Basic service overview


This document guides you through quick configuration of basic services of routers, including configuring
WAN interface parameters, WLAN interface parameters, and LAN interface parameters.
NOTE:
For more information about WAN interfaces, see the chapter WAN interface configuration.
For more information about WLAN interfaces, see the chapter Wireless configuration.
For more information about LAN interfaces, see the chapter VLAN interface configuration.

Configuring basic services


Starting the basic configuration wizard
From the navigation tree, select Wizard > Basic Configuration Wizard to enter the basic configuration
wizard page, as shown in Figure 18.
Figure 18 Basic configuration wizard


Setting WAN interface parameters


On the basic configuration wizard page, click Next to enter the page for configuring WAN interface
parameters.
The page for configuring WAN interface parameters varies with the interface type. You are allowed to
set Ethernet, SA, ADSL/G.SHDSL, CE1/PR1, and CT1/PR1 interface parameters. To do so, see the
following.

Ethernet interface
Figure 19 Set Ethernet interface parameters

Table 12 Configuration items of Ethernet interface parameters (in auto mode)


Item

Description

WAN Interface

Select the Ethernet interface to be configured.

Connect Mode: Auto

Select the Auto connect mode to automatically obtain an IP address.


MAC Address

Specify the MAC address of the Ethernet interface in either of the two ways:
Use the MAC address of the device: Use the default MAC address of the Ethernet interface, which is
displayed in the brackets.
Use the customized MAC address: Assign a MAC address in the field to the Ethernet interface.

Table 13 Configuration items of Ethernet interface parameters (in manual mode)


Item

Description

WAN Interface

Select the Ethernet interface to be configured.

Connect Mode: Manual

Select the Manual connect mode to configure an IP address.

TCP-MSS

Set the maximum TCP segment length of an interface

MTU

Set the MTU of an interface


IP Address

Specify the IP address of the Ethernet interface.

Subnet Mask

Select a subnet mask for the Ethernet interface.

Gateway Address

Configure the next hop of a static route.

DNS1

DNS2

Specify a DNS server IP address for the interface. Note that DNS server 1 is used before DNS server 2.
To configure the global DNS server, select Advanced > DNS Setup > DNS Configuration. The global DNS
server takes precedence over the DNS servers of the interfaces. In other words, the DNS query is sent
to the global DNS server first. If the query fails, the DNS query is sent to the DNS server of the
interface until the query succeeds.

MAC Address

Specify the MAC address of the Ethernet interface in either of the two ways:
Use the MAC address of the device: Use the default MAC address of the Ethernet interface, which is
displayed in the brackets.
Use the customized MAC address: Assign a MAC address in the field to the Ethernet interface.

Table 14 Configuration items of Ethernet interface parameters (in PPPoE mode)


Item

Description

WAN Interface

Select the Ethernet interface to be configured.


Connect Mode: PPPoE

Select the PPPoE connect mode.
In PPPoE mode, a user name and password should be provided by the local Internet Service Provider (ISP).
When the device connects to the ISP server, the ISP server initiates PPPoE authentication. When the
device passes the authentication, the ISP server will send the IP address, subnet mask, gateway IP
address, and DNS server IP address to the device.

User Name

Specify the user name for identity authentication.

Password

Specify the password for identity authentication.

TCP-MSS

Set the maximum TCP segment length of an interface

MTU

Set the MTU of an interface

Online for all time
Online according to the Idle Timeout value
Idle timeout

Select an idle timeout interval, and you have two choices:
Online for all time: The device is always online.
Online according to the idle timeout value: The device disconnects from the server if no data exchange
occurs between it and the server within the specified time. Then, it automatically establishes the
connection upon receiving a request for accessing the Internet from the LAN.
When Online according to the Idle Timeout value is enabled, you need to specify an idle timeout value.

MAC Address

Specify the MAC address of the Ethernet interface in either of the two ways:
Use the MAC address of the device: Use the default MAC address of the Ethernet interface, which is
displayed in the brackets.
Use the customized MAC address: Assign a MAC address in the field to the Ethernet interface.

SA interface
Figure 20 Set SA parameters

Table 15 Configuration items of SA interface parameters


Item

Description

WAN Interface

Select the SA interface to be configured.

User Name

Specify the user name for identity authentication.

Password

Specify the password for identity authentication.

TCP-MSS

Set the maximum TCP segment length of an interface

MTU

Set the MTU of an interface

IP Address

Specify the IP address of the SA interface.

Subnet Mask

Select a subnet mask for the SA interface.

ADSL/G.SHDSL interface
Figure 21 Set ADSL/G.SHDSL parameters


Table 16 Configuration items of ADSL/G.SHDSL interface parameters (in IPoA mode)


Item

Description

WAN Interface

Select the ADSL/G.SHDSL interface to be configured.

Connect Mode: IPoA

Select the IPoA connect mode.

PVC

Specify the VPI/VCI value for PVC.

TCP-MSS

Set the maximum TCP segment length of an interface

MTU

Set the MTU of an interface

IP Address

Specify the IP address of the ADSL/G.SHDSL interface.

Subnet Mask

Select a subnet mask for the ADSL/G.SHDSL interface.

Map IP

Specify the peer destination IP address of the mapped PVC.

Table 17 Configuration items of ADSL/G.SHDSL interface parameters (in IPoEoA mode)


Item

Description

WAN Interface

Select the ADSL/G.SHDSL interface to be configured.

Connect Mode: IPoEoA

Select the IPoEoA connect mode.

PVC

Specify the VPI/VCI value for PVC.

TCP-MSS

Set the maximum TCP segment length of an interface

MTU

Set the MTU of an interface

IP Address

Specify the IP address of the ADSL/G.SHDSL interface.

Subnet Mask

Select a subnet mask for the ADSL/G.SHDSL interface.

Table 18 Configuration items of ADSL/G.SHDSL interface parameters (in PPPoA mode)


Item

Description

WAN Interface

Select the ADSL/G.SHDSL interface to be configured.

Connect Mode: PPPoA

Select the PPPoA connect mode.

PVC

Specify the VPI/VCI value for PVC.

User Name

Specify the user name for identity authentication.

Password

Specify the password for identity authentication.

TCP-MSS

Set the maximum TCP segment length of an interface.

MTU

Set the MTU of an interface.

Table 19 Configuration items of ADSL/G.SHDSL interface parameters (in PPPoEoA mode)


Item

Description

WAN Interface

Select the ADSL/G.SHDSL interface to be configured.

Connect Mode: PPPoEoA

Select the PPPoEoA connect mode.

PVC

Specify the VPI/VCI value for PVC.

User Name

Specify the user name for identity authentication.


Password

Specify the password for identity authentication.

TCP-MSS

Set the maximum TCP segment length of an interface.

MTU

Set the MTU of an interface.

Online for all time
Online according to the Idle Timeout value
Idle timeout

Select an idle timeout value from either of the following:
Online for all time: The device is always online.
Online according to the idle timeout value: The device disconnects from the server if no data exchange
occurs between it and the server within the specified time. After that, it automatically establishes
the connection upon receiving a request for accessing the Internet from the LAN.
When Online according to the Idle Timeout value is enabled, you need to specify an idle timeout value.

CE1/PR1 interface
The CE1/PR1 interface works in two modes: E1 mode and CE1 mode.
1. In E1 mode

Figure 22 Set CE1/PR1 interface parameters (in E1 mode)

Table 20 Configuration items of CE1/PR1 interface parameters (in E1 mode)


Item

Description

WAN Interface

Select the CE1/PR1 interface to be configured.

Work Mode: E1

Select the E1 work mode.

User Name

Specify the user name for identity authentication.

Password

Specify the password for identity authentication.

TCP-MSS

Set the maximum TCP segment length of an interface.

MTU

Set the MTU of an interface.

2. In CE1 mode

Figure 23 Set CE1/PR1 interface parameters (in CE1 mode)

Table 21 Configuration items of CE1/PR1 interface parameters (in CE1 mode)


Item

Description

WAN Interface

Select the CE1/PR1 interface to be configured.

Work Mode: CE1

Select the CE1 work mode.


Operation

Select one of the following two operation actions:
Create: Binds timeslots.
Remove: Unbinds timeslots.

Serial

Select a number for the created Serial interface.

Timeslot-List

Specify the timeslot(s) to be bound or unbound.

User Name

Specify the user name for identity authentication.

Password

Specify the password for identity authentication.

TCP-MSS

Set the maximum TCP segment length of an interface.

MTU

Set the MTU of an interface.


CT1/PR1 interface
Figure 24 Set CT1/PR1 parameters

Table 22 Configuration items of CT1/PR1 interface parameters


Item

Description

WAN Interface

Select the CT1/PR1 interface to be configured.

Work Mode: E1

Select the CT1 work mode.


Operation

Select one of the following two operation actions:
Create: Binds timeslots.
Remove: Unbinds timeslots.

Serial

Select the number for the created serial interface.

Timeslot-List

Specify the timeslot(s) to be bound or unbound.

User Name

Specify the user name for identity authentication.

Password

Specify the password for identity authentication.

TCP-MSS

Set the maximum TCP segment length of an interface.

MTU

Set the MTU of an interface.

Setting WLAN interface parameters


After finishing the previous configuration, click Next to enter the page for configuring WLAN interface
parameters, as shown in Figure 25.


Figure 25 Set WLAN parameters

Table 23 Configuration items of WLAN parameters


Item

Description

WLAN Setting

Select whether to make WLAN settings.

Network Name
(SSID)

Specify a wireless network name.

Network Hide

Select whether to hide the network name.

Radio Unit

Select a radio unit supported by the AP, which can be 1 or 2.
Which value is supported varies with device models.

Enable Encrypt

Select whether to enable data encryption.
With data encryption enabled, data transmission between wireless client and wireless device can be
secured.

Encrypt Act

Select an encryption mode for the wireless network, WEP40 or WEP104.


Key Mode

Select a key format.
When you select WEP40, the key can be a 5-character string or a 10-digit hexadecimal number.
When you select WEP104, the key can be a 13-character string or a 26-digit hexadecimal number.

Key Seed

You can either use a key seed to generate keys or type keys manually. Then, you can choose one of the
configured keys.

Key 1
Key 2
Key 3
Key 4

When you select WEP40 and ASCII, the generated or input key is a 5-character string.
When you select WEP40 and HEX, the generated or input key is a 10-digit hexadecimal number.
When you select WEP104 and ASCII, the generated or input key is a 13-character string.
When you select WEP104 and HEX, the generated or input key is a 26-digit hexadecimal number.
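
The key-format rules in Table 23, written as a check that can be run on planned keys before they are typed into the wizard. This is an added example, not H3C code: the function names, the sample keys, and the assumption that ASCII key mode accepts the 95 printable characters are illustrative. It also reports the upper bound on key entropy that each mode and format combination allows.

```python
import math
import string

# Key lengths from Table 23: (ASCII characters, hexadecimal digits).
KEY_LENGTHS = {"WEP40": (5, 10), "WEP104": (13, 26)}
# Assumption: ASCII key mode accepts the 95 printable characters 0x20-0x7E.
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}


def parse_wep_key(encrypt_act, key_mode, key):
    """Return the raw key bytes, or raise ValueError if Table 23 is violated."""
    if encrypt_act not in KEY_LENGTHS:
        raise ValueError(f"unknown encryption mode {encrypt_act!r}")
    ascii_len, hex_len = KEY_LENGTHS[encrypt_act]
    if key_mode == "ASCII":
        if len(key) != ascii_len:
            raise ValueError(f"{encrypt_act} ASCII key must be {ascii_len} characters")
        if not set(key) <= PRINTABLE:
            raise ValueError("ASCII key contains non-printable characters")
        return key.encode("ascii")
    if key_mode == "HEX":
        if len(key) != hex_len:
            raise ValueError(f"{encrypt_act} HEX key must be {hex_len} digits")
        if not set(key) <= set(string.hexdigits):
            raise ValueError("HEX key contains non-hexadecimal characters")
        return bytes.fromhex(key)
    raise ValueError(f"unknown key mode {key_mode!r}")


def keyspace_bits(encrypt_act, key_mode):
    """Upper bound on key entropy, in bits, for a mode/format combination."""
    ascii_len, hex_len = KEY_LENGTHS[encrypt_act]
    if key_mode == "HEX":
        return 4.0 * hex_len
    return ascii_len * math.log2(len(PRINTABLE))


def audit_key_slots(encrypt_act, key_mode, keys):
    """Check Key 1..Key 4; return a list of (slot, finding) tuples."""
    findings, seen = [], {}
    for slot in sorted(keys):
        try:
            raw = parse_wep_key(encrypt_act, key_mode, keys[slot])
        except ValueError as exc:
            findings.append((slot, f"invalid: {exc}"))
            continue
        if raw in seen:
            findings.append((slot, f"duplicate of Key {seen[raw]}"))
            continue
        seen[raw] = slot
        if len(set(raw)) == 1:
            findings.append((slot, "single repeated byte"))
    return findings


# Constructed sample input, not taken from any device.
SAMPLE_KEYS = {1: "1234567890", 2: "12345", 3: "1234567890", 4: "aaaaaaaaaa"}

if __name__ == "__main__":
    for slot, finding in audit_key_slots("WEP40", "HEX", SAMPLE_KEYS):
        print(f"Key {slot}: {finding}")
    for mode in ("WEP40", "WEP104"):
        for fmt in ("ASCII", "HEX"):
            print(f"{mode}/{fmt}: at most {keyspace_bits(mode, fmt):.1f} bits")
```

A key typed in ASCII mode draws from fewer values than a hexadecimal key of the same mode, so the HEX format gives the larger keyspace.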

Setting LAN interface parameters


After finishing the previous configuration, click Next to enter the page for configuring LAN interface
parameters, as shown in Figure 26.
Figure 26 Set LAN parameters

Table 24 Configuration items of LAN interface parameters


Item

Description
VLAN Interface

Displays the ID of the VLAN interface to be configured.
IMPORTANT:
By default, the VLAN interface on the device that has the smallest number is displayed. If no
VLAN interface is available on the device, the system automatically creates an interface
numbered 1 and displays it.

IP Address
Subnet Mask

Specify the IP address and a subnet mask for the VLAN interface.

DHCP Server

Select whether to enable DHCP server.
If you enable DHCP server, the configuration items of the DHCP server will be displayed.

Start IP Address
End IP Address

Specify the IP address range for dynamic allocation in an extended address pool.
IMPORTANT:
If the extended address pool is configured on an interface, when a DHCP client's request
arrives at the interface, the server assigns an IP address from this extended address pool
only. Thus, the client cannot obtain an IP address if no IP address is available in the
extended address pool.

Gateway IP Address

Specify a gateway IP address in the DHCP address pool for DHCP clients.
When accessing a server or host that is not in its network segment, a DHCP client needs
the gateway to forward data for it. When you specify a gateway IP address in the
address pool, the DHCP server sends an IP address as well as the gateway IP address to
a requesting client.

DNS Server 1
DNS Server 2

Specify a DNS server IP address in the DHCP address pool for DHCP clients. Note that
DNS server 1 is used before DNS server 2.
To allow DHCP clients to access the Internet through domain names, the DHCP server
needs to send an IP address as well as a DNS server IP address to clients.

Validating the basic services configuration


After finishing basic services configuration, click Next to enter the page shown in Figure 27 to validate
your configuration.
Figure 27 Check the basic service configuration

This page shows the configurations that you have made through the previous steps. Check the
configurations, and click Finish to validate them. To make any modification, click Back to go to previous
pages and edit the settings.


The page also provides an option Save Current Configuration for you to save the configurations to the
configuration file (both the .cfg file and the .xml file) to be used at the next startup of the device. If the
option is selected, the configurations you make survive a device reboot.


WAN interface configuration


The WAN interfaces that you can configure on the Web interface include Ethernet interfaces, SA
interfaces, ADSL/G.SHDSL interfaces, CE1/PRI interfaces, and CT1/PRI interfaces.

Configuring an Ethernet interface


Overview
An Ethernet interface supports the following connection modes:

Auto: The interface acts as a DHCP client to obtain an IP address through DHCP.

Manual: The IP address and subnet mask are configured manually for the interface.

PPPoE: The interface acts as a PPPoE (Point-to-Point Protocol over Ethernet) client. PPPoE provides
access to the Internet for hosts in an Ethernet through remote access devices. It also implements
access control and accounting on a per-host basis. Because it is cost-effective, PPPoE gains
popularity in various applications, such as residential networks.

Configuring an Ethernet interface


Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page, which displays the name, connection type, IP address, mask, status, and operation
icon of each interface, as shown in Figure 28.
Figure 28 WAN Interface Setup

Click the icon corresponding to an Ethernet interface to enter the page for configuring the Ethernet
interface, as shown in Figure 29.


Figure 29 Configure an Ethernet interface

Table 25 Ethernet interface configuration items (auto mode)


Item

Description

WAN Interface

Displays the name of the Ethernet interface to be configured.


Interface Status

Display and set the interface status:
If this item shows as Connected, indicating that the current interface is up and connected, you can
click the Disable button to shut down the interface.
If this item shows as Not connected, indicating that the current interface is up but not connected,
you can click the Disable button to shut down the interface.
If this item shows as Administratively Down, indicating that the current interface is shut down by a
network administrator, you can click the Enable button to bring up the interface.

Connect Mode: Auto

Select Auto as the connection mode. The interface will obtain an IP address automatically.

MAC Address

Set the MAC address of the Ethernet interface using one of these available options:
Use the MAC address of the device: Use the default MAC address of the Ethernet interface, which is
displayed in the following brackets.
Use the customized MAC address: Manually set the MAC address of the Ethernet interface. When this
option is selected, you need to type a MAC address in the text box below.

Table 26 Ethernet interface configuration items (manual mode)


Item

Description

WAN Interface

Displays the name of the Ethernet interface to be configured.


Interface Status

Display and set the interface status:
If this item shows as Connected, indicating that the current interface is up and connected, you can
click the Disable button to shut down the interface.
If this item shows as Not connected, indicating that the current interface is up but not connected,
you can click the Disable button to shut down the interface.
If this item shows as Administratively Down, indicating that the current interface is shut down by a
network administrator, you can click the Enable button to bring up the interface.

Connect Mode: Manual

Select Manual as the connection mode. In this mode, you must assign an IP address
and subnet mask for the interface manually.

TCP-MSS

Configure the TCP maximum segment size (MSS) on the interface.

MTU

Configure the maximum transmission unit (MTU) on the interface.

IP Address

Configure an IP address for the interface.

IP Mask

Configure the subnet mask for the interface.

Gateway IP Address

Configure the next hop for the static route.

DNS1

DNS2

Assign an IP address to the DNS servers. DNS1 has a higher precedence than DNS2.
To configure a global DNS server, select Advanced > DNS Setup > DNS Configuration from the navigation
tree. The global DNS server has a higher precedence than all the DNS servers configured on the
interfaces. That is, an interface first sends a query request to the global DNS server. If it fails to
receive a response, it sends query requests to the DNS servers configured on the interfaces one by one.

MAC Address

Set the MAC address of the Ethernet interface using one of these available options:
Use the MAC address of the device: Use the default MAC address of the Ethernet interface, which is
displayed in the following brackets.
Use the customized MAC address: Manually set the MAC address of the Ethernet interface. When this
option is selected, you need to type a MAC address in the text box below.

Table 27 Ethernet interface configuration items (PPPoE mode)


Item

Description

WAN Interface

Displays the name of the Ethernet interface to be configured.


Interface Status

Display and set the interface status:
If this item shows as Connected, indicating that the current interface is up and connected, you can
click the Disable button to shut down the interface.
If this item shows as Not connected, indicating that the current interface is up but not connected,
you can click the Disable button to shut down the interface.
If this item shows as Administratively Down, indicating that the current interface is shut down by a
network administrator, you can click the Enable button to bring up the interface.

Connect Mode: PPPoE

Select PPPoE as the connection mode.

User Name

Configure the user name for authentication.

Password

Configure the password for authentication.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.

Online for all time
Online according to the Idle Timeout value
Idle timeout

Set the idle timeout value for a connection.
If Online for all time is selected, the connection will be maintained until being disconnected manually
or upon an anomaly.
If Online according to the Idle Timeout value is selected, the connection will be disconnected
automatically if no traffic is transmitted or received on the link for a period of time. The connection
will be re-established when a request for Internet access is received.
If Online according to the Idle Timeout value is selected, the Idle timeout value must be specified.

MAC Address

Set the MAC address of the Ethernet interface by using one of these available options:
Use the MAC address of the device: Use the default MAC address of the Ethernet interface, which is
displayed in the following brackets.
Use the customized MAC address: Manually set the MAC address of the Ethernet interface. When this
option is selected, you need to type a MAC address in the text box below.

Configuring an SA interface
SA interface overview
The synchronous/asynchronous serial (SA) interface supports PPP connection mode.
Point-to-Point Protocol (PPP) is a link layer protocol that carries packets over point-to-point links. It has
been widely used because it can provide user authentication and allows for easy extension while
supporting synchronous/asynchronous communication.
PPP contains a set of protocols, including a link control protocol (LCP), a network control protocol (NCP),
and authentication protocols such as Password Authentication Protocol (PAP) and Challenge Handshake
Authentication Protocol (CHAP). Among these protocols,

The LCP is responsible for establishing, tearing down, and monitoring data links.

The NCP is used for negotiating the packet format and type of data links.

PAP and CHAP are for network security.
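
How the user name and password configured for a PPP link reach the peer under each of the two authentication protocols named above. This is an added example, not H3C code: it builds the PAP and CHAP packets in the standard layouts (RFC 1334, RFC 1994), and the user name, secret, peer name, and challenge bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions, not from the guide).
USER, SECRET, PEER = "branch-router", "s3cr3t-example", "isp-nas"
CHALLENGE_1 = bytes(range(16))          # a real authenticator uses random bytes
CHALLENGE_2 = bytes(range(16, 32))


def _packet(code, identifier, data):
    # Shared header: Code (1 byte), Identifier (1), Length (2, header included).
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def pap_request(identifier, user, password):
    """PAP Authenticate-Request (code 1): both fields travel in cleartext."""
    u, p = user.encode(), password.encode()
    return _packet(1, identifier, bytes([len(u)]) + u + bytes([len(p)]) + p)


def chap_challenge(identifier, challenge, name):
    """CHAP Challenge (code 1): Value-Size, Value, authenticator name."""
    return _packet(1, identifier, bytes([len(challenge)]) + challenge + name.encode())


def parse_chap(packet):
    """Split a CHAP Challenge/Response into (code, identifier, value, name)."""
    if len(packet) < 5:
        raise ValueError("truncated packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("bad Length field")
    size = packet[4]
    if 5 + size > length:
        raise ValueError("Value-Size exceeds packet")
    name = packet[5 + size:length].decode("utf-8", "replace")
    return code, identifier, packet[5:5 + size], name


def _digest(identifier, secret, challenge):
    # RFC 1994: MD5 over Identifier || secret || Challenge Value.
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_response(challenge_packet, user, secret):
    """CHAP Response (code 2) answering the given Challenge packet."""
    code, identifier, challenge, _ = parse_chap(challenge_packet)
    if code != 1:
        raise ValueError("not a Challenge packet")
    value = _digest(identifier, secret, challenge)
    return _packet(2, identifier, bytes([len(value)]) + value + user.encode())


def verify_chap(challenge_packet, response_packet, secrets):
    """Authenticator side: recompute the digest for the claimed user."""
    try:
        _, chal_id, challenge, _ = parse_chap(challenge_packet)
        code, resp_id, value, user = parse_chap(response_packet)
    except ValueError:
        return False
    if code != 2 or resp_id != chal_id or user not in secrets:
        return False
    return hmac.compare_digest(value, _digest(chal_id, secrets[user], challenge))


if __name__ == "__main__":
    pap = pap_request(1, USER, SECRET)
    print("PAP request carries the password:", SECRET.encode() in pap)
    first = chap_challenge(7, CHALLENGE_1, PEER)
    answer = chap_response(first, USER, SECRET)
    print("CHAP packets carry the password:", SECRET.encode() in first + answer)
    print("CHAP response accepted:", verify_chap(first, answer, {USER: SECRET}))
    second = chap_challenge(7, CHALLENGE_2, PEER)
    print("Old response accepted for a new challenge:",
          verify_chap(second, answer, {USER: SECRET}))
```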

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon corresponding to the SA interface you want to configure to enter
the SA interface configuration page, as shown in Figure 30.

Figure 30 Configure an SA interface

Table 28 SA interface configuration items


Item

Description

WAN Interface

Displays the name of the interface to be configured.


Interface Status

Display and set the interface status:
If this item shows as Connected, indicating that the current interface is up and connected, you can
click the Disable button to shut down the interface.
If this item shows as Not connected, indicating that the current interface is up but not connected,
you can click the Disable button to shut down the interface.
If this item shows as Administratively Down, indicating that the current interface is shut down by a
network administrator, you can click the Enable button to bring up the interface.

User Name

Configure the user name for authentication.

Password

Configure the password for authentication.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.

IP Address

Configure the IP address for the interface.

IP Mask

Configure the subnet mask for the interface

Configuring an ADSL/G.SHDSL interface


ADSL/G.SHDSL interface overview
The asymmetric digital subscriber line (ADSL) interface and the G.Single-pair high-speed digital
subscriber line (G.SHDSL) interface support IPoA, IPoEoA, PPPoA, and PPPoEoA.


IPoA
IP over ATM (IPoA) enables IP packets to traverse an ATM network. In an IPoA implementation, ATM
provides the data link layer for the IP hosts on the same network to communicate with one another and
IP packets must be adapted in order to traverse the ATM network.
IPoA makes full use of the advantages of ATM, including high speed point-to-point connections, which
help improve the bandwidth performance of an IP network, excellent network performance, and
complete, mature QoS services.

IPoEoA
IPoE over ATM (IPoEoA) adopts a three-layer architecture, with IP encapsulation at the uppermost layer,
IP over Ethernet (IPoE) in the middle, and IPoEoA at the bottom.
IPoEoA is suitable where Ethernet packets are to be forwarded through an ATM interface, for example,
when a network device forwards traffic from an Ethernet across an ATM PVC to a network access server.

PPPoA
PPP over ATM (PPPoA) enables ATM to carry PPP protocol packets. With PPPoA, PPP packets, in which IP
packets or other protocols packets can be encapsulated, are encapsulated in ATM cells. In this case,
ATM can be simply viewed as the carrier of PPP packets. As the communication process of PPPoA is
managed by PPP, PPPoA inherits the flexibility and comprehensive applications of PPP.

PPPoEoA
PPPoE over ATM (PPPoEoA) enables ATM to carry PPPoE (PPP over Ethernet) protocol packets. With
PPPoEoA, Ethernet packets are encapsulated in ATM cells, through which you can use a PVC to simulate
all the functions of Ethernet. To allow ATM to carry Ethernet frames, the interface management module
provides the virtual Ethernet (VE) interface. The VE interface has Ethernet characteristics and can be
dynamically created through configuration commands. The following is the protocol stack adopted by
the VE interface.

ATM PVC at the bottom layer

Ethernet at the link layer

Protocols the same as those for a common Ethernet interface at the network layer and upper layers

Configuration Procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon corresponding to the ADSL/G.SHDSL interface you want to
configure to enter the ADSL/G.SHDSL interface configuration page, as shown in Figure 31.

Figure 31 Configure an ADSL/G.SHDSL interface

Table 29 ADSL/G.SHDSL interface configuration items (IPoA)


Item

Description

WAN Interface

Displays the name of the ADSL/G.SHDSL interface to be configured.


Interface Status

Display and set the interface status:
If this item shows as Connected, indicating that the current interface is up and connected, you can
click the Disable button to shut down the interface.
If this item shows as Not connected, indicating that the current interface is up but not connected,
you can click the Disable button to shut down the interface.
If this item shows as Administratively Down, indicating that the current interface is shut down by a
network administrator, you can click the Enable button to bring up the interface.

Connect Mode: IPoA

Select IPoA as the connection mode.

PVC

Set the VPI/VCI value for the PVC.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.

IP Address

Configure the IP address for the interface.

IP Mask

Configure the subnet mask for the interface

Map IP

Set the remote IP address for the IPoA mapping.

Table 30 ADSL/G.SHDSL interface configuration items (IPoEoA)


Item

Description

WAN Interface

Displays the name of the ADSL/G.SHDSL interface to be configured.

Interface Status

Display and set the interface status:
If this item shows as Connected, indicating that the current interface is up and connected, you can
click the Disable button to shut down the interface.
If this item shows as Not connected, indicating that the current interface is up but not connected,
you can click the Disable button to shut down the interface.
If this item shows as Administratively Down, indicating that the current interface is shut down by a
network administrator, you can click the Enable button to bring up the interface.

Connect Mode: IPoEoA

Select IPoEoA as the connection mode.

PVC

Set the VPI/VCI value for the PVC.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.

IP Address

Configure the IP address for the interface.

IP Mask

Configure the subnet mask for the interface

Table 31 ADSL/G.SHDSL interface configuration items (PPPoA)


Item

Description

WAN Interface

Displays the name of the ADSL/G.SHDSL interface to be configured.


Interface Status

Display and set the interface status:
If this item shows as Connected, indicating that the current interface is up and connected, you can
click the Disable button to shut down the interface.
If this item shows as Not connected, indicating that the current interface is up but not connected,
you can click the Disable button to shut down the interface.
If this item shows as Administratively Down, indicating that the current interface is shut down by a
network administrator, you can click the Enable button to bring up the interface.

Connect Mode: PPPoA

Select PPPoA as the connection mode.

PVC

Set the VPI/VCI value for the PVC.

User Name

Configure the user name for authentication.

Password

Configure the password for authentication.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.

Table 32 ADSL/G.SHDSL interface configuration items (PPPoEoA)


Item

Description

WAN Interface

Displays the name of the ADSL/G.SHDSL interface to be configured.

Interface Status

Display and set the interface status:
If this item shows as Connected, indicating that the current interface is up and connected, you can
click the Disable button to shut down the interface.
If this item shows as Not connected, indicating that the current interface is up but not connected,
you can click the Disable button to shut down the interface.
If this item shows as Administratively Down, indicating that the current interface is shut down by a
network administrator, you can click the Enable button to bring up the interface.

Connect Mode: PPPoEoA

Select PPPoEoA as the connection mode.

PVC

Set the VPI/VCI value for the PVC.

User Name

Configure the user name for authentication.

Password

Configure the password for authentication.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.

Online for all time
Online according to the Idle Timeout value
Idle timeout

Set the idle timeout value for a connection.
If Online for all time is selected, the connection will be maintained until being disconnected manually
or upon an anomaly.
If Online according to the Idle Timeout value is selected, the connection will be disconnected
automatically if no traffic is transmitted or received on the link for a period of time. The connection
will be re-established when a request for Internet access is received.
If Online according to the Idle Timeout value is selected, the Idle timeout value must be specified.

Configuring a CE1/PRI interface


CE1/PRI interface overview
The CE1/PRI interface supports PPP connection mode. For details about PPP, refer to section Configuring
an SA interface.
The CE1/PRI interface can work in either E1 mode (also called non-channelized mode) or CE1 mode
(that is, channelized mode).

A CE1/PRI interface in E1 mode equals an interface of 2048 Mbps data bandwidth, on which no
timeslots are divided. Its logical features are the same as those of a synchronous serial interface. It
supports link layer protocols such as PPP, FR, LAPB and X.25 and network protocols such as IP and
IPX.

A CE1/PRI interface in CE1 mode is physically divided into 32 timeslots numbered 0 to 31. Among
them, timeslot 0 is used for transmitting synchronizing information. All the timeslots except timeslot
0 can be randomly divided into multiple channel sets and each set can be used as an interface
upon timeslot bundling. Its logical features are the same as those of a synchronous serial interface.
It supports link layer protocols such as PPP, HDLC, FR, LAPB and X.25, and network protocols such
as IP.


Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon corresponding to the CE1/PRI interface you want to configure to
enter the CE1/PRI interface configuration page, which varies with the operating mode of the CE1/PRI
interface.

Configure a CE1/PRI interface in E1 mode


Figure 32 Configure a CE1/PRI interface in E1 mode

Table 33 CE1/PRI interface configuration items (in E1 mode)


Item

Description

WAN Interface

Displays the name of the CE1/PRI interface to be configured.


Interface Status

Display and set the interface status:

If this item shows as Connected, indicating that the current interface is up and
connected, you can click the Disable button to shut down the interface.

If this item shows as Not connected, indicating that the current interface is up but
not connected, you can click the Disable button to shut down the interface.

If this item shows as Administratively Down, indicating that the current interface
is shut down by a network administrator, you can click the Enable button to bring
up the interface.

Work Mode: E1

Select E1 as the work mode.

User Name

Configure the user name for authentication.

Password

Configure the password for authentication.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.


Configure a CE1/PRI interface in CE1 mode


Figure 33 Configure a CE1/PRI interface in CE1 mode

Table 34 CE1/PRI configuration items (in CE1 mode)


Item

Description

WAN Interface

Displays the name of the CE1/PRI interface to be configured.


Interface Status

Display and set the interface status:

If this item shows as Connected, indicating that the current interface is up and
connected, you can click the Disable button to shut down the interface.

If this item shows as Not connected, indicating that the current interface is up but not
connected, you can click the Disable button to shut down the interface.

If this item shows as Administratively Down, indicating that the current interface is
shut down by a network administrator, you can click the Enable button to bring up
the interface.

Work Mode: CE1

Select CE1 as the work mode.


Operation

Select to add or remove timeslots.

Create: Adds timeslots to form a channel set.

Delete: Removes timeslots from a channel set.

Serial

Specify the serial interface number of the channel set.

Timeslot-List

Set the timeslots to add or remove.

User Name

Configure the user name for authentication.

Password

Configure the password for authentication.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.



Configuring a CT1/PRI interface


CT1/PRI interface overview
The CT1/PRI interface supports PPP connection mode. For details about PPP, refer to section Configuring
an SA interface.
When it is working as a CT1 interface, all the timeslots (numbered 1 to 24) can be randomly divided into
groups. Each of these groups can form one channel set for which the system automatically creates an
interface logically equivalent to a synchronous serial interface. This interface supports link layer protocols
such as PPP, HDLC, FR, LAPB, and X.25, and network protocols such as IP and IPX.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon corresponding to the CT1/PRI interface you want to configure to
enter the CT1/PRI interface configuration page, as shown in Figure 34.
Figure 34 Configure a CT1/PRI interface

Table 35 CT1/PRI interface configuration items


Item

Description

WAN Interface

Displays the name of the CT1/PRI interface to be configured.

Interface Status

Display and set the interface status:

If this item shows as Connected, indicating that the current interface is up and
connected, you can click the Disable button to shut down the interface.

If this item shows as Not connected, indicating that the current interface is up but
not connected, you can click the Disable button to shut down the interface.

If this item shows as Administratively Down, indicating that the current interface is
shut down by a network administrator, you can click the Enable button to bring up
the interface.

Work Mode: CT1

Select CT1 as the work mode.


Operation

Select to add or remove timeslots.

Create: Adds timeslots to form a channel set.

Delete: Removes timeslots from a channel set.

Serial

Specify the serial interface number of the channel set.

Timeslot-List

Set the timeslots to add or remove.

User Name

Configure the user name for authentication.

Password

Configure the password for authentication.

TCP-MSS

Configure the TCP MSS on the interface.

MTU

Configure the MTU on the interface.

Viewing the general information and statistics of an interface

On the WAN Interface Setup page as shown in Figure 28, you can view the name, connection type, IP
address, mask, and status of each interface. To view the statistics of an interface, click the interface name
to display the page shown in Figure 35.


Figure 35 Statistics of an interface


VLAN configuration
You can configure the following port-based VLAN and VLAN interface functions through the web
interface:

Create or delete VLANs.

Add/remove member ports to/from a VLAN.

Create or delete VLAN interfaces.

Configure VLAN interface parameters.

Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect
(CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on
Ethernet networks. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into
separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all
broadcast traffic is contained within it.
For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3
forwarding. To achieve this, VLAN interfaces are used. VLAN interfaces are virtual interfaces used for
Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For
each VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at
the network layer.
NOTE:
For more information about VLANs and VLAN interfaces, see the H3C MSR Series Routers Layer 2 - LAN
Switching Configuration Guide.

Configuring a VLAN and its VLAN interface


Configuration task lists
Configuring a VLAN
VLAN configuration task list

Task

Remarks

Creating a VLAN and its VLAN interface

Required

Configuring VLAN member ports

Required


Configuring a VLAN interface


Table 36 VLAN interface configuration task list
Task

Remarks

Creating a VLAN and its VLAN interface

Required

Configuring parameters for a VLAN interface

Optional
Configure an IP address and MAC address for a VLAN interface; select whether to
enable the DHCP server function for a VLAN interface, and if yes, configure
related parameters.
IMPORTANT:
You can also configure the DHCP server function in Advanced > DHCP Setup. For
more information, see the chapter DHCP configuration. This chapter only
describes the DHCP server configuration in the LAN Setup module.

Creating a VLAN and its VLAN interface


Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default
page, VLAN Setup page, as shown in Figure 36.
Figure 36 VLAN Setup page


Table 37 Configuration items of configuring a VLAN and its VLAN interface


Item

Description

VLAN Create And Remove

Set the operation type to Create or Remove.

VLAN IDs

Input the ID of the VLAN (or VLAN interface) to be created or removed. You can
create or remove multiple VLANs at a time.

Create VLAN Interface

You can create a VLAN interface when a VLAN is created.

Only Remove VLAN Interface

You can remove the VLAN interface of a VLAN without removing the VLAN.

Return to VLAN configuration task list.


Return to VLAN interface configuration task list.

Configuring VLAN member ports


NOTE:
The ports that you assign to a VLAN in the Web interface can only be set to untagged type.
The VLAN member port list displayed on the VLAN Setup page includes both tagged and untagged
member ports.
You can configure a VLAN by assigning ports to it or removing ports from it.
Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default
page, VLAN Setup page, as shown in Table 38.
Table 38 Configuration items of configuring VLAN member ports
Item

Description

VLAN ID

Select the ID of the VLAN that you want to assign ports to or remove ports from.

Port list

Select the port(s) you want to add or remove.

Add

Click Add to assign the selected ports to the VLAN.

Remove

Click Remove to remove the selected ports from the VLAN.

Return to VLAN configuration task list.

Configuring parameters for a VLAN interface


Select Interface Setup > LAN Interface Setup from the navigation tree, and then select the VLAN Interface
Setup tab to enter the page for configuring parameters for VLAN interfaces, as shown in Figure 37.


Figure 37 VLAN Interface Setup page

Table 39 Configuration items of configuring parameters for a VLAN interface


Item

Description

VLAN ID

Select the ID of the VLAN interface you want to configure.

IP Address
Subnet Mask

Set the VLAN interface's IP address and subnet mask.

MAC Address

Set the MAC address of the VLAN interface using one of these available options:

Use the MAC address of the device: Use the default MAC address of the VLAN
interface, which is displayed in the following brackets.

Use the customized MAC address: Manually set the MAC address of the VLAN
interface. When this option is selected, you must type a MAC address in the text
box below.

DHCP Server

Select whether the VLAN interface operates in DHCP server mode or not.
If you select to enable DHCP server on the interface, you can continue to configure
related DHCP server parameters.

Start IP Address
End IP Address

Set an extended DHCP address pool used for dynamic IP address allocation. The IP
address range is defined by a start IP address and an end IP address.
IMPORTANT:
If an extended address pool is configured on the port that receives the DHCP request
packet, the server allocates an IP address in the extended address pool to the client,
regardless of whether a common address pool (static binding or dynamic allocation) is
also configured on the port. If no IP address is available in the pool, the server will not
be able to allocate an IP address to the client.

Gateway IP Address

Set the gateway IP address allocated to the DHCP clients from the DHCP address pool.
When DHCP clients access servers or hosts on other network segments, their data
needs to be forwarded through the gateway. After specifying a gateway IP address,
the server sends the gateway IP address to the clients along with the IP addresses
allocated to them.

DNS Server 1
DNS Server 2

Assign an IP address in the address pool for the DNS server allocated to the DHCP
clients on the local network segment. DNS Server 1 has a higher preference than DNS
Server 2.
To enable DHCP clients to access hosts on the Internet by domain names, the DHCP
server needs to specify the local DNS server's IP address when assigning IP addresses
to these DHCP clients.

Reserved IP Address

Set the IP addresses that are not to be auto assigned in the DHCP address pool.
An IP address that is already assigned (gateway IP address or FTP server IP address
for example) should not be assigned to another client; otherwise, IP address conflict
will occur.
After you specify an IP address configured in a static binding as not to be auto
assigned, this address can still be assigned to the client in the static binding.

Return to VLAN interface configuration task list.
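A pre-change check for the DHCP server items in Table 39, as an added example that is not part of the H3C guide: it flags addresses already in use that sit inside the extended pool without being reserved, and a pool with nothing left to allocate. The function name is hypothetical, the addresses are constructed from documentation ranges, and the requirement that the pool and gateway lie in the VLAN interface's subnet is an assumption of this example.

```python
import ipaddress


def check_extended_pool(if_addr, mask, start, end, gateway, dns=(), reserved=()):
    """Return (assignable_count, problems) for a VLAN interface DHCP pool.

    Parameters mirror the Table 39 items: IP Address, Subnet Mask,
    Start/End IP Address, Gateway IP Address, DNS Server 1/2 and
    Reserved IP Address.
    """
    net = ipaddress.ip_interface(f"{if_addr}/{mask}").network
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        return 0, ["Start IP Address is higher than End IP Address"]

    problems = []
    # Assumption of this example: pool and gateway belong to the interface subnet.
    for label, addr in (("Start IP Address", lo), ("End IP Address", hi),
                        ("Gateway IP Address", ipaddress.ip_address(gateway))):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")

    held = {ipaddress.ip_address(a) for a in reserved}

    # Addresses that are already assigned on the segment. The guide warns that
    # handing one of these to a client causes an IP address conflict.
    in_use = {}
    named = [("VLAN interface", if_addr), ("gateway", gateway)]
    named += [(f"DNS Server {i}", a) for i, a in enumerate(dns, 1)]
    for label, addr in named:
        in_use.setdefault(ipaddress.ip_address(addr), []).append(label)
    for addr, labels in in_use.items():
        if lo <= addr <= hi and addr not in held:
            problems.append(
                f"{'/'.join(labels)} {addr} is inside the pool but not reserved")

    assignable = int(hi) - int(lo) + 1 - sum(1 for a in held if lo <= a <= hi)
    if assignable == 0:
        problems.append("no address left to allocate in the extended pool")
    return assignable, problems


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation ranges).
    count, issues = check_extended_pool(
        "192.0.2.1", "255.255.255.0", "192.0.2.1", "192.0.2.20",
        gateway="192.0.2.1", dns=("192.0.2.10", "198.51.100.53"),
        reserved=("192.0.2.10",))
    print(count, issues)
```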

Configuration guidelines
When configuring VLANs, follow these guidelines:

As the default VLAN, VLAN 1 can neither be created nor removed manually.

You cannot manually create or remove VLANs reserved for special purposes.

You cannot directly remove protocol-reserved VLANs, voice VLANs, management VLANs, or
dynamically learned VLANs. To remove them, you must remove relevant configurations first.


Wireless configuration overview


The device allows you to perform the following configuration in the web interface:

Configuring wireless access service

Displaying wireless access service

Configuring data transmit rates

Displaying radio

Configuring the blacklist and white list functions

Configuring user isolation

Configuring wireless QoS

Setting a district code

After these configurations, you can build an integrated, stable, secure, effective wireless network.

Overview
Wireless Local Area Network (WLAN) is popular nowadays. Compared with wired LANs, WLANs are
easier and cheaper to implement because only one or several access points (APs) can provide wireless
access for an entire building or area. A WLAN does not necessarily mean that everything is wireless. The
servers and backbones still reside on wired networks. WLANs mainly provide the following services:

Authentication and encryption to secure wireless access.

Wireless access and mobility to free users from the restrictions of wires and cables.

Configuration task list


Perform the tasks in Table 40 to perform wireless configuration.
Table 40 Wireless configuration task list
Task

Remarks

Wireless service configuration

Required
Allows you to create a wireless service and configure its attributes.

Radio configuration

Optional
Allows you to configure radio rates to adjust the capabilities of wireless devices.

WLAN security configuration

Optional
Allows you to control client access to enhance wireless security.

WLAN QoS configuration

Optional
Allows you to configure WLAN QoS to make full use of wireless resources.

Advanced configuration

Optional
Allows you to configure district codes as needed to meet the specific country regulations.


Wireless service configuration


NOTE:
For more information about WLAN user access, see the H3C MSR Series Routers WLAN
Configuration Guide.

Configuring wireless access service


Creating a wireless access service
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for
configuring access service, as shown in Figure 38:
Figure 38 Configure access service

Click Add to enter the page for creating a wireless access service, as shown in Figure 39:
Figure 39 Create a wireless service


Table 41 Configuration items of creating a wireless access service


Item

Description

Radio Unit

Radio ID, 1 or 2. The actual value range depends on your device model.

Mode

Displays the radio mode, which depends on your device model.

Wireless Service Name

Set the service set identifier (SSID).
An SSID should be as unique as possible. For security,
the company name should not be contained in the SSID.
Meanwhile, H3C does not recommend using a
long random string as the SSID, because it only adds to the
Beacon frame length and usage complexity, without any
improvement to wireless security.

Wireless Service Type

Select the wireless service type:

clear: Indicates the SSID will not be encrypted.

crypto: Indicates the SSID will be encrypted.

Configuring clear type wireless service


Basic configuration of clear type wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree, find the clear type wireless
service in the list, and click the corresponding icon to enter the page for configuring wireless service,
as shown in Figure 40.
Figure 40 Configure clear type wireless service

Table 42 Configuration items of basic configuration of clear type wireless service


Item

Description

Wireless Service

Displays the selected Service Set Identifier (SSID).

VLAN (Untagged)

Input the ID of the VLAN whose packets are to be sent untagged.
VLAN (Untagged) indicates that the port sends the traffic of the
VLAN with the VLAN tag removed.

Default VLAN

Set the default VLAN of a port.
By default, the default VLAN of all ports is VLAN 1. After you set
the new default VLAN, VLAN 1 is the ID of the VLAN whose
packets are to be sent untagged.

Delete VLAN

Removes the IDs of the VLANs whose packets are to be sent
untagged and tagged.

SSID HIDE

Enable: Disables the advertisement of the SSID in beacon frames.

Disable: Enables the advertisement of the SSID in beacon frames.

By default, the SSID in beacon frames is advertised.
IMPORTANT:

If the advertising of the SSID in beacon frames is disabled, the
SSID must be configured for the clients to associate with the
device.

Disabling the advertising of the SSID in beacon frames does
little good to wireless security. Allowing the advertising of the
SSID in beacon frames enables a client to discover an AP more
easily.

Advanced configuration of clear type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, find the clear type wireless
service in the list, and click the corresponding icon to enter the page for advanced configuration, as
shown in Figure 41.
Figure 41 Advanced configuration of a clear type wireless service

Table 43 Configuration items of basic configuration of clear type wireless service


Item

Description
Client Max Users

Maximum number of clients of an SSID to be associated with the
same radio of the AP
IMPORTANT:
When the number of clients of an SSID to be associated with the
same radio of the AP reaches the maximum, the SSID is
automatically hidden.

Management Right

Web interface management right of online clients

Disable: Disables the web interface management right of
online clients.

Enable: Enables the web interface management right of
online clients.

Security configuration of clear type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, find the clear type wireless
service in the list, and click the corresponding icon to enter the page for configuring clear type
wireless service security.
Table 44 Configuration items of security configuration of clear type wireless service
Item

Description

Authentication Type

For the clear type wireless service, you can select Open-System only.

Port Mode

mac-authentication: Performs MAC address authentication on users.

mac-else-userlogin-secure: This mode is the combination of the
mac-authentication and userlogin-secure modes, with MAC
authentication having a higher priority. Upon receiving a non-802.1X
frame, a port in this mode performs only MAC authentication; upon
receiving an 802.1X frame, the port performs MAC authentication and
then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext: This mode is similar to the
mac-else-userlogin-secure mode, except that it supports multiple 802.1X
and MAC authentication users on the port.

userlogin-secure: In this mode, port-based 802.1X authentication is
performed for users; multiple 802.1X authenticated users can access the
port, but only one user can be online.

userlogin-secure-or-mac: This mode is the combination of the
userlogin-secure and mac-authentication modes, with 802.1X
authentication having a higher priority. For a wireless user, 802.1X
authentication is performed first. If 802.1X authentication fails, MAC
authentication is performed.

userlogin-secure-or-mac-ext: This mode is similar to the
userlogin-secure-or-mac mode, except that it supports multiple 802.1X
and MAC authentication users on the port.

userlogin-secure-ext: In this mode, a port performs 802.1X
authentication on users in macbased mode and supports multiple
802.1X users.
IMPORTANT:
There are multiple security modes. To remember them easily, follow these
rules to understand part of the port security modes:

userLogin indicates port-based 802.1X authentication.

mac indicates MAC address authentication.

The authentication mode before Else is used preferentially. If the
authentication fails, the authentication after Else may be used
depending on the protocol type of the packets to be authenticated.

The authentication mode before Or and that after Or have the same
priority. The device determines the authentication mode according to
the protocol type of the packets to be authenticated. For wireless users,
the 802.1X authentication mode is used preferentially.

userLogin together with Secure indicates MAC-based 802.1X
authentication.

A security mode with Ext allows multiple 802.1X users to pass the
authentication. A security mode without Ext allows only one 802.1X user
to pass the authentication.

Max User

Maximum number of users that can be connected to the network through a
specific port.

1. Configure MAC authentication


Figure 42 MAC authentication configuration

Table 45 MAC authentication configuration items


Item

Description

Port Mode

mac-authentication: MAC-based authentication is
performed on access users.

Max User

Control the maximum number of users allowed to access the
network through the port.

MAC Authentication

Select the MAC Authentication option.

Domain

Select an existing domain from the drop-down list.

The default domain is system. To create a domain, select
Authentication > AAA from the navigation tree, click the
Domain Setup tab, and type a new domain name in the
Domain Name combo box.

The selected domain name applies to only the current
wireless service, and all clients accessing the wireless
service use this domain for authentication, authorization,
and accounting.

Do not delete a domain name in use. Otherwise, the
clients that access the wireless service will be logged
out.

2. Configure userlogin-secure/userlogin-secure-ext

Figure 43 userlogin-secure/userlogin-secure-ext port security configuration page (userlogin-secure is
taken for example)

Table 46 userlogin-secure/userlogin-secure-ext port security configuration items


Item

Description
Port Mode

userlogin-secure: Perform port-based 802.1X authentication
for access users. In this mode, multiple 802.1X authenticated
users can access the port, but only one user can be online.

userlogin-secure-ext: Perform MAC-based 802.1X
authentication for access users. In this mode, the port supports
multiple 802.1X users.

Max User

Control the maximum number of users allowed to access the
network through the port.

Mandatory Domain

Select an existing domain from the drop-down list.

The default domain is system. To create a domain, select
Authentication > AAA from the navigation tree, click the Domain
Setup tab, and type a new domain name in the Domain Name
combo box.

The selected domain name applies to only the current wireless
service, and all clients accessing the wireless service use this
domain for authentication, authorization, and accounting.

Do not delete a domain name in use. Otherwise, the clients
that access the wireless service will be logged out.

Authentication Method

EAP: Use the Extensible Authentication Protocol (EAP). With
EAP authentication, the authenticator encapsulates 802.1X
user information in the EAP attributes of RADIUS packets and
sends the packets to the RADIUS server for authentication; it
does not need to repackage the EAP packets into standard
RADIUS packets for authentication.

CHAP: Use the Challenge Handshake Authentication Protocol
(CHAP). By default, CHAP is used. CHAP transmits only user
names rather than passwords over the network. Therefore this
method is safer.

PAP: Use the Password Authentication Protocol (PAP). PAP
transmits passwords in plain text.

Handshake

Enable: Enable the online user handshake function so that the
device can periodically send handshake messages to a user to
check whether the user is online. By default, the function is
enabled.

Disable: Disable the online user handshake function.

Multicast Trigger

Enable: Enable the multicast trigger function of 802.1X to send
multicast trigger messages to the clients periodically for
initiating authentication. By default, the multicast trigger
function is enabled.

Disable: Disable the 802.1X multicast trigger function.

IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the
AP can discover users and trigger authentication. Therefore, the
ports do not need to send 802.1X multicast trigger messages
periodically for initiating authentication. H3C recommends that you
disable the multicast trigger function in a WLAN because the
multicast trigger messages consume bandwidth.

3. Configure the other four port security modes

Figure 44 Port security configuration page for the other four security modes (mac-else-userlogin-secure
is taken for example)


Table 47 Configuration items of the other four security modes


Item

Description
Port Mode

mac-else-userlogin-secure: This mode is the
combination of the mac-authentication and
userlogin-secure modes, with MAC authentication
having a higher priority. Upon receiving a
non-802.1X frame, a port in this mode performs
only MAC authentication; upon receiving an
802.1X frame, the port performs MAC
authentication and then, if MAC authentication
fails, 802.1X authentication.

mac-else-userlogin-secure-ext: This mode is similar
to the mac-else-userlogin-secure mode, except that
it supports multiple 802.1X and MAC
authentication users on the port.

userlogin-secure-or-mac: This mode is the
combination of the userlogin-secure and
mac-authentication modes, with 802.1X
authentication having a higher priority. For a
wireless user, 802.1X authentication is performed
first. If 802.1X authentication fails, MAC
authentication is performed.

userlogin-secure-or-mac-ext: This mode is similar to
the userlogin-secure-or-mac mode, except that it
supports multiple 802.1X and MAC authentication
users on the port.

Max User

Control the maximum number of users allowed to
access the network through the port.

Mandatory Domain

Select an existing domain from the drop-down list.

After a mandatory domain is configured, all 802.1X
users accessing the port are forced to use the
mandatory domain for authentication, authorization,
and accounting.

The default domain is system. To create a domain,
select Authentication > AAA from the navigation tree,
click the Domain Setup tab, and type a new domain
name in the Domain Name combo box.

Authentication Method

EAP: Use the Extensible Authentication Protocol
(EAP). With EAP authentication, the authenticator
encapsulates 802.1X user information in the EAP
attributes of RADIUS packets and sends the
packets to the RADIUS server for authentication; it
does not need to repackage the EAP packets into
standard RADIUS packets for authentication.

CHAP: Use the Challenge Handshake
Authentication Protocol (CHAP). By default, CHAP
is used. CHAP transmits only usernames but not
passwords over the network. Therefore this method
is safer.

PAP: Use the Password Authentication Protocol
(PAP). PAP transmits passwords in plain text.

Handshake

Enable: Enable the online user handshake function
so that the device can periodically send handshake
messages to a user to check whether the user is
online. By default, the function is enabled.

Disable: Disable the online user handshake
function.

Multicast Trigger

Enable: Enable the multicast trigger function of
802.1X to send multicast trigger messages to the
clients periodically for initiating authentication. By
default, the multicast trigger function is enabled.

Disable: Disable the 802.1X multicast trigger
function.
IMPORTANT:

For a WLAN, the clients can actively initiate
authentication, or the AP can discover users and trigger
authentication. Therefore, the ports do not need to send
802.1X multicast trigger messages periodically for
initiating authentication. H3C recommends that you
disable the multicast trigger function in a WLAN
because the multicast trigger messages consume
bandwidth.

MAC Authentication

Select the MAC Authentication option.

Domain

Select an existing domain from the drop-down list.
The default domain is system. To create a domain,
select Authentication > AAA from the navigation tree,
click the Domain Setup tab, and type a new domain
name in the Domain Name combo box.

The selected domain name applies to only the
current wireless service, and all clients accessing
the wireless service use this domain for
authentication, authorization, and accounting.

Do not delete a domain name in use. Otherwise,
the clients that access the wireless service will be
logged out.
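The port mode naming rules and the Max User limit from the port security tables above, modelled as an added example that is not H3C code: it shows which authentication methods a port tries, in what order, and when a client is turned away. The names split_mode, auth_order and Port are hypothetical, the client MAC addresses are constructed, and mac_ok / dot1x_ok stand in for the result the AAA domain would return.

```python
# "dot1x" stands for 802.1X authentication, "mac" for MAC authentication.

# Order in which each base mode tries the methods for a wireless client that
# sends 802.1X frames, taken from the mode descriptions in the tables.
BASE_MODES = {
    "mac-authentication": ("mac",),
    "mac-else-userlogin-secure": ("mac", "dot1x"),
    "userlogin-secure": ("dot1x",),
    "userlogin-secure-or-mac": ("dot1x", "mac"),
}


def split_mode(mode):
    """Return (base_mode, ext) and reject names the tables do not list."""
    ext = mode.endswith("-ext")
    base = mode[:-len("-ext")] if ext else mode
    if base not in BASE_MODES or (ext and base == "mac-authentication"):
        raise ValueError(f"not a port mode listed in the guide: {mode!r}")
    return base, ext


def auth_order(mode, frame_is_dot1x=True):
    """Methods the port tries, in order, for one client."""
    base, _ = split_mode(mode)
    # Else rule: a non-802.1X frame gets MAC authentication only.
    if base == "mac-else-userlogin-secure" and not frame_is_dot1x:
        return ("mac",)
    return BASE_MODES[base]


class Port:
    """One wireless service port with a mode and a Max User limit."""

    def __init__(self, mode, max_user):
        _, self.ext = split_mode(mode)
        self.mode = mode
        self.max_user = max_user
        self.online = {}  # client MAC address -> method that admitted it

    def connect(self, client, mac_ok, dot1x_ok, frame_is_dot1x=True):
        if client in self.online:
            return self.online[client]
        if len(self.online) >= self.max_user:
            return "rejected: max user reached"
        outcome = {"mac": mac_ok, "dot1x": dot1x_ok}
        for method in auth_order(self.mode, frame_is_dot1x):
            if not outcome[method]:
                continue  # this method failed, fall through to the next one
            # Ext rule: without -ext only one 802.1X user passes authentication.
            if (method == "dot1x" and not self.ext
                    and "dot1x" in self.online.values()):
                return "rejected: one 802.1X user already online"
            self.online[client] = method
            return method
        return "rejected: authentication failed"


if __name__ == "__main__":
    port = Port("userlogin-secure-or-mac", max_user=4)
    # Constructed client: fails 802.1X, but its MAC address is authorized.
    print(port.connect("00:00:5e:00:53:01", mac_ok=True, dot1x_ok=False))
```

In the Else and Or modes a client whose MAC address passes is admitted without completing 802.1X, so the MAC authentication user list needs the same care as the 802.1X accounts.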

Configuring crypto type wireless service


Basic configuration of crypto type wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree, find the crypto type wireless
service in the list, and click the corresponding icon to enter the page for configuring wireless service,
as shown in Figure 45:


Figure 45 Crypto type wireless service

See Table 42 for the configuration items of basic configuration of crypto type wireless service.

Advanced configuration of crypto type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, find the crypto type wireless
service in the list, and click the corresponding icon to enter the page for configuring wireless service,
as shown in Figure 46:
Figure 46 Advanced configuration of crypto type wireless service

Table 48 Configuration items of advanced configuration of crypto type wireless service


Item: Client Max Users
Description: Maximum number of clients of an SSID to be associated with the same radio of the AP.
IMPORTANT: When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

Item: PTK Life Time
Description: Set the pairwise transient key (PTK) lifetime. A PTK is generated through a four-way handshake.

Item: TKIP CM Time
Description: Set the TKIP countermeasure time.
By default, the TKIP countermeasure time is 0 seconds, that is, the TKIP countermeasure policy is disabled.
If the TKIP countermeasure time is set to a value other than 0, the TKIP countermeasure policy is enabled.
Message integrity check (MIC) is designed to avoid hacker tampering. It uses the Michael algorithm and is extremely secure. When MIC failures occur, the data may have been tampered with, and the system may be under attack. In this case, TKIP will enable the countermeasure policy to prevent hackers from attacking. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, TKIP disassociates all connected wireless clients and no new associations are allowed within the TKIP countermeasure time.

Item: Management Right
Description: Web interface management right of online clients.
Disable: Disables the web interface management right of online clients.
Enable: Enables the web interface management right of online clients.

Item: GTK Rekey Method
Description: An AC generates a group transient key (GTK) and sends the GTK to a client during the authentication process between an AP and the client through group key handshake/the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets.
If Time is selected, the GTK will be refreshed after a specified period of time.
If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.
By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.

Item: GTK User Down Status
Description: Enable refreshing the GTK when some client goes offline.
By default, the GTK is not refreshed when a client goes offline.
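The TKIP CM Time behaviour described in the table above, modelled as a small state machine and replayed over constructed events. This is an added example, not H3C code; the class and function names are hypothetical, and it assumes the configured time serves both as the window for counting MIC failures and as the period during which new associations are refused, as the description reads.

```python
from collections import deque


class TkipCountermeasure:
    """Models the TKIP countermeasure policy as this guide describes it."""

    def __init__(self, cm_time):
        self.cm_time = cm_time      # seconds; 0 means the policy is disabled
        self.failures = deque()     # timestamps of recent MIC failures
        self.blocked_until = None   # end of the current hold-off, if any

    def may_associate(self, now):
        """New associations are refused until the hold-off has elapsed."""
        return self.blocked_until is None or now >= self.blocked_until

    def mic_failure(self, now):
        """Record one MIC failure; return True if countermeasures start."""
        if self.cm_time == 0:
            return False
        self.failures.append(now)
        # Keep only the failures that fall inside the last cm_time seconds.
        while now - self.failures[0] >= self.cm_time:
            self.failures.popleft()
        if len(self.failures) > 2:  # "more than two MIC failures"
            self.blocked_until = now + self.cm_time
            self.failures.clear()
            return True
        return False


def replay(events, cm_time):
    """Run (time, kind, mac) events; kind is 'assoc' or 'mic_fail'."""
    policy = TkipCountermeasure(cm_time)
    online, log = set(), []
    for now, kind, mac in events:
        if kind == "assoc":
            if policy.may_associate(now):
                online.add(mac)
                log.append((now, "associated", mac))
            else:
                log.append((now, "denied", mac))
        elif kind == "mic_fail" and policy.mic_failure(now):
            # Countermeasures: every connected client is disassociated.
            for client in sorted(online):
                log.append((now, "disassociated", client))
            online.clear()
    return log, online


# Constructed sample events (seconds since start); the MAC addresses are
# the two client addresses used in this guide's configuration examples.
SAMPLE_EVENTS = [
    (0, "assoc", "0014-6c8a-43ff"),
    (5, "assoc", "0040-96b3-8a77"),
    (10, "mic_fail", "0014-6c8a-43ff"),
    (20, "mic_fail", "0014-6c8a-43ff"),    # two failures: below the threshold
    (100, "mic_fail", "0040-96b3-8a77"),   # earlier failures have aged out
    (110, "mic_fail", "0040-96b3-8a77"),
    (120, "mic_fail", "0040-96b3-8a77"),   # third failure inside 60 s
    (150, "assoc", "0014-6c8a-43ff"),      # inside the hold-off
    (181, "assoc", "0014-6c8a-43ff"),      # hold-off over
]

if __name__ == "__main__":
    for entry in replay(SAMPLE_EVENTS, cm_time=60)[0]:
        print(entry)
```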

Security configuration of crypto type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, find the crypto type wireless
service in the list, and click the corresponding
icon to enter the page for configuring crypto type
wireless service, as shown in Figure 47.


Figure 47 Security configuration of crypto type wireless service

Table 49 Configuration items of security configuration of crypto type wireless service


Item: Authentication Type
Description: Link authentication method, which can be:
Open-System: Namely, no authentication. With this authentication mode enabled, all the clients will pass the authentication.
Shared-Key: The two parties need to have the same shared key configured for this authentication mode. You can select this option only when WEP encryption mode is used.
Open-System and Shared-Key: It indicates that you can select both open-system and shared-key authentication.

Item: Cipher Suite
Description: Encryption mechanisms supported by the wireless service, which can be:
CCMP: Encryption mechanism based on the AES encryption algorithm.
TKIP: Encryption mechanism based on the RC4 algorithm and dynamic key management.
CCMP and TKIP: It indicates that you can select both CCMP and TKIP encryption.

Item: Security IE
Description: Wireless service type (IE information carried in the beacon or probe response frame):
WPA: Wi-Fi Protected Access, a security mechanism before the 802.11i protocol.
WPA2: Security mechanism defined in 802.11i, also known as the Robust Security Network (RSN) security mechanism, which is more secure than WEP and WPA.
WPA and WPA2: It indicates that you can select both WPA and WPA2.

Item: Encryption (WEP)
Description:
wep40: Indicates the WEP40 key option.
wep104: Indicates the WEP104 key option.
wep128: Indicates the WEP128 key option.

Item: Key ID
Description: Configure the key index, which can be:
1: Key index 1.
2: Key index 2.
3: Key index 3.
4: Key index 4.
There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index will be used for encrypting and decrypting broadcast and multicast frames.

Item: Key Length
Description: Key length.
For wep40, the key is a string of 5 alphanumeric characters or a 10-digit hexadecimal number.
For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.
For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.

Item: WEP Key
Description: Configure the WEP key.

Item: Port Security
Description: See Table 44.
Parameters such as authentication type and encryption type determine the port mode. For details, see Table 52.
After you select the Cipher Suite option, the following four port security modes are added:
mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
psk: An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.
userlogin-secure-ext: Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.
1. Configure mac and psk


Figure 48 mac and psk port security configuration page

Table 50 mac and psk port security configuration items


Item: Port Mode
Description: mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Item: Max User
Description: Control the maximum number of users allowed to access the network through the port.

Item: MAC Authentication
Description: Select the MAC Authentication option.

Item: Domain
Description: Select an existing domain from the drop-down list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name combo box.
The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Item: Preshared Key
Description:
pass-phrase: Enter a PSK in the form of a character string. You should enter a string that can be displayed and is of 8 to 63 characters.
raw-key: Enter a PSK in the form of a hexadecimal number. You should input a valid 64-bit hexadecimal number.


2. Configure psk

Figure 49 psk port security configuration page

Table 51 psk port security configuration items


Item: Port Mode
Description: psk: An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.

Item: Max User
Description: Control the maximum number of users allowed to access the network through the port.

Item: Preshared Key
Description:
pass-phrase: Enter a PSK in the form of a character string. You should enter a string that can be displayed and is of 8 to 63 characters.
raw-key: Enter a PSK in the form of a hexadecimal number. You should input a valid 64-bit hexadecimal number.

3. Configure userlogin-secure-ext

Perform the configurations as shown in Configure userlogin-secure/userlogin-secure-ext.

Security parameter dependencies


In a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are
described in Table 52.


Table 52 Security parameter dependencies


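Service type: Clear
Authentication mode: Open-System
Encryption type: Unavailable
Security IE: Unavailable
WEP encryption/key ID: Unavailable
Port mode: mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext

Service type: Crypto
Authentication mode: Open-System
Encryption type: Selected
Security IE: Required
WEP encryption/key ID: WEP encryption is available. The key ID can be 1, 2, 3, or 4
Port mode: mac and psk, psk, userlogin-secure-ext

Service type: Crypto
Authentication mode: Open-System
Encryption type: Unselected
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4
Port mode: mac-authentication

Service type: Crypto
Authentication mode: Shared-Key
Encryption type: Unavailable
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4
Port mode: mac-authentication

Service type: Crypto
Authentication mode: Open-System and Shared-Key
Encryption type: Selected
Security IE: Required
WEP encryption/key ID: WEP encryption is required. The key ID can be 2, 3 or 4
Port mode: mac and psk, psk, userlogin-secure-ext

Service type: Crypto
Authentication mode: Open-System and Shared-Key
Encryption type: Unselected
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4
Port mode: mac-authentication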

Displaying wireless access service


Displaying wireless service
Select Interface Setup > Wireless > Summary from the navigation tree and click the name of the specified
wireless service to view the detailed information, statistics, or connection history.

Displaying detailed information about wireless service


The detailed information of wireless service (clear type) is as shown in Figure 50.
Figure 50 Display detailed information of wireless service (clear type)

Table 53 Fields of detailed information of the wireless service (clear type)


Field: Service Template Number
Description: Current service template number

Field: SSID
Description: Service set identifier (SSID) for the ESS

Field: Service Template Type
Description: Service template type

Field: Authentication Method
Description: Type of authentication used. Wireless service of the clear type only uses open system authentication

Field: SSID-hide
Description:
Disable: The SSID is advertised in beacon frames.
Enable: Disables the advertisement of the SSID in beacon frames.

Field: Service Template Status
Description: Status of service template:
Enable: Enables wireless service.
Disable: Disables wireless service.

Field: Maximum clients per BSS
Description: Maximum number of associated clients per BSS

The detailed information of wireless service (crypto type) is as shown in Figure 51.


Figure 51 Display detailed information of wireless service (crypto type)

Table 54 Fields of detailed information of the wireless service (crypto type)


Field: Service Template Number
Description: Current service template number

Field: SSID
Description: SSID for the ESS

Field: Service Template Type
Description: Service template type

Field: Security IE
Description: Security IE: WPA or RSN

Field: Authentication Method
Description: Authentication method: open system or shared key

Field: SSID-hide
Description:
Disable: The SSID is advertised in beacon frames.
Enable: Disables the advertisement of the SSID in beacon frames.

Field: Cipher Suite
Description: Cipher suite: CCMP, TKIP, WEP40, WEP104, or WEP128

Field: TKIP Countermeasure Time(s)
Description: TKIP countermeasure time in seconds

Field: PTK Life Time(s)
Description: PTK lifetime in seconds

Field: GTK Rekey
Description: GTK rekey configured

Field: GTK Rekey Method
Description: GTK rekey method configured: packet based or time based

Field: GTK Rekey Time(s)
Description: Time for GTK rekey in seconds
If Time is selected, the GTK will be refreshed after a specified period of time.
If Packet is selected, the GTK will be refreshed after a specified number of packets are transmitted.

Field: Service Template Status
Description: Status of service template:
Enable: Enables wireless service
Disable: Disables wireless service

Field: Maximum clients per BSS
Description: Maximum number of associated clients per BSS


Displaying statistics of wireless service


Figure 52 Display wireless service statistics

Displaying connection history information of wireless service


Figure 53 Display the connection history information of wireless service

Displaying client
Displaying client detailed information
Select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab to enter
the Client page. Then click the Detail Information tab on the page, and click the name of the specified
client to view the detailed information of the client.
The detailed information of a client is as shown in Figure 54. For the description of the fields in the client
detailed information, see Table 56.


Figure 54 Display client

Table 55 Client RSSI


Field

Description
: Indicates that 0 < RSSI <= 20.
: Indicates that 20 < RSSI <= 30.

Client RSSI

: Indicates that 30 < RSSI <= 35.


: Indicates that 35 < RSSI <= 40.
: Indicates that 40 < RSSI.

Table 56 Description on fields of client information


Field: MAC address
Description: MAC address of the client

Field: AID
Description: Association ID of the client

Field: User Name
Description: Username of the client:
The field is displayed as -NA- if the client adopts plain-text authentication or cipher-text authentication with no username.
The field is irrelevant to the portal authentication method. If the client uses the portal authentication method, the field does not display the portal username of the client.

Field: Radio Interface
Description: WLAN radio interface

Field: SSID
Description: SSID of the device

Field: BSSID
Description: MAC address of the device

Field: Port
Description: WLAN-DBSS interface associated with the client

Field: VLAN
Description: Number of the VLAN interface to which the client belongs

Field: State
Description: State of the client such as running

Field: Power Save Mode
Description: Client's power save mode: active or sleep

Field: Wireless Mode
Description: Wireless mode such as 802.11b, 802.11g, 802.11gn

Field: QoS Mode
Description: Whether the device supports the WMM function

Field: Listen Interval (Beacon Interval)
Description: Number of times the client has been activated to listen to beacon frames

Field: RSSI
Description: Received signal strength indication. This value indicates the client signal strength detected by the AP.

Field: SNR
Description: Signal to Noise Ratio

Field: Rx/Tx Rate
Description: Represents the reception/transmission rate of the last frame

Field: Client Type
Description: Client type such as RSN, WPA, or Pre-RSN

Field: Authentication Method
Description: Authentication method such as open system or shared key

Field: AKM Method
Description: AKM suite used such as Dot1X or PSK

Field: 4-Way Handshake State
Description: Displays one of the 4-way handshake states:
IDLE: Displayed in initial state.
PTKSTART: Displayed when the 4-way handshake is initialized.
PTKNEGOTIATING: Displayed after valid message 3 was sent.
PTKINITDONE: Displayed when the 4-way handshake is successful.

Field: Group Key State
Description: Displays the group key state:
IDLE: Displayed in initial state.
REKEYNEGOTIATE: Displayed after the AC sends the initial message to the client.
REKEYESTABLISHED: Displayed when re-keying is successful.

Field: Encryption Cipher
Description: Encryption cipher: clear or crypto.

Field: Roam Status
Description: Displays the roam status: Normal or Fast Roaming

Field: Up Time
Description: Time for which the client has been associated with the device

Table 57 Description on the fields of client information


Field: Refresh
Description: Refresh the current page.

Field: Add to Blacklist
Description: Add the selected client to the static blacklist, which you can display by selecting Security > Filter from the navigation tree.

Field: Reset Statistic
Description: Delete all items in the list or clear all statistics.

Field: Disconnect
Description: Log off the selected client.


Displaying client statistics


Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Client tab to
enter the Client page, click the Statistic Information tab on the page, and click the name of the specified
client to view the statistics of the client.
The statistics of a client is as shown in Figure 55. For the description of the fields in the client statistics, see
Table 58.
Figure 55 Display client statistics

Table 58 Client statistics description


Field: AP Name
Description: Name of the associated access point

Field: Radio Id
Description: Radio ID

Field: SSID
Description: SSID of the device

Field: BSSID
Description: MAC address of the device

Field: MAC Address
Description: MAC Address of the client

Field: RSSI
Description: Received signal strength indication. This value indicates the client signal strength detected by the device.

Field: Transmitted Frames
Description: Number of transmitted frames

Field: Back Ground(Frames/Bytes)
Description: Statistics of background traffic, in frames or in bytes.

Field: Best Effort(Frames/Bytes)
Description: Statistics of best effort traffic, in frames or in bytes.

Field: Video(Frames/Bytes)
Description: Statistics of video traffic, in frames or in bytes.

Field: Voice(Frames/Bytes)
Description: Statistics of voice traffic, in frames or in bytes.

Field: Received Frames
Description: Number of received frames

Field: Discarded Frames
Description: Number of discarded frames


Displaying RF ping information


Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you
to get the connection information between the AP and its associated clients, such as signal strength,
packet re-transmission attempts, and round trip time (RTT).
Select Summary > Client from the navigation tree to enter the Client page, click the Link Test Information
tab on the page, and click the name of the specified client to view the link test information of the client,
as shown in Figure 56. For the description of the fields in the client link test information, see Table 59.
Figure 56 View link test information

Table 59 Description of fields of link test information


Field: No./MCS
Description: Rate number for a non-802.11n client
MCS value for an 802.11n client.

Field: Rate(Mbps)
Description: Rate at which the radio interface sends wireless ping frames

Field: TxCnt
Description: Number of wireless ping frames that the radio interface sent

Field: RxCnt
Description: Number of wireless ping frames that the radio interface received from the client

Field: RSSI
Description: Received signal strength indication. This value indicates the client signal strength detected by the AP.

Field: Retries
Description: Total number of retransmitted ping frames

Field: RTT(ms)
Description: Round trip time


Wireless access configuration examples


Wireless service configuration example
Network requirement
As shown in Figure 57, it is required to enable the wireless function on the device to enable the client to
access the internal network resources at any time. More specifically:

The device provides plain-text wireless access service with SSID service1.

802.11g is adopted.

Figure 57 Wireless service configuration

Configuration procedure
1. Configure a wireless service

# Create a wireless service.


Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 58:
Figure 58 Create a wireless service

Select the radio unit 1.

Set the service name to service1.

Select the wireless service type clear.

Click Apply.

2. Enable the wireless service

Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
wireless service, as shown in Figure 59:


Figure 59 Enable the wireless service

Set the service1 option.

Click Enable.

3. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)

Select Interface Setup > Wireless > Access Service from the navigation tree to enter the Radio Setup page,
as shown in Figure 60. Make sure that 802.11g radio is enabled.
Figure 60 Enable 802.11g radio

Configuration verification
If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you
can view the online clients.

Configuration guidelines
Note the following guidelines when configuring a wireless service:

Select a correct district code.

Make sure that the radio unit is enabled.

Access service-based VLAN configuration example


Network requirements
An AP can provide multiple wireless access services. Different wireless access services can use different
wireless security policies, and can be bound to different VLANs to implement wireless access user
isolation.
As shown in Figure 61, configure wireless VLANs to satisfy the following requirements:

Set up a wireless access service named research, and configure it to use the PSK authentication.
Clients that access the wireless network are in VLAN 2.

Set up a wireless access service named office, and configure it to use the clear text authentication.
Clients that access the wireless network are in VLAN 3.


Figure 61 Network diagram for access service-based VLAN configuration

(Diagram: client 0040-96b3-8a77 on SSID research in VLAN 2, client 0014-6c8a-43ff on SSID office in VLAN 3, the router, and the IP network.)

Configuration procedure
1. Configure a wireless service named research.

# Create a wireless service.


Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to enter the
page for creating a wireless service.

Configure the name of the wireless service as research.

Select the wireless service type crypto.

Click Apply.

# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can perform the VLAN settings (before this operation, select Network > VLAN and create
VLAN 2 first).
Figure 62 Set the VLANs

Type 2 in the VLAN (Untagged) input box.

Type 2 in the Default VLAN input box.

Type 1 in the Delete VLAN input box.

NOTE:
For PSK-related configuration, see PSK authentication configuration example. You can strictly follow
the configuration example to configure the PSK configuration.
2. Configure a wireless service named office.

# Create a wireless service.


Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to enter the
page for creating a wireless service.

Configure the wireless service name as office.

Select the wireless service type clear.

Click Apply.

# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can configure the VLANs (first select Network > VLAN from the navigation tree, and create
VLAN 3).
Figure 63 Set the VLANs

Type 3 in the VLAN (Untagged) input box.

Type 3 in the Default VLAN input box.

Type 1 in the Delete VLAN input box.

Click Apply.

3. Verify the configuration

If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you
can view the online clients.
On this page, you can see that the client 0014-6c8a-43ff, which accesses the SSID office, is in VLAN 3,
while the client 0040-96b3-8a77, which accesses the SSID research, is in VLAN 2. Because the two
clients are in different VLANs, they cannot access each other.

PSK authentication configuration example


Network requirements
As shown in Figure 64, it is required that the client access the wireless network by passing PSK
authentication. The PSK key configuration on the client is the same as that on the AP, that is, 12345678.
Figure 64 Network diagram for PSK authentication configuration

Configuration procedure
1. Configure a wireless service

# Create a wireless service.



Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 65:
Figure 65 Create a wireless service

Set the service name to psk.

Select the wireless service type crypto.

Click Apply.

2. Configure PSK authentication

After you create a wireless service, you will enter the wireless service configuration page. You need to
perform security setup when configuring PSK authentication, as shown in Figure 66:
Figure 66 Security setup

Select the Open-System from the Authentication Type drop-down list.

Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and
then select WPA from the Security IE drop-down list.

Select the Port Set option, and select psk from the Port Mode drop-down list.

Select pass-phrase from the Preshared Key drop-down list, and type key ID 12345678.

Click Apply.

3. Enable the wireless service



Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
a wireless service, as shown in Figure 67:
Figure 67 Enable the wireless service

Select the psk option.

Click Enable.

4. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)

Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
that 802.11g radio is enabled.
5. Configure the client

Launch the client, and refresh the network list. Select the configured service in Choose a wireless network
(PSK in this example), and click Connect. In the popup dialog box, type the key (12345678 in this
example), and then click Connect, as shown in Figure 68.


Figure 68 Configure the client

The client has the same preshared PSK key as the AP, so the client can associate with the AP.


Figure 69 The client is associated with the AP

Configuration verification

The same PSK pre-shared key is configured on the client. The client can successfully associate with
the device and can access the WLAN network.

If you select Interface Setup > Wireless > Access Service from the navigation tree, and then click the
Client tab, you can view the online clients.
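The key-material rules from Tables 49 to 51 and the key used in this example, as an added Python example that is not H3C code. It checks WEP keys and preshared keys against the lengths the tables give and shows how a pass-phrase maps to a raw key using the IEEE 802.11i PBKDF2 mapping, which this guide does not spell out. Assumptions: the SSID equals the service name psk, a raw-key is the 256-bit PSK written as 64 hexadecimal digits, and all function names are hypothetical.

```python
import hashlib
import string

# (ASCII characters, hexadecimal digits) per WEP option, from Table 49.
WEP_KEY_LENGTHS = {"wep40": (5, 10), "wep104": (13, 26), "wep128": (16, 32)}
HEX_DIGITS = set(string.hexdigits)
RAW_KEY_HEX_DIGITS = 64  # assumption: 256-bit PSK written as hex digits


def classify_wep_key(option, key):
    """Return 'ascii' or 'hex' if key fits the WEP option, else raise."""
    if option not in WEP_KEY_LENGTHS:
        raise ValueError("unknown WEP option: %r" % option)
    n_chars, n_hex = WEP_KEY_LENGTHS[option]
    if len(key) == n_hex and set(key) <= HEX_DIGITS:
        return "hex"
    if len(key) == n_chars and key.isascii() and key.isalnum():
        return "ascii"
    raise ValueError("%s needs %d alphanumeric characters or %d hex digits"
                     % (option, n_chars, n_hex))


def check_preshared_key(mode, value):
    """Validate a Preshared Key field value; return it normalized."""
    if mode == "pass-phrase":
        # 8 to 63 displayable (printable ASCII) characters.
        if not 8 <= len(value) <= 63:
            raise ValueError("pass-phrase must be 8 to 63 characters")
        if not all(32 <= ord(c) <= 126 for c in value):
            raise ValueError("pass-phrase must be displayable characters")
        return value
    if mode == "raw-key":
        if len(value) != RAW_KEY_HEX_DIGITS or not set(value) <= HEX_DIGITS:
            raise ValueError("raw-key must be %d hex digits"
                             % RAW_KEY_HEX_DIGITS)
        return value.lower()
    raise ValueError("unknown preshared key mode: %r" % mode)


def derive_raw_key(passphrase, ssid):
    """Map a pass-phrase to the raw key for one SSID (IEEE 802.11i).

    PSK = PBKDF2-HMAC-SHA1(pass-phrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same pass-phrase gives a different raw
    key on every SSID.
    """
    check_preshared_key("pass-phrase", passphrase)
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return psk.hex()


if __name__ == "__main__":
    # Values from this configuration example: key 12345678, service psk.
    raw = derive_raw_key("12345678", "psk")
    print("raw-key for SSID psk:", raw)
    print("accepted as raw-key:", check_preshared_key("raw-key", raw) == raw)
    print("wep104 sample:", classify_wep_key("wep104", "abcdefghijklm"))
```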

Local MAC authentication configuration example


Network requirements
As shown in Figure 70, it is required to perform MAC authentication on the client.
Figure 70 Network diagram for local MAC authentication configuration

Configuration procedure
1. Configure a wireless service

# Create a wireless service.


Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 71:
Figure 71 Create a wireless service

Select the radio unit 1.

Set the service name to mac-auth.

Select the wireless service type clear.

Click Apply.

2. Configure local MAC address authentication

After you have created a wireless service, you will enter the wireless service configuration page. You
need to perform security setup when configuring MAC authentication, as shown in Figure 72:
Figure 72 Security setup

Select the Open-System from the Authentication Type drop-down list.

Select the Port Set option, and select mac-authentication from the Port Mode drop-down list.

Select the MAC Authentication option, and select system from the Domain drop-down list.

Click Apply.

3. Enable the wireless service

Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
a wireless service, as shown in Figure 73:
Figure 73 Enable the wireless service

Select the mac-auth option.

Click Enable.

4. Configure a MAC authentication list

Select Interface Setup > Wireless > Access Service from the navigation tree, and click MAC
Authentication List to enter the page for configuring a MAC authentication list, as shown in Figure 74:
Figure 74 Add a MAC authentication list

Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example.

Click Add.

5. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)

Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
that 802.11g is enabled.
6. Configure the client

Launch the client, and refresh the network list. Select the configured service in Choose a wireless network
(mac-auth in this example), and click Connect, as shown in Figure 75. If the MAC address of the client is
in the MAC address list, the client can pass the MAC authentication and access the wireless network.


Figure 75 Configure the client

Configuration verification
If the MAC address of the client is in the MAC authentication list, the client can pass authentication and
access the WLAN network. If you select Interface Setup > Wireless > Access Service from the navigation
tree, and then click the Client tab, you can view the online clients.

Remote MAC authentication configuration example


Network requirements
It is required to perform remote MAC authentication on the client. More specifically:

Use the intelligent management center (iMC) as the RADIUS server for authentication, authorization,
and accounting (AAA). On the RADIUS server, configure the client's username and password as
the MAC address of the client and the shared key as expert. The IP address of the RADIUS server
is 10.18.1.88.


The IP address of the device is 10.18.1.1. On the device, configure the shared key for communication
with the RADIUS server as expert, and configure the device to remove the domain name of a
username before sending it to the RADIUS server.

Figure 76 Remote MAC authentication

Configuration procedure
1. Configure wireless service

# Create a wireless service.


Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to enter the
page for creating a wireless service, as shown in Figure 77:
Figure 77 Create a wireless service

Select radio unit 1.

Set the wireless service name as mac-auth.

Select the wireless service type clear.

Click Apply.

2. Configure MAC authentication

After you create a wireless service, the wireless service configuration page appears. Then you can
configure MAC authentication on the Security Setup area, as shown in Figure 78:


Figure 78 Security setup

Select Open-System from the Authentication Type drop-down list.

Select the Port Set option, and select mac-authentication from the Port Mode drop-down list.

Select the MAC Authentication option, and select system from the Domain drop-down list.

Click Apply.

3. Enable the wireless service

Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page as shown
in the following figure.
Figure 79 Enable the wireless service

Select the mac-auth option.

Click Enable.

4. Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)

Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
that 802.11g is enabled.
5. Configure the RADIUS server (iMC v3)

NOTE:
The following takes the iMC (iMC PLAT 3.20-R2602 and iMC UAM 3.60-E6102) as an example to
illustrate the basic configuration of the RADIUS server.

# Add an access device.


Log in to the iMC management platform. Select the Service tab, and then select Access Service > Access
Device from the navigation tree to enter the access device configuration page. Click Add on the page to
enter the configuration page as shown in Figure 80:

Input expert as the Shared Key.

Add ports 1812 and 1813 for Authentication Port and Accounting Port respectively.

Select LAN Access Service for Service Type.

Select H3C for Access Device Type.

Select or manually add the access device with the IP address 10.18.1.1.

Figure 80 Add access device

# Add service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to
enter the add service page. Then click Add on the page to enter the following configuration page. Set the
service name as mac, and keep the default values for other parameters.
Figure 81 Add service

# Add an account.

Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page as shown in Figure 82.

Enter username 00-14-6c-8a-43-ff.

Set the account name and password both as 00-14-6c-8a-43-ff.

Select the service mac.

Figure 82 Add account

6. Configure the RADIUS server (iMC v5)

NOTE:
The following takes the iMC (iMC PLAT 5.0 and iMC UAM 5.0) as an example to illustrate the basic
configuration of the RADIUS server.
# Add an access device.
Log in to the iMC management platform. Select the Service tab, and then select Access Service > Access
Device from the navigation tree to enter the access device configuration page. Click Add on the page to
enter the configuration page as shown in Figure 80:

Input expert as the Shared Key. Keep the default values for other parameters.

Select or manually add the access device with the IP address 10.18.1.1.


Figure 83 Add access device

# Add service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to
enter the add service page. Then click Add on the page to enter the following configuration page. Set the
service name as mac, and keep the default values for other parameters.
Figure 84 Add service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page as shown in Figure 82.

Enter username 00-14-6c-8a-43-ff.

Set the account name and password both as 00-14-6c-8a-43-ff.

Select the service mac.


Figure 85 Add account

Configuration verification
During authentication, the user does not need to input the username or password. After passing MAC
authentication, the client can associate with the device and access the WLAN. You can view the online
clients by selecting Interface Setup > Wireless > Summary from the navigation tree and then clicking the
Client tab.
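How the values configured in this example fit together on the wire, as an added Python example that is not H3C or iMC code. It builds the RADIUS Access-Request that carries the client MAC address as both username and password and hides the password with the shared key expert as RFC 2865 specifies. Assumptions: the device sends a PAP-style User-Password attribute, domain names take the form user@domain, the request authenticator is a constructed fixed value (a real device uses a random one), and all function names are hypothetical.

```python
import hashlib
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def mac_to_account(mac):
    """Normalize a MAC such as 0014-6c8a-43ff to 00-14-6c-8a-43-ff."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def strip_domain(username):
    """Remove the domain name before the username goes to the server."""
    return username.split("@", 1)[0]


def keystream(secret, previous):
    """One 16-byte mask: MD5(shared secret + previous block)."""
    return hashlib.md5(secret + previous).digest()


def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding, chained over 16-byte blocks."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = bytes(16)
    hidden, previous = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = keystream(secret, previous)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], mask))
        hidden += block
        previous = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server does with its copy of the shared key."""
    clear, previous = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = keystream(secret, previous)
        clear += bytes(c ^ k for c, k in zip(block, mask))
        previous = block
    return clear.rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret,
                         authenticator, nas_ip):
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = (attribute(USER_NAME, strip_domain(username).encode())
             + attribute(USER_PASSWORD, hidden)
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {attribute type: value} for a RADIUS packet."""
    attrs, offset = {}, 20
    length = struct.unpack("!H", packet[2:4])[0]
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[offset + 2:offset + attr_len]
        offset += attr_len
    return attrs


SAMPLE_AUTHENTICATOR = bytes(range(16))  # constructed, not random

if __name__ == "__main__":
    account = mac_to_account("0014-6c8a-43ff")
    request = build_access_request(1, account, account, b"expert",
                                   SAMPLE_AUTHENTICATOR, "10.18.1.1")
    print(request.hex())
```

The shared key never appears in the packet; a server configured with a different key recovers a different password and rejects the request.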

Remote 802.1x authentication configuration example


Network requirements
It is required to perform remote 802.1X authentication on the client. More specifically:

Use the CAMS or iMC as a RADIUS server for AAA. On the RADIUS server, configure the client's
username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS
server is 10.18.1.88.

On the device, configure the shared key as expert, and configure the device to remove the domain
name of a username before sending it to the RADIUS server. The IP address of the device is
10.18.1.1.


Figure 86 Remote 802.1X authentication


(Diagram: RADIUS server 10.18.1.88, IP network, switch, router 10.18.1.1, and client on SSID dot1x.)

Configuration procedure
1. Configure wireless service

# Create a wireless service.


Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 87:
Figure 87 Create a wireless service

Select radio unit 1.

Set the service name as dot1x.

Select the wireless service type crypto.

Click Apply.

2. Configure 802.1X authentication

After you create a wireless service, the wireless service configuration page appears. Then you can
configure 802.1X authentication on the Security Setup area, as shown in Figure 88:

106

Figure 88 Security setup

Select Open-System from the Authentication Type drop-down list.

Select the Cipher Suite option, select CCMP from the Cipher Suite drop-down list, and select WPA2
from the Security IE drop-down list.

Select the Port Set option, and select userlogin-secure-ext from the Port Mode drop-down list.

Select system from the Mandatory Domain drop-down list.

Select EAP from the Authentication Method drop-down list.

Disable Handshake and Multicast Trigger (recommended).

Click Apply.

3. Enable the wireless service

Select Interface Setup > Wireless > Access Service from the navigation tree.

Select the dot1x option.

Click Enable.

4. Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)

Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
that 802.11g is enabled.

5. Configure the RADIUS server (iMC v3)

NOTE:
The following takes the iMC (iMC PLAT 3.20-R2602 and iMC UAM 3.60-E6102) as an example to
illustrate the basic configuration of the RADIUS server.
# Add an access device.
Log in to the iMC management platform. Select the Service tab, and then select Access Service > Access
Device from the navigation tree to enter the access device configuration page. Click Add on the page to
enter the configuration page as shown in Figure 89:

Input expert as the Shared Key.

Add ports 1812 and 1813 for Authentication Port and Accounting Port, respectively.

Select LAN Access Service for Service Type.

Select H3C for Access Device Type.

Select or manually add the access device with the IP address 10.18.1.1.

Figure 89 Add access device

# Add a service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to
enter the add service page. Then click Add on the page to enter the following configuration page.

Set the service name as dot1x.

Set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN.


Figure 90 Add a service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page shown in Figure 91.

Enter username user.

Set the account name as user and password as dot1x.

Select the service dot1x.

Figure 91 Add account

6. Configure the RADIUS server (iMC v5)

NOTE:
The following takes the iMC (iMC PLAT 5.0 and iMC UAM 5.0) as an example to illustrate the basic
configuration of the RADIUS server.
# Add an access device.
Log in to the iMC management platform. Select the Service tab, and then select Access Service > Access
Device from the navigation tree to enter the access device configuration page. Click Add on the page to
enter the configuration page as shown in Figure 89:

Input expert as the Shared Key. Keep the default values for other parameters.

Select or manually add the access device with the IP address 10.18.1.1.

Figure 92 Add access device

# Add a service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to
enter the add service page. Then click Add on the page to enter the following configuration page.

Set the service name as dot1x.

Set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN.


Figure 93 Add a service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page shown in Figure 91.

Enter username user.

Set the account name as user and password as dot1x.

Select the service dot1x.


Figure 94 Add account

7. Configure the wireless card

Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection
Status window appears. Click the Properties button in the General tab. The Wireless Network
Connection Properties window appears. In the Wireless Networks tab, select the wireless network with the
SSID dot1x, and then click Properties. The dot1x Properties window appears. Then, in the
Authentication tab, select Protected EAP (PEAP) from the EAP type drop-down list, and click Properties. In
the popup window, clear Validate server certificate, and click Configure. In the popup dialog box, clear
Automatically use my Windows logon name and password (and domain if any). The configuration
procedure is shown in Figure 95 through Figure 97.


Figure 95 Configure the wireless card (I)


Figure 96 Configure the wireless card (II)


Figure 97 Configure the wireless card (III)

Configuration verification

After you input username user and password dot1x in the popup dialog box, the client can
associate with the device and access the WLAN.

You can view the online clients by selecting Interface Setup > Wireless > Summary from the
navigation tree, and then clicking the Client tab.

802.11n configuration example


Network requirements
As shown in Figure 98, configure the 802.11n-capable AP to allow the 802.11n client to access the
wireless network at a high rate.
Figure 98 Network diagram for wireless service configuration

Configuration procedure
1. Configure a wireless service

# Create a wireless service.


Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 99:
Figure 99 Create a wireless service

Select the radio unit 1.

Set the service name to 11nservice.

Select the wireless service type clear.

Click Apply.

2. Enable the wireless service

Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
a wireless service, as shown in Figure 100:
Figure 100 Enable the wireless service

Select the 11nservice option.

Click Enable.

3. Enable 802.11n(2.4GHZ) radio (By default, 802.11n(2.4GHZ) radio is enabled. Therefore, this
step is optional.)

Configuration verification
If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you
can view the online clients.
Among these online clients, 0014-6c8a-43ff is an 802.11g client, and 001e-c144-473a is an 802.11n
client. In this example, client types are not restricted. Therefore, both 802.11g and 802.11n clients can
access the wireless network. If Client 802.11n Only is configured, only 001e-c144-473a can access the
wireless network.


Configuration guidelines
When configuring 802.11n, note that:

Select Interface Setup > Wireless > Radio from the navigation tree, select the radio unit to be
configured, and click the corresponding icon to enter the radio configuration page, where you
can modify the 802.11n-related parameters, including Bandwidth Mode, A-MSDU, A-MPDU, Short
GI, and Client 802.11n Only (permitting only 802.11n users to access the wireless network).

Make sure that 802.11n(2.4GHZ) is enabled.

Select Interface Setup > Wireless > Radio from the navigation tree to modify the 802.11n rate


Client mode
In client mode, a router accesses the wireless network as a client. Multiple hosts
or printers in the wired network can access the wireless network through the router.
Figure 101 Client mode

Enabling the client mode


Select Interface Setup > Wireless Service > Client Mode from the navigation tree and click Connect Setup
to enter the page shown in Figure 102.
Figure 102 Enable the client mode

Select the radio unit to be enabled, and then click Enable.


NOTE:
Support for radio mode types depends on your device model.
You cannot enable an access service or WDS service on a radio interface with the client mode enabled.
To modify the radio mode, select Radio > Radio from the navigation tree, find the radio to be configured
in the list, click the corresponding icon, and change the radio mode in the Radio Mode option.
If the 802.11(2.4GHz) client mode is used, the client can scan 802.11(2.4GHz) wireless services.
With the client mode enabled, you can check the existing wireless services in the wireless service list.
Figure 103 Check the wireless service list

Connecting the wireless service


1. Method 1: Click the Connect icon of the wireless service

Click the Connect icon of the wireless service in the wireless service list, and a SET CODE dialog box
shown in Figure 104 appears.
Figure 104 Set a code

The following authentication modes are supported:

Open System

Shared key

RSN + PSK

Table 60 Configuration items of connecting the wireless service

Item

Remarks

AuthMode

Specify the network authentication mode, which can be:
Open System: open system authentication, namely, no authentication
Shared Key: shared key authentication, which requires the client and the device to be configured
with the same shared key.
RSN+PSK: PSK authentication

CipherSuite

Set the data encryption mode, which can be:
Clear: no encryption
WEP: WEP encryption
TKIP/CCMP: TKIP/CCMP encryption

Password

Configure the WEP key

KeyID

There are four static keys in WEP. Their key indexes are 1, 2, 3,
and 4. The key corresponding to the specified key index will be
used for encrypting and decrypting frames.

2. Method 2: Associate the specified wireless service

You can also input a wireless service to specify the wireless service to be connected on the page
displayed after clicking the Connect icon of the wireless service.
Figure 105 Associate the specified wireless service

Input the specified wireless service in the input box, and click Connect. Then the dialog box in Figure 104
appears. Set the options on the dialog box according to the specified wireless service type.

Displaying statistics
Select Interface Setup > Wireless Service > Client Mode from the navigation tree and click Statistic
Information to enter the page shown in Figure 106.
Figure 106 Display statistics


Client mode configuration example


Network requirements
As shown in Figure 107, the router accesses the wireless network as a client. The Ethernet interface of the
router connects to multiple hosts or printers in the wired network, and thus the wired network is connected
to the wireless network through the router. More specifically:

The AP accesses the wired LAN, and the router accesses the AP as a client.

The router accesses the wireless service psk by passing the RSN(CCMP)+PSK authentication.

Client with MAC address 0014-6c8a-43ff also accesses the wireless service psk.

Figure 107 Network diagram for client mode configuration

Configuration procedure
1. Enable the client mode

Select Interface Setup > Wireless Service > Client Mode from the navigation tree and click Connect Setup
to enter the page shown in Figure 108.


Figure 108 Enable the client mode

Select the option corresponding to 802.11g and click Enable. With the client mode enabled, you can
check the existing wireless services in the wireless service list.
Figure 109 Check the wireless service list

2. Connect the wireless service

Click the Connect icon of the wireless service psk in the wireless service list, and a SET CODE dialog box
shown in Figure 110 appears.
Figure 110 Set a code

Specify the AuthMode as RSN+PSK.

Specify the CipherSuite as CCMP/AES.

Set the Password to that on the AP, 12345678.

Click Apply.


Configuration verification
On the AP shown in Figure 107, select Interface Setup > Wireless Service > Summary > Client from the
navigation tree to enter the page shown in Figure 111, where you can check that the router is online.
Figure 111 Check that the workgroup bridge is online

You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address
000f-e2333-5510 have been successfully associated with the AP.

The wired devices on the right (such as printers and PCs) can access the wireless network through
the router.

Configuration guidelines
As shown in Figure 112, if the router uses two radio interfaces at the same time, the client connecting to
radio 2 can access the AP through the router.
Figure 112 Network diagram for the router using two radio interfaces at the same time


Radio configuration
802.11b/g/n operates in the 2.4 GHz band. Each band can be divided into multiple channels for wireless
communication. You can configure and adjust the channels to achieve optimal performance.
To configure a radio, select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio
page, select the desired AP, and click the icon to enter the AP radio setup page, as shown
in Figure 113:
Figure 113 Radio setup

Table 61 Configuration items of radio setup

Item

Description

Radio Unit

Displays the selected radios

Radio Mode

Displays the selected radio mode.

Transmit Power

Maximum radio transmission power, which varies with country codes, channels, radio modes and
antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also
depends on the bandwidth mode.

Channel

Specify the working channel of the radio, which varies with radio types and country codes.
auto: The working channel is automatically selected. If you select this mode, the AP checks the
channel quality in the WLAN network, and selects the channel of the best quality as its working
channel.
If you modify the working channel configuration, the transmit power will be automatically adjusted.

802.11n

IMPORTANT:
The option is available only when the device supports 802.11n.

bandwidth mode

802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data
forwarding, the two 20-MHz channels can work separately with one acting as the primary channel
and the other acting as the secondary channel or work together as a 40-MHz channel. This
provides a simple way of doubling the data rate.
By default, the channel bandwidth of the 802.11n radio (2.4GHz) is 20 MHz.
IMPORTANT:
If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz channel is used as the working
channel. If no 40 MHz channel is available, a 20 MHz channel is used. For the specifications, see
IEEE P802.11n D2.00.
If you modify the bandwidth mode configuration, the transmit power will be automatically adjusted.

client dot11n-only

If you select the client dot11n-only option, non-802.11n clients are prohibited
from access. If you want to provide access for all 802.11b/g clients, you need
to disable this function.

A-MSDU

Selecting the A-MSDU option enables A-MSDU.
Multiple MAC Service Data Units (MSDU) can be aggregated into a single
A-MSDU. This reduces the MAC header overhead and thus improves MAC
layer forwarding efficiency.
At present, only A-MSDUs can be received.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the
same A-MSDU configuration.

A-MPDU

Selecting the A-MPDU option enables A-MPDU.
802.11n introduces the A-MPDU frame format. By using only one PHY header,
each A-MPDU can accommodate multiple Message Protocol Data Units
(MPDUs) which have their PHY headers removed. This reduces the overhead in
transmission and the number of ACK frames to be used, and thus improves
network throughput.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the
same A-MSDU configuration.

short GI

Selecting the short GI option enables short GI.
Delays may occur during receiving radio signals due to factors like multi-path
reception. Therefore, a subsequently sent frame may interfere with a
previously sent frame. The GI function is used to avoid such interference. It
increases the throughput by 10 percent.
The short GI function is independent of bandwidth and thus supports both
20MHz and 40MHz bandwidths.


Figure 114 Radio setup (advanced setup)

Table 62 Configuration items of radio setup

Item

Description

Preamble

Preamble is a pattern of bits at the beginning of a frame so that the receiver
can sync up and be ready for the real data. There are two different kinds of
preambles:
Short preamble. A short preamble improves network performance. Therefore, this option is
always selected.
Long preamble. A long preamble ensures compatibility between access point and some legacy
client devices. Therefore, you can select this option to make legacy client devices support short
preamble.

Transmit Distance

Maximum coverage of a radio

ANI

Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device
automatically adjusts the noise immunity level according to the surrounding
signal environment to eliminate RF interference.
Enable: Enables ANI.
Disable: Disables ANI.

Client Max Count

Maximum number of clients that can be associated with one radio

Fragment Threshold

Specifies the maximum length of frames that can be transmitted without
fragmentation. When the length of a frame exceeds the specified fragment
threshold value, it is fragmented.
In a wireless network where error rate is high, you can decrease the fragment threshold by a
rational value. In this way, when a fragment of a frame is not received, only this fragment rather
than the whole frame needs to be retransmitted, and thus the throughput of the wireless network is
improved.
In a wireless network where no collision occurs, you can increase the fragment threshold by a
rational value to decrease acknowledgement packets and thus increase network throughput.

Beacon Interval

Interval for sending beacon frames. Beacon frames are transmitted at a regular
interval to allow mobile clients to join the network. Beacon frames are used for
a client to identify nearby APs or network control devices.

RTS Threshold

Request to send (RTS) threshold length. If a frame is larger than this value, the
RTS mechanism will be used.
RTS is used to avoid data collisions in a WLAN.
A smaller RTS threshold causes RTS packets to be sent more often, thus
consuming more available bandwidth. However, the more often RTS packets
are sent, the quicker the system can recover from interference or collisions.
In a high-density WLAN, you can decrease the RTS threshold by a rational
value to reduce collisions in the network.
IMPORTANT:
The RTS mechanism occupies bandwidth. Therefore, this mechanism applies only
to data frames larger than the RTS threshold.

DTIM Period

Number of beacon intervals between delivery traffic indication message
(DTIM) transmissions. The device sends buffered broadcast/multicast frames
when the DTIM counter reaches 0.

Long Retry Threshold

Number of retransmission attempts for unicast frames larger than the RTS
threshold.

Short Retry Threshold

Number of retransmission attempts for unicast frames smaller than the RTS
threshold if no acknowledgment is received for it.

Max Receive Duration

Interval for which a frame received by a device can stay in the buffer memory

Configuring data transmit rates


Configuring 802.11b/802.11g rates
Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab to enter the
page shown in Figure 115:


Figure 115 Set 802.11b/802.11g rates

Table 63 Configuration items of setting 802.11a/802.11b/802.11g rates

Item

Description

802.11b

Configure rates (in Mbps) for 802.11b.
By default:
Mandatory rates are 1 and 2;
Supported rates are 5.5 and 11;
Multicast rate: Automatically selected from the mandatory rates. The
transmission rate of multicasts in a BSS is selected from the mandatory rates
supported by all the clients.

802.11g

Configure rates (in Mbps) for 802.11g.
By default:
Mandatory rates are 1, 2, 5.5, and 11;
Supported rates are 6, 9, 12, 18, 24, 36, 48, and 54;
Multicast rate: Automatically selected from the mandatory rates. The
transmission rate of multicasts in a BSS is selected from the mandatory rates
supported by all the clients.

Configuring 802.11n MCS


Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum
Modulation and Coding Scheme (MCS) index.
Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab to enter the
page shown in Figure 116:
Figure 116 Set 802.11n rate


Table 64 Configuration items of setting 802.11n rate

Item

Description

Mandatory Maximum MCS

Set the maximum MCS index for 802.11n mandatory rates.
IMPORTANT:
If you select the client dot11n-only option, you must configure the mandatory
maximum MCS.

Multicast MCS

Set the multicast MCS for 802.11n.
The multicast MCS is adopted only when all the clients use 802.11n. If a
non-802.11n client exists, multicast traffic is transmitted at a mandatory MCS data
rate.
IMPORTANT:
When the multicast MCS takes effect, the corresponding data rates defined for
20 MHz are adopted no matter whether the 802.11n radio operates in 40 MHz
mode or in 20 MHz mode.

Supported Maximum MCS

Set the maximum MCS index for 802.11n supported rates.


NOTE:
For more information about MCS, see the H3C MSR Series Routers WLAN Configuration Guide.

Displaying radio
Displaying wireless services bound to a radio
Select Interface Setup > Wireless > Summary from the navigation tree, click the Radio tab, click the
specified radio unit, and select the Wireless Service tab to view the wireless services bound to the radio.
Figure 117 Display wireless services bound to the radio

NOTE:
The Noise Floor item in the table indicates various random electromagnetic waves during the wireless
communication. For the environment with a high noise floor, you can improve the signal-to-noise ratio
(SNR) by increasing the transmit power or reducing the noise floor.

Displaying detailed radio information


Select Interface Setup > Wireless > Summary from the navigation tree, and click the Radio tab. Then click
the specified radio unit, and select the Detail Info tab to view the corresponding detailed information.


Figure 118 Display detailed radio information

Table 65 Fields of detailed radio information

Field

Description

WLAN-Radio1/0 current state: UP

The state of the radio interface

IP Packet Frame Type

Output frame encapsulation type

Hardware Address

MAC address of the radio interface

Radio-type dot11g

WLAN protocol type used by the interface

channel

Channel used by the interface. The keyword auto
means the channel is automatically selected.
If the channel is manually configured, the field will be
displayed in the format of channel
configured-channel.

power(dBm)

Transmit power of the interface (in dBm).

Received: 2 authentication frames, 2 association frames

Number of authentication and association frames received

Sent out: 2 authentication frames, 2 association frames

Number of authentication and association frames sent

Stations: 0 associating, 2 associated

Number of stations being associating and stations having been associated

Input : 70686 packets, 6528920 bytes
: 255 unicasts, 34440 bytes
: 70461 multicasts/broadcasts, 6494480 bytes
: 0 fragmented
: 414 discarded, 26629 bytes
: 0 duplicates, 3785 FCS errors
: 0 decryption errors

Input packet statistics of the interface:
Number of packets, number of bytes
Number of unicast packets, number of bytes of unicast packets
Number of multicasts/broadcast packets, number of bytes of multicasts/broadcast packets
Number of fragmented packets
Number of discarded packets, number of discarded bytes
Number of duplicate frames, number of FCS errors
Number of encryption errors

Output: 3436 packets, 492500 bytes
: 3116 unicasts, 449506 bytes
: 320 multicasts/broadcasts, 42994 bytes
: 0 fragmented
: 948 discarded, 100690 bytes
: 0 failed RTS, 1331 failed ACK
: 4394 transmit retries, 1107 multiple transmit retries

Output packet statistics of the interface:
Number of packets, number of bytes
Number of unicast packets, number of bytes of unicast packets
Number of multicasts/broadcast packets, number of bytes of multicasts/broadcast packets
Number of fragmented packets
Number of discarded packets, number of discarded bytes
Number of failed RTS packets, number of failed ACK packets
Number of retransmitted frames, number of transmission retries


WLAN security configuration


When it comes to security, a WLAN is inherently weaker than a wired LAN because all the wireless
devices use the air as the transmission media, which means that the data transmitted by one device can
be received by any other device within the coverage of the WLAN. To enhance WLAN security, you can
use white and black lists and user isolation to control user access and behavior.

Blacklist and white list


You can configure the blacklist and white list functions to filter frames from WLAN clients and thereby
implement client access control.
The WLAN client access control is accomplished through the following three types of lists.

White list: Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist
is used, only permitted clients can access the WLAN, and all frames from other clients will be
discarded.

Static blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. This list is
manually configured.

Dynamic blacklist: Contains MAC addresses of clients whose frames will be dropped. A client is
dynamically added to the list if it is considered to be sending attack frames, and it stays in the list
until the timer of the entry expires.

When a device receives an 802.11 frame, it checks the source MAC address of the frame and processes
the frame as follows:
1. If the source MAC address does not match any entry in the white list, the frame is dropped. If there
is a match, the frame is considered valid and will be further processed.

2. If no white list entries exist, the static and dynamic blacklists are searched.

If the source MAC address matches an entry in either of the two lists, the frame is dropped.

If there is no match, or no blacklist entries exist, the frame is considered valid and will be further
processed.
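
The processing order above, written out as a small Python model that also handles the entry lifetime of the dynamic blacklist (an added example, not H3C code). The class and method names, the 300-second lifetime and the injected clock are assumptions; the MAC addresses are the sample clients used elsewhere in this guide, and flood detection itself is not modelled.

```python
import re
import time

_SEPARATORS = re.compile(r"[-:.]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits.

    Accepts both notations used in this guide: 00-14-6c-8a-43-ff (RADIUS
    account name) and 0014-6c8a-43ff (client list), plus colon/dot forms.
    """
    digits = _SEPARATORS.sub("", text.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


class ClientAccessControl:
    """Model of the two-step frame check (hypothetical names, not device code)."""

    def __init__(self, lifetime_s, clock=time.monotonic):
        self.lifetime_s = lifetime_s      # lifetime of dynamic entries, seconds
        self._clock = clock               # injectable so expiry can be tested
        self.white = set()
        self.static_black = set()
        self._dynamic_black = {}          # MAC -> time at which the entry expires

    def allow(self, mac):
        self.white.add(normalize_mac(mac))

    def block(self, mac):
        self.static_black.add(normalize_mac(mac))

    def block_dynamic(self, mac):
        """Called by a flood detector (not modelled); starts the entry timer."""
        self._dynamic_black[normalize_mac(mac)] = self._clock() + self.lifetime_s

    def _expire(self):
        now = self._clock()
        for mac in [m for m, t in self._dynamic_black.items() if t <= now]:
            del self._dynamic_black[mac]

    def check(self, source_mac):
        """Return (verdict, reason) for a frame with this source MAC."""
        mac = normalize_mac(source_mac)
        self._expire()
        # Step 1: if white list entries exist, only the white list decides.
        if self.white:
            if mac in self.white:
                return "accept", "white list match"
            return "drop", "not in white list"
        # Step 2: no white list entries, so search both blacklists.
        if mac in self.static_black:
            return "drop", "static blacklist"
        if mac in self._dynamic_black:
            return "drop", "dynamic blacklist"
        return "accept", "no blacklist match"


def demo():
    """Constructed scenario with a fake clock; returns the verdicts in order."""
    now = [0.0]
    acl = ClientAccessControl(lifetime_s=300, clock=lambda: now[0])
    g_client, n_client = "0014-6c8a-43ff", "001e-c144-473a"
    results = []
    acl.block(g_client)
    acl.block_dynamic(n_client)
    results.append(acl.check("00-14-6c-8a-43-ff"))  # same client, other notation
    results.append(acl.check(n_client))
    now[0] = 299.0
    results.append(acl.check(n_client))             # timer still running
    now[0] = 300.0
    results.append(acl.check(n_client))             # entry expired and removed
    acl.allow(g_client)                             # white list is now non-empty
    results.append(acl.check(g_client))             # step 1 decides in this model
    results.append(acl.check(n_client))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In this model a MAC address that is on both the white list and the static blacklist is accepted, because the stated order never reaches the blacklists once white list entries exist; the model itself does not stop an address from being placed on both lists.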

Configuring the blacklist and white list functions


Configuring dynamic blacklist
Select Interface Setup > Wireless > Security from the navigation tree, and then select the Blacklist tab to
enter the dynamic blacklist configuration page, as shown in Figure 119.


Figure 119 Dynamic blacklist configuration page

Table 66 Dynamic blacklist configuration items

Item

Description

Dynamic Blacklist

Enable: Enables dynamic blacklist.
Disable: Disables dynamic blacklist.
IMPORTANT:
Before enabling the dynamic blacklist function, you need to select the Flood Attack
Detect option in the WIDS Setup page.

Lifetime

Configure the lifetime of the entries in the blacklist. When the lifetime of an entry
expires, the entry is removed from the blacklist.

NOTE:
At present, these attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood,
Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.

Configuring static blacklist


On the blacklist configuration page as shown in Figure 119, select the Static tab to enter the static blacklist
configuration page, as shown in Figure 120. Click Add Static to enter the static blacklist configuration
page.


Figure 120 Static blacklist configuration

Table 67 Static blacklist configuration items

Item

Description

You can configure a static blacklist in the following two ways:

MAC Address

Select the MAC Address option, and then add a MAC address to the static black
list.

Select Current Connect Client

If you select the option, the table below lists the current existing clients. Select the
options of the clients to add their MAC addresses to the static blacklist.

Configuring white list


Select Interface Setup > Wireless > Security from the navigation tree, and then select the Whitelist tab.
Click Add to enter the white list configuration page, as shown in Figure 121.
Figure 121 White list configuration

Table 68 White list configuration items

Item

Description

You can configure a white list in the following two ways:

MAC Address

Select the MAC Address option and then add a MAC address to the white list.

Select Current Connect Client

If you select the option, the table below lists the current existing clients. Select the
check boxes of the clients to add their MAC addresses to the white list.

User isolation
If a device has the user isolation feature enabled, clients associated with it are isolated at Layer 2.
As shown in Figure 122, after user isolation is enabled on the device, the clients cannot ping each
other or learn each other's MAC or IP addresses, because they cannot exchange Layer 2 packets.
Figure 122 Network diagram for user isolation

Configuring user isolation


Select Interface Setup > Wireless > Security from the navigation tree, and click the User Isolate tab to
enter the page as shown in Figure 123.
Figure 123 User isolation configuration


Table 69 User isolation configuration item

Item

Description

User Isolate

Enable: Enables user isolation on the AP to isolate the clients associated with it
at Layer 2.
Disable: Disables the user isolation.
By default, wireless user isolation is disabled.


WLAN QoS configuration


An 802.11 network offers wireless access based on the carrier sense multiple access with collision
avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel
contention opportunities, and all applications carried on the WLAN use the same channel contention
parameters. A live WLAN, however, is required to provide differentiated access services to address
diversified requirements of applications for bandwidth, delay, and jitter.
To provide applications with QoS services, IEEE developed 802.11e for the 802.11-based WLAN
architecture.
While IEEE 802.11e was being standardized, Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM)
standard to allow QoS provision devices of different vendors to interoperate. WMM makes a WLAN
network capable of providing QoS services.
NOTE:
For an introduction to the WLAN QoS terminology and the WMM protocol, see the H3C MSR Series Routers
WLAN Configuration Guide.

Configuring wireless QoS


Enabling wireless QoS
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and select the QoS Service
tab to enter the page displaying the QoS, as shown in Figure 124.
Figure 124 Wireless QoS

Select the check box in front of the radio unit to be configured, and click Enable. By default, wireless QoS
is enabled.
NOTE:
The WMM protocol is the foundation of the 802.11n protocol. Therefore, when the radio works in
802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n clients may
fail to communicate.


Setting the SVP service


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then select QoS Service to enter the page for displaying wireless QoS, as shown in Figure 125.
Figure 125 Wireless QoS

Find the desired radio in the AP list, and click the icon in the Operation column to enter the page for
setting SVP mapping, as shown in Figure 126.

Figure 126 Set the SVP mapping AC

Table 70 Configuration items of setting SVP mapping AC

Item

Description

Radio

Displays the selected radio

SVP Mapping

Select the SVP Mapping option, and then select the mapping AC to be used by
the SVP service:
AC-VO
AC-VI
AC-BE
AC-BK

NOTE:
SVP mapping is applicable only to non-WMM client access.

Setting CAC admission policy


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface,
select the QoS Service tab, find the desired radio in the list, and click the corresponding icon in the
Operation column to enter the page for setting CAC admission policy, as shown in Figure 127.


Figure 127 Set CAC admission policy

Table 71 Configuration items of setting CAC admission policy

Item

Description

Client Number

Users-based admission policy, namely, maximum number of clients allowed to
be connected. A client is counted only once, even if it is using both AC-VO and
AC-VI.
By default, the users-based admission policy applies, with the maximum
number of users being 20.

Channel Utilization

Channel utilization-based admission policy, namely, the ratio of the medium
time of the accepted AC-VO and AC-VI traffic to the valid time during the unit
time. The valid time is the total time during which data is transmitted.

Setting radio EDCA parameters for APs


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface,
select the QoS Service tab, find the desired radio in the list, and click the corresponding icon in the
Operation column to enter the page for configuring wireless QoS. Find the priority type (AC_BK is taken
for example here) to be modified in the radio EDCA list, and click the corresponding icon in the
Operation column to enter the page for setting radio EDCA parameters.
Figure 128 Set radio EDCA parameters

Table 72 Configuration items of setting AP EDCA


| Item | Description |
| --- | --- |
| Radio | Displays the selected radio |
| Priority type | Displays the priority type |
| AIFSN | Arbitration inter-frame spacing number used by the device |
| TXOP Limit | Transmission opportunity limit used by the device |
| ECWmin | Exponent form of CWmin used by the device |
| ECWmax | Exponent form of CWmax used by the device |
| No ACK | If you select the checkbox before No ACK, the No ACK policy is used by the device. By default, the normal ACK policy is used by the device. |

Table 73 Default radio EDCA parameters


AC

TXOP Limit

AIFSN

ECWmin

ECWmax

AC-BK

10

AC-BE

AC-VI

94

AC-VO

47

NOTE:
ECWmin cannot be greater than ECWmax.
On a device operating in 802.11b radio mode, H3C recommends that you set the TXOP-Limit to 0, 0, 188,
and 102 for AC-BK, AC-BE, AC-VI, and AC-VO, respectively.

Setting EDCA parameters for wireless clients


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface,
select the QoS Service tab, find the desired radio in the list, and click the corresponding icon in the
Operation column to enter the page for setting wireless QoS. In the Client EDCA list, find the priority type
(AC_BK is taken for example here) to be modified, and click the corresponding icon in the Operation
column to enter the page for setting client EDCA parameters, as shown in Figure 129.
Figure 129 Set client EDCA parameters

Table 74 Configuration items of setting client EDCA


| Item | Description |
| --- | --- |
| Radio | Displays the selected radio |
| Priority type | Displays the priority type |
| AIFSN | Arbitration inter-frame spacing number used by clients |
| TXOP Limit | Transmission opportunity limit used by clients |
| ECWmin | Exponent form of CWmin used by clients |
| ECWmax | Exponent form of CWmax used by clients |
| CAC | Enable CAC. Enable: Enables CAC. Disable: Disables CAC. AC-VO and AC-VI support CAC, which is disabled by default. This item is not available for AC-BE or AC-BK, because they do not support CAC. |

Table 75 Default EDCA parameters for clients


AC

TXOP Limit

AIFSN

ECWmin

ECWmax

AC-BK

10

AC-BE

10

AC-VI

94

AC-VO

47

NOTE:
ECWmin cannot be greater than ECWmax.
If all clients operate in 802.11b radio mode, H3C recommends that you set TXOPLimit to 188 and 102 for
AC-VI and AC-VO, respectively.
If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the
network, the TXOPLimit parameters in Table 75 are recommended.
Once you enable CAC for an AC, it is enabled automatically for all ACs with higher priority. For
example, if you enable CAC for AC-VI, CAC is also enabled for AC-VO. However, enabling CAC for
AC-VO does not enable CAC for AC-VI.

Displaying radio statistics


Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and select the Radio Statistics
tab to enter the page displaying radio statistics. Click a radio to see its details.


Figure 130 Display radio statistics

Table 76 Description on the output of a radio


| Field | Description |
| --- | --- |
| Radio interface | WLAN radio interface |
| Client EDCA update count | Number of client EDCA parameter updates |
| QoS mode | WMM indicates that QoS mode is enabled; None indicates that QoS mode is not enabled. |
| Radio chip QoS mode | Radio chip's support for the QoS mode |
| Radio chip max AIFSN | Maximum AIFSN allowed by the radio chip |
| Radio chip max ECWmin | Maximum ECWmin allowed by the radio chip |
| Radio chip max TXOPLimit | Maximum TXOPLimit allowed by the radio chip |
| Radio chip max ECWmax | Maximum ECWmax allowed by the radio chip |
| Client accepted | Number of clients that have been admitted to access the radio, including the number of clients that have been admitted to access the AC-VO and the AC-VI |
| Total request mediumtime(us) | Total requested medium time, including that of the AC-VO and the AC-VI |
| Calls rejected due to insufficient resource | Number of requests rejected due to insufficient resources |
| Calls rejected due to invalid parameters | Number of requests rejected due to invalid parameters |
| Calls rejected due to invalid mediumtime | Number of requests rejected due to invalid medium time |
| Calls rejected due to invalid delaybound | Number of requests rejected due to invalid delay bound |
| Admission Control Policy | Admission control policy |
| Threshold | Threshold used by the admission control policy |
| CAC-Free's AC Request Policy | Response policy adopted for CAC-disabled ACs. Response Success indicates that the response is successful. |
| CAC Unauthed Frame Policy | Policy of processing frames unauthorized by CAC, which can be: Discard: Drops frames. Downgrade: Decreases the priority of frames. Disassociate: Disassociates with the client. |
| CAC Medium Time Limitation(us) | Maximum medium time allowed by the CAC policy (in microseconds) |
| CAC AC-VO's Max Delay(us) | Maximum voice traffic delay allowed by the CAC policy (in microseconds) |
| CAC AC-VI's Max Delay(us) | Maximum video traffic delay allowed by the CAC policy (in microseconds) |
| SVP packet mapped AC number | Number of the AC to which SVP packets are mapped |
| ECWmin | |
| ECWmax | |
| AIFSN | |
| TXOPLimit | |
| Ack Policy | ACK policy adopted by an AC |
| CAC | Indicates whether an AC is controlled by CAC: Disabled indicates that the AC is not controlled by CAC, Enabled indicates that the AC is controlled by CAC. |

Displaying client statistics


Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and select the Client Statistics
tab to enter the page displaying client statistics. Click a client name to see its details.


Figure 131 Display client statistics

Table 77 Description on the output of a client


| Field | Description |
| --- | --- |
| MAC address | MAC address of the client |
| SSID | Service set ID (SSID) |
| QoS Mode | QoS mode, which can be: WMM: Indicates that the client is a QoS client. None: Indicates that the client is a non-QoS client. |
| Max SP length | Maximum service period |
| AC | Access category |
| State | APSD attribute of an AC, which can be: T: The AC is trigger-enabled. D: The AC is delivery-enabled. T \| D: The AC is both trigger-enabled and delivery-enabled. L: The AC is of legacy attributes. |
| Assoc State | APSD attribute of the four ACs when a client accesses the AP |
| Uplink CAC packets | Number of uplink CAC packets |
| Uplink CAC bytes | Number of uplink CAC bytes |
| Downlink CAC packets | Number of downlink CAC packets |
| Downlink CAC bytes | Number of downlink CAC bytes |
| Downgrade packets | Number of downgraded packets |
| Downgrade bytes | Number of downgraded bytes |
| Discard packets | Number of dropped packets |
| Discard bytes | Number of dropped bytes |


Setting rate limiting


The WLAN provides limited bandwidth for each device. As the bandwidth is shared by wireless clients
attached to the device, aggressive use of bandwidth by a client will affect other clients. To ensure fair use
of bandwidth, you can rate limit traffic of clients in either of the following two approaches:

Configure the total bandwidth shared by all clients in the same BSS. This is called dynamic mode.
The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the
configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.

Configure the maximum bandwidth that can be used by each client in the BSS. This is called static
mode. For example, if the configured rate is 1 Mbps, the rate limit of each user online is 1 Mbps.
When the set rate limit multiplied by the number of access clients exceeds the available bandwidth
provided by the device, no clients can get the guaranteed bandwidth.

Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left, select the Client
Rate Limit tab, and click Add to enter the page for setting rate limiting, as shown in Figure 132.
Figure 132 Set rate limiting

Table 78 Configuration items of setting rate limiting


| Item | Description |
| --- | --- |
| Wireless Service | Display an existing wireless service |
| Direction | Inbound or outbound. Inbound: from clients to the device. Outbound: from the device to clients. Both: Includes inbound (from clients to the device) and outbound (from the device to clients). |
| Mode | Rate limiting mode, dynamic or static: Dynamic mode, Static mode |
| Rate | Set the rate of the clients. If you select the static mode, static rate is displayed, and the rate is the bandwidth of each client. If you select the dynamic mode, share rate is displayed, and the rate is the total bandwidth of all clients. |


Wireless QoS configuration example


CAC service configuration example
Network requirements
As shown in Figure 133, an AP with WMM enabled accesses the Ethernet. Enable CAC for the AC-VO
and AC-VI queues of the clients of the fat AP. Use the user number-based admission policy to limit the
number of access users to 10, so that the clients using high-priority queues (including the AC-VO and
AC-VI queues) are guaranteed enough bandwidth.
Figure 133 Network diagram for CAC service configuration

Configuration procedure
1. Configure the access service

For related configurations, see Wireless access configuration examples. You can strictly follow the
steps in the related configuration example to configure the wireless service.
2. Configure wireless QoS

# Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and select the QoS Service
tab to enter the page shown in Figure 134. Make sure that WMM is enabled.
Figure 134 Wireless QoS configuration page

# Select the radio unit to be configured in the list and click the corresponding icon in the Operation
column to enter the page for configuring wireless QoS. In the Client EDCA list, select the priority type
(AC_VO is taken for example here) to be modified, and click the corresponding icon in the Operation
column to enter the page for setting client EDCA parameters.
Figure 135 Enable CAC

Select Enable from the CAC drop-down list.



Click Apply.

# Enable CAC for AC_VI in the same way.


# Select Interface Setup > Wireless > Wireless QoS from the navigation tree, select the QoS Service tab,
find the radio unit to be configured in the list, and click the corresponding icon in the Operation
column to enter the page for configuring wireless QoS.
Figure 136 The page for setting CAC client number

Select the Client Number option, and then input 10.

Click Apply.

Verifying the configuration


If the number of existing clients in the high-priority ACs plus the number of clients requesting access is
smaller than or equal to the user-defined maximum number of users allowed in high-priority ACs, which
is 10 in this example, the request is allowed. Otherwise, the request is rejected.

Static rate limiting configuration example


Network requirements
As shown in Figure 137, two clients access the WLAN through an SSID named service1. Limit the
maximum bandwidth per client to 128 kbps on the device.
Figure 137 Network diagram for static rate limiting configuration


Configuration procedure
1. Configure the access service

For the configuration procedure, see Wireless access configuration examples. You can strictly follow
the related configuration example to configure the wireless service.

2. Configure static rate limiting

Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click Client Rate Limit, and
click Add to enter the page for configuring rate limit settings for clients, as shown in Figure 138.
Figure 138 Configure static rate limiting

Select service1 from the Wireless Service drop-down list.

Select inbound from the direction drop-down list.

Select static from the mode drop-down list.

Input 128000 in the static rate input box.

Click Apply.

Verifying the configuration

Client 1 and Client 2 access the WLAN through an SSID named service1.

Check that traffic from Client 1 is rate limited to around 128 kbps, and so is traffic from Client 2.

Dynamic rate limiting configuration example


Network requirements
As shown in Figure 139, clients access the WLAN through an SSID named service2. Configure all clients
to share 8000 kbps of bandwidth in any direction.
Figure 139 Network diagram for dynamic rate limiting configuration

Configuration procedure
1. Configure the wireless service

For the configuration procedure, see Wireless access configuration examples. You can strictly follow
the related configuration example to configure the wireless service.

2. Configure dynamic rate limiting

Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click Client Rate Limit, and
click Add to enter the page for configuring rate limit settings for clients, as shown in Figure 140.
Figure 140 Configure dynamic rate limiting

Select service2 from the Wireless Service drop-down list.

Select both from the direction drop-down list.

Select dynamic from the mode drop-down list.

Input 8000 in the share rate input box.

Click Apply.

Verifying the configuration


Check the following:
1. When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a
rate as high as 8000 kbps.

2. When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can
each pass through at a rate as high as 4000 kbps.


Advanced configuration
District code
Radio frequencies for countries and regions vary based on country regulations. A district code
determines characteristics such as frequency range, channel, and transmit power level. Configure the
valid country code or area code for a WLAN device to meet the specific country regulations.

Setting a district code


Select Interface Setup > Wireless > District Code from the navigation tree to enter the page for setting a
district code, as shown in Figure 141.
Figure 141 Set a district code

Table 79 District code configuration item


| Item | Description |
| --- | --- |
| District Code | Select a district code. Configure the valid district code for a WLAN device to meet the country regulations. |

NOTE:
If the drop-down list is grayed out, the setting is preconfigured to meet the requirements of the target
market and is locked. It cannot be changed.
Support for district code depends on your device model.

Channel busy test


A channel busy test is a tool to test how busy a channel is. It tests channels supported by the district code
one by one, and provides a busy rate for each channel. This avoids the situation that some channels are
heavily loaded and some are idle.
During a channel busy test, routers do not provide any WLAN services. All the connected clients are
disconnected and WLAN packets are discarded.


Configuring a channel busy test


Select Interface Setup > Wireless Service > Advanced > Channel Busy Test from the navigation tree to
enter the channel busy test configuration page, as shown in Figure 142.
Figure 142 Channel busy test configuration page

Click the icon of a target AP to enter the channel busy testing page, as shown in Figure 143.

Figure 143 Test busy rate of channels

Click Start to start the testing.


Table 80 Configuration items of configuring channel busy test
| Item | Description |
| --- | --- |
| Radio Unit | Displays the radio unit, which takes the value of 1 or 2. |
| Radio Mode | Displays the radio mode of the router. |
| Test time per channel | Set a time period in seconds within which a channel is tested. Defaults to 3 seconds. |


3G management
Overview
You can connect a router to a 3G modem via the USB interface on the main board of the router. After being
connected to an external UIM card, the 3G modem can access the wireless network provided by China
Telecom and carry out 3G wireless communications.
The router supports 3G modems provided by different vendors. As a peripheral, the 3G modem is not a
part of the router. However, you can maintain and manage the 3G modem through the Web interface
of the router.

Managing the 3G modem


Displaying the 3G information
Select 3G > 3G Information from the navigation tree to enter the configuration page as shown in Figure
144. The status information of the 3G modem, UIM card and 3G network is displayed on the page.
Figure 144 3G information

Table 81, Table 82 and Table 83 describe the 3G modem information, UIM card information, and 3G
network information, respectively.

Table 81 3G modem information


| Item | Description |
| --- | --- |
| 3G Modem State | State of the 3G modem, which can be: Normal: A 3G modem is connected to the router. Absent or unrecognized modem: No 3G modem is connected to the router or the modem cannot be recognized. |
| Model | Model of the 3G modem |
| Manufacturer | Manufacturer of the 3G modem |
| CMII ID | CMII ID of the 3G modem |
| Serial Number | Serial number of the 3G modem |
| Hardware Version | Hardware version of the 3G modem |
| Firmware Version | Firmware version of the 3G modem |
| PRL Version | Preferred roaming list (PRL) version of the 3G modem |

Table 82 UIM card information


| Item | Description |
| --- | --- |
| UIM Card State | State of the UIM card, which can be: Absent; Being initialized; Fault; Destructed; PIN code protection is disabled; PIN code protection is enabled. Enter the PIN code for authentication; PIN code protection is enabled, and the PIN code has passed the authentication; The PIN code has been blocked. Enter the PUK code to unblock it. |
| IMSI | International Mobile Subscriber Identity (IMSI) of the UIM card |
| Voltage | Power voltage of the UIM card |

Table 83 3G network information


| Item | Description |
| --- | --- |
| Mobile Network | 3G network where the UIM card resides |
| Network Type | State of the 3G network where the UIM card resides, which can be: No Service, CDMA, HDR, CDMA/HDR HYBRID, Unknown |
| RSSI | Received signal strength indication (RSSI) of the 3G network |

Managing the PIN code



CAUTION:
If the PIN code is entered incorrectly more times than the maximum number of attempts allowed by the
device, the PIN code is blocked. To unblock the PIN code, you must enter the correct PUK code.
If the PUK code is entered incorrectly more times than the maximum number of attempts allowed by the
device, the UIM card is destructed. Be cautious when entering the PUK code.
Select 3G > PIN Code Management from the navigation tree to enter the PIN code management page.
The PIN code allows you to perform different operations depending on the UIM card status.

When the UIM card is abnormal


Figure 145 shows the PIN code management page in the case that the UIM card is absent, being
initialized, faulty, or destructed. In such cases, you cannot manage the PIN code.
Figure 145 PIN code management page I

When the PIN code protection is disabled for the UIM card
Figure 146 shows the PIN code management page in the case that the PIN code protection for the UIM
card is disabled. To enable the PIN code protection, type the PIN code correctly and click Apply. A PIN
code consists of four to eight digits.
Figure 146 PIN code management page II

When the PIN code needs to be entered for authentication


Figure 147 shows the PIN code management page in the case that the PIN code protection has been
enabled for the UIM card and the PIN code needs to be entered for authentication. To unblock the PIN
code protection, type the PIN code correctly and click Apply.
Figure 147 PIN code management page III

When the UIM card has passed the PIN code authentication
Figure 148 shows the PIN code management page in the case that the UIM card has passed the PIN
code authentication. You can do the following operations:

In the Disable PIN Code Protection field, type the PIN code correctly and click Apply to disable the
PIN code protection for the UIM card.

In the PIN Code Modification field, type the current PIN code correctly and the new PIN code twice,
and then click Apply to modify the current PIN code.

Figure 148 PIN code management page IV

When the PUK code needs to be entered to unblock the PIN code of the UIM card
Figure 149 shows the PIN code management page in the case that the PIN code of the UIM card has
been locked and the PUK code needs to be entered. To unblock the PIN code of the UIM card and set
a new PIN code, enter the PUK code correctly and the new PIN code twice, and then click Apply.
Figure 149 PIN code management page V


NAT configuration
You can do the following to configure NAT on the web interface:

Configure dynamic NAT.

Configure one-to-one static NAT.

Configure an internal server.

Enable application layer protocol check.

Configure connection limit.

Overview
Network Address Translation (NAT) provides a way of translating an IP address to another IP address for
a packet. In practice, NAT is primarily used to allow private hosts to access public networks. With NAT,
a few public IP addresses are used to translate a large number of internal IP addresses, effectively solving
the IP address depletion problem.
NOTE:
For more information about NAT, see the H3C MSR Series Routers Layer 3 - IP Services Configuration
Guide.

Configuring NAT
Configuration overview
Table 84 NAT configuration task list
| Task | Remarks |
| --- | --- |
| Configuring dynamic NAT; Configuring a DMZ host | Use either approach. Dynamic NAT: A dynamic NAT entry is generated dynamically. Dynamic NAT is applicable to the network environment where a large number of internal users need to access the Internet. Static NAT: Mappings between external and internal network addresses are manually configured. Static NAT enables a few users to use fixed IP addresses to access the Internet. |
| Configuring an internal server | Required. You can configure an internal server by mapping a public IP address and port number to the private IP address and port number of the internal server. |
| Enabling application layer protocol check | Optional. Enable NAT to check specified application layer protocols. By default, all application layer protocols are checked by NAT. |
| Configuring connection limit | Optional. Limit the number of connections from a source IP address. |

Configuring dynamic NAT


Select NAT Configuration > NAT Configuration from the navigation tree to enter the default Dynamic NAT
page as shown in Figure 150.
Figure 150 Dynamic NAT Configuration

Table 85 Dynamic NAT configuration items


| Item | Description |
| --- | --- |
| Interface | Specify an interface on which the NAT policy is to be enabled. |
| Translation Mode | Select an address translation mode. Interface Address: In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address. You do not need to configure any address pool for this mode. PAT: In this mode, both IP addresses and port numbers of packets are translated. You need to configure an address pool for this mode. No-PAT: In this mode, only IP addresses of packets are translated. You need to configure an address pool for this mode. |
| Start IP Address, End IP Address | Specify the start and the end IP addresses for the NAT address pool. The start IP address must be lower than the end IP address. If the end IP address and the start IP address are the same, you specify only one IP address. IMPORTANT: Only one translation mode can be selected for the same address pool. NAT address pools used by some device models cannot be those used by other address translation policies, IP addresses of interfaces with Easy IP enabled, or external IP addresses of internal servers. |

Return to NAT configuration task list.

Configuring a DMZ host


1. Create a DMZ host

Select NAT Configuration > NAT Configuration from the navigation tree, and click the DMZ HOST tab to
enter the page as shown in Figure 151.
Figure 151 Create a DMZ host

Table 86 DMZ host configuration items


| Item | Description |
| --- | --- |
| Host IP Address | Specify the internal IP address in a one-to-one static NAT mapping. |
| Global IP Address | Specify the external IP address in a one-to-one static NAT mapping. |

Return to NAT configuration task list.


2. Enabling the DMZ host on an interface

Select NAT Configuration > NAT Configuration from the navigation tree, and click the DMZ HOST tab to
enter the page as shown in Figure 152. You can enable or disable the DMZ host on interfaces.

The icon indicates that the DMZ host is disabled on the corresponding interface. Click the Enable
link next to the interface to enable DMZ host on the interface.

The icon indicates that DMZ host is enabled on the corresponding interface. Click the Disable
link next to the interface to disable the DMZ host on the interface.


Figure 152 Enable the DMZ host on interfaces

Return to NAT configuration task list.

Configuring an internal server


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the NAT Server
Setup tab to enter the internal server configuration page as shown in Figure 153.


Figure 153 Internal server configuration page

Table 87 Internal server configuration items


| Item | Description |
| --- | --- |
| Interface | Specify an interface on which the NAT policy is to be enabled. |
| Protocol | Type of the protocol carried by IP, which can be TCP or UDP. |
| Global IP Address | Public IP address for the internal server. You can use the IP address of the current interface, or manually specify an IP address. |
| Global Port | Global port number for the internal server. From the drop-down list, you can: Select Other and then type a port number. If you type 0, all types of services are provided. That is, only a static binding between the external IP address and the internal IP address is established. Select a service and the corresponding port number is provided. You cannot modify the port number displayed. |
| Host IP Address | Internal IP address for the internal server. |
| Host Port | Internal port number for the internal server. From the drop-down list, you can: Select Other and then type a port number. If you type 0, all types of services are provided. That is, only a static binding between the external IP address and the internal IP address is created. Select a service and the corresponding port number is provided. You cannot modify the port number displayed. |

Return to NAT configuration task list.

Enabling application layer protocol check


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the ALG tab to
enter the application layer protocol check configuration page as shown in Figure 154.
Figure 154 Application layer protocol check

Table 88 Application layer protocol check configuration items


| Item | Description |
| --- | --- |
| Protocol Type | Enable/disable checking the specified application layer protocol(s), including DNS, FTP, PPTP, NBT, ILS, H.323, and SIP. |

Return to NAT configuration task list.

Configuring connection limit


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the Nat
Outbound Setup tab to enter the connection limit configuration page as shown in Figure 155.


Figure 155 Connection limit

Table 89 Connection limit configuration items


| Item | Description |
| --- | --- |
| Enable connection limit | Enable/disable connection limit. |
| Max Connections | Set the maximum number of connections that can be initiated from a source IP address. |

Return to NAT configuration task list.

NAT configuration examples


NAT configuration example I
Network requirements
As shown in Figure 156, a company has three public IP addresses ranging from 202.38.1.1/24 to
202.38.1.3/24, and the internal network address is 10.110.0.0/16. Specifically, the company has the
following requirements:

The internal users can access the Internet by using public addresses 202.38.1.2 and 202.38.1.3.

Configure the upper limit of connections as 1000 based on the source IP address.

Figure 156 NAT network diagram I


Configuration procedure
Configure the IP address of each interface. (Omitted)
# Configure dynamic NAT on Ethernet 0/2.

Select NAT Configuration > NAT Configuration to enter the dynamic NAT configuration page, as
shown in Figure 157.

Figure 157 Configure dynamic NAT

Select Ethernet0/2 from the Interface drop-down list.

Select PAT from the Translation Mode drop-down list.

Type 202.38.1.2 in the Start IP Address field.

Type 202.38.1.3 in the End IP Address field.

Click Apply.

# Configure the connection limit.

Click the Connection Limit tab to enter the connection limit configuration page, as shown in Figure
158.

Figure 158 Configure connection limit


Select Enable connection limit.

Type 1000 in Max Connections.

Click Apply.

Internal server configuration example


Network requirements
A company provides one FTP server and two Web servers for external users to access. The internal
network address is 10.110.0.0/16. The internal network address for the FTP server is 10.110.10.3/16,
that for Web server 1 is 10.110.10.1/16, and that for Web server 2 is 10.110.10.2/16. The company has three
public IP addresses ranging from 202.38.1.1/24 to 202.38.1.3/24. Specifically, the company has the
following requirements:

External hosts can access the company internal servers.

202.38.1.1 is used as the public IP address for the internal servers and port number 8080 is used
for Web server 2.

Figure 159 Internal server configuration network diagram


(Figure 159 labels: Host, Internet, Router with Eth0/2 202.38.1.1/24 and Eth0/1 10.110.10.10/16, Web server 1 10.110.10.1/16, Web server 2 10.110.10.2/16, FTP server 10.110.10.3/16)

Configuration procedure
# Configure the FTP server.

Select NAT Configuration > NAT Configuration from the navigation tree and click the Internal
Server tab to enter the internal server configuration page, as shown in Figure 160.


Figure 160 Configure the FTP server

Select Ethernet0/2 from the Interface drop-down list.

Click on the TCP radio button in the Protocol field.

Click on the radio button next to the text box in the Global IP Address field, and then type
202.38.1.1.

Select ftp from the Global Port drop-down list.

Type 10.110.10.3 in the Host IP Address field.

Select ftp from the Host Port drop-down list.

Click Apply.

# Configure Web server 1.


Figure 161 Configure Web server 1

As shown in Figure 161, select Ethernet0/2 from the Interface drop-down list.

Click on the TCP radio button in the Protocol field.

Click on the radio button next to the text box in the Global IP Address field, and then type
202.38.1.1.

Select http from the Global Port drop-down list.

Type 10.110.10.1 in the Host IP Address field.

Select http from the Host Port drop-down list.

Click Apply.

# Configure Web server 2.

Click Add in the internal server configuration page.


Figure 162 Configure Web server 2

As shown in Figure 162, select Ethernet0/2 from the Interface drop-down list.

Click on the TCP radio button in the Protocol field.

Click on the radio button next to the text box in the Global IP Address field, and then type
202.38.1.1.

Type 8080 in the Global Port field.

Type 10.110.10.2 in the Host IP Address field.

Type 8080 in the Host Port field.

Click Apply.
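The three internal server entries configured above can be reviewed offline to see exactly which inbound traffic they forward. The following Python model is an added example, not H3C code: it uses the Table 87 fields, resolves inbound packets against the entries, and reports conflicting or overly broad entries. The unchanged destination port for a port-0 entry and the precedence of a specific port over a port-0 entry are assumptions, and the port-0 variant is constructed.

```python
from dataclasses import dataclass

# Port numbers behind the service names picked from the drop-down list.
SERVICE_PORTS = {"ftp": 21, "http": 80}


@dataclass(frozen=True)
class InternalServer:
    interface: str
    protocol: str      # "TCP" or "UDP"
    global_ip: str     # public address external hosts connect to
    global_port: int   # 0 = all services (static IP-to-IP binding)
    host_ip: str       # private address of the internal server
    host_port: int


def entry(interface, protocol, global_ip, global_port, host_ip, host_port):
    """Build an entry; ports may be numbers or drop-down service names."""
    def to_port(value):
        return SERVICE_PORTS[value] if isinstance(value, str) else value
    return InternalServer(interface, protocol, global_ip, to_port(global_port),
                          host_ip, to_port(host_port))


def translate_inbound(servers, interface, protocol, dst_ip, dst_port):
    """Return (host_ip, host_port) for an inbound packet, or None if unmapped."""
    wildcard = None
    for s in servers:
        if (s.interface, s.protocol, s.global_ip) != (interface, protocol, dst_ip):
            continue
        if s.global_port == 0:
            wildcard = s
        elif s.global_port == dst_port:
            return (s.host_ip, s.host_port)
    if wildcard is not None:
        # Assumption: a port-0 entry forwards the destination port unchanged
        # and is consulted only when no specific entry matches.
        return (wildcard.host_ip, dst_port)
    return None


def audit(servers):
    """Return findings about conflicting or overly broad entries."""
    findings, seen = [], {}
    for s in servers:
        key = (s.interface, s.protocol, s.global_ip, s.global_port)
        target = (s.host_ip, s.host_port)
        if seen.setdefault(key, target) != target:
            findings.append(f"conflict: {s.protocol} {s.global_ip}:{s.global_port} "
                            f"maps to both {seen[key][0]} and {s.host_ip}")
        if s.global_port == 0:
            findings.append(f"wide exposure: every {s.protocol} port of {s.host_ip} "
                            f"is reachable through {s.global_ip}")
    return findings


# The three entries from the configuration example on this page.
PAGE_EXAMPLE = [
    entry("Ethernet0/2", "TCP", "202.38.1.1", "ftp", "10.110.10.3", "ftp"),
    entry("Ethernet0/2", "TCP", "202.38.1.1", "http", "10.110.10.1", "http"),
    entry("Ethernet0/2", "TCP", "202.38.1.1", 8080, "10.110.10.2", 8080),
]

# Constructed variant: Web server 2 published with port 0 instead of 8080.
PORT_ZERO_VARIANT = PAGE_EXAMPLE[:2] + [
    entry("Ethernet0/2", "TCP", "202.38.1.1", 0, "10.110.10.2", 0),
]

if __name__ == "__main__":
    for port in (21, 80, 8080, 22):
        print(port,
              translate_inbound(PAGE_EXAMPLE, "Ethernet0/2", "TCP", "202.38.1.1", port),
              translate_inbound(PORT_ZERO_VARIANT, "Ethernet0/2", "TCP", "202.38.1.1", port))
    print(audit(PORT_ZERO_VARIANT))
```

With the page's entries only ports 21, 80 and 8080 reach an internal host; in the port-0 variant every other TCP port sent to 202.38.1.1 reaches Web server 2 as well, which is what the audit reports.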


Access control
Access control overview
Access control allows you to control access to the Internet from the LAN by setting the time range, IP
addresses of computers in the LAN, port range, and protocol type. All data packets matching these
criteria are denied access to the Internet.
Up to ten access control policies can be configured and they are matched in ascending order of
sequence number. The comparison stops immediately after one match is found.
NOTE:
The ten access control policies correspond to ACL 3980 through 3989 respectively in ascending order of
sequence number. Modifying these ACLs may impact the corresponding access control policies.
Access control takes effect only in the outgoing direction of WAN interfaces.

Configuring access control


Select Security Setup > Access from the navigation tree, and then select the Access Control tab to enter
the page as shown in Figure 163.


Figure 163 Access control

Table 90 Access control configuration items
Item | Description
Begin-End Time | Set the time range of a day for the rule to take effect. The start time must be earlier than the end time.
Week | Select the days of a week for the rule to take effect.
  IMPORTANT (Begin-End Time and Week): Set both types of time ranges or set neither of them. To set neither of them, make sure the Begin-End Time is 00:00 - 00:00 and no days of a week are selected. Setting neither of them means the rule takes effect all the time.
Protocol | Specify to control accesses based on the protocol used for data transmission. Three options are available: TCP, UDP, and IP. For which services use which protocols, see Table 91.
Source IP Address | Configure the IP address range of computers. To control a single IP address, type the address in the two text boxes.
Destination Port | Set the port range to be filtered. For example, to control Telnet access, type 23 in the two text boxes.
Operation | Action to be taken for matching packets. The action is Deny, which means all packets matching the access control policies are not allowed to pass.


Table 91 Commonly used services and their ports
Service | Transport layer protocol | Port number
FTP | TCP | 21
Telnet | TCP | 23
TFTP | UDP | 69
Web | TCP | 80

Access control configuration example


Network requirements
As shown in Figure 164, internal users of a company, Host A to Host D, access the Internet through the router.
Configure an access control policy so that:

Host A to Host C cannot access the Internet from 09:00 to 18:00 every Monday to Friday and can
access the Internet at all other times.

Host D can access the Internet all the time.


Figure 164 Network diagram for access control configuration
(Diagram labels: Internet; Router, interface Eth0/1; Host A 10.1.1.1; Host B 10.1.1.2; Host C 10.1.1.3; Host D 10.1.1.4.)

Configuration procedure
# Configure an access control policy to prohibit Host A to Host C from accessing the Internet during work
time.

Select Security Setup > Access from the navigation tree and then perform the configurations shown in
Figure 165.


Figure 165 Configure an access control policy

Set the Begin-End Time to 09:00 - 18:00.

Select the check boxes for Monday to Friday.

Select the Protocol of IP.

Enter source IP address range 10.1.1.1 - 10.1.1.3.

Click Apply.
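
The matching rules described in this chapter, modeled in Python as an added example (not H3C code and not part of the original guide): policies are checked in ascending sequence number, the first match denies the packet, and unmatched traffic passes. The sequence numbers 1 and 2, the inclusive-begin/exclusive-end time comparison, and the second (Telnet) policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional

MAX_POLICIES = 10      # the page allows up to ten access control policies
UNSET = time(0, 0)     # 00:00 - 00:00 with no days selected means "all the time"


@dataclass(frozen=True)
class Policy:
    seq: int                          # sequence number; lower is matched first
    protocol: str                     # "TCP", "UDP" or "IP"
    src_first: str                    # first address of the source range
    src_last: str                     # last address (same as first for one host)
    begin: time = UNSET
    end: time = UNSET
    days: frozenset = frozenset()     # 0 = Monday ... 6 = Sunday
    port_first: Optional[int] = None  # destination port range (TCP/UDP only)
    port_last: Optional[int] = None

    def __post_init__(self):
        time_set = (self.begin, self.end) != (UNSET, UNSET)
        if time_set != bool(self.days):
            raise ValueError("set both Begin-End Time and Week, or neither")
        if time_set and self.begin >= self.end:
            raise ValueError("start time must be earlier than end time")

    def active(self, when: datetime) -> bool:
        if not self.days:
            return True               # neither time range set: always in effect
        # Assumption: begin time is inclusive, end time is exclusive.
        return when.weekday() in self.days and self.begin <= when.time() < self.end

    def matches(self, when, src, protocol, dst_port) -> bool:
        if not self.active(when):
            return False
        if not IPv4Address(self.src_first) <= IPv4Address(src) <= IPv4Address(self.src_last):
            return False
        if self.protocol == "IP":     # IP covers every protocol carried over IP
            return True
        if self.protocol != protocol:
            return False
        if self.port_first is None:
            return True
        return dst_port is not None and self.port_first <= dst_port <= self.port_last


def evaluate(policies, when, src, protocol, dst_port=None):
    """Return ("deny", seq) for the first matching policy, else ("permit", None)."""
    if len(policies) > MAX_POLICIES:
        raise ValueError("at most ten access control policies are supported")
    for policy in sorted(policies, key=lambda p: p.seq):
        if policy.matches(when, src, protocol, dst_port):
            return ("deny", policy.seq)   # comparison stops at the first match
    return ("permit", None)


WEEKDAYS = frozenset(range(5))            # Monday to Friday
POLICIES = [
    # Constructed extra policy (not in the guide): block Telnet from Host A-C at all times.
    Policy(seq=2, protocol="TCP", src_first="10.1.1.1", src_last="10.1.1.3",
           port_first=23, port_last=23),
    # The policy from the configuration example above.
    Policy(seq=1, protocol="IP", src_first="10.1.1.1", src_last="10.1.1.3",
           begin=time(9, 0), end=time(18, 0), days=WEEKDAYS),
]

if __name__ == "__main__":
    monday_10 = datetime(2011, 8, 15, 10, 0)      # a Monday
    saturday_10 = datetime(2011, 8, 20, 10, 0)    # a Saturday
    for label, when, src, proto, port in [
        ("Host A, Monday 10:00, web", monday_10, "10.1.1.1", "TCP", 80),
        ("Host D, Monday 10:00, web", monday_10, "10.1.1.4", "TCP", 80),
        ("Host B, Saturday 10:00, Telnet", saturday_10, "10.1.1.2", "TCP", 23),
    ]:
        print(label, "->", evaluate(POLICIES, when, src, proto, port))
```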


URL filtering
URL filtering overview
The URL filtering function allows you to deny access to certain Internet web pages from the LAN by setting
keywords and URL addresses.
NOTE:
The URL filtering function applies to only the outbound direction of WAN interfaces.

Configuring URL filtering


Select Security Setup > URL Filter from the navigation tree to enter the page as shown in Figure 166. Then,
click Add to enter the URL filtering configuration page, as shown in Figure 167.
Figure 166 URL filtering entries


Figure 167 URL filtering configuration page

Table 92 URL filter configuration items
Item | Description
URL | Set the URL addresses to be filtered. You can input a regular expression.
Keyword | Set the keywords to be filtered. You can input a regular expression.
  IMPORTANT (URL and Keyword): The URL and keyword are in OR relation. When both are configured, the system generates two URL filtering conditions.
Import filter list file | If the Import filter list file check box is selected, you can import filtering rules from a file.
File Name | Specify the name and path of the file in the local host from which you obtain the file. For description of the content format of filter list files, see Figure 167.


URL filtering configuration example


Network requirements
As shown in Figure 168, internal users access the Internet through Router. Configure the URL filtering
function to disallow access of all internal users to Internet website www.webflt.com.
Figure 168 Network diagram for URL filtering configuration
(Diagram labels: Internet; Router, interface Eth0/1.)

Configuration procedure
# Configure the URL filtering function.

Select Security Setup > URL Filter from the navigation tree. Click Add and then perform the
following configurations, as shown in Figure 169.


Figure 169 Configure the URL filtering function

Select the check box before URL and then type www.webflt.com in the textbox.

Click Apply.


MAC address filtering


MAC address filtering overview
MAC address filtering is used to match MAC addresses of hosts accessing the network through the
device, and deny or permit hosts with matched MAC addresses to access the network through the device.
NOTE:
MAC address filtering is only applicable to the outgoing direction of Layer 3 Ethernet interfaces and dialer
interfaces.

Configuring MAC address filtering


Configuring the MAC address filtering type
Select Security Setup > MAC Address Filtering from the navigation tree to enter the MAC address filtering
configuration page, as shown in Figure 170.
Figure 170 MAC address filtering

Table 93 MAC address filtering configuration item
Item | Description
filtering type | Select a MAC address filtering type:
  Disable MAC address filtering
  Permit access to the Internet: Enables MAC address filtering to permit only the hosts whose MAC addresses are on the MAC address list below to access the network through the device.
  Deny access to the Internet: Enables MAC address filtering to deny the hosts whose MAC addresses are on the MAC address list below from accessing the network through the device.
  IMPORTANT: A MAC address list will be displayed at the lower part of the page after you select Permit access to the Internet or Deny access to the Internet.

Configuring the MAC addresses to be filtered


Select Security Setup > MAC Address Filtering from the navigation tree to enter the MAC address filtering
configuration page, as shown in Figure 170. After you select Permit access to the Internet or Deny access to the
Internet, the permitted or denied MAC addresses are listed in the lower part of the page, as shown in
Figure 171. Click Add to enter the Add MAC Address page, as shown in Figure 172.
Figure 171 MAC address filtering (permit access to the Internet)

Figure 172 Add MAC addresses


Table 94 Configuration items for adding the MAC addresses to be filtered
Item | Description
Use the customized MAC address; Use the learned MAC addresses | Type the MAC addresses to be filtered or select them from the learned MAC addresses list.

NOTE:
If you select Permit access to the Internet or Deny access to the Internet as the filtering type, the selected
filtering type will take effect as long as you add the MAC addresses for this type, no matter whether or not
you click Apply at the filtering type configuration area on the MAC Address Filtering page.

MAC address filtering configuration example


Network requirements
As shown in Figure 173, internal users access the Internet through Router. Configure the MAC address
filtering function to deny users whose MAC addresses are 000d-88f8-0dd7 and 000d-88f7-b8d6 from
accessing the Internet.
Figure 173 Network diagram for MAC address filtering configuration
(Diagram labels: Internet; Router, interface Eth0/1; host 000d-88f8-0dd7 at 192.168.1.17; host 000d-88f7-b8d6 at 192.168.1.18.)

Configuration procedure
# Configure the MAC address filtering function.

Select Security Setup > MAC Address Filtering from the navigation tree and then perform the
following configurations, as shown in Figure 174.


Figure 174 Select MAC address filtering type

Select Deny access to the Internet as the filtering type.

Click Add and then perform the following configurations, as shown in Figure 175.

Figure 175 Specify the MAC addresses to be denied access to the Internet

Select Use the learned MAC addresses.

Select 000d-88f8-0dd7 and 000d-88f7-b8d6 from the Learned MAC Addresses list, and then click
the << button to add them to the Selected MAC Addresses list.

Click Apply.


Attack protection
Complete the following tasks to configure attack protection functions in the web interface:

Enabling the blacklist function

Adding a blacklist entry manually

Viewing blacklist entries

Configuring intrusion detection

Attack protection overview


Attack protection is an important network security feature. It can determine whether received packets are
attack packets according to the packet contents and behaviors and, if detecting an attack, take measures
to deal with the attack. Protection measures include logging the event, dropping packets, updating the
session status, and blacklisting the source IP address.

Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared
with Access Control List (ACL) packet filtering, blacklist filtering is simpler in matching packets and
therefore can filter packets at a high speed. Blacklist filtering is very effective in filtering packets from
certain IP addresses.
One outstanding benefit of the blacklist function is that it allows the device to add and delete blacklist
entries dynamically. This is done by working in conjunction with the scanning attack protection function.
When the device detects a scanning attack according to the packet behavior, it adds the IP address of
the attacker to the blacklist. Thus, packets from the IP address will be filtered. Blacklist entries added
dynamically will be aged in a specified period of time.
The blacklist function also allows you to add and delete blacklist entries manually. Blacklist entries added
manually can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry will
always exist in the blacklist unless you delete it manually. You can configure the aging time of a
non-permanent entry. After the timer expires, the device automatically deletes the blacklist entry, allowing
packets from the corresponding IP address to pass.

Intrusion detection function

The device can defend against two categories of network attacks: single-packet attacks and abnormal
traffic. The latter falls into two sub-categories, scanning attacks and flood attacks, according to attack
characteristics.

Protection against single-packet attacks


A single-packet attack is also called a malformed packet attack. Such an attack occurs when:

The attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal
TCP flags, to a target system so that the target system malfunctions or crashes when processing such
packets.

The attacker sends large quantities of such packets to the network to use up the network bandwidth.


Table 95 lists the types of single-packet attacks that can be prevented by the device.
Table 95 Types of single-packet attacks
Single-packet attack | Description
Fraggle | A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet broadcast address. This will cause a large quantity of responses in the network, using up the network bandwidth of the subnet or crashing the target host.
LAND | A LAND attacker forges large amounts of TCP SYN packets with both the source address and destination address being the IP address of the target, causing the target to send SYN ACK messages to itself and establish half-open connections as a result. In this way, the attacker may deplete the half-open connection resources of the target, making it unable to work normally.
WinNuke | A WinNuke attacker sends Out-of-Band (OOB) data packets to the NetBIOS port (139) of a target running a Windows system. The pointer fields of these attack packets are overlapped, resulting in NetBIOS fragment overlaps. This will cause the target host that has established TCP connections with other hosts to crash when it processes these NetBIOS fragments.
TCP Flag | Different operating systems process abnormal TCP flags differently. The attacker sends TCP packets with abnormal TCP flags to the target host to probe its operating system. If the operating system cannot process such packets properly, the host will crash.
ICMP Unreachable | Upon receiving an ICMP unreachable packet, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an attacker can cut off the connection between the target host and the network.
ICMP Redirect | An ICMP Redirect attacker sends ICMP redirect messages to hosts on a subnet to request the hosts to change their routing tables, interfering with the normal forwarding of IP packets.
Tracert | The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the packet passes each router. Upon receiving a packet with a TTL of 0, a router sends an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
Smurf | A Smurf attacker sends ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network will reply to the requests, congesting the network and leaving hosts on the target network unable to provide services.
Source Route | A Source Route attacker probes the network structure through the Source Route option in IP packets.
Route Record | A Route Record attacker probes the network structure through the Record Route option in IP packets.
Large ICMP | For some hosts and devices, large ICMP packets cause memory allocation errors and thus crash the protocol stack. An attacker can make a target crash by sending large ICMP packets to it.

The single-packet attack protection function applies only to incoming packets. It analyzes the
characteristics of incoming packets to determine whether they are attack packets and, if they are,
logs the events and discards the packets. For example, if the length of an ICMP packet reaches
or exceeds 4000 bytes, the device considers the packet a large ICMP attack packet, outputs a warning
log, and discards the packet.
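
The checks below restate part of Table 95 as detection logic over constructed packet records; this is an added example, not the device's implementation. The Packet fields, the 192.168.1.0/24 subnet, and treating the TCP URG flag as the marker for OOB data are assumptions, and the TCP Flag and Tracert rows are left out because the page does not give their exact criteria.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

LARGE_ICMP_BYTES = 4000            # threshold stated on the page
TCP_SYN, TCP_ACK, TCP_URG = 0x02, 0x10, 0x20   # TCP header flag bits
ICMP_UNREACHABLE, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 3, 5, 8
IPOPT_RECORD_ROUTE = 7             # IP option number for Record Route
IPOPT_SOURCE_ROUTE = (131, 137)    # loose and strict source route options


@dataclass(frozen=True)
class Packet:                      # hypothetical record of the fields the checks need
    src: str
    dst: str
    proto: str                     # "TCP", "UDP" or "ICMP"
    length: int                    # packet length in bytes
    dst_port: Optional[int] = None
    tcp_flags: int = 0
    icmp_type: Optional[int] = None
    ip_options: tuple = ()         # IP option numbers present in the header


def is_broadcast(dst: str, subnet: str) -> bool:
    addr = IPv4Address(dst)
    return (addr == IPv4Address("255.255.255.255")
            or addr == IPv4Network(subnet).broadcast_address)


def classify(pkt: Packet, subnet: str = "192.168.1.0/24") -> list:
    """Return the names of the Table 95 attack types the packet matches."""
    hits = []
    bcast = is_broadcast(pkt.dst, subnet)
    if pkt.proto == "UDP" and pkt.dst_port in (7, 19) and bcast:
        hits.append("Fraggle")                 # echo/Chargen sent to a broadcast address
    if pkt.proto == "TCP":
        if pkt.tcp_flags & TCP_SYN and IPv4Address(pkt.src) == IPv4Address(pkt.dst):
            hits.append("LAND")                # SYN whose source equals its destination
        if pkt.dst_port == 139 and pkt.tcp_flags & TCP_URG:
            hits.append("WinNuke")             # urgent (OOB) data to the NetBIOS port
    if pkt.proto == "ICMP":
        if pkt.icmp_type == ICMP_UNREACHABLE:
            hits.append("ICMP Unreachable")
        if pkt.icmp_type == ICMP_REDIRECT:
            hits.append("ICMP Redirect")
        if pkt.icmp_type == ICMP_ECHO_REQUEST and bcast:
            hits.append("Smurf")               # echo request to a broadcast address
        if pkt.length >= LARGE_ICMP_BYTES:
            hits.append("Large ICMP")          # "reaches or exceeds 4000 bytes"
    if any(opt in IPOPT_SOURCE_ROUTE for opt in pkt.ip_options):
        hits.append("Source Route")
    if IPOPT_RECORD_ROUTE in pkt.ip_options:
        hits.append("Route Record")
    return hits


def inspect(packets, subnet: str = "192.168.1.0/24"):
    """Log and discard matching packets; return (forwarded_packets, log_lines)."""
    forwarded, log = [], []
    for pkt in packets:
        hits = classify(pkt, subnet)
        if hits:
            log.append(f"attack={'+'.join(hits)} src={pkt.src} dst={pkt.dst} action=drop")
        else:
            forwarded.append(pkt)
    return forwarded, log


# Constructed sample traffic (addresses from documentation ranges and the guide's LAN).
SAMPLE = [
    Packet("192.168.1.17", "203.0.113.10", "TCP", 60, dst_port=80, tcp_flags=TCP_SYN),
    Packet("192.168.1.5", "192.168.1.5", "TCP", 40, dst_port=80, tcp_flags=TCP_SYN),
    Packet("203.0.113.9", "192.168.1.255", "ICMP", 84, icmp_type=ICMP_ECHO_REQUEST),
    Packet("203.0.113.9", "192.168.1.255", "UDP", 46, dst_port=19),
    Packet("203.0.113.9", "192.168.1.17", "ICMP", 4000, icmp_type=ICMP_ECHO_REQUEST),
    Packet("203.0.113.9", "192.168.1.17", "ICMP", 3999, icmp_type=ICMP_ECHO_REQUEST),
    Packet("203.0.113.9", "192.168.1.17", "TCP", 41, dst_port=139,
           tcp_flags=TCP_URG | TCP_ACK),
    Packet("203.0.113.9", "192.168.1.17", "UDP", 60, dst_port=53, ip_options=(131,)),
]

if __name__ == "__main__":
    for line in inspect(SAMPLE)[1]:
        print(line)
```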

Protection against scanning attacks


Scanning attackers usually use some scanning tools to scan host addresses and ports in a network, so as
to find possible targets and the services enabled on the targets and figure out the network topology,
preparing for further attacks to the target hosts.
The scanning attack protection function applies only to incoming packets. It monitors the rate at which
an IP address initiates connections to destination systems. If the rate reaches or exceeds 4000
connections per second, it logs the event, adds the IP address to the blacklist, and discards subsequent
packets from the IP address.

Protection against flood attacks


Flood attackers send a large number of forged requests to the targets in a short time, so that the target
systems will be too busy to provide services for legal users, resulting in denial of services.
The device can defend against three types of flood attacks:

SYN flood attack

Because of the limited resources, the TCP/IP stack permits only a limited number of TCP connections. A
SYN flood attacker sends a great quantity of SYN packets to a target server, using a forged address as
the source address. After receiving the SYN packets, the server replies with SYN ACK packets. As the
destination address of the SYN ACK packets is unreachable, the server can never receive the expected
ACK packets, resulting in large amounts of half-open connections. In this way, the attacker exhausts the
system resources, making the server unable to service normal clients.

ICMP flood attack

An ICMP flood attacker sends a large number of ICMP requests to the target in a short time by, for
example, using the ping program, making the target too busy to process normal services.

UDP flood attack

A UDP flood attacker sends a large number of UDP messages to the target in a short time, so that the
target gets too busy to process normal services.
The flood attack protection function applies only to outgoing packets. It is mainly used to protect
servers. It monitors the connection establishment rate and number of half-open connections of a server.
If the rate reaches or exceeds 1000 connections per second or the number of half-open connections
reaches or exceeds 10000 (only SYN flood attack protection supports restriction of half-open
connections), it logs the event, and discards subsequent connection requests to the server.

Configuring the blacklist function


Configuration task list
Table 96 Blacklist function configuration task list
Task | Remarks
Enabling the blacklist function | Required. By default, the blacklist function is disabled.
Configuring the scanning attack protection function to add blacklist entries automatically; Adding a blacklist entry manually | Required. Perform at least one of the two tasks. You can add blacklist entries manually, or enable the blacklist function globally, configure the scanning attack protection function, and enable the blacklist function for scanning attack protection to allow the device to add the IP addresses of detected scanning attackers to the blacklist automatically. For configuration of scanning attack protection, see Configuring intrusion detection. By default, no blacklist entry exists.
  IMPORTANT: Modifying an automatically added entry will change the type of the entry to Manual.
Viewing blacklist entries | Optional

Enabling the blacklist function


From the navigation tree, select Security Setup > Attack Defend > Blacklist to enter the page shown in
Figure 176, where all manually configured or automatically generated blacklist entries are listed. Select
the check box before Enable Blacklist and click Apply to enable the blacklist filtering function.
Figure 176 Blacklist page

Return to Blacklist function configuration task list.

Adding a blacklist entry manually


On the blacklist page shown in Figure 176, click Add to configure a blacklist entry, as shown in Figure
177.


Figure 177 Add a blacklist entry

Table 97 Blacklist entry configuration items
Item | Description
IP Address | Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast address, a class D address, a class E address, 127.0.0.0/8, or 255.0.0.0/8.
Hold Time | Configure the entry as a non-permanent entry and specify the hold time of the blacklist entry.
Permanence | Configure the entry as a permanent entry.

Return to Blacklist function configuration task list.

Viewing blacklist entries


Select Security Setup > Attack Defend > Blacklist from the navigation tree to view blacklist entries.
Table 98 Fields of the blacklist entry list
Field | Description
IP Address | IP address of the blacklist entry
Add Method | The way in which the blacklist entry was added, Manual or Automatic.
  Manual: The entry was added manually or has been modified after being added automatically.
  Automatic: The entry was added automatically by the scanning attack protection function.
  IMPORTANT: Modifying an automatically added entry will change the type of the entry to Manual.
Start Time | The time when the blacklist entry was added
Hold Time | Duration for which the blacklist entry will be held in the blacklist.
Dropped Count | Number of packets matching the blacklist entry and therefore dropped by the device

Return to Blacklist function configuration task list.
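
A small Python model of the blacklist behavior described in this chapter (permanent and aged entries, the Manual and Automatic add methods, and automatic entries from scanning attack protection), added here as an illustration and not taken from the device software. The class names, the 600-second aging time for automatic entries, and the scanner address 198.51.100.7 are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

SCAN_THRESHOLD = 4000     # connections per second that trigger blacklisting (from the page)
AUTO_HOLD_SECONDS = 600   # assumption: the page does not state the aging time of automatic entries


@dataclass
class Entry:
    method: str               # Add Method: "Manual" or "Automatic"
    start: float              # Start Time, in seconds
    hold: Optional[float]     # Hold Time in seconds; None means a permanent entry
    dropped: int = 0          # Dropped Count


def check_address(ip: str) -> IPv4Address:
    """Reject the addresses Table 97 excludes. A subnet-directed broadcast
    address cannot be recognized without a mask, so it is not checked here."""
    addr = IPv4Address(ip)
    # Class D is 224.0.0.0/4; class E (240.0.0.0/4) also covers 255.0.0.0/8.
    if addr.is_multicast or addr.is_loopback or int(addr) >> 28 == 0xF:
        raise ValueError(f"{ip} cannot be added to the blacklist")
    return addr


class Blacklist:
    def __init__(self):
        self.enabled = False  # the blacklist function is disabled by default
        self.entries = {}     # no blacklist entry exists by default

    def add(self, ip, now, hold=None, method="Manual"):
        self.entries[check_address(ip)] = Entry(method, now, hold)

    def modify(self, ip, hold=None):
        # Modifying an automatically added entry changes its type to Manual.
        entry = self.entries[IPv4Address(ip)]
        entry.hold, entry.method = hold, "Manual"

    def drops(self, src, now) -> bool:
        """Return True if a packet from src arriving at time now is dropped."""
        if not self.enabled:
            return False
        addr = IPv4Address(src)
        entry = self.entries.get(addr)
        if entry is None:
            return False
        if entry.hold is not None and now >= entry.start + entry.hold:
            del self.entries[addr]    # aged out: packets from this address pass again
            return False
        entry.dropped += 1
        return True


class ScanDetector:
    """Counts connections initiated per source over a sliding one-second window."""

    def __init__(self, blacklist, add_to_blacklist=True):
        self.blacklist = blacklist
        self.add_to_blacklist = add_to_blacklist
        self.recent = defaultdict(deque)   # source -> timestamps within the last second
        self.alarms = []                   # (time, source) alarm log records

    def connection(self, src, now) -> bool:
        """Record one connection attempt; return True if it raised a scan alarm."""
        if self.blacklist.drops(src, now):
            return False                   # already blacklisted: packet discarded
        window = self.recent[src]
        window.append(now)
        while window[0] <= now - 1.0:
            window.popleft()
        if len(window) < SCAN_THRESHOLD:
            return False
        self.alarms.append((now, src))
        if self.add_to_blacklist and self.blacklist.enabled:
            self.blacklist.add(src, now, AUTO_HOLD_SECONDS, "Automatic")
        window.clear()
        return True


def demo():
    """The configuration example's entries plus a constructed scanning source."""
    blacklist = Blacklist()
    blacklist.enabled = True
    blacklist.add("5.5.5.5", now=0)                    # Host D, permanent
    blacklist.add("192.168.1.5", now=0, hold=50 * 60)  # Host C, 50 minutes
    detector = ScanDetector(blacklist)
    for i in range(SCAN_THRESHOLD):                    # 4000 connections within one second
        detector.connection("198.51.100.7", now=10 + i / SCAN_THRESHOLD)
    return blacklist, detector
```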


Configuring intrusion detection


On the MSR 900/20-1X series routers
Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree to enter the intrusion
detection configuration page, as shown in Figure 178. Select the check box before Enable attack defense
policy and then select the specific attack protection functions to be enabled. Then, click Apply to finish the
configuration.
Figure 178 Intrusion detection configuration page

On the MSR 20/30/50 series routers


Select Security Setup > Attack Defend > Intrusion Detection to enter the page shown in Figure 179. Click
Add to enter the page for adding a new intrusion detection policy, as shown in Figure 180. Select an
interface and select the attack protection functions to be enabled, and then click Apply. The selected
attack protection functions will be enabled on the selected interface.


Figure 179 Intrusion detection policy list

Figure 180 Add an intrusion detection policy


Attack protection configuration examples


Attack protection configuration example for the MSR 900/20-1X series routers
Network requirements
As shown in Figure 181, internal users Host A, Host B, and Host C access the Internet through Router. The
network security requirements are as follows:

Router always drops packets from Host D, an attacker.

Router denies packets from Host C for 50 minutes for temporary access control of Host C.

Router provides scanning attack protection and automatically adds detected attackers to the
blacklist.

Router provides Land attack protection and Smurf attack protection.

Figure 181 Network diagram for attack protection configuration

Configuration procedure
# Configure IP addresses for the interfaces (omitted).
# Enable the blacklist function.

Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 182.


Figure 182 Enable the blacklist function

Select the check box before Enable Blacklist.

Click Apply.

# Add blacklist entries manually.

Click Add and then perform the following configurations, as shown in Figure 183:

Figure 183 Add a blacklist entry for Host D

Type IP address 5.5.5.5, the IP address of Host D.

Select Permanence for this blacklist entry.

Click Apply.

Click Add and then perform the following configurations, as shown in Figure 184:


Figure 184 Add a blacklist entry for Host C

Type IP address 192.168.1.5, the IP address of Host C.

Select Hold Time and set the hold time of this blacklist entry to 50 minutes.

Click Apply.

# Configure intrusion detection: Enable scanning attack protection, and enable blacklist function for it;
enable Land attack protection and Smurf attack protection.

Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree and then
perform the following configurations, as shown in Figure 185.

Figure 185 Configure intrusion detection


Select Enable Attack Defense Policy.

Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Leave all other options unselected.

Click Apply.

Verification

Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.

Router drops all packets from Host D unless you remove Host D from the blacklist.

Router drops packets from Host C within 50 minutes. Then, Router forwards packets from Host C
normally.

Upon detecting the scanning attack, Router outputs an alarm log and adds the IP address of the
attacker to the blacklist. You can view the added blacklist entry by selecting Security Setup > Attack
Defend > Blacklist.

Upon detecting the Land or Smurf attack, Router outputs an alarm log and drops the attack packet.

For MSR 20/30/50 series routers


Network requirements
As shown in Figure 186, internal users Host A, Host B, and Host C access the Internet through Router. The
network security requirements are as follows:

Router always drops packets from Host D, an attacker.

Router denies packets from Host C for 50 minutes for temporary access control of Host C.

Router provides scanning attack protection and automatically adds detected attackers to the
blacklist on interface Ethernet 0/2, the interface connecting the Internet.

Router provides Land attack protection and Smurf attack protection on Ethernet 0/2.

Figure 186 Network diagram for attack protection configuration

Configuration procedure
# Configure IP addresses for the interfaces (omitted).
# Enable the blacklist function.

Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 187.


Figure 187 Enable the blacklist function

Select the check box before Enable Blacklist.

Click Apply.

# Add blacklist entries manually.

Click Add and then perform the following configurations, as shown in Figure 188:

Figure 188 Add a blacklist entry for Host D

Type IP address 5.5.5.5, the IP address of Host D.

Select Permanence for this blacklist entry.

Click Apply.

Click Add and then perform the following configurations, as shown in Figure 189:


Figure 189 Add a blacklist entry for Host C

Type IP address 192.168.1.5, the IP address of Host C.

Select Hold Time and set the hold time of this blacklist entry to 50 minutes.

Click Apply.

# Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist
function for it; enable Land attack protection and Smurf attack protection.

Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree. Click Add and
then perform the following configurations, as shown in Figure 190.


Figure 190 Configure intrusion detection

Select interface Ethernet0/2.

Select Enable Attack Defense Policy.

Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Leave all other options unselected.

Click Apply.

Verification

Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.

Router drops all packets from Host D unless you remove Host D from the blacklist.

Router drops packets from Host C within 50 minutes. Then, Router forwards packets from Host C
normally.

Upon detecting the scanning attack on Ethernet 0/2, Router outputs an alarm log and adds the IP
address of the attacker to the blacklist. You can view the added blacklist entry by selecting Security
Setup > Attack Defend > Blacklist.

Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops
the attack packet.


Application control
Complete the following tasks to configure application control in the web interface:

Loading applications

Configuring a custom application

Enabling application control

Application control overview


Application control allows you to control which applications and protocols users can access on the
Internet by specifying the destination IP address, protocol, operation type, and port. Application control
can be based on a group of users or all users in a LAN. This chapter describes the application control
based on all users. For application control based on user group, see the chapter Group management.
NOTE:
The application control function applies to only the outbound direction of WAN interfaces.

Configuring application control


Configuration task list
Table 99 Application control task list
Task | Remarks
Loading applications | Optional. Load the signature file that contains the application control rules to the device.
  IMPORTANT: If you perform this configuration multiple times, only the last file loaded to the device takes effect.
Configuring a custom application | Optional. Add a custom application and configure the match rules.
Enabling application control | Required. Enable application control for specified applications or protocols globally.

Loading applications
Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab to enter the page for loading applications, as shown in Figure 191.


To load an application control file from the device, select From Device, select the application control
file, and then click Apply.

To load an application control file from the local host to the device, select From Local, click Browse
to find the file, and then click Apply.

After the file is loaded to the device successfully, all the loaded applications will be displayed at the
lower part of the page.
Figure 191 Load applications

Return to Application control task list.

Configuring a custom application


Select Security Setup > Application Control from the navigation tree, and then select the Custom
Application tab to enter the custom application list page, as shown in Figure 192. Click Add to enter the
page for configuring a custom application, as shown in Figure 193.
Figure 192 Custom applications


Figure 193 Add a custom application

Table 100 Custom application configuration items
Item | Description
Application Name | Specify the name for the custom application.
Protocol | Specify the protocol to be used for transferring packets, including TCP, UDP, and All. All means all IP carried protocols.
IP Address | Specify the IP address of the server of the applications to be controlled.
Port (Match Rule, Start Port, End Port) | Specify the port numbers of the applications to be controlled. When you select TCP or UDP for the Protocol parameter, the port configuration is available:
  If you do not want to limit port numbers, leave the match rule unselected. In this case, you do not need to enter the start port and end port.
  If you want to limit a range of ports, select Range for the match rule, and then enter the start port and end port to specify the port range.
  If you select other options of the match rule, you just need to enter the start port.

Return to Application control task list.

Enabling application control


Select Security Setup > Application Control from the navigation tree and the page of the Application
Control tab is displayed by default, as shown in Figure 194. Select the applications and protocols to be
controlled from the Loaded Applications, Predefined Applications, and Custom Applications areas as
needed, and then click Apply.


Figure 194 Application Control

Return to Application control task list.

Application control configuration example


Network requirements
As shown in Figure 195, internal users access the Internet through Router. Configure application control
on Router, so that no user can use MSN.
Figure 195 Network diagram for application control configuration
(Diagram labels: Internet; Router, interface Eth0/1.)

Configuration procedure
# Load the application control file (assume that signature file p2p_default.mtd, which can prevent the
use of MSN, is stored on the device).

Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab and perform the following configurations, as shown in Figure 196.

Figure 196 Load the application signature file

Select the radio button before From Device, and then select file p2p_default.

Click Apply. Figure 197 shows the loaded applications.

Figure 197 Loaded applications

# Enable application control.

Click the Application Control tab and then perform the following configurations, as shown in Figure
198.


Figure 198 Configure application control

Select MSN from the Loaded Applications area.

Click Apply.


Web page redirection configuration


Overview
With web page redirection configured on an interface, a user accessing a web page through the
interface for the first time is forcibly led to a specified web page. That is, the web access request of the
user is redirected to the specified URL. After that, the user can access network resources normally. If the
user sends a web access request after a specified time interval, the specified web page is displayed
again.
This feature is applicable to scenarios where a hotel or carrier wants to push an advertisement web page
periodically to users.

Configuring web page redirection


CAUTION:
Currently, web page redirection is ineffective on the interface with the portal function enabled. It is not
recommended to configure both functions on an interface.
Select Advanced > Redirection from the navigation tree to enter the page shown in Figure 199. The web
page redirection configuration information is displayed on the page. Click Add to enter the configuration
page shown in Figure 200.
Figure 199 Redirection page

Figure 200 Redirection URL configuration page

Table 101 describes the redirection URL configuration items.


Table 101 Redirection URL configuration items
Item | Description
Interface | Select an interface on which web page redirection is to be enabled.
Redirection URL | Type the address of the web page to be displayed, that is, the URL to which the web access request is redirected. For example, http://192.0.0.1.
Interval | Type the time interval at which web page redirection is triggered.

Route configuration
NOTE:
The term router in this document refers to both routers and Layer 3 switches.
This chapter mainly describes IPv4 route configuration.
You can perform the following route configurations through the web interface:

Creating a static route

Displaying the active route table

Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it then
forwards the packet to the destination host.
Routing provides the path information that guides the forwarding of packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
You can manually configure routes. Such routes are called static routes.
NOTE:
For more information about the routing table and static routes, see the H3C MSR Series Routers Layer
3 - IP Routing Configuration Guide.

Route configuration
Creating an IPv4 static route
Select Advanced > Route Setup from the navigation tree and then click the Create tab to enter the static
route configuration page, as shown in Figure 201.

Figure 201 Static route configuration page

Table 102 Static route configuration items
Item | Description
Destination IP Address | Type the destination IP address of the static route, in dotted decimal notation.
Mask | Type the mask of the destination IP address. You can type a mask length or a mask in dotted decimal notation.
Preference | Type a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
Next Hop | Type the next hop IP address of the static route, in dotted decimal notation.
Interface | Select the outgoing interface of the static route. If you select Null 0, the destination IP address is unreachable.

Displaying the active route table


Select Advanced > Route Setup from the navigation tree to display the Summary tab, as shown in Figure
202.
Figure 202 Active route table

Table 103 Description of the fields of the active route table
Field | Description
Destination IP Address | Destination IP address of the route
Mask | Mask of the destination IP address
Protocol | Routing protocol that discovered the route, including static route, direct route, and various dynamic routing protocols.
Preference | Preference for the route
Next Hop | Next hop address of the route
Interface | Output interface of the route. Packets destined for the destination IP address will be forwarded out the interface.

Static route configuration example


IPv4 static route configuration example
Network requirements
The routers' interfaces and the hosts' IP addresses and masks are shown in Figure 203. Configure static
routes on the routers so that any two hosts can communicate with each other.
Figure 203 Network diagram for static route configuration

Configuration considerations
1. Configure a default route with Router B as the next hop on Router A.
2. On Router B, configure one static route with Router A as the next hop and the other with Router C
as the next hop.
3. Configure a default route with Router B as the next hop on Router C.

Configuration procedure
1. Configure the IP addresses of the interfaces (omitted).

2. Configure static routes on the routers.

# Configure a default route on Router A.

Select Advanced > Route Setup from the navigation tree of Router A, and then click the Create tab
to perform the following settings on the page as shown in Figure 204.

Type 0.0.0.0 for Destination IP Address.

Type 0 for Mask.

Type 1.1.4.2 for Next Hop.

Click Apply.

Figure 204 Configure a default route on Router A

The newly created static route will be listed at the lower part of the page.
# Configure two static routes on Router B.

Select Advanced > Route Setup from the navigation tree of Router B, and then click the Create tab
to perform the following settings on the page as shown in Figure 204.

Type 1.1.2.0 for Destination IP Address.

Type 24 for Mask.

Type 1.1.4.1 for Next Hop.

Click Apply.

Type 1.1.3.0 for Destination IP Address.

Type 24 for Mask.

Type 1.1.5.6 for Next Hop.

Click Apply.

The newly created static route will be listed at the lower part of the page.
# Configure a default route on Router C.

Select Advanced > Route Setup from the navigation tree of Router C, and then click the Create tab
to perform the following settings on the page as shown in Figure 204.

Type 0.0.0.0 for Destination IP Address.

Type 0 for Mask.

Type 1.1.5.5 for Next Hop.

Click Apply.

The newly created static route will be listed at the lower part of the page.
3. Configure the IP addresses and default gateways of hosts.

As shown in Figure 203, configure the IP addresses of the hosts and configure the default gateways of
Host A, B, and C as 1.1.2.3, 1.1.6.1, and 1.1.3.1 respectively. The detailed configuration steps are not
covered.

Configuration verification
# Display the active route table.
From the navigation tree of Router A, Router B, and Router C respectively, select Advanced > Route Setup
to display the Summary tab. Verify that the newly created static routes are displayed in the active route
table.
# Ping Host A from Host B (assuming both hosts run Windows XP).
C:\Documents and Settings\Administrator>ping 1.1.2.2

Pinging 1.1.2.2 with 32 bytes of data:


Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.2.2:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

# Use the tracert command on Host B to check the reachability to Host A.


C:\Documents and Settings\Administrator>tracert 1.1.2.2

Tracing route to 1.1.2.2 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  1.1.6.1
  2    <1 ms    <1 ms    <1 ms  1.1.4.1
  3     1 ms    <1 ms    <1 ms  1.1.2.2

Trace complete.
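
The forwarding decisions behind the ping and tracert results above, as an added Python sketch that is not part of the H3C guide: it applies longest-mask matching and the smaller-number-wins preference rule to the static routes typed in this example, and the same function covers the load-sharing, route-backup and Null 0 cases from Table 102. The /30 masks on the router-to-router links and the preference values 0 (direct) and 60 (static) are assumptions, because Figure 203 and the default preference are not given on this page.

```python
import ipaddress

NULL0 = "Null 0"  # outgoing interface that discards matching packets


class Route:
    def __init__(self, prefix, next_hop=None, interface=None,
                 preference=60, proto="static"):
        self.net = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.interface = interface
        self.preference = preference  # smaller number = higher preference
        self.proto = proto


def active_routes(table, dst):
    """Routes that would forward dst: longest matching mask first, then the
    smallest preference value. More than one result means load sharing."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.net]
    if not matches:
        return []
    longest = max(r.net.prefixlen for r in matches)
    matches = [r for r in matches if r.net.prefixlen == longest]
    best = min(r.preference for r in matches)
    return [r for r in matches if r.preference == best]


def direct(prefix):
    # Directly connected network; preference 0 is an assumption of this sketch.
    return Route(prefix, proto="direct", preference=0)


# Interface addresses and static routes as typed in the configuration example.
# The /30 link masks are assumed; static routes use a placeholder preference.
ROUTERS = {
    "Router A": {
        "addrs": {"1.1.2.3", "1.1.4.1"},
        "table": [direct("1.1.2.0/24"), direct("1.1.4.0/30"),
                  Route("0.0.0.0/0", next_hop="1.1.4.2")],
    },
    "Router B": {
        "addrs": {"1.1.6.1", "1.1.4.2", "1.1.5.5"},
        "table": [direct("1.1.6.0/24"), direct("1.1.4.0/30"),
                  direct("1.1.5.4/30"),
                  Route("1.1.2.0/24", next_hop="1.1.4.1"),
                  Route("1.1.3.0/24", next_hop="1.1.5.6")],
    },
    "Router C": {
        "addrs": {"1.1.3.1", "1.1.5.6"},
        "table": [direct("1.1.3.0/24"), direct("1.1.5.4/30"),
                  Route("0.0.0.0/0", next_hop="1.1.5.5")],
    },
}


def owner(addr):
    """Name of the router that owns an interface address, or None."""
    for name, router in ROUTERS.items():
        if addr in router["addrs"]:
            return name
    return None


def trace(gateway, dst, max_hops=30):
    """Addresses that answer a traceroute entering the network at gateway."""
    hops, addr = [], gateway
    for _ in range(max_hops):
        hops.append(addr)
        if addr == dst:
            return hops
        router = owner(addr)
        if router is None:
            return hops + ["no such hop"]
        routes = active_routes(ROUTERS[router]["table"], dst)
        if not routes or routes[0].interface == NULL0:
            return hops + ["unreachable"]
        route = routes[0]
        # A direct route delivers to the destination; otherwise go to next hop.
        addr = dst if route.proto == "direct" else route.next_hop
    return hops + ["hop limit reached"]


if __name__ == "__main__":
    print(trace("1.1.6.1", "1.1.2.2"))
```

Removing the 1.1.2.0/24 route from Router B in this model makes the trace end in "unreachable" at the first hop, which is the symptom to look for when the active route table on the Summary tab is missing an entry.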

Precautions
1. If you do not specify the preference when configuring a static route, the default preference will be
used. Reconfiguration of the default preference applies only to newly created static routes.
Currently, the Web interface does not support configuration of the default preference.

2. When configuring a static route, the static route does not take effect if you specify the next hop
address first and then configure it as the IP address of a local interface, such as an Ethernet
interface and VLAN interface.

3. When specifying the output interface, note the following:

   If Null 0 or a loopback interface is specified as the output interface, there is no need to configure
   the next hop.

   If a point-to-point interface is specified as the output interface, you do not need to specify the next
   hop, and there is no need to change the configuration after the peer address has changed. For
   example, a PPP interface obtains the peer's IP address through PPP negotiation, and therefore you
   only need to specify it as the output interface.

   If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint networks,
   the IP address-to-link layer address mapping must be established. H3C recommends specifying the
   next hop when you configure it as the output interface.

   If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or VLAN
   interface) as the output interface, which can have multiple next hops, you must specify the next hop
   at the same time.

User-based load sharing


You can configure user-based load sharing in the web interface.

Overview
A routing protocol can have multiple equal-cost routes to the same destination. These routes have the
same preference and will all be used to accomplish load sharing if no route with a higher preference is
available.
The device supports user-based load sharing based on the user information (source IP addresses) of
packets.

Configuring user-based load sharing


Select Advanced > User-based-sharing from the navigation tree to enter the page shown in Figure 205,
where interface configuration is displayed. Click the
icon to enter the Modify configuration page, as
shown in Figure 206.
Figure 205 User-based load sharing

Figure 206 Modify configuration

Table 104 Configuration items of user-based load sharing
Item | Description
Interface | Name of the interface where user-based load sharing will be configured
Status of user-based-sharing | Set whether to enable user-based load sharing on the interface.
Bandwidth | Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface. For example, if the bandwidth of Ethernet 0/0 is set to 200 kbps, and that of Ethernet 0/1 is set to 100 kbps, then the load ratio is 2:1.

Traffic ordering
You can do the following to configure traffic ordering on the web interface:

Setting the traffic ordering interval

Specifying the traffic ordering mode

Displaying internal interface traffic ordering statistics

Displaying external interface traffic ordering statistics

Overview
When multiple packet flows (classified by their source addresses) are received or sent by a device, you
can configure IP traffic ordering on the device to collect statistics of the flows in the inbound/outbound
direction and then rank the statistics. The network administrator can use the traffic ordering statistics to
analyze the network usage for network management.
An interface can be specified as an external or internal interface to collect traffic statistics:

An internal interface collects both inbound and outbound traffic statistics, including total traffic
statistics, total inbound/outbound traffic statistics, inbound/outbound TCP packet statistics,
inbound/outbound UDP packet statistics, and inbound/outbound ICMP packet statistics.

An external interface collects only the total inbound traffic statistics.

Configuring traffic ordering


Configuration overview
Table 105 Traffic ordering configuration task list
Task | Remarks
Setting the traffic ordering interval | Optional. The default traffic ordering interval is 10 seconds.
Specifying the traffic ordering mode | Required. Specify an interface as an internal or external interface to collect traffic statistics. By default, an interface does not collect traffic statistics.
Displaying internal interface traffic ordering statistics; Displaying external interface traffic ordering statistics | Optional. You can view the traffic ordering statistics of internal or external interfaces.

Setting the traffic ordering interval


Select Advanced > Traffic Ordering from the navigation tree to enter the default configuration page, as
shown in Figure 207. You can set the interval for collecting traffic statistics in the lower part of the page.
Figure 207 Traffic ordering configuration page

Return to Traffic ordering configuration task list.

Specifying the traffic ordering mode


Select Advanced > Traffic Ordering from the navigation tree to enter the page as shown in Figure 207.
You can view and configure the interface for collecting traffic statistics in the upper part of the page.
Select one or more check boxes in front of the interfaces in the list:

Click Internal interface to set the interface(s) as the internal interface(s) to collect traffic statistics.

Click External interface to set the interface(s) as the external interface(s) to collect traffic statistics.

Click Disable statistics collecting to disable the interface(s) from collecting traffic statistics.

Return to Traffic ordering configuration task list.

Displaying internal interface traffic ordering statistics


Select Advanced > Traffic Ordering from the navigation tree and click the Statistics of Internal Interfaces
tab to enter the page, as shown in Figure 208.
By default, the system arranges the entries in descending order of the total traffic statistics, and displays
the top five entries. Select one item from the Arrange in drop-down list, type a number in the Number of
entries displayed field, and then click Refresh to display the list as needed.
Figure 208 Internal interface traffic ordering statistics page

Return to Traffic ordering configuration task list.

Displaying external interface traffic ordering statistics


Select Advanced > Traffic Ordering from the navigation tree and click the Statistics of External Interfaces
tab to enter the page, as shown in Figure 209.
By default, the system arranges the entries in descending order of the total inbound traffic statistics, and
displays the top five entries. Select one item from the Arrange in drop-down list, type a number in the
Number of entries displayed field, and then click Refresh to display the list as needed.
Figure 209 External interface traffic ordering statistics page

Return to Traffic ordering configuration task list.

DNS configuration
You can do the following to configure DNS on the web interface:

Enabling dynamic domain name resolution

Enabling DNS proxy

Clearing the dynamic domain name cache

Specifying a DNS server

Configuring a domain name suffix

DNS overview
Domain Name System (DNS) is a distributed database that provides TCP/IP applications with the
mappings between host names and IP addresses. With DNS, you can use easy-to-remember host names
in some applications and let the DNS server translate them into correct IP addresses.
NOTE:
For more information about DNS, see the H3C MSR Series Routers Layer 3 - IP Services Configuration
Guide.

DNS provides the following functions:

Dynamic domain name resolution: Implemented by querying the DNS server.

DNS proxy: Forwards DNS requests and replies between the DNS client and DNS server.

Configuring DNS
Configuration overview
Configuring dynamic domain name resolution
Table 106 describes the recommended configuration procedures.
Table 106 Dynamic domain name resolution configuration task list
Task | Remarks
Enabling dynamic domain name resolution | Required. Enable dynamic domain name resolution. Disabled by default.
Specifying a DNS server | Required. Not specified by default. You can specify up to six DNS servers.
Configuring a domain name suffix | Optional. A suffix is used when the name to be resolved is incomplete. The system can supply the missing part. For example, a user can configure com as the suffix for aabbcc.com. The user only needs to type aabbcc to obtain the IP address of aabbcc.com because the system adds the suffix and delimiter before passing the name to the DNS server. Not configured by default. You can configure up to ten DNS suffixes.
Clearing the dynamic domain name cache | Optional. Clear the dynamic IPv4 domain name cache. The DNS client stores the latest mappings between domain names and IP addresses in the dynamic domain name cache. For a repeated query, the DNS client searches the cache rather than sending a request to the DNS server. The mappings are aged out from the cache after a certain time. You can also manually clear the cache.

Enabling DNS proxy


Table 107 DNS proxy configuration task list
Task | Remarks
Enabling DNS proxy | Required. Enable DNS proxy on the device. Disabled by default.
Specifying a DNS server | Required. Not specified by default. You can specify up to six DNS servers.

Enabling dynamic domain name resolution


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to enter the configuration
page as shown in Figure 210.
Select Enable for Dynamic DNS and click Apply.

Figure 210 Dynamic domain name resolution configuration

Enabling DNS proxy


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to enter the configuration
page as shown in Figure 210.
Select Enable for DNS Proxy and click Apply.

Clearing the dynamic domain name cache


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to enter the configuration
page as shown in Figure 210.
Select the Clear Dynamic DNS cache check box and click Apply.

Specifying a DNS server


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to enter the configuration
page as shown in Figure 210.
Click Add IP to enter the page as shown in Figure 211.

Figure 211 Add a DNS server address

Table 108 DNS server address configuration items
Item | Description
DNS Server IP Address | Type the IP address of a DNS server.

Configuring a domain name suffix


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to enter the configuration
page as shown in Figure 210.
Click Add Suffix to enter the configuration page as shown in Figure 212.
Figure 212 Add a domain name suffix

Table 109 Domain name suffix configuration items
Item | Description
DNS Domain Name Suffix | Configure a domain name suffix.

Domain name resolution configuration example


Network requirements

As shown in Figure 213, Router B serves as a DNS client and Router A is specified as a DNS server.
Dynamic domain name resolution and the domain name suffix are configured on Router B, and thus
Router B can use domain name host to access the host with the domain name host.com and the IP
address 3.1.1.1/24.

Router A serves as the DNS proxy. The IP address of the actual DNS server is 4.1.1.1/24.

Router B performs domain name resolution via Router A.

Figure 213 Network diagram of dynamic domain name resolution (diagram labels: Router B, DNS client; Router A, DNS proxy; DNS server, 4.1.1.1/24; Host, host.com, 3.1.1.1/24; IP network; interface addresses 2.1.1.1/24, 2.1.1.2/24, and 1.1.1.1/24)

Configuration procedure
NOTE:
Before performing the following configuration, make sure that the device and the host are routable to
each other, and the IP addresses of the interfaces are configured as shown in Figure 213.
This configuration may vary with different DNS servers. The following configuration is performed on a
PC running Windows server 2000.
1. Configure the DNS server

# Enter the DNS server configuration page.


Select Start > Programs > Administrative Tools > DNS.
# Create zone com.
As shown in Figure 214, right click Forward Lookup Zones, select New zone, and then follow the
instructions to create a new zone named com.
Figure 214 Create a zone

# Create a mapping between the host name and the IP address.


Figure 215 Add a host

In Figure 215, right click zone com, and then select New host to bring up a dialog box as shown in Figure
216. Enter host name host and IP address 3.1.1.1.

Figure 216 Add a mapping between domain name and IP address

2. Configure the DNS proxy (Router A).

# Enable DNS proxy on Router A.

Select Advanced > DNS Setup > DNS Configuration from the navigation tree to enter the
configuration page, as shown in Figure 217.

Figure 217 Enable DNS proxy on Router A

Select Enable for DNS Proxy.

Click Apply.

# Specify the DNS server address.

Click Add IP to enter the page as shown in Figure 218.

Figure 218 Specify a DNS server address

Type 4.1.1.1 in DNS Server IP Address.

Click Apply.

3. Configure the DNS client (Router B).

# Enable dynamic domain name resolution.

Select Advanced > DNS Setup > DNS Configuration from the navigation tree to enter the
configuration page, as shown in Figure 219.

Figure 219 Enable dynamic domain name resolution

Select Enable for Dynamic DNS.

Click Apply.

# Specify the DNS server address.

Click Add IP to enter the page as shown in Figure 220.

Figure 220 Specify the DNS server address

Type 2.1.1.2 in DNS Server IP Address.

Click Apply.

# Configure the domain name suffix.

Click Add suffix to enter the page as shown in Figure 221.

Figure 221 Configure DNS domain name suffix

Type com in DNS Domain Name Suffix.

Click Apply.

Configuration verification
Select Other > Diagnostic Tools from the navigation tree and click the Ping tab. Use the ping host
command to verify that the communication between Router B and the host is normal and that the
corresponding destination IP address is 3.1.1.1.

DDNS configuration
DDNS overview
Although DNS allows you to access nodes in networks using their domain names, it provides only the
static mappings between domain names and IP addresses. When you use the domain name to access
a node whose IP address has changed, your access will fail because DNS leads you to the IP address
that is no longer where the node resides.
Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names
and IP addresses for DNS servers to direct you to the latest IP address corresponding to a domain name.
Figure 222 DDNS networking application

As shown in Figure 222, DDNS works on the client-server model comprising the DDNS client and the
DDNS server.

DDNS client: A device that needs to update the mapping between the domain name and the IP
address dynamically. An Internet user usually uses the domain name to access an application layer
server such as an HTTP and FTP server. When its IP address changes, the application layer server
runs as a DDNS client that sends a request to the DDNS server for updating the mapping between
the domain name and the IP address.

DDNS server: Informs the DNS server of latest mappings. When receiving the mapping update
request from a DDNS client, the DDNS server tells the DNS server to re-map between the domain
name and IP address of the DDNS client. Therefore, the Internet users can use the same domain
name to access the DDNS client even if the IP address of the DDNS client has changed.

NOTE:
The DDNS update process does not have a unified standard and depends on the DDNS server that the
DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn
(also known as the PeanutHull server), and www.dyndns.com.
With the DDNS client configured, a device can dynamically update the latest mapping between its
domain name and IP address on the DNS server through a DDNS server at www.3322.org or
www.oray.cn for example.
Configuration prerequisites

Visit the website of a DDNS service provider, register an account, and apply for a domain name for
the DDNS client.

Specify the primary IP address of the interface and make sure that the DDNS server and the
interface can reach each other.

Configure static or dynamic domain name resolution to translate the domain name of the DDNS
server into its IP address.

Configuration procedure
Select Advanced > DNS Setup > DDNS Configuration from the navigation tree to enter the DDNS page,
as shown in Figure 223. Click Add to configure a DDNS entry, as shown in Figure 224.
Figure 223 DDNS configuration page

Figure 224 Create a DDNS entry

Table 110 DDNS configuration items
Group | Item | Description
(none) | Domain Name | Specify the DDNS entry name, which is the only identifier of the DDNS entry.
Server Settings | Server Provider | Select the DDNS server provider, which can be 3322.org or PeanutHull.
Server Settings | Server Name | Specify the server name of the DDNS server for domain name resolution. IMPORTANT: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org; if the server provider is PeanutHull, the server name is phservice2.oray.net. H3C recommends that you not change the server name of server provider 3322.org, but you can use the server name, such as phservice2.oray.net, phddns60.oray.net, client.oray.net, or ph031.orat.net, for server provider PeanutHull.
Server Settings | Interval | Specify the interval for sending DDNS update requests after DDNS update is enabled. IMPORTANT: A DDNS update request is immediately initiated when the primary IP address of the interface changes or the link state of the interface changes from down to up, no matter whether the interval is reached. If you specify the interval as 0, your device will not periodically initiate any DDNS update request, but will initiate a DDNS update request when the primary IP address of the interface is changed or the link state of the interface changes from down to up.
Account Settings | Username | Specify the username used for logging in to the DDNS server.
Account Settings | Password | Specify the password used for logging in to the DDNS server.
Other Settings | Associated Interface | Select an interface to which the DDNS policy is applied. The IP address in the host name-to-IP address mapping for update is the primary IP address of the interface. IMPORTANT: You can bind up to four DDNS entries to an interface.
Other Settings | FQDN | Specify the Fully Qualified Domain Name (FQDN) in the IP-to-FQDN mapping for update. If the DDNS service is provided by www.3322.org, the FQDN must be specified; otherwise, DDNS update may fail. If the DDNS server is a PeanutHull server and no FQDN is specified, the DDNS server will update all the corresponding domain names of the DDNS client account; if an FQDN is specified, the DDNS server will update only the specified IP-to-FQDN mapping.

DDNS configuration example


Network requirements

As shown in Figure 225, Router is a Web server with the domain name whatever.3322.org.

Router acquires an IP address through DHCP. Through DDNS service provided by www.3322.org,
Router informs the DNS server of the latest mapping between its domain name and IP address.

The IP address of the DNS server is 1.1.1.1. Router uses the DNS server to translate www.3322.org
into the corresponding IP address.

Figure 225 Network diagram for DDNS

Configuration procedure
NOTE:
Before configuring DDNS on Router, register at http://www.3322.org/ (username Steven and
password nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and
make sure that the devices are reachable to each other.
# Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1 (omitted).
# Configure DDNS.

Select Advanced > DNS Setup > DDNS Configuration from the navigation tree, and then click Add
to enter the page, as shown in Figure 226.

Figure 226 Configure DDNS

Type 3322 in Domain Name.

Select 3322.org from the Server Provider drop-down list.

Type steven in Username.


Type nevets in Password.

Select Ethernet0/1 from the Associated Interface drop-down list.

Type whatever.3322.org in FQDN.

Click Apply.

After the preceding configuration is completed, Router will notify the DNS server of its new domain
name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP
address changes. Therefore, Router can always provide Web service at whatever.3322.org.

DHCP configuration
You can do the following to configure DHCP on the web interface:

Enabling DHCP

Configuring DHCP interface setup

Configuring a static address pool for the DHCP server

Configuring a dynamic address pool for the DHCP server

Configuring IP addresses excluded from dynamic allocation

Configuring a DHCP server group

Introduction to DHCP
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 227 shows a typical DHCP application.
Figure 227 A typical DHCP application

A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet via a DHCP relay agent, as shown in Figure 228.

Figure 228 A typical DHCP relay agent application (diagram labels: DHCP clients, DHCP relay agent, IP network, DHCP server)

NOTE:
For more information about DHCP, see the H3C MSR Series Routers Layer 3 - IP Services Configuration
Guide.

Configuring DHCP
Configuration overview
Configuring the DHCP server
Perform the tasks in Table 111 to configure the DHCP server.
Table 111 DHCP server configuration task list
Task | Remarks
Enabling DHCP | Required. Enable DHCP globally. Disabled by default.
Configuring the DHCP server on an interface | Optional. For detailed configuration, see Configuring DHCP interface setup. Enabled by default. IMPORTANT: At present, the DHCP server configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, serial interface, ATM interface, MP-group interface, or loopback interface.
Configuring a static address pool for the DHCP server; Configuring a dynamic address pool for the DHCP server | Required. An address pool can be either static or dynamic, but not both. IMPORTANT: When a DHCP client tries to obtain an IP address through a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured. Otherwise, the DHCP client will fail to obtain an IP address.
Configuring IP addresses excluded from dynamic allocation | Optional. Exclude IP addresses from automatic allocation in the DHCP address pool. To avoid address conflicts, the DHCP server excludes IP addresses used by the gateway or FTP server from dynamic allocation. By default, all IP addresses in the address pool, except the IP address of the DHCP server, can be assigned automatically. IMPORTANT: If a static bound IP address is excluded from automatic allocation, it is still assignable to the bound user.
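
The allocation rules stated in Table 111, as an added Python sketch that is not H3C code: a pool is chosen by the segment the request arrived through, excluded addresses are skipped for dynamic clients, and a static binding is honoured even when its address is excluded. All addresses and MACs are constructed; `segment_ip` is a name chosen here for the relay agent interface address carried in a relayed request (the giaddr field in RFC 2131), and keeping statically bound addresses out of dynamic allocation is a modelling assumption.

```python
import ipaddress


class DhcpServer:
    """Address selection only: no lease timers, options or packet parsing."""

    def __init__(self, server_ip):
        self.server_ip = ipaddress.ip_address(server_ip)
        self.dynamic_pools = []    # ip_network objects
        self.static_bindings = {}  # client MAC -> bound address (static pools)
        self.excluded = set()      # addresses barred from dynamic allocation
        self.leases = {}           # address -> client MAC

    def add_dynamic_pool(self, network):
        self.dynamic_pools.append(ipaddress.ip_network(network))

    def add_static_binding(self, mac, address):
        self.static_bindings[mac] = ipaddress.ip_address(address)

    def exclude(self, first, last=None):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last or first))
        for value in range(lo, hi + 1):
            self.excluded.add(ipaddress.ip_address(value))

    def allocate(self, mac, segment_ip):
        """segment_ip is the address the request arrived through: the relay
        agent interface for relayed requests, else the server's interface."""
        # A static binding wins, even if the address is on the excluded list.
        if mac in self.static_bindings:
            address = self.static_bindings[mac]
            self.leases[address] = mac
            return str(address)
        # A client that already holds a lease keeps it.
        for address, holder in self.leases.items():
            if holder == mac:
                return str(address)
        segment = ipaddress.ip_address(segment_ip)
        pool = next((p for p in self.dynamic_pools if segment in p), None)
        if pool is None:
            return None  # no pool on that segment: the client gets no address
        reserved = set(self.static_bindings.values())
        for address in pool.hosts():
            if (address in self.excluded or address in reserved
                    or address in self.leases or address == self.server_ip):
                continue
            self.leases[address] = mac
            return str(address)
        return None  # pool exhausted


if __name__ == "__main__":
    server = DhcpServer("10.1.1.1")
    server.add_dynamic_pool("10.1.2.0/24")
    # Without an exclusion, the relay agent's own address is handed out.
    print(server.allocate("00:00:5e:00:53:04", "10.1.2.1"))
```

The stand-alone run prints 10.1.2.1, the relay agent's own address, which is the address conflict that excluding gateway addresses prevents.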

Configuring the DHCP relay agent


Perform the tasks in Table 112 to configure the DHCP relay agent.
Table 112 DHCP relay agent configuration task list
Task

Remarks
Required

Enabling DHCP

Enable DHCP globally.


Disabled by default.
Required

Configuring a DHCP server group

To improve reliability, you can specify several DHCP servers as a


group on the DHCP relay agent and correlate a relay agent interface
with the server group. When the interface receives DHCP requests
from clients, the relay agent will forward them to all the DHCP servers
of the group.
Required
For the detailed configuration, see Configuring DHCP interface
setup.
By default, the interface works as DHCP server.

Configure the DHCP relay agent on the


current interface and correlate it with
the DHCP server group.

IMPORTANT:

At present, the DHCP relay agent configuration is supported only


on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet
interface, VLAN interface, Layer 3 aggregate interface, or serial
interface.

If the DHCP relay agent is enabled on an Ethernet subinterface, a


packet received from a client on this interface must contain a VLAN
tag, and the VLAN tag must be consistent with the VLAN ID of the
subinterface. Otherwise, the packet is discarded.


Configuring the DHCP client


Perform the tasks in Table 113 to configure the DHCP client.
Table 113 DHCP client configuration task list
Task: Configure the DHCP client on an interface
Remarks: Required
For detailed configuration, see Configuring DHCP interface setup.
By default, the interface does not obtain an IP address through DHCP.
IMPORTANT:
At present, the DHCP client configuration is supported only on a Layer 3 interface (or subinterface), VLAN interface, or Layer 3 aggregate interface. You cannot configure an interface of an aggregation group as a DHCP client.

Enabling DHCP
Select Advanced > DHCP Setup from the navigation tree to enter the default DHCP Enable page as shown
in Figure 229.
Figure 229 DHCP Enable

Table 114 DHCP global configuration items


Item

Description

DHCP

Enable or disable DHCP globally.

Configuring DHCP interface setup


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
enter the DHCP interface setup configuration page as shown in Figure 230.


Figure 230 DHCP interface setup

Table 115 DHCP interface setup configuration items


Item: Interface
Description: Select an interface to be configured.

Item: Type
Description: Select a type for the interface, which can be:
None: Upon receiving a DHCP request, the interface neither assigns an IP address to the requesting client nor serves as a DHCP relay agent to forward the request.
Server: Upon receiving a DHCP request, the interface assigns the requesting client an IP address from the address pool.
Relay: Upon receiving a DHCP request, the interface forwards the request to an external DHCP server, which will assign an IP address for the requesting client.
Client: The interface uses DHCP to obtain an IP address.

Item: DHCP server group
Description: Correlate the relay agent interface with a DHCP server group.
You can correlate a DHCP server group with multiple interfaces. Make sure that you have already added DHCP server groups for selection.

Configuring a static address pool for the DHCP server


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
enter the DHCP interface setup configuration page as shown in Figure 230.
Click on the Server radio button in the Type field, and then expand the Assignable IP Addresses node.
Click on the Static Binding radio button in the Address Allocation Mode field to expand the static address
pool setup configuration section, as shown in Figure 231.


Figure 231 Static address pool setup for the DHCP server

Table 116 DHCP static address pool configuration items


Item: Pool Name
Description: Name of the static DHCP address pool

Item: Address Allocation Mode: Static Binding
Description: Specify the static address allocation mode for the DHCP address pool.

Item: IP Address, Subnet Mask
Description: IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified.
IMPORTANT:
It cannot be the IP address of the DHCP server interface; otherwise, IP address conflicts may occur, and the client cannot obtain the IP address.

Item: MAC Address
Description: A client's MAC address of the static binding

Item: Domain Name
Description: Specify a domain name suffix for the DHCP client.
After specifying a domain name in the address pool, the DHCP server assigns the domain name along with an IP address to a client.

Item: Gateway IP Address
Description: Specify a gateway for the DHCP client.
DHCP clients that want to access hosts outside the local subnet need a gateway to forward data. After specifying a gateway in the address pool, the DHCP server assigns the gateway address along with an IP address to a client.

Item: Primary DNS Server
Description: Specify a primary DNS server for the DHCP client.
In order for clients to access the Internet using a domain name, the DHCP server assigns the specified DNS server address along with an IP address to a client.

Item: Standby DNS Server
Description: Specify a standby DNS server for the DHCP client.

Configuring a dynamic address pool for the DHCP server


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
enter the DHCP interface setup configuration page as shown in Figure 230.
Click on the Server radio button in the Type field, and then expand the Assignable IP Addresses node.
Click on the Dynamic Allocation radio button in the Address Allocation Mode field to expand the
dynamic address pool setup configuration section as shown in Figure 232.


Figure 232 Dynamic address pool setup for the DHCP server

Table 117 DHCP dynamic address pool configuration items


Item: Pool Name
Description: Name of the dynamic DHCP address pool

Item: Address Allocation Mode: Dynamic Allocation
Description: Specify the dynamic address allocation mode for the DHCP address pool.

Item: IP Address, Subnet Mask
Description: Specify an IP address for dynamic address allocation. A natural mask is adopted if no subnet mask is specified.
IMPORTANT:
Make sure the IP address is on the same network segment as the IP address of the DHCP server interface or the DHCP relay agent interface to avoid wrong IP address allocation.

Item: Lease Duration
Description: Specify the lease for IP addresses to be assigned.
NOTE:
If the lease has an end time specified later than the year 2106, the system considers it an expired lease.
The lease duration does not have the inherit attribute.

Item: Domain Name
Description: Specify a domain name suffix for the DHCP client.
After specifying a domain name in the address pool, the DHCP server assigns the domain name along with an IP address to a client.

Item: Gateway IP Address
Description: Specify a gateway for the DHCP client.
DHCP clients that want to access hosts outside the local subnet need a gateway to forward data. After specifying a gateway in the address pool, the DHCP server assigns the gateway address along with an IP address to a client.

Item: Primary DNS Server
Description: Specify a primary DNS server for the DHCP client.
In order for clients to access the Internet using a domain name, the DHCP server assigns the specified DNS server address along with an IP address to a client.

Item: Standby DNS Server
Description: Specify a standby DNS server for the DHCP client.

Configuring IP addresses excluded from dynamic allocation


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
enter the DHCP interface setup configuration page as shown in Figure 230.
Click on the Server radio button in the Type field, and then expand the Forbidden IP Addresses node, as
shown in Figure 233.


Figure 233 IP address excluded from dynamic allocation setup

Table 118 Configuration items to exclude IP addresses from dynamic allocation


Item: Start IP Address
Description: Specify the lowest IP address excluded from dynamic allocation.

Item: End IP Address
Description: Specify the highest IP address excluded from dynamic allocation.
The end IP address must not be lower than the start IP address. A higher end IP address and a lower start IP address specify an IP address range while two identical IP addresses specify a single IP address.

Configuring a DHCP server group


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
enter the DHCP interface setup configuration page as shown in Figure 230.
Select an interface that supports DHCP relay agent, click on the Relay radio button in the Type field, and
then expand the Add DHCP Server Group node, as shown in Figure 234.


Figure 234 DHCP server group setup

Table 119 DHCP server group configuration items


Item: Group ID
Description: DHCP server group ID.
You can create at most 20 DHCP server groups.

Item: Server IP Address
Description: Specifies the DHCP server IP addresses for the DHCP server group.
IMPORTANT:
The IP address of a DHCP server cannot be on the same network segment as that of the DHCP relay agent interface; otherwise, DHCP clients may fail to obtain IP addresses.

DHCP configuration examples


There are two typical DHCP network types:

The DHCP server and clients are on the same subnet and directly exchange DHCP messages.

The DHCP server and clients are not on the same subnet and communicate with each other via a
DHCP relay agent.

The DHCP server configuration for the two types is the same.


DHCP configuration example without DHCP relay agent


Network requirements

The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is
subnetted into 10.1.1.0/25 and 10.1.1.128/25.

The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25
respectively.

In subnet 10.1.1.0/25, the lease is ten days and twelve hours, the domain name suffix is
aabbcc.com, the DNS server address is 10.1.1.2/25, and the gateway address is 10.1.1.126/25.

In subnet 10.1.1.128/25, the lease is five days, the domain name suffix is aabbcc.com, the DNS
server address is 10.1.1.2/25, and the gateway address is 10.1.1.254/25.

Subnets 10.1.1.0/25 and 10.1.1.128/25 have the same domain name suffix and DNS server
address. Therefore, the domain name suffix and DNS server address need to be configured only for
subnet 10.1.1.0/24. Subnet 10.1.1.0/25 and 10.1.1.128/25 can inherit the configuration of subnet
10.1.1.0/24.

Router B (DHCP client) obtains a static IP address, DNS server address, and gateway address from
Router A (DHCP server).

Figure 235 DHCP network without a DHCP relay agent
[Network diagram. Labels: Router A (DHCP server) with Eth0/1 10.1.1.1/25 and Eth0/2 10.1.1.129/25; Router B (client) with Eth0/1; Gateway A 10.1.1.126/25; Gateway B 10.1.1.254/25; DNS server; hosts labelled 10.1.1.2/25 and 10.1.1.4/25; further clients on both subnets.]

Configuration procedure
1. Configure the DHCP server (Router A).

# Specify IP addresses for interfaces (omitted).


# Enable DHCP.

Select Advanced > DHCP Setup from the navigation tree of Router A to enter the default DHCP
Enable page and perform the following operations, as shown in Figure 236.


Figure 236 Enable DHCP

Click on the Enable radio button in the DHCP field.

Click Apply.

# Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on interface
Ethernet 0/1. This procedure is omitted.)
# Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B.

Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 237.


Figure 237 DHCP static address pool configuration

Click on the Server radio button in the Type field.

Expand the Assignable IP Addresses node.

Type pool-static in the Pool Name field.

Click on the Static Binding radio button in the Address Allocation Mode field.

Type 10.1.1.5 in the IP Address field.

Select the Subnet Mask checkbox, and then type 255.255.255.128.

Type 000f-e200-0002 in the MAC Address field.

Select the Gateway IP Address checkbox, and then type 10.1.1.126.

Select the Primary DNS Server checkbox, and then type 10.1.1.2.

Click Apply.

# Configure DHCP address pool 0 (including the address range, client domain name suffix and DNS
server address).


Figure 238 DHCP address pool 0 configuration

Type pool0 in the Pool Name field, as shown in Figure 238.

Click on the Dynamic Allocation radio button in the Address Allocation Mode field.

Type 10.1.1.0 in the IP Address field.

Select the Subnet Mask checkbox, and then type 255.255.255.0.

Select the Domain Name checkbox, and then type aabbcc.com.

Select the Primary DNS Server checkbox, and then type 10.1.1.2.

Click Apply.

# Configure DHCP address pool 1 (including the address range, lease duration, and gateway address).


Figure 239 DHCP address pool 1 configuration

Type pool1 in the Pool Name field, as shown in Figure 239.

Select Dynamic Allocation in the Address Allocation Mode field.

Type 10.1.1.0 in the IP Address field.

Select the Subnet Mask checkbox, and then type 255.255.255.128.

Set the Lease Duration to 10 days, 12 hours, and 0 minutes.

Select the Gateway IP Address checkbox, and then type 10.1.1.126.

Click Apply.

# Configure DHCP address pool 2 (including the address range, lease duration and gateway IP
address).


Figure 240 DHCP address pool 2 configuration

Type pool2 in the Pool Name field, as shown in Figure 240.

Click on the Dynamic Allocation radio button in the Address Allocation Mode field.

Type 10.1.1.128 in the IP Address field.

Select the Subnet Mask checkbox, and then type 255.255.255.128.

Set the Lease Duration to 5 days, 0 hours, and 0 minutes.

Select the Gateway IP Address checkbox, and then type 10.1.1.254.

Click Apply.

# Exclude IP addresses from dynamic allocation (DNS server and gateway addresses).

Expand the Forbidden IP Addresses node and perform the following operations, as shown in Figure
241.


Figure 241 Exclude IP addresses from dynamic allocation

Type 10.1.1.2 in the Start IP Address field.

Type 10.1.1.2 in the End IP Address field.

Click Apply.

Type 10.1.1.126 in the Start IP Address field, as shown in Figure 241.

Type 10.1.1.126 in the End IP Address field.

Click Apply.

Type 10.1.1.254 in the Start IP Address field, as shown in Figure 241.

Type 10.1.1.254 in the End IP Address field.

Click Apply.

2. Configure the DHCP client (Router B)

# Enable the DHCP client on interface Ethernet 0/1.

Select Advanced > DHCP Setup from the navigation tree of Router B, and then click the DHCP
Interface Setup tab and perform the following operations, as shown in Figure 242.


Figure 242 Enable the DHCP client on interface Ethernet 0/1

Select Ethernet0/1 from the Interface drop-down list.

Click on the Client radio button in the Type field.

Click Apply.

3. Configure the DHCP client (Router C)

# Enable the DHCP client on interface Ethernet 0/1.

Select Advanced > DHCP Setup from the navigation tree of Router C, and then click the DHCP
Interface Setup tab, as shown in Figure 242.

Select Ethernet0/1 from the Interface drop-down list.

Click on the Client radio button in the Type field.

Click Apply.
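The constraints stated in the tables above (natural mask, static binding versus server interface address, pool segment, exclusion range order, relay server segment) can be checked before the values are typed into the web pages. The following Python sketch is an added example, not H3C code; its data structures and function names are hypothetical, and the sample plan is constructed from the Router A values in the example above.

```python
import ipaddress

# Constructed input: the address plan of the example above (Router A is the DHCP server).
INTERFACES = {"Ethernet0/1": "10.1.1.1/25", "Ethernet0/2": "10.1.1.129/25"}
POOLS = [
    {"name": "pool-static", "mode": "static", "ip": "10.1.1.5", "mask": "255.255.255.128",
     "gateway": "10.1.1.126", "dns": "10.1.1.2"},
    {"name": "pool0", "mode": "dynamic", "ip": "10.1.1.0", "mask": "255.255.255.0",
     "dns": "10.1.1.2"},
    {"name": "pool1", "mode": "dynamic", "ip": "10.1.1.0", "mask": "255.255.255.128",
     "gateway": "10.1.1.126"},
    {"name": "pool2", "mode": "dynamic", "ip": "10.1.1.128", "mask": "255.255.255.128",
     "gateway": "10.1.1.254"},
]
EXCLUDED = [("10.1.1.2", "10.1.1.2"), ("10.1.1.126", "10.1.1.126"),
            ("10.1.1.254", "10.1.1.254")]


def natural_prefix(ip):
    """Classful ("natural") prefix length, adopted when no subnet mask is given."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24


def pool_network(pool):
    """Network covered by a pool entry, falling back to the natural mask."""
    mask = pool.get("mask") or natural_prefix(pool["ip"])
    return ipaddress.ip_network(f"{pool['ip']}/{mask}", strict=False)


def is_excluded(addr, excluded):
    """True if addr lies inside one of the (start, end) exclusion ranges."""
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
               for lo, hi in excluded)


def lint_server(interfaces, pools, excluded):
    """Return findings for a DHCP server plan.

    interfaces: server interfaces plus any relay agent interfaces that front a pool.
    """
    findings = []
    if_addrs = [ipaddress.ip_interface(cidr).ip for cidr in interfaces.values()]
    for lo, hi in excluded:
        if ipaddress.IPv4Address(hi) < ipaddress.IPv4Address(lo):
            findings.append(f"exclusion {lo}-{hi}: end address is lower than start address")
    for pool in pools:
        net = pool_network(pool)
        if pool["mode"] == "static":
            # A static binding must not reuse the server interface address.
            if ipaddress.IPv4Address(pool["ip"]) in if_addrs:
                findings.append(f"{pool['name']}: static binding uses a server interface address")
            continue
        # A dynamic pool must sit on the segment of a server or relay interface.
        if not any(ip in net for ip in if_addrs):
            findings.append(f"{pool['name']}: no server or relay interface on segment {net}")
        # Gateway and DNS addresses inside the pool must be excluded from allocation.
        for role in ("gateway", "dns"):
            if role in pool:
                addr = ipaddress.IPv4Address(pool[role])
                if addr in net and not is_excluded(addr, excluded):
                    findings.append(f"{pool['name']}: {role} {addr} is assignable to clients")
    return findings


def lint_relay(relay_interface, server_group):
    """A server group member must not be on the relay agent interface's own segment."""
    net = ipaddress.ip_interface(relay_interface).network
    return [f"server {s} is on the relay interface segment {net}"
            for s in server_group if ipaddress.IPv4Address(s) in net]


if __name__ == "__main__":
    for finding in lint_server(INTERFACES, POOLS, EXCLUDED) or ["server plan: no findings"]:
        print(finding)
```

An empty findings list means the plan satisfies the checks implemented here; it does not replace the device's own validation.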

DHCP relay agent configuration example


Network requirements

Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where DHCP clients
reside. The IP address of Ethernet 0/1 is 10.10.1.1/24. Ethernet 0/2, whose IP address is
10.1.1.2/24, connects to the DHCP server 10.1.1.1/24 (Router B).

Router A forwards DHCP messages so that the DHCP clients on the network segment 10.10.1.0/24
can obtain IP addresses, DNS server address and gateway address from the DHCP server. The IP
address lease is seven days, the domain name suffix is aabbcc.com, the DNS server address is
10.10.1.2/24, and the gateway address is 10.10.1.126/24.


Figure 243 Network diagram for DHCP relay agent configuration
[Network diagram. Labels: Router A (DHCP relay agent) with Eth0/1 10.10.1.1/24 and Eth0/2 10.1.1.2/24; Router B (DHCP server) with Eth0/1 10.1.1.1/24; Router C (DHCP client) with Eth0/1; Gateway 10.10.1.126/24; a host labelled 10.10.1.2/24; further DHCP clients.]

Configuration procedure
1. Configure the DHCP relay agent (Router A)

# Specify IP addresses for interfaces (omitted).


# Enable DHCP.

Select Advanced > DHCP Setup from the navigation tree of Router A to enter the default DHCP
Enable tab and perform the following operations, as shown in Figure 244.

Figure 244 DHCP enable

Click on the Enable radio button in the DHCP field.

Click Apply.

# Create a DHCP server group.

Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 245.


Figure 245 DHCP server group creating

Select Ethernet0/1 from the Interface drop-down list.

Click on the Relay radio button in the Type field.

Expand the Add DHCP Server Group node.

Type 1 in the Group ID field.

Type 10.1.1.1 in the Server IP Address field.

Click Apply.

# Enable the DHCP relay agent on interface Ethernet 0/1.


Figure 246 The page for enabling the DHCP relay agent on interface Ethernet 0/1

Select 1 from the DHCP Server Group drop-down list.

Click Apply.

2. Configure the DHCP server (Router B)

# Specify addresses for interfaces (omitted).



# Enable DHCP.

Select Advanced > DHCP Setup from the navigation tree of Router B to enter the default DHCP
Enable tab, as shown in Figure 247.

Figure 247 Enable DHCP

Click on the Enable radio button in the DHCP field.

Click Apply.

# Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on Ethernet
0/1. This procedure is omitted.)
# Configure a dynamic DHCP address pool.

Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 248.


Figure 248 Dynamic DHCP address pool configuration

Click on the Server radio button in the Type field.

Expand the Assignable IP Addresses node.

Type pool1 in the Pool Name field.

Click on the Dynamic Allocation radio button in the Address Allocation Mode field.

Type 10.10.1.0 in the IP Address field.

Select the Subnet Mask checkbox, and then type 255.255.255.0.

Set the Lease Duration to 7 days, 0 hours, and 0 minutes.

Select the Domain Name checkbox, and then type aabbcc.com.

Select the Gateway IP Address checkbox, and then type 10.10.1.126.

Select the Primary DNS Server checkbox, and then type 10.10.1.2.

Click Apply.

# Exclude IP addresses from dynamic allocation (DNS server and gateway addresses).

Expand the Forbidden IP Addresses node, as shown in Figure 249.


Figure 249 IP address excluded from dynamic allocation configuration

Type 10.1.1.2 in the Start IP Address field.

Type 10.1.1.2 in the End IP Address field.

Click Apply.

Type 10.1.1.126 in the Start IP Address field, as shown in Figure 249.

Type 10.1.1.126 in the End IP Address field.

Click Apply.

3. Configure the DHCP client (Router C)

# Enable the DHCP client on interface Ethernet 0/1.

Select Advanced > DHCP Setup from the navigation tree of Router C, and then click the DHCP
Interface Setup tab and perform the following operations, as shown in Figure 250.


Figure 250 Enable the DHCP client on interface Ethernet 0/1

Select Ethernet0/1 in the Interface field.

Click on the Client radio button in the Type field.

Click Apply.

Configuration guidelines
1. If multiple VLAN interfaces sharing one MAC address request IP addresses using DHCP, the DHCP
server cannot be a Windows 2000 server or a Windows 2003 server.

2. To remove a DHCP server group that is associated with multiple interfaces, you need to cancel the
associations first.


ACL configuration
The web interface provides the following ACL configuration functions:

Configuring an IPv4 ACL

Configuring a rule for a basic IPv4 ACL

Configuring a rule for an advanced IPv4 ACL

Configuring a rule for an Ethernet frame header ACL

ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS
and IP routing, for traffic identification.
IPv4 ACLs fall into the following categories.
Table 120 IPv4 ACL categories
Category: Basic ACLs
ACL number: 2000 to 2999
Match criteria: Source IPv4 address

Category: Advanced ACLs
ACL number: 3000 to 3999
Match criteria: Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields

Category: Ethernet frame header ACLs
ACL number: 4000 to 4999
Match criteria: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type

NOTE:
For more information about IPv4 ACL, see the H3C MSR Series Routers ACL and QoS Configuration Guide.


Configuring an ACL
Configuration task list
Table 121 IPv4 ACL configuration task list
Task: Creating an IPv4 ACL
Remarks: Required
The category of the created ACL depends on the ACL number that you specify.

Task: Configuring a rule for a basic IPv4 ACL
Task: Configuring a rule for an advanced IPv4 ACL
Task: Configuring a rule for an Ethernet frame header ACL
Remarks: Required
Complete one of these tasks according to the ACL category.

Creating an IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Add tab to enter
the IPv4 ACL configuration page, as shown in Figure 251.
Figure 251 The page for creating an IPv4 ACL


Table 122 IPv4 ACL configuration items


Item: ACL Number
Description: Set the number of the IPv4 ACL, which ranges from 2000 to 2999.
TIP:
You can create only basic ACLs (numbered from 2000 to 2999) in the web interface. However, the web interface can display the advanced ACLs and Ethernet frame header ACLs, and you can configure rules for these ACLs.

Item: Match Order
Description: Set the match order of the ACL. The following match orders are available:
Config: Packets are compared against ACL rules in the ascending ACL rule ID order.
Auto: Packets are compared against ACL rules in the depth-first match order, which ensures that any subset of a rule is always matched before the rule.

Item: Description
Description: Set the description for the ACL.

Return to IPv4 ACL configuration task list.

Configuring a rule for a basic IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Basic Config tab
to enter the rule configuration page for a basic IPv4 ACL, as shown in Figure 252.


Figure 252 The page for configuring a basic IPv4 ACL

Table 123 Configuration items for a basic IPv4 ACL rule


Item: ACL
Description: Select the basic IPv4 ACL for which you want to configure rules.
ACLs available for selection are basic IPv4 ACLs.

Item: Rule ID
Description: Select the Rule ID option, and type a number for the rule.
If you do not specify the rule number, the system will assign one automatically.
IMPORTANT:
If the rule number you specify already exists, the following operations modify the configuration of the rule.

Item: Action
Description: Select the action to be taken on the IPv4 packets matching the rule.
Permit: Allows matched packets to pass.
Deny: Drops matched packets.

Item: Check Fragment
Description: Select this option to apply the rule only to non-first fragments.
If you do not select this option, the rule applies to all fragments and non-fragments.

Item: Check Logging
Description: Select this option to keep a log of matched IPv4 packets.
A log entry contains the ACL rule number, action on the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

Item: Source IP Address, Source Wildcard
Description: Select the Source IP Address option, and type a source IPv4 address and source wildcard, in dotted decimal notation.

Item: Time Range
Description: Select the time range during which the rule takes effect.
IMPORTANT:
The time ranges available for selection must be created in the command line interface (CLI).

Return to IPv4 ACL configuration task list.
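The match order and the source wildcard decide which rule of a basic ACL a packet hits, and an ACL that uses the config order can contain rules that never match because an earlier rule covers them. The following Python sketch is an added example, not H3C code: the sample rules are constructed, the wildcard is treated as an inverse mask (a 1 bit means the bit is not compared), and the auto order is modelled for basic ACLs as "fewest wildcard bits first, then lowest rule ID", which is an assumption consistent with the subset-first property described above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # source IPv4 address, dotted decimal
    wildcard: str    # source wildcard, dotted decimal (1 bits are ignored)


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(rule, src):
    """Compare only the bits that the wildcard does not mask out."""
    care = ~_int(rule.wildcard) & 0xFFFFFFFF
    return (_int(src) ^ _int(rule.source)) & care == 0


def ordered(rules, match_order):
    """Rule evaluation order for the two match orders offered by the web page."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        # Assumed depth-first model: narrower source range first, then rule ID.
        return sorted(rules, key=lambda r: (bin(_int(r.wildcard)).count("1"), r.rule_id))
    raise ValueError("match_order must be 'config' or 'auto'")


def evaluate(rules, match_order, src):
    """Return (rule_id, action) of the first matching rule, or None if no rule matches."""
    for rule in ordered(rules, match_order):
        if matches(rule, src):
            return rule.rule_id, rule.action
    return None


def covers(a, b):
    """True if every source address matched by rule b is also matched by rule a."""
    wa, wb = _int(a.wildcard), _int(b.wildcard)
    care_a = ~wa & 0xFFFFFFFF
    return (wb & care_a) == 0 and ((_int(a.source) ^ _int(b.source)) & care_a) == 0


def shadowed(rules, match_order):
    """List (shadowed_rule_id, covering_rule_id) pairs for rules that can never match."""
    seq = ordered(rules, match_order)
    pairs = []
    for i, later in enumerate(seq):
        for earlier in seq[:i]:
            if covers(earlier, later):
                pairs.append((later.rule_id, earlier.rule_id))
                break
    return pairs


# Constructed sample: a basic ACL whose host deny rule has a higher ID than the subnet permit.
ACL_2000 = [
    Rule(0, "permit", "10.1.1.0", "0.0.0.255"),
    Rule(5, "deny", "10.1.1.77", "0.0.0.0"),
    Rule(10, "deny", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(ACL_2000, order, "10.1.1.77"), shadowed(ACL_2000, order))
```

With the config order the host 10.1.1.77 is permitted by rule 0 and rule 5 is reported as shadowed; with the auto order the same packet hits the deny rule first.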

Configuring a rule for an advanced IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Advanced Config
tab to enter the rule configuration page for an advanced IPv4 ACL, as shown in Figure 253.


Figure 253 The page for configuring an advanced IPv4 ACL


Table 124 Configuration items for an advanced IPv4 ACL rule


Item: ACL
Description: Select the advanced IPv4 ACL for which you want to configure rules.
You can create advanced IPv4 ACLs only in the CLI. For more information, see the H3C MSR Series Routers ACL and QoS Configuration Guide. Additionally, the system automatically generates advanced IPv4 ACLs when you configure advanced bandwidth limit and advanced bandwidth guarantee. For more information, see the chapter QoS configuration.

Item: Rule ID
Description: Select the Rule ID option, and type a number for the rule.
If you do not specify the rule number, the system will assign one automatically.
IMPORTANT:
If the rule number you specify already exists, the following operations modify the configuration of the rule.

Item: Action
Description: Select the action to be performed for IPv4 packets matching the rule.
Permit: Allows matched packets to pass.
Deny: Drops matched packets.

Item: Non-First Fragments Only
Description: Select this option to apply the rule to only non-first fragments.
If you do not select this option, the rule applies to all fragments and non-fragments.

Item: Logging
Description: Select this option to keep a log of matched IPv4 packets.
A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

Item: IP Address Filter: Source IP Address, Source Wildcard
Description: Select the Source IP Address option and type a source IPv4 address and source wildcard, in dotted decimal notation.

Item: IP Address Filter: Destination IP Address, Destination Wildcard
Description: Select the Source IP Address option and type a source IP address and source wildcard, in dotted decimal notation.

Item: Protocol
Description: Select the protocol to be carried by IP.
If you select 1 ICMP, you can configure the ICMP message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.

Item: ICMP Type: ICMP Message, ICMP Type, ICMP Code
Description: Specify the ICMP message type and code.
These items are available only when you select 1 ICMP from the Protocol drop-down box.
If you select Other from the ICMP Message drop-down box, you need to type values in the ICMP Type and ICMP Code fields. Otherwise, the two fields will take the default values, which cannot be changed.

Item: TCP Connection Established
Description: Select this option to make the rule match packets used for establishing and maintaining TCP connections.
These items are available only when you select 6 TCP from the Protocol drop-down box.
A rule with this item configured matches TCP connection packets with the ACK or RST flag.

Item: TCP/UDP Port: Source, Destination
Description: Select the operators, and type the source port numbers and destination port numbers as required.
These items are available only when you select 6 TCP or 17 UDP from the Protocol drop-down box.
Different operators have different configuration requirements for the port number fields:
Not Check: The following port number fields cannot be configured.
Range: The following port number fields must be configured to define a port range.
Other values: The first port number field must be configured and the second must not.

Item: Precedence Filter: DSCP
Description: Specify the DSCP priority.

Item: Precedence Filter: TOS
Description: Specify the ToS preference.

Item: Precedence Filter: Precedence
Description: Specify the IP precedence.

Item: Time Range
Description: Select the time range during which the rule takes effect.

Return to IPv4 ACL configuration task list.

Configuring a rule for an Ethernet frame header ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Link Config tab to
enter the rule configuration page for an Ethernet frame header IPv4 ACL, as shown in Figure 254.


Figure 254 The page for configuring a rule for an Ethernet frame header ACL

Table 125 Configuration items for an Ethernet frame header IPv4 ACL rule
Item: ACL
Description: Select the Ethernet frame header IPv4 ACL for which you want to configure rules.
You can create Ethernet frame header IPv4 ACLs only in the CLI. For more information, see the H3C MSR Series Routers ACL and QoS Configuration Guide.

Item: Rule ID
Description: Select the Rule ID option, and type a number for the rule.
If you do not specify the rule number, the system will assign one automatically.
IMPORTANT:
If the rule number you specify already exists, the following operations modify the configuration of the rule.

Item: Action
Description: Select the action to be performed for IPv4 packets matching the rule.
Permit: Allows matched packets to pass.
Deny: Drops matched packets.

Item: MAC Address Filter: Source MAC Address, Source Mask
Description: Select the Source MAC Address option, and type a source MAC address and wildcard.

Item: MAC Address Filter: Destination MAC Address, Destination Mask
Description: Select the Destination MAC Address option, and type a destination MAC address and wildcard.

Item: COS(802.1p priority)
Description: Specify the 802.1p priority for the rule.

Item: Type Filter: LSAP Type, LSAP Mask
Description: Select the LSAP Type option, and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
LSAP Type: Indicates the frame encapsulation format.
LSAP Mask: Indicates the LSAP wildcard.

Item: Type Filter: Protocol Type, Protocol Mask
Description: Select the Protocol Type option, and specify the link layer protocol type by configuring the following items:
Protocol Type: Indicates the frame type. It corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames.
Protocol Mask: Indicates the wildcard.

Item: Time Range
Description: Select the time range during which the rule takes effect.

Return to IPv4 ACL configuration task list.

Configuration guidelines
When configuring an ACL, follow these guidelines:
1. You cannot create a rule with or modify a rule to have the same permit/deny statement as an
existing rule in the ACL.

2. You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.


QoS configuration
The web interface provides the following QoS configuration functions:

Configuring subnet limit

Configuring advanced limit

Configuring advanced queue

Overview
QoS overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to
meet customer needs. Generally, QoS focuses on improving services under certain conditions rather than
grading services precisely.
In an internet, QoS evaluates the ability of the network to forward packets of different services. The
evaluation can be based on different criteria because the network may provide various services.
Generally, QoS refers to the ability to provide improved service by solving the core issues such as delay,
jitter, and packet loss ratio in the packet forwarding process.
Through the web interface, you can configure the following QoS features:

Subnet limit

Advanced limit

Advanced queue

Subnet limit
Subnet limit enables you to regulate the specification of traffic entering or leaving a device based on
source/destination IP address. Packets conforming to the specification can pass through, and packets
exceeding the specification are dropped. In this way, the network resources are protected.

Advanced limit
Similar to subnet limit, advanced limit also implements traffic policing at the IP layer. They differ in that:

Advanced limit can classify traffic based on time range, packet precedence, protocol type, and
port number, and provide more granular services.

In addition to permitting traffic conforming to the specification to pass through, advanced limit can
also set IP precedence, differentiated service codepoint (DSCP) value, and 802.1p priority for
packets as required.

NOTE:
For more information about IP precedence, DSCP values, and 802.1p priority, see Appendix Packet
Priorities.

Advanced queue
Advanced queue offers the following functions:

Interface bandwidth limit: uses token buckets for traffic control and limits the rate of transmitting
packets (including critical packets) on an interface. When limiting the rate of all packets on an
interface, interface bandwidth limit is a better approach than subnet limit and advanced limit. This
is because the latter two functions work at the IP layer and do not take effect on packets that are
not processed by the IP layer.

Bandwidth guarantee: when congestion occurs on a port, class-based queuing (CBQ) classifies
packets into different classes according to user-defined match criteria and assigns these classes to
their queues. Before assigning packets to a queue, CBQ performs a bandwidth restriction check.
When being dequeued, packets are scheduled by WFQ.

Advanced queue applies to only outgoing packets of interfaces.

Configuring QoS
Configuring subnet limit
Select Advanced > QoS Setup > Subnet Limit from the navigation tree to enter the page shown in Figure
255. Click Add to enter the Subnet Limit Setting page, as shown in Figure 256.
Figure 255 Subnet limit


Figure 256 Subnet limit setting

Table 126 Subnet limit configuration items

| Item | Description |
|---|---|
| Start Address, End Address | Set the address range of the subnet where rate limit is to be performed. |
| Interface | Specify the interface to which the subnet limit is to be applied. |
| CIR | Set the average traffic rate allowed. |
| Type | Set the rate limit method, which can be: Share: Limits the total rate of traffic for all IP addresses on the subnet, and dynamically allocates bandwidth to an IP address based on traffic size. Per IP: Individually limits the rate of traffic of each IP address on the subnet to the configured rate. |
| Direction | Set the direction where the rate limit applies, which can be: Download: Limits the rate of incoming packets of the interface based on their destination IP addresses. Upload: Limits the rate of outgoing packets of the interface based on their source IP addresses. |


Configuring advanced limit


Select Advance > QoS Setup > Advanced Limit from the navigation tree to enter the page shown in Figure
257. Click Add to enter the Advanced Limit Setting page, as shown in Figure 258.
Figure 257 Advanced limit


Figure 258 Advanced limit setting


Table 127 Advanced limit configuration items

| Item | Description |
|---|---|
| Description | Configure a description for the advanced limit policy for management sake. |
| Interface | Specify the interface to which the advanced limit is to apply. |
| Direction | Set the direction where the rate limit applies, which can be: Download: Limits the rate of incoming packets of the interface. Upload: Limits the rate of outgoing packets of the interface. |
| CIR | Set the average traffic rate allowed. |
| Remark Type | Specify the type of priority to be re-marked for packets conforming to the specification and allowed to pass through. The priority type can be: None: Does not re-mark any priority of packets. 802.1p: Re-marks the 802.1p priority of packets and specifies the 802.1p priority value. IP: Re-marks the IP precedence of packets and specifies the IP precedence value. DSCP: Re-marks the DSCP of packets and specifies the DSCP value. |
| IP Address/Mask | Define a rule to match packets based on their IP addresses. Add multiple IP addresses/masks to the list box. Click the Add or Delete button to add or delete IP addresses/masks to/from the list box. When the direction Download is specified, the source IP address of packets is matched. When the direction Upload is specified, the destination IP address of packets is matched. |
| IP Precedence | Define a rule to match packets based on their IP precedence values. You can configure up to eight IP precedence values for an advanced limit policy, and the relationship between the IP precedence values is OR. If the same IP precedence value is specified multiple times, the system considers them as one. The defined IP precedence values are displayed in ascending order automatically. |
| DSCP | Define a rule to match packets based on their DSCP values. You can configure up to eight DSCP values for an advanced limit policy, and the relationship between the DSCP values is OR. If the same DSCP value is specified multiple times, the system considers them as one. The defined DSCP values are displayed in ascending order automatically. |
| Inbound Interface | Define a rule to match packets received on the specified interface. |
| Time Range | Set the time range when the advanced limit policy takes effect. The begin and end time and the days of the week must be set. |
| Protocol Name | Define a rule to match packets based on their protocol types. The protocol types available for selection include the system-defined protocols and the protocols loaded through the P2P signature file. To load a P2P signature file, select Security Setup > Application Control from the navigation tree and click Load Application. |
| Custom Type | Define a rule to match packets based on self-defined protocol types. |
| Source Port, Destination Port | You should select the transport layer protocol type and set the source service port range and destination service port range. |


Configuring advanced queue


NOTE:
To use the advanced queue function on tunnel interfaces, sub-interfaces, or VT and dialer interfaces with
PPPoE, PPPoA, PPPoEoA, or PPPoFR at the data link layer, you must configure interface bandwidth for
these interfaces.

Configuring interface bandwidth


Select Advance > QoS Setup > Advanced Queue from the navigation tree to enter the Advanced Queue
page shown in Figure 259. Select an interface from the Interface Name drop-down list, and then
configure and view the CIR of the interface.
Figure 259 Advanced queue

Table 128 Interface bandwidth configuration items

| Item | Description |
|---|---|
| Interface Name | Select the interface to be configured. |
| Interface Bandwidth | Set the average traffic rate allowed for the interface. H3C recommends that you configure the interface bandwidth to be smaller than the actual available bandwidth of a physical interface or logical link. IMPORTANT: If you have specified the interface bandwidth, the maximum interface bandwidth used for bandwidth check when CBQ enqueues packets is 1000000 kbps. If you have not specified the interface bandwidth, the maximum interface bandwidth varies by interface type following these rules: If the interface is a physical one, the actual baudrate or rate applies. If the interface is T1/E1, multilink frame relay (MFR) or any other type of logical serial interface formed by timeslots or multiple links, the total bandwidth of all member channels/links applies. If the interface is a template interface, such as a virtual template (VT) interface, a dialer interface, a BRI interface, or a PRI interface, 1000000 kbps applies. If the interface is a virtual interface of any other type, a tunnel interface for example, 0 kbps applies. |

Configure bandwidth guarantee


Select Advance > QoS Setup > Advanced Queue from the navigation tree to enter the Advanced Queue
page shown in Figure 259. In the Application Bandwidth area, all bandwidth guarantee policies are
displayed. Click Add to enter the page for creating a bandwidth guarantee policy, as shown in Figure
260.


Figure 260 Create a bandwidth guarantee policy


Table 129 Bandwidth guarantee configuration items

| Item | Description |
|---|---|
| Description | Configure a description for the bandwidth guarantee policy for management sake. |
| Queue Type | Set the service class queue type, which can be: EF (Expedited Forwarding): Provides absolutely preferential queue scheduling for the EF service so as to ensure low delay for real-time data traffic. In the meantime, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced. AF (Assured Forwarding): Provides a highly precise bandwidth guarantee and queue scheduling on the basis of AF service weights for various AF services. |
| Interface | Specify the interface to which bandwidth guarantee is to be applied. |
| Bandwidth | Set the bandwidth guarantee for the queue. For the EF queue, the set bandwidth is the maximum bandwidth. For the AF queue, the set bandwidth is the minimum guaranteed bandwidth. IMPORTANT: The sum of the bandwidth specified in the bandwidth guarantee policies applied to an interface must be no greater than the available bandwidth of the interface. |
| IP Address/Mask | Define a rule to match packets based on their IP addresses. You can add multiple IP addresses/masks. Click the Add or Delete button to add or delete IP addresses/masks to/from the list box. |
| IP Precedence | Define a rule to match packets based on their IP precedence values. You can configure up to eight IP precedence values for a bandwidth guarantee policy, and the relationship between the IP precedence values is OR. If the same IP precedence value is specified multiple times, the system considers them as one. The defined IP precedence values are displayed in ascending order automatically. |
| DSCP | Define a rule to match packets based on their DSCP values. You can configure up to eight DSCP values for a bandwidth guarantee policy, and the relationship between the DSCP values is OR. If the same DSCP value is specified multiple times, the system considers them as one. After each configuration, the defined DSCP values are displayed in ascending order automatically. |
| Inbound Interface | Define a rule to match packets received on the specified interface. |
| Time Range | Set the time range when the bandwidth guarantee policy takes effect. The begin and end time and the days of the week must be set. |
| Protocol Name | Define a rule to match packets based on protocol types. The protocol types available for selection include the system-defined protocols and the protocols loaded through the P2P signature file. To load a P2P signature file, select Security Setup > Application Control from the navigation tree and click Load Application. |
| Custom Type | Define a rule to match packets based on self-defined protocol types. |
| Source Port, Destination Port | You should select the transport layer protocol type and set the service source port range and destination port range. |

QoS configuration examples


Subnet limit configuration example
Network requirements
As shown in Figure 261, limit the rate of packets leaving Ethernet 1/1 of Router.
Perform per-IP rate limiting for traffic sourced from Host A through Host Z, which are on the network
segments 2.1.1.1 through 2.1.1.100, with the per-IP limit being 5 kbps.


Figure 261 Network diagram for subnet limit configuration

Configuration procedure
# Configure the bandwidth limit settings for the network segment.

Select Advance > QoS Setup > Subnet Limit from the navigation tree, and click Add on the
displayed page, and make settings as shown in Figure 262.

Figure 262 Configure subnet limit

Type 2.1.1.1 in the Start Address input box.

Type 2.1.1.100 in the End Address input box.

Select interface Ethernet 1/1.

Input 5 in the CIR input box.

Select Per IP in the Type drop-down list.

Select Upload in the Direction drop-down list.

Click Apply.
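The Type setting in this example decides whether each source address gets its own 5 kbps bucket or all addresses in the range compete for one. The following Python model is an added illustration, not H3C code: the 1500-byte burst size, the first-come-first-served sharing in Share mode, and the traffic pattern are assumptions made for the example.

```python
import ipaddress


class TokenBucket:
    """Single-rate policer. Tokens are bits and time is integer milliseconds,
    so a CIR of N kbps refills exactly N bits per millisecond."""

    def __init__(self, cir_kbps, burst_bytes):
        self.rate = cir_kbps              # bits added per millisecond
        self.depth = burst_bytes * 8      # bucket depth in bits (assumed value)
        self.tokens = self.depth          # the bucket starts full
        self.last_ms = 0

    def conforms(self, now_ms, size_bytes):
        # Refill for the elapsed time, capped at the bucket depth.
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_ms = now_ms
        need = size_bytes * 8
        if need <= self.tokens:
            self.tokens -= need
            return True                   # conforming: forwarded
        return False                      # exceeding: dropped


class SubnetLimit:
    """Model of one subnet limit entry: address range, CIR and Type."""

    def __init__(self, start, end, cir_kbps, limit_type, burst_bytes=1500):
        if limit_type not in ("per-ip", "share"):
            raise ValueError("limit_type must be 'per-ip' or 'share'")
        self.start = int(ipaddress.IPv4Address(start))
        self.end = int(ipaddress.IPv4Address(end))
        if self.start > self.end:
            raise ValueError("start address is above end address")
        self.cir_kbps = cir_kbps
        self.burst_bytes = burst_bytes
        self.limit_type = limit_type
        self.shared = TokenBucket(cir_kbps, burst_bytes)
        self.per_ip = {}

    def permit(self, now_ms, src_ip, size_bytes):
        addr = int(ipaddress.IPv4Address(src_ip))
        if not self.start <= addr <= self.end:
            return True                   # outside the range: entry does not apply
        if self.limit_type == "share":
            bucket = self.shared
        else:
            if addr not in self.per_ip:
                self.per_ip[addr] = TokenBucket(self.cir_kbps, self.burst_bytes)
            bucket = self.per_ip[addr]
        return bucket.conforms(now_ms, size_bytes)


def simulate(limit_type):
    """Replay 10 s of constructed upload traffic; return bytes forwarded per source."""
    limiter = SubnetLimit("2.1.1.1", "2.1.1.100", 5, limit_type)
    # (time in ms, source IP, packet size in bytes), all constructed
    events = [(t, "2.1.1.1", 500) for t in range(0, 10000, 100)]        # 40 kbps sender
    events += [(t, "2.1.1.2", 100) for t in range(50, 10000, 500)]      # 1.6 kbps sender
    events += [(t, "2.1.1.200", 500) for t in range(25, 10000, 1000)]   # outside the range
    forwarded = {}
    for now_ms, src_ip, size in sorted(events):
        if limiter.permit(now_ms, src_ip, size):
            forwarded[src_ip] = forwarded.get(src_ip, 0) + size
    return forwarded


if __name__ == "__main__":
    for mode in ("per-ip", "share"):
        print(mode, simulate(mode))
```

With Per IP, the 1.6 kbps sender stays under its own limit and loses nothing; with Share, both in-range senders draw on the same 5 kbps.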


Advanced queue configuration example


Network requirements
As shown in Figure 263, data traffic from Router C reaches Router D by way of Router A and then
Router B. The data traffic from Router C is classified into three classes based on DSCP fields of IP packets.
Configure advanced queue to perform the following actions:

Perform AF for traffic with the DSCP fields AF11 and AF21 (DSCP values 10 and 18) and set the
minimum bandwidth to 40 kbps.

Perform EF for traffic with the DSCP field EF (DSCP value 46) and set the maximum bandwidth to
240 kbps.

Before performing the configuration, make sure that:

The route from Router C to Router D through Router A and Router B is reachable.

The DSCP fields have been set for the traffic before the traffic enters Router A.

Figure 263 Network diagram for advanced queue

Configuration procedure
Configuration on Router A:
# Perform AF for traffic with DSCP fields AF11 and AF21.

Select Advance > QoS Setup > Advanced Queue from the navigation tree, and click Add on the
displayed page, and make settings as shown in Figure 264.


Figure 264 Configure assured forwarding

Type the description test-af.

Select AF (Assured Forwarding) in the Queue Type drop-down list.

Select interface Ethernet 0/0.

Input 40 in the Bandwidth input box.

Input 10, 18 in the DSCP input box.

Click Apply.

# Perform EF for traffic with DSCP field EF.

Select Advance > QoS Setup > Advanced Queue from the navigation tree, and click Add on the
displayed page, and make settings as shown in Figure 265.

Figure 265 Configure expedited forwarding

Type the description test-ef.

Select EF (Expedited Forwarding) in the Queue Type drop-down list.

Select interface Ethernet 0/0.

Input 240 in the Bandwidth input box.

Input 46 in the DSCP input box.

Click Apply.

After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in
the network.


Appendix Packet Priorities


IP precedence and DSCP values
Figure 266 DS field and ToS bytes

As shown in Figure 266, the ToS field of the IP header contains eight bits: the first three bits (0 to 2)
represent IP precedence from 0 to 7; the subsequent four bits (3 to 6) represent a ToS value from 0 to 15.
According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field,
where a DSCP value is represented by the first six bits (0 to 5) and is in the range 0 to 63. The remaining
two bits (6 and 7) are reserved.
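Table 130 Description on IP precedence

| IP precedence (decimal) | IP precedence (binary) | Keyword |
|---|---|---|
| 0 | 000 | routine |
| 1 | 001 | priority |
| 2 | 010 | immediate |
| 3 | 011 | flash |
| 4 | 100 | flash-override |
| 5 | 101 | critical |
| 6 | 110 | internet |
| 7 | 111 | network |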

In a network that uses the Diff-Serv model, traffic is assigned to the following classes, and packets are
processed according to their DSCP values.

Expedited forwarding (EF) class: The switch forwards the packets of this class without considering
whether the link is shared by other traffic. The class is suitable for preferential services requiring low
delay, low packet loss, low jitter, and high bandwidth.

Assured forwarding (AF) class: This class is divided into four subclasses (AF 1 to AF 4), each
containing three drop priorities for more granular classification. The QoS level of the AF class is
lower than that of the EF class.

Class selector (CS) class: This class is derived from the IP ToS field and includes eight subclasses.

Best effort (BE) class: This class is a special CS class that does not provide any assurance. AF traffic
exceeding the limit is degraded to the BE class. All IP network traffic belongs to this class by default.

Table 131 Description on DSCP values

| DSCP value (decimal) | DSCP value (binary) | Keyword |
|---|---|---|
| 46 | 101110 | ef |
| 10 | 001010 | af11 |
| 12 | 001100 | af12 |
| 14 | 001110 | af13 |
| 18 | 010010 | af21 |
| 20 | 010100 | af22 |
| 22 | 010110 | af23 |
| 26 | 011010 | af31 |
| 28 | 011100 | af32 |
| 30 | 011110 | af33 |
| 34 | 100010 | af41 |
| 36 | 100100 | af42 |
| 38 | 100110 | af43 |
| 8 | 001000 | cs1 |
| 16 | 010000 | cs2 |
| 24 | 011000 | cs3 |
| 32 | 100000 | cs4 |
| 40 | 101000 | cs5 |
| 48 | 110000 | cs6 |
| 56 | 111000 | cs7 |
| 0 | 000000 | be(default) |

802.1p priority
802.1p priority lies in the Layer 2 packet header and is applicable to occasions where Layer 3 header
analysis is not needed and QoS must be assured at Layer 2.
Figure 267 An Ethernet frame with an 802.1q tag header

As shown in Figure 267, the 4-byte 802.1q tag header consists of the tag protocol identifier (TPID, two
bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure
268 presents the format of the 802.1q tag header.


Figure 268 802.1q tag header

Table 132 Description of 802.1p priority

| 802.1p priority (decimal) | 802.1p priority (binary) | Keyword |
|---|---|---|
| 0 | 000 | best-effort |
| 1 | 001 | background |
| 2 | 010 | spare |
| 3 | 011 | excellent-effort |
| 4 | 100 | controlled-load |
| 5 | 101 | video |
| 6 | 110 | voice |
| 7 | 111 | network-management |

The priority in the 802.1q tag header is called 802.1p priority, because its use is defined in IEEE
802.1p.
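The field layouts described in this appendix can be checked against captured traffic with a few shifts and masks. The following Python parser is an added example, not part of the H3C guide: the frames are constructed, the keyword lists are copied from Tables 130 to 132, and the TCI layout (3-bit priority, 1-bit CFI, 12-bit VLAN ID) is the standard IEEE 802.1Q one.

```python
import struct

# Keywords from Table 130 (IP precedence) and Table 132 (802.1p priority).
PRECEDENCE = ["routine", "priority", "immediate", "flash",
              "flash-override", "critical", "internet", "network"]
DOT1P = ["best-effort", "background", "spare", "excellent-effort",
         "controlled-load", "video", "voice", "network-management"]

# Table 131: af<class><drop> = 8*class + 2*drop, cs<n> = 8*n, ef = 46, be = 0.
DSCP = {46: "ef", 0: "be"}
DSCP.update({8 * c + 2 * d: f"af{c}{d}" for c in range(1, 5) for d in range(1, 4)})
DSCP.update({8 * n: f"cs{n}" for n in range(1, 8)})

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def read_priorities(frame: bytes) -> dict:
    """Return the 802.1p, IP precedence and DSCP markings carried by one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    result = {"dot1p": None, "dot1p_keyword": None, "vlan_id": None,
              "precedence": None, "precedence_keyword": None,
              "dscp": None, "dscp_keyword": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        result["dot1p"] = tci >> 13                  # top three bits of the TCI
        result["dot1p_keyword"] = DOT1P[tci >> 13]
        result["vlan_id"] = tci & 0x0FFF             # low twelve bits
        offset = 18
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        if frame[offset] >> 4 != 4:
            raise ValueError("EtherType says IPv4 but the version field does not")
        tos = frame[offset + 1]                      # ToS / DS byte
        result["precedence"] = tos >> 5              # first three bits (0 to 2)
        result["precedence_keyword"] = PRECEDENCE[tos >> 5]
        result["dscp"] = tos >> 2                    # first six bits (0 to 5)
        result["dscp_keyword"] = DSCP.get(tos >> 2)  # None if not in Table 131
    return result


def build_frame(tos, pcp=None, vlan_id=0):
    """Constructed test frame: zeroed MACs, optional 802.1q tag, minimal IPv4 header."""
    frame = bytes(12)
    if pcp is not None:
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    frame += bytes([0x45, tos]) + bytes(18)
    return frame


if __name__ == "__main__":
    print(read_priorities(build_frame(46 << 2, pcp=5, vlan_id=100)))
    print(read_priorities(build_frame(10 << 2)))
```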


SNMP
NOTE:
Only the MSR 20/30/50 series routers support this function.
For the MSR 900/20-1X series routers, see the chapter SNMP (lite version).
You can do the following to configure the SNMP agent function on the web interface:

Enabling the SNMP agent function

Configuring an SNMP view

Configuring an SNMP community

Configuring an SNMP group

Configuring an SNMP user

Configuring SNMP trap function

Displaying SNMP packet statistics

SNMP overview
The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a
network management station (NMS) to access and operate the devices (SNMP agents) on a network,
regardless of their vendors, physical characteristics and interconnect technologies.
SNMP enables network administrators to read and set the variables on managed devices to monitor their
operating and health state, diagnose network problems, and collect statistics for management purposes.
H3C SNMP agents support three SNMP versions: SNMPv1, SNMPv2c, and SNMPv3.

SNMPv1 uses password authentication to control access to SNMP agents. SNMPv1 passwords fall
into read only passwords and read and write passwords.
A read password enables reading data from an SNMP agent.
A read and write password enables reading data and setting variables on an SNMP agent.

SNMPv2c also uses password authentication for SNMP agent access control. It is compatible with
SNMPv1, but supports more operation modes, data types, and error codes.

SNMPv3 uses a user-based security model (USM) to secure SNMP communication. You can
configure authentication and privacy mechanisms to authenticate access and encrypt SNMP
packets for integrity, authenticity, and confidentiality.

IMPORTANT:
An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
NOTE:
For more information about SNMP, see the H3C MSR Series Routers Network Management and
Monitoring Configuration Guide.


SNMP agent configuration


Configuration task list
Because configurations for SNMPv3 differ substantially from those for SNMPv1 and SNMPv2c, their
SNMP functionalities are introduced separately as follows.

Configuring SNMPv1 or SNMPv2c


Table 133 SNMPv1 or SNMPv2c configuration task list

| Task | Remarks |
|---|---|
| Enabling the SNMP agent function | Required. The SNMP agent function is disabled by default. IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations will be removed. |
| Configuring an SNMP view | Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group. |
| Configuring an SNMP community | Required. |
| Configuring SNMP trap function | Optional. Allows you to configure that the agent can send SNMP traps to the NMS, and configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS. |
| Displaying SNMP packet statistics | Optional. |

Configuring SNMPv3
Table 134 SNMPv3 configuration task list

| Task | Remarks |
|---|---|
| Enabling the SNMP agent function | Required. The SNMP agent function is disabled by default. IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations will be removed. |
| Configuring an SNMP view | Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group. |
| Configuring an SNMP group | Required. After creating an SNMP group, you can add SNMP users to the group when creating the users. Therefore, you can realize centralized management of users in the group through the management of the group. |
| Configuring an SNMP user | Required. Before creating an SNMP user, you need to create the SNMP group to which the user belongs. |
| Configuring SNMP trap function | Optional. Allows you to configure that the agent can send SNMP traps to the NMS, and configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS. |
| Displaying SNMP packet statistics | Optional. |

Enabling the SNMP agent function


Select Advanced > SNMP from the navigation tree to enter the SNMP configuration page, as shown in
Figure 269. On the upper part of the page, you can select to enable or disable the SNMP agent function
and configure parameters such as SNMP version; on the lower part of the page, you can view the SNMP
statistics, which helps you understand the running status of the SNMP after your configuration.


Figure 269 Set up

Table 135 Configuration items for enabling the SNMP agent function

| Item | Description |
|---|---|
| SNMP | Specify to enable or disable the SNMP agent function. |
| Local Engine ID | Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid. |
| Maximum Packet Size | Configure the maximum size of an SNMP packet that the agent can receive/send. |
| Contact | Set a character string to describe the contact information for system maintenance. If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device. |
| Location | Set a character string to describe the physical location of the device. |
| SNMP Version | Set the SNMP version run by the system. |

Return to SNMPv1 or SNMPv2c configuration task list or SNMPv3 configuration task list.

Configuring an SNMP view


Select Advanced > SNMP from the navigation tree, and click the View tab to enter the page as shown in
Figure 270.
Figure 270 View page

Creating an SNMP view


Click Add, and the Add View window appears as shown in Figure 271. Type the view name and click
Apply, and then you enter the page as shown in Figure 272.
Figure 271 Create an SNMP view (1)


Figure 272 Create an SNMP view (2)

Table 136 describes the configuration items for creating an SNMP view. After configuring the parameters
of a rule, click Add to add the rule into the list box at the lower part of the page. After configuring all rules,
click Apply to create an SNMP view. Note that the view will not be created if you click Cancel.
Table 136 Configuration items for creating an SNMP view

| Item | Description |
|---|---|
| View Name | Set the SNMP view name. |
| Rule | Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask. |
| MIB Subtree OID | Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system). MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree. |
| Subtree Mask | Set the subtree mask. If no subtree mask is specified, the default subtree mask (all Fs) will be used for mask-OID matching. |

Adding rules to an SNMP view


Click the icon corresponding to the specified view on the page as shown in Figure 270, and the Add rule
for the view ViewDefault window appears as shown in Figure 273. After configuring the parameters,
click Apply to add the rule for the view. Table 136 describes the configuration items for creating an
SNMP view.


Figure 273 Add rules to an SNMP view

NOTE:
You can also click the icon corresponding to the specified view on the page as shown in Figure 270,
and then you can enter the page to modify the view.
Return to SNMPv1 or SNMPv2c configuration task list or SNMPv3 configuration task list.
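How an include/exclude rule and its subtree mask decide whether an OID is visible, as an added Python example that is not H3C code. It assumes the standard VACM matching rules of RFC 3415 (one mask bit per sub-identifier, missing bits treated as 1, the longest matching subtree decides), which this guide does not spell out; the rule set is constructed around the interfaces subtree (1.3.6.1.2.1.2).

```python
from typing import List, NamedTuple, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    return tuple(int(part) for part in text.strip(".").split("."))


class ViewRule(NamedTuple):
    included: bool        # Rule: Included (True) or Excluded (False)
    subtree: Oid          # MIB Subtree OID
    mask_hex: str = ""    # Subtree Mask; empty means the default (all ones)


def mask_bit(mask_hex: str, index: int) -> bool:
    """Bit for sub-identifier `index`; the first sub-identifier is the top bit
    of the first mask octet. Bits beyond the mask count as 1 (assumed, RFC 3415)."""
    raw = bytes.fromhex(mask_hex)
    byte_i, bit_i = divmod(index, 8)
    if byte_i >= len(raw):
        return True
    return bool(raw[byte_i] & (0x80 >> bit_i))


def rule_matches(rule: ViewRule, oid: Oid) -> bool:
    if len(oid) < len(rule.subtree):
        return False
    # A 1 bit demands an exact match; a 0 bit makes that position a wildcard.
    return all(oid[i] == sub or not mask_bit(rule.mask_hex, i)
               for i, sub in enumerate(rule.subtree))


def in_view(rules: List[ViewRule], oid_text: str) -> bool:
    """True if the OID is readable through the view made of `rules`."""
    oid = parse_oid(oid_text)
    matching = [rule for rule in rules if rule_matches(rule, oid)]
    if not matching:
        return False                      # no rule covers it: not in the view
    best = max(matching, key=lambda rule: (len(rule.subtree), rule.subtree))
    return best.included


# Constructed view: everything under interfaces, except the ifTable row for
# ifIndex 3. Mask FFA0 = 1111 1111 101x xxxx, so position 10 (the column
# number, written as 0 in the subtree) is a wildcard.
VIEW = [
    ViewRule(True, parse_oid("1.3.6.1.2.1.2")),
    ViewRule(False, parse_oid("1.3.6.1.2.1.2.2.1.0.3"), "FFA0"),
]

# Same exclusion entered without a mask: the default all-ones mask makes the
# literal 0 in the column position mandatory, so it hides no real column.
VIEW_NO_MASK = [
    ViewRule(True, parse_oid("1.3.6.1.2.1.2")),
    ViewRule(False, parse_oid("1.3.6.1.2.1.2.2.1.0.3")),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.2.2.1.2.2", "1.3.6.1.2.1.2.2.1.8.3", "1.3.6.1.2.1.1.1.0"):
        print(oid, in_view(VIEW, oid), in_view(VIEW_NO_MASK, oid))
```

When reviewing a view, test the OIDs you intend to hide as well as the ones you intend to expose, because a mask of the wrong length leaves an exclude rule matching nothing.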

Configuring an SNMP community


Select Advanced > SNMP from the navigation tree, then click the Community tab to enter the page as
shown in Figure 274. Click Add to enter the Add SNMP Community page as shown in Figure 275.
Figure 274 Configure an SNMP community


Figure 275 Create an SNMP Community

Table 137 Configuration items for configuring an SNMP community

| Item | Description |
|---|---|
| Community Name | Set the SNMP community name. |
| Access Right | Configure SNMP NMS access right. Read only: The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent. Read and write: The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent. |
| View | Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS. |
| ACL | Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified source IP address. |

Return to SNMPv1 or SNMPv2c configuration task list.

Configuring an SNMP group


Select Advanced > SNMP from the navigation tree, then click the Group tab to enter the page as shown
in Figure 276. Click Add to enter the Add SNMP Group page as shown in Figure 277.


Figure 276 SNMP group

Figure 277 Create an SNMP group

Table 138 Configuration items for creating an SNMP group

| Item | Description |
|---|---|
| Group Name | Set the SNMP group name. |
| Security Level | Select the security level for the SNMP group. The available security levels are: NoAuth/NoPriv: No authentication no privacy. Auth/NoPriv: Authentication without privacy. Auth/Priv: Authentication and privacy. IMPORTANT: The security level for an existing SNMP group cannot be modified. |
| Read View | Select the read view of the SNMP group. |
| Write View | Select the write view of the SNMP group. If no write view is configured, the NMS cannot perform the write operations to all MIB objects on the device. |
| Notify View | Select the notify view of the SNMP group, that is, the view that can send trap messages. If no notify view is configured, the agent does not send traps to the NMS. |
| ACL | Associate a basic ACL with the group to restrict the source IP address of SNMP packets, that is, you can configure to allow or prohibit SNMP packets with a specific source IP address, so as to restrict the intercommunication between the NMS and the agent. |

Return to SNMPv3 configuration task list.

Configuring an SNMP user


Select Advanced > SNMP from the navigation tree, and then click the User tab to enter the page as
shown in Figure 278. Click Add to enter the Add SNMP User page, as shown in Figure 279.
Figure 278 SNMP user


Figure 279 Create an SNMP user

Table 139 Configuration items for creating an SNMP user

| Item | Description |
|---|---|
| User Name | Set the SNMP user name. |
| Security Level | Select the security level for the SNMP group. The available security levels are: NoAuth/NoPriv: No authentication no privacy. Auth/NoPriv: Authentication without privacy. Auth/Priv: Authentication and privacy. |
| Group Name | Select an SNMP group to which the user belongs. When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy. When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy. When the security level is Auth/Priv, you can select an SNMP group of any security level. |
| Authentication Mode | Select an authentication mode (including MD5 and SHA) when the security level is Auth/NoPriv or Auth/Priv. |
| Authentication Password | Set the authentication password when the security level is Auth/NoPriv or Auth/Priv. |
| Confirm Authentication Password | The confirm authentication password must be the same as the authentication password. |
| Privacy Mode | Select a privacy mode (including DES56, AES128, and 3DES) when the security level is Auth/Priv. |
| Privacy Password | Set the privacy password when the security level is Auth/Priv. |
| Confirm Privacy Password | The confirm privacy password must be the same as the privacy password. |
| ACL | Associate a basic ACL with the user to restrict the source IP address of SNMP packets, that is, you can configure to allow or prohibit SNMP packets with a specific source IP address, so as to allow or prohibit the specified NMS to access the agent by using this user name. |

Return to SNMPv3 configuration task list.
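Why a user becomes invalid when the Local Engine ID changes (Table 135), and what the Authentication Password of Table 139 is turned into, shown as an added Python example that is not H3C code. It assumes the standard SNMPv3 USM key localization and HMAC-96 authentication of RFC 3414; the engine IDs and message bytes are constructed, and the password authkey is the one used in this guide's SNMPv3 example.

```python
import hashlib
import hmac


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash 1,048,576 bytes formed by repeating the password."""
    if not password:
        raise ValueError("empty password")
    reps, rest = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rest]).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Bind the password-derived key Ku to one agent: H(Ku || engineID || Ku)."""
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(key: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """HMAC over the message, truncated to 12 octets (HMAC-MD5-96 / HMAC-SHA-96)."""
    return hmac.new(key, whole_msg, algo).digest()[:12]


def agent_accepts(stored_key: bytes, whole_msg: bytes, tag: bytes,
                  algo: str = "md5") -> bool:
    return hmac.compare_digest(auth_tag(stored_key, whole_msg, algo), tag)


def engine_id_change_demo():
    """Return (accepted before the engine ID change, accepted after it)."""
    old_engine = bytes.fromhex("000000000000000000000002")   # constructed engine ID
    new_engine = bytes.fromhex("000000000000000000000003")   # constructed engine ID
    msg = b"constructed SNMPv3 message bytes"

    # The agent keeps only the key localized when the user was created.
    stored = localized_key(b"authkey", old_engine)

    # The NMS localizes the same password with the engine ID the agent reports.
    tag_before = auth_tag(localized_key(b"authkey", old_engine), msg)
    tag_after = auth_tag(localized_key(b"authkey", new_engine), msg)
    return (agent_accepts(stored, msg, tag_before),
            agent_accepts(stored, msg, tag_after))


if __name__ == "__main__":
    print(engine_id_change_demo())
```

After an engine ID change the stored keys no longer correspond to any password the NMS can present, so the users have to be created again.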

Configuring SNMP trap function


Select Advanced > SNMP from the navigation tree, and click the Trap tab to enter the page as shown in
Figure 280. On the upper part of the page, you can select to enable the SNMP trap function; on the
lower part of the page, you can configure target hosts of the SNMP traps. Click Add to enter the Add Trap
Target Host page, as shown in Figure 281.
Figure 280 Traps configuration


Figure 281 Add a target host of SNMP traps

Table 140 Configuration items for adding a target host

| Item | Description |
|---|---|
| Destination IP Address | Set the destination IP address. Select the IP address type: IPv4/domain name, or IPv6, and then type the corresponding IP address in the text box according to the IP address type. |
| Security Name | Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name. |
| UDP Port | Set UDP port number. IMPORTANT: The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS. Generally (such as using iMC or MIB Browser as the NMS), you can use the default port number. To change this parameter to another value, you need to make sure that the configuration is the same as that on the NMS. |
| Security Model | Select the security model, that is, the SNMP version. IMPORTANT: The security model must be the same as that running on the NMS; otherwise, the NMS cannot receive any trap. |
| Security Level | Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model drop-down list, the Security Level can only be no authentication no privacy, and cannot be modified. |

Return to SNMPv1 or SNMPv2c configuration task list or SNMPv3 configuration task list.

Displaying SNMP packet statistics


Select Advanced > SNMP from the navigation tree to enter the Setup tab page. On the lower part of the
page, you can view the SNMP statistics, as shown in Figure 282.
Figure 282 SNMP statistics

Return to SNMPv1 or SNMPv2c configuration task list or SNMPv3 configuration task list.


SNMP configuration example


SNMPv1 or SNMPv2c configuration example
Network requirements

As shown in Figure 283, the NMS connects to the agent through an Ethernet.

The IP address of the NMS is 1.1.1.2/24.

The IP address of the agent is 1.1.1.1/24.

The NMS monitors and manages the agent using SNMPv1 or SNMPv2c. The agent reports errors
or faults to the NMS.

Figure 283 Network diagram for SNMPv1 or SNMPv2c (Agent 1.1.1.1/24, NMS 1.1.1.2/24)

Configuration procedure
1. Configure the agent.

# Enable SNMP.

Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform the
following configuration as shown in Figure 284.


Figure 284 Enable SNMP

Select the Enable radio box.

Set the SNMP version to both v1 and v2c.

Click Apply.

# Configure an SNMP community.

Click the Community tab and then click Add. Perform the following configuration as shown in Figure
285.


Figure 285 Configure SNMP community named public

Type public in the text box of Community Name.

Select Read only from the Access Right drop-down list.

Click Apply.

Click the Community tab and then click Add. Perform the following configuration as shown in Figure
286.

Figure 286 Configure SNMP community named private

Type private in the text box of Community Name.

Select Read and write from the Access Right drop-down list.

Click Apply.

# Enable Agent to send SNMP traps.



Click the Trap tab and perform the following configuration as shown in Figure 287.

Figure 287 Enable Agent to send SNMP traps

Select the Enable SNMP Trap check-box.

Click Apply.

# Add target hosts of SNMP traps.

On the Trap tab page, click Add and perform the following configuration as shown in Figure 288.

Figure 288 Add target hosts of SNMP traps

Select the destination IP address type as IPv4/Domain.

Type the destination address 1.1.1.2.

Type the security username public.



Select v1 from the Security Model drop-down list. (This configuration must be the same as that
running on the NMS; otherwise, the NMS cannot receive any trap.)

Click Apply.

2. Configure the NMS.

NOTE:
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
the corresponding operations.
With SNMPv1 or SNMPv2c, you need to set both the read password and the read and write password on the
NMS. In addition, you need to configure the aging time and retry times. You can query and configure the
device through the NMS. For more information about NMS configuration, see the manual provided for
the NMS.

Configuration verification

After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can get and configure the values of some parameters on the agent through MIB nodes.

Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding
trap.

SNMPv3 configuration example


Network requirements

As shown in Figure 289, the NMS connects to the agent through an Ethernet.

The IP address of the NMS is 1.1.1.2/24.

The IP address of the agent is 1.1.1.1/24.

The NMS monitors and manages the interface status of the agent using SNMPv3, and only the
NMS is allowed to manage the agent. The agent reports errors or faults to the NMS.

The NMS has to pass the authentication to establish an SNMP connection with the agent; the
authentication protocol is MD5 and the authentication password is authkey.

Packets transmitted between the NMS and the agent need to be encrypted by the privacy protocol
DES, and the privacy password is prikey.

Figure 289 Network diagram for SNMPv3

Configuration procedure

1. Configure the agent.

# Enable SNMP.

Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform the
following configuration as shown in Figure 290.

Figure 290 Enable SNMP

Select the Enable radio box.

Set the SNMP version to v3.

Click Apply.

# Configure an SNMP view.

Click the View tab and then click Add. Perform the following configuration as shown in Figure 291.

Figure 291 Set the name of the view to be created

Type view1 in the text box of View Name.

Click Apply and enter the page of view1. Perform the following configuration as shown in Figure
292.

Figure 292 Add a view named view1

Select the Included radio box.

Type the MIB subtree OID interfaces.

Click Add.

Click Apply. A configuration progress dialog box appears, as shown in Figure 293.

Figure 293 Configuration progress dialog box

After the configuration process is complete, click Close.

# Configure an SNMP group.

Click the Group tab and then click Add. Perform the following configuration as shown in Figure
294.

Figure 294 Configure an SNMP group

Type group1 in the text box of Group Name.

Select NoAuth/NoPri from the Security Level drop-down list.

Select view1 from the Read View drop-down list.

Select v3 from the Security Level drop-down list.

Click Apply.

# Configure an SNMP user.

Click the User tab and then click Add. Perform the following configuration as shown in Figure 295.

Figure 295 Configure an SNMP user

Type user1 in the text box of User Name.

Select NoAuth/NoPri from the Security Level drop-down list.

Select group1 (NoAuth/NoPri) from the Group Name drop-down list.

Click Apply.

# Enable Agent to send SNMP traps.

Click the Trap tab and perform the following configuration as shown in Figure 296.

Figure 296 Add target hosts of SNMP traps

Select the Enable SNMP Trap check-box.


Click Apply.

# Add target hosts of SNMP traps.

On the Trap tab page, click Add and perform the following configuration as shown in Figure 297.

Figure 297 Add target hosts of SNMP traps

Select the destination IP address type as IPv4/Domain.

Type the destination address 1.1.1.2.

Type the user name user1.

Select v3 from the Security Model drop-down list.

Click Apply.

2. Configure the NMS.

NOTE:
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
SNMPv3 adopts a security mechanism of authentication and privacy. You need to configure the username
and security level. According to the configured security level, you need to configure the related
authentication mode, authentication password, privacy mode, privacy password, and so on.
You also need to configure the aging time and retry times. After the above configurations, you can
configure the device as needed through the NMS. For more information about NMS configuration, see
the manual provided for the NMS.

Configuration verification

After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can get and configure the values of some parameters on the agent through MIB nodes.

Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding
trap.
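
The settings entered in the two SNMP examples can be reviewed before deployment. The following check is an added example, not H3C code: it models both agent configurations as dictionaries (the field names, finding names, and the Auth/NoPri and Auth/Pri labels are assumptions of this example) and reports the community names public and private, write access over SNMPv1/v2c, and an SNMPv3 security level below the one the network requirements state. For the SNMPv3 example it shows that the requirements call for authentication and privacy while the group and user steps select NoAuth/NoPri.

```python
"""Audit of the SNMP agent settings from the two configuration examples.

The dictionary layout and the finding names are assumptions of this
example; they are not an H3C export format.
"""

# Security levels in increasing strength. Only NoAuth/NoPri appears in the
# procedure above; the two stronger labels are assumed names.
LEVELS = {"NoAuth/NoPri": 0, "Auth/NoPri": 1, "Auth/Pri": 2}
WELL_KNOWN = {"public", "private"}   # community names used in the example
CLEARTEXT_MODELS = {"v1", "v2c"}     # community string is sent unencrypted


def required_level(auth, privacy):
    """Map stated requirements to the minimum SNMPv3 security level."""
    if privacy:
        return "Auth/Pri"            # privacy implies authentication
    return "Auth/NoPri" if auth else "NoAuth/NoPri"


def audit(agent, requirement=None):
    """Return a list of findings for one agent configuration."""
    findings = []
    for version in agent.get("versions", []):
        if version in CLEARTEXT_MODELS:
            findings.append(f"cleartext-version:{version}")
    for community in agent.get("communities", []):
        if community["name"].lower() in WELL_KNOWN:
            findings.append(f"well-known-community:{community['name']}")
        if community["access"] == "Read and write":
            findings.append(f"write-community:{community['name']}")
    for target in agent.get("trap_targets", []):
        if target["model"] in CLEARTEXT_MODELS:
            findings.append(f"cleartext-trap:{target['address']}")
    if requirement is not None:
        need = LEVELS[required_level(**requirement)]
        for kind in ("groups", "users"):
            for entry in agent.get(kind, []):
                if LEVELS[entry["level"]] < need:
                    findings.append(
                        f"level-below-requirement:{kind[:-1]}:{entry['name']}")
    return findings


# Constructed from the SNMPv1/v2c procedure above.
V1V2C_AGENT = {
    "versions": ["v1", "v2c"],
    "communities": [
        {"name": "public", "access": "Read only"},
        {"name": "private", "access": "Read and write"},
    ],
    "trap_targets": [
        {"address": "1.1.1.2", "security_name": "public", "model": "v1"},
    ],
}

# Constructed from the SNMPv3 procedure above.
V3_AGENT = {
    "versions": ["v3"],
    "groups": [{"name": "group1", "level": "NoAuth/NoPri"}],
    "users": [{"name": "user1", "level": "NoAuth/NoPri", "group": "group1"}],
    "trap_targets": [
        {"address": "1.1.1.2", "security_name": "user1", "model": "v3"},
    ],
}

# The SNMPv3 network requirements: authentication and privacy are both needed.
V3_REQUIREMENT = {"auth": True, "privacy": True}

# The same agent with group and user raised to the required level
# (constructed; uses the assumed label Auth/Pri).
V3_MATCHING = {
    "versions": ["v3"],
    "groups": [{"name": "group1", "level": "Auth/Pri"}],
    "users": [{"name": "user1", "level": "Auth/Pri", "group": "group1"}],
    "trap_targets": V3_AGENT["trap_targets"],
}

if __name__ == "__main__":
    for label, agent, req in (
        ("SNMPv1/v2c example", V1V2C_AGENT, None),
        ("SNMPv3 example as configured", V3_AGENT, V3_REQUIREMENT),
        ("SNMPv3 example at required level", V3_MATCHING, V3_REQUIREMENT),
    ):
        print(label, audit(agent, req) or "no findings")
```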

Bridging
Through the Web interface, you can configure the following transparent bridging functions:

Enabling a bridge set

Adding an interface to a bridge set

Overview
Bridging overview
A bridge is a store-and-forward device that connects and transfers traffic between local area network
(LAN) segments at the data-link layer. In some small-sized networks, especially those with dispersed
distribution of users, the use of bridges can reduce the network maintenance costs, without requiring the
end users to perform special configurations on the devices.
In applications, the following major kinds of bridging technologies apply: transparent bridging,
source-route bridging (SRB), translational bridging, and source-route translational bridging (SR/TLB).
The devices support only transparent bridging.
Transparent bridging bridges LAN segments of the same physical media type, primarily in Ethernet
environments. A transparent bridging device keeps a bridge table, which contains mappings between
destination MAC addresses and outbound interfaces.
NOTE:
For more information about transparent bridging, see the H3C MSR Series Routers Layer 2 - WAN
Configuration Guide.

Configuring bridging
Configuration task list
Table 141 Basic bridging configuration task list

| Task | Remarks |
|---|---|
| Enabling a bridge set | Required. No bridge set is enabled by default. |
| Adding an interface to a bridge set | Required. An interface is not in any bridge set by default. |

Enabling a bridge set


Select Advanced > Bridge from the navigation tree to enter the Global config page, as shown in Figure
298.

Figure 298 Global config

Table 142 Configuration items of enabling a bridge set

| Item | Remarks |
|---|---|
| Bridge Group id | Set the ID of the bridge set you want to enable |

Return to Basic bridging configuration task list.

Adding an interface to a bridge set


Select Advanced > Bridge from the navigation tree, and click the Config interface tab to enter the page
shown in Figure 299.

Figure 299 Configure interface

Table 143 Configuration items of adding an interface to a bridge set

| Item | Remarks |
|---|---|
| Interface | Select the interface you want to configure |
| Bridge Group | Set the ID of the bridge set to which you want to add the interface |
| VLAN Transmit | Enable or disable VLAN transparency on the interface. IMPORTANT: H3C does not recommend enabling this function on a subinterface. A VLAN interface does not support this function. |

Return to Basic bridging configuration task list.

Bridging configuration example


Network requirements
As shown in Figure 300, office area A and office area B attached to Switch A and Switch B are
connected by Router A and Router B. The trunk ports of Switch A and of Switch B are assigned to the
same VLAN. Enable VLAN transparency on Ethernet interfaces of the two routers, so the two office areas
can communicate within the same VLAN.

Figure 300 Network diagram for VLAN ID transparent transmission configuration

Configuration procedure

1. Configure Router A

# Enable bridge set 2.

Select Advanced > Bridge from the navigation tree to enter the Global config page. Perform
configuration on the page as shown in Figure 301.

Figure 301 Enable bridge set 2

Type 2 as the bridge group ID.

Click Apply.

# Assign Ethernet 1/1 to bridge set 2, and enable VLAN transparency.

Click the Config interface tab, and perform configuration on the page as shown in Figure 302.

Figure 302 Assign Ethernet 1/1 to bridge set 2 and enable VLAN transparency

Select Ethernet1/1 from the Interface drop-down list.

Select 2 from the Bridge Group drop-down list.

Select Enable from the VLAN Transmit drop-down list.

Click Apply.

# Assign Ethernet 1/2 to bridge set 2, and enable VLAN transparency.


Figure 303 Assign Ethernet 1/2 to bridge set 2 and enable VLAN transparency

As shown in Figure 303, select Ethernet1/2 from the Interface drop-down list.

Select 2 from the Bridge Group drop-down list.


Select Enable from the VLAN Transmit drop-down list.

Click Apply.

2. Configure Router B

Configure Router B in the same way as you configured Router A.

User group configuration


You can do the following to configure user groups on the web interface:

Configuring a user group

Configuring a user

Configuring access control

Configuring application control

Configuring bandwidth control

Configuring packet filtering

Synchronizing user group configuration for WAN interfaces

Overview
You can define the hosts to be managed in the LAN as users and then add them to a user group, so that
you can perform access control, application control, bandwidth control, and packet filtering on a per
user group basis.

Access control: Allows you to deny access from hosts during specific time ranges. All packets
matching these criteria are denied access to the Internet.

Application control: Allows you to restrict users in a user group from accessing a specific
application or protocol (such as Telnet, DNS, SIP, and HTTP) on the Internet. You can perform
application control based on a user group or all users. For more information about application
control, see the chapter Application control.

Bandwidth control: Allows you to control bandwidth consumption on a per user group basis. It
evaluates traffic with token buckets and drops the packets that do not conform, thus controlling
bandwidth utilization.

Packet filtering: Allows you to filter packets that match specific criteria such as the protocol,
destination IP address, source port, and destination port on a per user group basis.

Configuring user groups


Configuration task list
Table 144 User group configuration task list

| Task | Remarks |
|---|---|
| Configuring a user group | Required. By default, no user groups are configured. |
| Configuring a user | Required. Add users to the user group. By default, a user group has no users. |
| Configuring access control, Configuring application control, Configuring bandwidth control, Configuring packet filtering | Required. Use at least one of the approaches. By default, a user group has no service configured. |
| Synchronizing user group configuration for WAN interfaces | Optional. If a WAN interface is added or a non-WAN interface becomes a WAN interface after the user or user group is configured, you need to synchronize the user group configuration to the WAN interface. IMPORTANT: Make sure that at least one user group is in the system before synchronization. |

Configuring a user group


Select Advanced > Security > Usergroup from the navigation tree. The group configuration page
appears, as shown in Figure 304.
Figure 304 User group configuration

Table 145 User group configuration item

| Item | Description |
|---|---|
| User Group Name | Set the name of the group to be added. The group name is a character string beginning with letters. The string cannot contain any question mark (?) or space. |

Return to User group configuration task list.

Configuring a user
Select Advanced > Security > Usergroup from the navigation tree, and then select the User tab to enter
the page for configuring users, as shown in Figure 305.
Figure 305 User configuration

Table 146 User configuration items

| Item | Description |
|---|---|
| Please select a user group | Select the group to which you want to add users. |
| Add Mode | Set the mode in which the users are added. Static: In this mode, you need to type the username and IP address manually in the following text boxes. Dynamic: The system displays all the devices connected with the device for you to select. |
| Username | Set the username. In static add mode, you need to specify the username manually. In dynamic add mode, the system automatically generates a username. |
| IP Address | Set the IP address. In static add mode, you need to specify the IP address manually. In dynamic add mode, the system automatically obtains the IP addresses and MAC addresses of the devices connecting to the device for you to select. |

Return to User group configuration task list.

Configuring access control


Select Advanced > Security > Connect Control from the navigation tree to enter the configuration page,
as shown in Figure 306.
Figure 306 Access control configuration

Table 147 Access control configuration items

| Item | Description |
|---|---|
| Please select a user group | Select a user group for access control. When there is more than one user group, the option all is available. Selecting all means that the access control configuration applies to all the user groups. |
| Days, Time | Set the time range in which access to the Internet is denied. |

Return to User group configuration task list.

Configuring application control


Select Advanced > Security > Application Control from the navigation tree to enter the page as shown in
Figure 307.
Figure 307 Application control

Table 148 Application control configuration items

| Item | Description |
|---|---|
| Please select a user group | Select a user group for application control. When there is more than one user group, the option all is available. Selecting all means that the application control configuration applies to all the user groups. |
| Please select applications to deny | Select the applications and protocols to be controlled. There are three types of applications for you to select. Loaded applications: Applications contained in the loaded signature file. To load a signature file, select Security > Application Control. Predefined applications. Custom applications: To customize applications, select Security > Application Control. |

Return to User group configuration task list.

Configuring bandwidth control


After logging into the Web interface, select Advanced > Security > Band Width from the navigation tree
to enter the bandwidth control configuration page, as shown in Figure 308.

Figure 308 Bandwidth control configuration

Table 149 Bandwidth control configuration items

| Item | Description |
|---|---|
| Please select a user group | Set the user group for bandwidth control configuration. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all the user groups. |
| CIR | Set the committed information rate (CIR), namely, the permitted average rate of traffic. |
| CBS | Set the committed burst size (CBS). CBS is the capacity of the token bucket, namely, the maximum traffic size that is permitted in each burst. The CBS value must be greater than the maximum packet size. IMPORTANT: By default, the CBS is the number of bytes transmitted in 500 ms at the rate of CIR. If the number exceeds the value range, the allowed maximum or minimum value is adopted. |

Return to User group configuration task list.
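
How CIR and CBS interact is easier to see in a simulation. The following token-bucket policer is an added example, not the router's implementation: it assumes CIR is given in kbps with 1 kbps = 1000 bit/s, that the bucket starts full, and it does not model the device's CBS value range, which this page does not state. It shows why the CBS must exceed the maximum packet size: at a CIR of 8 kbps (the value the staff group receives in the configuration example) the unclamped 500 ms default is 500 bytes, so a 1500-byte packet can never conform.

```python
"""Token-bucket policing with the CIR and CBS parameters of Table 149."""


def default_cbs_bytes(cir_kbps):
    """Bytes transmitted in 500 ms at CIR (not clamped to a device range)."""
    return cir_kbps * 1000 // 8 // 2


class TokenBucket:
    def __init__(self, cir_kbps, cbs_bytes=None):
        self.rate = cir_kbps * 1000 / 8          # refill rate in bytes/second
        self.cbs = default_cbs_bytes(cir_kbps) if cbs_bytes is None else cbs_bytes
        self.tokens = float(self.cbs)            # assumption: bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        """Return True if a packet of `size` bytes conforms at time `now`."""
        # Refill for the elapsed time, never beyond the bucket capacity (CBS).
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                             # nonconforming packet: dropped


def police(packets, cir_kbps, cbs_bytes=None):
    """packets: list of (arrival time in seconds, size in bytes)."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    return [bucket.offer(t, size) for t, size in packets]


def conforming_bytes(packets, cir_kbps, cbs_bytes=None):
    verdicts = police(packets, cir_kbps, cbs_bytes)
    return sum(size for (_, size), ok in zip(packets, verdicts) if ok)


# Constructed traffic: three full-size packets back to back, then two later.
BURST = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (1.5, 1500), (1.6, 1500)]
# Constructed traffic: 100-byte packets every 50 ms for 10 s (16 kbps offered).
STEADY = [(i * 0.05, 100) for i in range(200)]

if __name__ == "__main__":
    print("default CBS at 8 kbps :", default_cbs_bytes(8), "bytes")
    print("default CBS at 54 kbps:", default_cbs_bytes(54), "bytes")
    print("burst, CBS 500 bytes  :", police(BURST, 8))
    print("burst, CBS 3000 bytes :", police(BURST, 8, 3000))
    print("steady, bytes passed  :", conforming_bytes(STEADY, 8), "of 20000")
```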

Configuring packet filtering


Select Advanced > Security > Packet Filter from the navigation tree to enter the Packet Filter page, as
shown in Figure 309.

Figure 309 Packet filtering configuration

Table 150 Packet filtering configuration items

| Item | Description |
|---|---|
| Please select a user group | Select a user group that the packet filtering is to be applied to. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all the user groups. |
| Protocol | Select a protocol carried by IP. |
| Destination IP Address, Destination Wildcard | Set the destination IP address and wildcard mask. |
| Source Port: Operator, Port, ToPort | Configure the source port for TCP/UDP packets. When you select 6 TCP or 17 UDP as the protocol, these parameters are configurable. If you select NotCheck as the operator, port numbers will not be checked and no ports need to be specified. If you select Range as the operator, you need to specify both start and end ports to define a port range. If you select any other option as the operator, only a start port needs to be specified. |
| Destination Port: Operator, Port, ToPort | Configure the destination port of TCP/UDP packets. When you select 6 TCP or 17 UDP as the protocol, these parameters are configurable. If you select NotCheck as the operator, port numbers will not be checked and no ports need to be specified. If you select Range as the operator, you need to specify both start and end ports to define a port range. If you select any other option as the operator, only a start port needs to be specified. |

Return to User group configuration task list.
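
The destination wildcard is the item in Table 150 most often entered incorrectly, because its bits read the opposite way from a subnet mask: a 0 bit must match and a 1 bit is ignored. The following matcher is an added example, not H3C code. It models the items of Table 150 with assumed field names, uses the strings IP, TCP and UDP for the protocol, treats Range as inclusive, and uses Equal as an assumed name for one of the operators the table calls "other". It evaluates constructed packets against the rule used later in the configuration example (2.2.2.1 with wildcard 0.0.0.0) and against two wider wildcards.

```python
"""Matching logic for the packet filtering items in Table 150."""
import ipaddress


def wildcard_match(address, base, wildcard):
    """True if address equals base in every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be identical
    return (a & care) == (b & care)


def port_match(port, operator, start=None, end=None):
    if operator == "NotCheck":      # ports are not examined
        return True
    if operator == "Range":         # assumption: both ends are included
        return start <= port <= end
    if operator == "Equal":         # assumed name; only a start port is given
        return port == start
    raise ValueError(f"operator not modelled in this example: {operator}")


def rule_matches(rule, packet):
    """rule/packet field names are assumptions of this example."""
    proto = rule.get("protocol", "IP")
    if proto != "IP" and proto != packet["protocol"]:
        return False
    if "dst" in rule and not wildcard_match(
            packet["dst"], rule["dst"], rule.get("dst_wildcard", "0.0.0.0")):
        return False
    if proto in ("TCP", "UDP"):     # port items apply only to TCP and UDP
        for side in ("src_port", "dst_port"):
            operator, start, end = rule.get(side, ("NotCheck", None, None))
            if not port_match(packet[side], operator, start, end):
                return False
    return True


# Constructed sample packets.
PACKETS = [
    {"protocol": "TCP", "dst": "2.2.2.1", "src_port": 40000, "dst_port": 80},
    {"protocol": "UDP", "dst": "2.2.2.1", "src_port": 40001, "dst_port": 53},
    {"protocol": "TCP", "dst": "2.2.2.2", "src_port": 40002, "dst_port": 80},
    {"protocol": "TCP", "dst": "3.3.3.3", "src_port": 40003, "dst_port": 443},
]

# The rule from the configuration example: one host, any protocol.
HOST_RULE = {"protocol": "IP", "dst": "2.2.2.1", "dst_wildcard": "0.0.0.0"}
# Same address with wider wildcards (constructed for comparison).
SUBNET_RULE = {"protocol": "IP", "dst": "2.2.2.1", "dst_wildcard": "0.0.0.255"}
ANY_RULE = {"protocol": "IP", "dst": "2.2.2.1", "dst_wildcard": "255.255.255.255"}
# TCP only, destination ports 80 to 443 on the same host (constructed).
WEB_RULE = {"protocol": "TCP", "dst": "2.2.2.1", "dst_wildcard": "0.0.0.0",
            "dst_port": ("Range", 80, 443)}


def matches(rule):
    return [rule_matches(rule, packet) for packet in PACKETS]


if __name__ == "__main__":
    for name, rule in (("host", HOST_RULE), ("subnet", SUBNET_RULE),
                       ("any", ANY_RULE), ("web", WEB_RULE)):
        print(f"{name:6}", matches(rule))
```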

Synchronizing user group configuration for WAN interfaces


Select Advanced > Security > Usergroup from the navigation tree, and then select the WAN
Synchronization tab to enter the page for user group configuration synchronization, as shown in Figure
310.
Click the Sync button to synchronize the user group configuration for WAN interfaces.
Figure 310 User group configuration synchronization

Return to User group configuration task list.

User group configuration example


Network requirements
As shown in Figure 311, the Router connects the intranet to the Internet. Host A is used by the Manager;
Host B, Host C, and Host D are used by common users. On the Router:

Configure access control so that access from common users to the Internet during work time (9:00
to 18:00 from Monday through Friday) is denied while access from the Manager is allowed.

Configure application control so that access from common users to MSN application is denied
while access from the Manager is allowed.

Configure the maximum average rate of Internet access as 8 kbps for common users and 54 kbps
for the Manager.

Configure packet filtering so that access to the server at the address 2.2.2.1 from common users is
denied.

Figure 311 Network diagram for user group configuration (diagram labels: Manager Host A, IP 192.168.1.11/24, MAC 0015-e9ac-2def; Host B, IP 192.168.1.12/24; Host C, 192.168.1.13/24; Host D, 192.168.1.14/24; Router, interface labels Eth1/0 192.168.1.1/24 and Eth1/0; Internet)

Configuration procedure
# Create user groups staff (for common users) and manager (for the Manager).

Select Advanced > Security > Usergroup to enter the group configuration page. Perform the
configurations as shown in Figure 312.

Figure 312 Create user groups staff and manager

Type staff as a user group name.

Click Apply.

Type manager as a user group name.

Click Apply.

# Add users to user groups.

Select Advanced > Security > Usergroup, and then select the User tab. Perform the configurations
as shown in Figure 313.

Figure 313 Add users to user group staff

Select staff from the user group drop-down list.

Select Dynamic as the add mode. The following area then displays the IP addresses and MAC
addresses of all the hosts in the intranet that connects to the Router.

Select the entries of Host B, Host C, and Host D.

Click Apply. A configuration progress dialog box appears, as shown in Figure 314.

Figure 314 Configuration progress dialog box

After the configuration process is complete, click Close.


Figure 315 Add users to user group manager

Select manager from the user group drop-down list.

Select Static for Add Mode.


Type hosta as the username.
Type 192.168.1.11 as the IP address.

Click Apply. A configuration progress dialog box appears.

After the configuration process is complete, click Close.

# Configure access control for user group staff.

Select Advanced > Security > Connect Control, and perform the configurations as shown in Figure
316.

Figure 316 Configure access control for user group staff

Select staff from the user group drop-down list.


Select the check boxes for Monday through Friday.
Specify 09:00 as the start time.
Specify 18:00 as the end time.

Click Apply. A configuration progress dialog box appears.

After the configuration process is complete, click Close.

# Load the application control file (assume the signature file is stored on the device).

Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab. Perform the configurations as shown in Figure 317.
Figure 317 Load the application control file

Select the From Device radio button, and select file p2p_default.

Click Apply. You can then see that MSN is listed among the loaded applications in the lower part of the page.

# Configure application control for user group staff.

Select Advanced > Security > Application Control from the navigation tree, and perform the
configurations as shown in Figure 318.
Figure 318 Configure application control to user group staff

Select staff from the user group drop-down list.


Select MSN from the Loaded Applications area.

Click Apply. A configuration progress dialog box appears.

After the configuration process is complete, click Close.

# Configure bandwidth control for user groups staff and manager.

Select Advanced > Security > Band Width, and then perform the configurations as shown in Figure
319.

Figure 319 Configure bandwidth control to user groups staff and manager

Select the staff user group.


Type 8 for the CIR.

Click Apply. A configuration progress dialog box appears.


After the configuration process is complete, click Close.
Select the manager user group.
Type 54 for the CIR.

Click Apply. A configuration progress dialog box appears.

After the configuration process is complete, click Close.

# Configure packet filtering for user group staff.

Select Advanced > Security > Packet Filter, and then perform the configurations as shown in Figure
320.

Figure 320 Configure packet filtering for user group staff

Select staff from the user group drop-down list.

Select IP as the protocol.

Select the Destination IP Address check box.

Type 2.2.2.1 as the destination IP address.

Type 0.0.0.0 as the destination wildcard.

Click Apply. A configuration progress dialog box appears.

After the configuration process is complete, click Close.

MSTP configuration
NOTE:
This feature is available only on the MSR 20/30/50 routers.

Overview
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by
selectively blocking redundant links in a network, and at the same time allows for link redundancy.
Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid
Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP). This chapter describes
the characteristics of STP, RSTP, and MSTP.

Introduction to STP
STP was developed based on the IEEE 802.1d standard to eliminate loops at the data link layer in a
local area network (LAN). Devices running this protocol detect loops in the network by exchanging
information with one another and eliminate loops by selectively blocking certain ports to prune the loop
structure into a loop-free tree structure. This avoids the proliferation and infinite cycling of packets that
would occur in a looped network and prevents the performance of network devices from degrading
because of duplicate packets.
In the narrow sense, STP refers to the IEEE 802.1d STP; in the broad sense, STP refers to the IEEE 802.1d
STP and various enhanced spanning tree protocols derived from that protocol.

Protocol Packets of STP


STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
packets.
STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient
information for the network devices to complete spanning tree calculation.
In STP, BPDUs have the following types:

Configuration BPDUs, used for calculating a spanning tree and maintaining the spanning tree
topology.

Topology change notification (TCN) BPDUs, used for notifying the concerned devices of network
topology changes, if any.

Basic Concepts in STP


1. Root bridge

A tree network must have a root bridge.


There is only one root bridge in the entire network. The root bridge is not fixed, but can change along
with changes of the network topology.

Upon initialization of a network, each device generates and sends out BPDUs periodically with itself as
the root bridge; after network convergence, only the root bridge generates and sends out configuration
BPDUs at a certain interval, and the other devices just forward BPDUs.
2. Root port

On a non-root bridge, the port nearest to the root bridge is the root port. The root port is responsible for
communication with the root bridge. Each non-root bridge has one and only one root port. The root
bridge has no root port.
3. Designated bridge and designated port

Table 151 Description of designated bridges and designated ports

| Classification | Designated bridge | Designated port |
|---|---|---|
| For a device | A device directly connected to the local device and responsible for forwarding BPDUs to the local device. | The port through which the designated bridge forwards BPDUs to the local device. |
| For a LAN | The device responsible for forwarding BPDUs to this LAN segment. | The port through which the designated bridge forwards BPDUs to this LAN segment. |

As shown in Figure 321, AP1 and AP2, BP1 and BP2, and CP1 and CP2 are ports on Device A, Device
B, and Device C respectively.

If Device A forwards BPDUs to Device B through AP1, the designated bridge for Device B is Device
A, and the designated port of Device B is port AP1 on Device A.

Two devices are connected to the LAN: Device B and Device C. If Device B forwards BPDUs to the
LAN, the designated bridge for the LAN is Device B, and the designated port for the LAN is the port
BP2 on Device B.

Figure 321 A schematic diagram of designated bridges and designated ports

NOTE:
All the ports on the root bridge are designated ports.
4. Path cost

Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively
robust links and blocks redundant links, and finally prunes the network into a loop-free tree.

How STP works


The devices on a network exchange BPDUs to identify the network topology. Configuration BPDUs
contain sufficient information for the network devices to complete spanning tree calculation. A
configuration BPDU includes the following important fields:

Root bridge ID: consisting of the priority and MAC address of the root bridge.

Root path cost: the cost of the shortest path to the root bridge.

Designated bridge ID: consisting of the priority and MAC address of the designated bridge.

Designated port ID: designated port priority plus port name.

Message age: age of the configuration BPDU while it propagates in the network.

Max age: the maximum age for which a configuration BPDU can be maintained on a device.

Hello time: configuration BPDU interval.

Forward delay: the delay used by STP bridges to transition the root and designated ports
to the forwarding state.

NOTE:
For simplicity, the descriptions and examples in this document involve only the following fields in the
configuration BPDUs:
Root bridge ID (represented by device priority)
Root path cost (related to the rate of the link connecting the port)
Designated bridge ID (represented by device priority)
Designated port ID (represented by port name)
1. Calculation process of the STP algorithm

Initial state

Upon initialization of a device, each port generates a BPDU with itself as the root bridge, in which the
root path cost is 0, designated bridge ID is the device ID, and the designated port is the local port.
Selection of the optimum configuration BPDU

Each device sends out its configuration BPDU and receives configuration BPDUs from other devices.
Table 152 Selection of the optimum configuration BPDU

| Step | Actions |
|---|---|
| 1 | Upon receiving a configuration BPDU on a port, the device performs the following: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device discards the received configuration BPDU and does not process the configuration BPDU of this port. If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port, the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU. |
| 2 | The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU. |

NOTE:
Configuration BPDU comparison uses the following principles:
The configuration BPDU that has the lowest root bridge ID has the highest priority.
If all the configuration BPDUs have the same root bridge ID, their root path costs are compared. For
example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S. The
configuration BPDU with the smallest S value has the highest priority.
If all configuration BPDUs have the same S value, their designated bridge IDs, designated port IDs, and
the IDs of the receiving ports are compared in sequence. The configuration BPDU containing a smaller
ID wins out.
Selection of the root bridge

Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge
ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge
IDs to elect the device with the smallest root bridge ID as the root bridge.
Selection of the root port and designated ports on a non-root device

Table 153 Selection of the root port and designated ports

| Step | Description |
|---|---|
| 1 | A non-root device regards the port on which it received the optimum configuration BPDU as the root port. |
| 2 | Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the other ports. The root bridge ID is replaced with that of the configuration BPDU of the root port. The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost of the root port. The designated bridge ID is replaced with the ID of this device. The designated port ID is replaced with the ID of this port. |
| 3 | The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined, and acts depending on the comparison result. If the calculated configuration BPDU is superior, the device considers this port as the designated port, and replaces the configuration BPDU on the port with the calculated configuration BPDU, which will be sent out periodically. If the configuration BPDU on the port is superior, the device blocks this port without updating its configuration BPDU. The blocked port can receive BPDUs but cannot send BPDUs or forward data. |

NOTE:
When the network topology is stable, only the root port and designated ports forward traffic, and other
ports are all in the blocked state: they receive BPDUs but do not forward BPDUs or user traffic.
A tree-shape topology forms upon successful election of the root bridge, the root port on each non-root
bridge and the designated ports.
The following is an example of how the STP algorithm works. As shown in Figure 322, the priority of
Device A is 0, the priority of Device B is 1, the priority of Device C is 2, and the path costs of these links
are 5, 10 and 4 respectively.
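
The comparison rules and the role selection steps of Tables 152 and 153 can be run on this three-device example. The following Python code is an added example, not H3C's implementation. It uses the simplified four-field BPDU {root bridge ID, root path cost, designated bridge ID, designated port ID} with port names as port IDs. The A-B link cost of 5 is the one the worked example uses for Device B's root port; assigning 10 to the A-C link and 4 to the B-C link is an assumption, because Figure 322 is not reproduced here.

```python
"""STP role selection with the simplified four-field BPDUs of this chapter."""
from collections import namedtuple

BPDU = namedtuple("BPDU", "root_id root_cost bridge_id port_id")


def superior(a, b):
    """True if BPDU a has higher priority than b (smaller fields win, in order)."""
    return tuple(a) < tuple(b)


def receive(stored, received):
    """Table 152, step 1: keep the better of the stored and received BPDU."""
    return received if superior(received, stored) else stored


def assign_roles(bridge_id, ports):
    """ports maps port name -> (path cost, BPDU stored on the port).

    Returns port name -> (role, BPDU held by the port afterwards).
    """
    # Ports that hold a BPDU from another bridge are root port candidates.
    candidates = [n for n, (_, b) in ports.items() if b.bridge_id != bridge_id]
    if not candidates:
        # Nothing better was received: this device is the root bridge and
        # all of its ports are designated ports.
        return {n: ("designated", b) for n, (_, b) in ports.items()}

    def priority(name):
        cost, b = ports[name]
        # S = root path cost in the BPDU + path cost of the receiving port,
        # then designated bridge ID, designated port ID, receiving port ID.
        return (b.root_id, b.root_cost + cost, b.bridge_id, b.port_id, name)

    root_port = min(candidates, key=priority)
    root_cost, root_bpdu = ports[root_port]
    roles = {root_port: ("root", root_bpdu)}
    for name, (_, stored) in ports.items():
        if name == root_port:
            continue
        # Table 153, step 2: BPDU this port would send as a designated port.
        calculated = BPDU(root_bpdu.root_id, root_bpdu.root_cost + root_cost,
                          bridge_id, name)
        # Table 153, step 3: designated if the calculated BPDU is superior.
        if superior(calculated, stored):
            roles[name] = ("designated", calculated)
        else:
            roles[name] = ("blocked", stored)
    return roles


def device_a():
    ap1 = receive(BPDU(0, 0, 0, "AP1"), BPDU(1, 0, 1, "BP1"))
    ap2 = receive(BPDU(0, 0, 0, "AP2"), BPDU(2, 0, 2, "CP1"))
    return assign_roles(0, {"AP1": (5, ap1), "AP2": (10, ap2)})


def device_b():
    bp1 = receive(BPDU(1, 0, 1, "BP1"), BPDU(0, 0, 0, "AP1"))
    bp2 = receive(BPDU(1, 0, 1, "BP2"), BPDU(2, 0, 2, "CP2"))
    return assign_roles(1, {"BP1": (5, bp1), "BP2": (4, bp2)})


def device_c():
    cp1 = receive(BPDU(2, 0, 2, "CP1"), BPDU(0, 0, 0, "AP2"))
    # CP2 hears the BPDU that Device B sends from its designated port BP2.
    cp2 = receive(BPDU(2, 0, 2, "CP2"), device_b()["BP2"][1])
    return assign_roles(2, {"CP1": (10, cp1), "CP2": (4, cp2)})


if __name__ == "__main__":
    for name, result in (("Device A", device_a()), ("Device B", device_b()),
                         ("Device C", device_c())):
        for port, (role, bpdu) in sorted(result.items()):
            print(name, port, role, tuple(bpdu))
```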

Figure 322 Network diagram for the STP algorithm

Initial state of each device

Table 154 Initial state of each device

| Device | Port name | BPDU of port |
|---|---|---|
| Device A | AP1 | {0, 0, 0, AP1} |
| Device A | AP2 | {0, 0, 0, AP2} |
| Device B | BP1 | {1, 0, 1, BP1} |
| Device B | BP2 | {1, 0, 1, BP2} |
| Device C | CP1 | {2, 0, 2, CP1} |
| Device C | CP2 | {2, 0, 2, CP2} |

Comparison process and result on each device

Table 155 Comparison process and result on each device

Device A

Comparison process:

Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the
configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration
BPDU, and discards the received configuration BPDU.

Port AP2 receives the configuration BPDU of Device C {2, 0, 2, CP1}. Device A finds that the
BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and
discards the received configuration BPDU.

Device A finds that both the root bridge and designated bridge in the configuration BPDUs of all
its ports are itself, so it assumes itself to be the root bridge. It does not make any change to the
configuration BPDU of each port, and starts sending out configuration BPDUs periodically.

BPDU of port after comparison:

AP1: {0, 0, 0, AP1}
AP2: {0, 0, 0, AP2}

Device B

Comparison process:

Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the
received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1,
BP1}, and updates the configuration BPDU of BP1.

Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}. Device B finds that the
configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration
BPDU, and discards the received configuration BPDU.

BPDU of port after comparison:

BP1: {0, 0, 0, AP1}
BP2: {1, 0, 1, BP2}

Comparison process:

Device B compares the configuration BPDUs of all its ports, and determines that the configuration
BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the
configuration BPDUs of which will not be changed.

Based on the configuration BPDU of BP1 and the path cost of the root port (5), Device B
calculates a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.

Device B compares the calculated configuration BPDU {0, 5, 1, BP2} with the configuration BPDU
of BP2. If the calculated BPDU is superior, BP2 will act as the designated port, and the
configuration BPDU on this port will be replaced with the calculated configuration BPDU, which
will be sent out periodically.

BPDU of port after comparison:

Root port BP1: {0, 0, 0, AP1}
Designated port BP2: {0, 5, 1, BP2}

Device C

Comparison process:

Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the
received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2,
CP1}, and updates the configuration BPDU of CP1.

Port CP2 receives the configuration BPDU of port BP2 of Device


B {1, 0, 1, BP2} before the configuration BPDU is updated.
Device C finds that the received configuration BPDU is superior
to the configuration BPDU of the local port {2, 0, 2, CP2}, and
updates the configuration BPDU of CP2.

CP1: {0, 0, 0, AP2}


CP2: {1, 0, 1, BP2}

After comparison:

The configuration BPDU of CP1 is elected as the optimum


configuration BPDU, so CP1 is identified as the root port, the
configuration BPDUs of which will not be changed.

Device C compares the calculated designated port


configuration BPDU {0, 10, 2, CP2} with the configuration
BPDU of CP2, and CP2 becomes the designated port, and the
configuration BPDU of this port will be replaced with the
calculated configuration BPDU.

Root port CP1:


{0, 0, 0, AP2}
Designated port CP2:
{0, 10, 2, CP2}

Then, port CP2 receives the updated configuration BPDU of

Device B {0, 5, 1, BP2}. Because the received configuration


BPDU is superior to its own configuration BPDU, Device C
launches a BPDU update process.

At the same time, port CP1 receives periodic configuration


BPDUs from Device A. Device C does not launch an update
process after comparison.

333

CP1: {0, 0, 0, AP2}


CP2: {0, 5, 1, BP2}

Device

BPDU of port after


comparison

Comparison process
After comparison:

Because the root path cost of CP2 (9) (root path cost of the
BPDU (5) plus path cost corresponding to CP2 (4)) is smaller
than the root path cost of CP1 (10) (root path cost of the BPDU
(0) + path cost corresponding to CP2 (10)), the BPDU of CP2 is
elected as the optimum BPDU, and CP2 is elected as the root
port, the messages of which will not be changed.

After comparison between the configuration BPDU of CP1 and


the calculated designated port configuration BPDU, port CP1 is
blocked, with the configuration BPDU of the port unchanged,
and the port will not receive data from Device A until a
spanning tree calculation process is triggered by a new event,
for example, the link from Device B to Device C going down.

Blocked port CP2:


{0, 0, 0, AP2}
Root port CP2:
{0, 5, 1, BP2}

After the comparison processes described in Table 155, a spanning tree with Device A as the root bridge
is established as shown in Figure 323.
Figure 323 The final calculated spanning tree

NOTE:
The spanning tree calculation process in this example is only a simplified process.
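The comparison rounds of Table 155 can be replayed in code. The following Python sketch is an added example, not H3C code: it models only the simplified process described above (no timers, no BPDU ageing), and the names BPDU, BRIDGES, LINKS and run_stp are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BPDU:
    """Configuration BPDU {root bridge ID, root path cost, designated bridge ID,
    designated port ID}. Field order is the comparison order, so the smaller
    tuple is the superior BPDU."""
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: str


# Topology of Figure 322 as described in the text. Port names start with the
# letter of the owning device; the cost of each link is read from the worked
# example (A-B = 5, A-C = 10, B-C = 4).
BRIDGES = {"A": 0, "B": 1, "C": 2}
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]


def run_stp(bridges, links, max_rounds=16):
    """Run synchronous comparison rounds until nothing changes.

    Returns (roles, held): the role of every port and the BPDU it holds.
    """
    cost, peer = {}, {}
    for a, b, c in links:
        cost[a] = cost[b] = c
        peer[a], peer[b] = b, a

    # Initial state (Table 154): every device regards itself as the root.
    held = {p: BPDU(bridges[p[0]], 0, bridges[p[0]], p) for p in cost}
    roles = {p: "designated" for p in cost}

    for _ in range(max_rounds):
        before = (dict(held), dict(roles))

        # 1. Ports that hold their own BPDU act as designated ports and send
        #    it. The snapshot is taken before any update in this round.
        sent = {peer[p]: held[p] for p in cost if held[p].port_id == p}

        # 2. A receiving port keeps the received BPDU only if it is superior.
        for p, rx in sent.items():
            if rx < held[p]:
                held[p] = rx

        # 3. Each device picks its root port, then decides the other ports.
        for name, bid in bridges.items():
            local = sorted(p for p in cost if p[0] == name)
            foreign = [p for p in local if held[p].port_id != p]
            if not foreign:
                # No superior BPDU received anywhere: this device is the root.
                for p in local:
                    held[p] = BPDU(bid, 0, bid, p)
                    roles[p] = "designated"
                continue
            # Optimum BPDU: lowest root ID, then lowest root path cost
            # including the cost of the receiving port, then the tie-breakers.
            root_port = min(foreign, key=lambda p: (
                held[p].root_id, held[p].root_path_cost + cost[p],
                held[p].bridge_id, held[p].port_id, p))
            best = held[root_port]
            root_cost = best.root_path_cost + cost[root_port]
            for p in local:
                if p == root_port:
                    roles[p] = "root"
                    continue
                calculated = BPDU(best.root_id, root_cost, bid, p)
                if calculated <= held[p]:
                    held[p] = calculated      # calculated BPDU is superior
                    roles[p] = "designated"
                else:
                    roles[p] = "blocked"      # BPDU on the port is superior

        if (held, roles) == before:
            break
    return roles, held


if __name__ == "__main__":
    final_roles, final_bpdus = run_stp(BRIDGES, LINKS)
    for port in sorted(final_roles):
        print(port, final_roles[port], final_bpdus[port])
```

Running it yields Device A as the root bridge, BP1 and CP2 as root ports, and CP1 blocked, which is the tree the comparison text arrives at. Dropping the BP2-CP2 link from LINKS shows CP1 taking over as the root port of Device C.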
2. The BPDU forwarding mechanism in STP

Upon network initiation, every device regards itself as the root bridge, generates configuration
BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.

If it is the root port that received a configuration BPDU and the received configuration BPDU is
superior to the configuration BPDU of the port, the device increases the message age carried in the
configuration BPDU following a certain rule and starts a timer to time the configuration BPDU while
sending out this configuration BPDU through the designated port.

If the configuration BPDU received on a designated port has a lower priority than the configuration
BPDU of the local port, the port immediately sends out its own configuration BPDU in response.

If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs
and the old configuration BPDUs will be discarded due to timeout. The device will generate
configuration BPDUs with itself as the root. This triggers a new spanning tree calculation process to
establish a new path to restore the network connectivity.
However, the newly calculated configuration BPDU will not be propagated throughout the network
immediately, so the old root ports and designated ports that have not detected the topology change
continue forwarding data along the old path. If the new root ports and designated ports begin to
forward data as soon as they are elected, a temporary loop may occur.
3. STP timers

STP calculation involves the following timers: forward delay, hello time, and max age.

Forward delay is the delay time for device state transition.

A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the change.
However, the resulting new configuration BPDU cannot propagate throughout the network immediately.
If the newly elected root ports and designated ports start to forward data right away, a temporary loop
is likely to occur.
For this reason, as a mechanism for state transition in STP, the newly elected root ports or designated
ports require twice the forward delay time before transiting to the forwarding state to ensure that the new
configuration BPDU has propagated throughout the network.

Hello time is the time interval at which a device sends hello packets to the surrounding devices to
ensure that the paths are fault-free.

Max age is a parameter used to determine whether a configuration BPDU held by the device has
expired. A configuration BPDU beyond the max age will be discarded.

Introduction to RSTP
Developed based on the 802.1w standard of IEEE, RSTP is an optimized version of STP. It achieves rapid
network convergence by allowing a newly elected root port or designated port to enter the forwarding
state much quicker under certain conditions than in STP.
NOTE:
In RSTP, a newly elected root port can enter the forwarding state rapidly if this condition is met: the old
root port on the device has stopped forwarding data and the upstream designated port has started
forwarding data.
In RSTP, a newly elected designated port can enter the forwarding state rapidly if this condition is met:
the designated port is an edge port or a port connected to a point-to-point link. If the designated port
is an edge port, it can enter the forwarding state directly. If the designated port is connected to a
point-to-point link, it can enter the forwarding state immediately after the device undergoes handshake
with the downstream device and gets a response.

Introduction to MSTP
Why MSTP
1. STP and RSTP limitations

STP does not support rapid state transition of ports. A newly elected root port or designated port must
wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a
point-to-point link or an edge port, which directly connects to a user terminal rather than to another
device or a shared LAN segment.

Although RSTP supports rapid network convergence, it has the same drawback as STP: all bridges
within a LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and
the packets of all VLANs are forwarded along the same spanning tree.
2. Features of MSTP

Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP and RSTP. In addition to the
support for rapid network convergence, it also allows data flows of different VLANs to be forwarded
along separate paths, providing a better load sharing mechanism for redundant links.
MSTP includes the following features:

MSTP supports mapping VLANs to MST instances (MSTIs) by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one MSTI.

MSTP divides a switched network into multiple regions, each containing multiple spanning trees
that are independent of one another.

MSTP prunes a loop network into a loop-free tree, avoiding proliferation and endless cycling of
packets in a loop network. In addition, it provides multiple redundant paths for data forwarding,
supporting load balancing of VLAN data.

MSTP is compatible with STP and RSTP.

Basic concepts in MSTP


Figure 324 Basic concepts in MSTP


Assume that all devices in Figure 324 are running MSTP. This section explains some basic concepts of
MSTP.
1. MST region

A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the
network segments among them. These devices have the following characteristics:

All are MSTP-enabled.

They have the same region name.

They have the same VLAN-to-instance mapping configuration.

They have the same MSTP revision level configuration.

They are physically linked with one another.

For example, all the devices in region A0 in Figure 324 have the same MST region configuration.

The same region name.

The same VLAN-to-instance mapping configuration (VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI
2, and the rest to the common and internal spanning tree (CIST or MSTI 0)).

The same MSTP revision level (not shown in the figure).

Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST
region.
2. VLAN-to-instance mapping table

As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs. In Figure 324, for example, the VLAN-to-instance mapping
table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP
achieves load balancing by means of the VLAN-to-instance mapping table.
3. IST

An internal spanning tree (IST) is a spanning tree that runs in an MST region.
ISTs in all MST regions and the common spanning tree (CST) jointly constitute the common and internal
spanning tree (CIST) of the entire network. An IST is a section of the CIST in an MST region.
In Figure 324, for example, the CIST has a section in each MST region, and this section is the IST in the
respective MST region.
4. CST

The CST is a single spanning tree that connects all MST regions in a switched network. If you regard each
MST region as a device, the CST is a spanning tree calculated by these devices through STP or RSTP.
CSTs are indicated by red lines in Figure 324.
5. CIST

Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all devices in a
switched network.
In Figure 324, for example, the ISTs in all MST regions plus the inter-region CST constitute the CIST of the
entire network.
6. MSTI

Multiple spanning trees can be generated in an MST region through MSTP, one spanning tree being
independent of another. Each spanning tree is referred to as a multiple spanning tree instance (MSTI).
In Figure 324, for example, multiple MSTIs can exist in each MST region, each MSTI corresponding to the
specified VLANs.

7. Regional root bridge

The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the IST or the
MSTI. Based on the topology, different spanning trees in an MST region may have different regional
roots.
For example, in region D0 in Figure 324, the regional root of MSTI 1 is device B, and that of MSTI 2 is
device C.
8. Common root bridge

The common root bridge is the root bridge of the CIST.


In Figure 324, for example, the common root bridge is a device in region A0.
9. Boundary port

A boundary port is a port that connects an MST region to another MST region, or to a single
spanning-tree region running STP, or to a single spanning-tree region running RSTP. It is at the boundary
of an MST region.
During MSTP calculation, the role of a boundary port in an MSTI must be consistent with its role in the
CIST. But this is not true with master ports. A master port on MSTIs is a root port on the CIST. For example,
in Figure 324, if a device in region A0 is interconnected to the first port of a device in region D0 and the
common root bridge of the entire switched network is located in region A0, the first port of that device
in region D0 is the boundary port of region D0.
10. Roles of ports

MSTP calculation involves the following port roles: root port, designated port, master port, boundary port,
alternate port, and backup port.

Root port: a port responsible for forwarding data to the root bridge.

Designated port: a port responsible for forwarding data to the downstream network segment or
device.

Master port: a port on the shortest path from the current region to the common root bridge,
connecting the MST region to the common root bridge. If the region is seen as a node, the master
port is the root port of the region on the CST. The master port is a root port on IST/CIST and still a
master port on the other MSTIs.

Alternate port: the standby port for the root port and the master port. When the root port or master
port is blocked, the alternate port becomes the new root port or master port.

Backup port: the backup port of a designated port. When the designated port is blocked, the
backup port becomes a new designated port and starts forwarding data without delay. A loop
occurs when two ports of the same MSTP device are interconnected. The device will block either of
the two ports, and the backup port is the port to be blocked.

A port can play different roles in different MSTIs.


Figure 325 Port roles

In Figure 325, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are
connected to the common root bridge, port 5 and port 6 of device C form a loop, port 3 and port 4 of
Device D are connected downstream to the other MST regions.
11. Port states

In MSTP, a port may be in one of the following states:

Forwarding: the port learns MAC addresses and forwards user traffic.

Learning: the port learns MAC addresses but does not forward user traffic.

Discarding: the port does not learn MAC addresses or forward user traffic.

NOTE:
A port can have different port states in different MSTIs.
A port state is not exclusively associated with a port role. Table 156 lists the port state(s) supported by
each port role. ( indicates that the port state is available for the corresponding port role and
indicates that the port state is not available for the corresponding port role.)
Table 156 Port states supported by different port roles
Port role
Port state

Root
port/master
port

Designated
port

Boundary port

Alternate port

Backup port

Forwarding

Learning

Discarding


How MSTP works


MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a
calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI
(Among these MSTIs, MSTI 0 is called the CIST). Similar to RSTP, MSTP uses configuration BPDUs to
calculate spanning trees. The only difference between the two protocols is that an MSTP BPDU carries the
MSTP configuration on the device from which this BPDU is sent.
1. CIST calculation

The calculation of a CIST tree is also the process of configuration BPDU comparison. During this process,
the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within
each MST region through calculation, and, at the same time, MSTP regards each MST region as a single
device and generates a CST among these MST regions through calculation. The CST and ISTs constitute
the CIST of the entire network.
2. MSTI calculation

Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. MSTP performs a separate calculation process, which is similar to spanning
tree calculation in STP/RSTP, for each spanning tree. For more information, see How STP works.
In MSTP, a VLAN packet is forwarded along the following paths:

Within an MST region, the packet is forwarded along the corresponding MSTI.

Between two MST regions, the packet is forwarded along the CST.

Implementation of MSTP on devices


MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices
running MSTP and used for spanning tree calculation.
In addition to basic MSTP functions, the device provides the following functions for ease of management:

Root bridge hold

Root bridge backup

Root guard

BPDU guard

Loop guard

TC-BPDU guard

Support for hot swapping of interface cards and active/standby changeover

Protocols and standards

IEEE 802.1d, Spanning Tree Protocol

IEEE 802.1w, Rapid Spanning Tree Protocol

IEEE 802.1s, Multiple Spanning Tree Protocol


Configuring MSTP
Configuration task list
Before configuring MSTP, you need to determine the role of each device in each MSTI: root bridge or leaf
node. In each MSTI, one, and only one device acts as the root bridge, and all others as leaf nodes.
Table 157 MSTP configuration task list

Task: Configuring an MST region
Remarks: Optional
Configure the MST region-related parameters and VLAN-to-instance mappings.
By default, the MST region-related parameters adopt the default values, and
all VLANs in an MST region are mapped to MSTI 0.

Task: Configuring MSTP globally
Remarks: Required
Enable MSTP globally and configure MSTP parameters.
By default, MSTP is globally disabled, and all MSTP parameters adopt the
default values.

Task: Configuring MSTP on a port
Remarks: Optional
Enable MSTP on a port and configure MSTP parameters.
By default, MSTP is enabled on ports, and all MSTP parameters adopt the
default values.

Configuring an MST region


Select Advanced > MSTP > Region from the navigation tree to enter the page as shown in Figure 326.
Figure 326 MST region

Click Modify to enter the MSTP region configuration page, as shown in Figure 327.


Figure 327 Modify an MST region

Table 158 Configuration items of configuring an MST region

Item: Region Name
Description: MST region name.
The MST region name is the bridge MAC address of the device by default.

Item: Revision Level
Description: Revision level of the MST region.

Item: Manual (Instance ID, VLAN ID, Apply)
Description: Manually add VLAN-to-instance mappings. Click Apply to add a
VLAN-to-instance mapping entry to the list.

Item: Modulo
Description: Set the modulo value based on which 4094 VLANs are automatically
mapped to the corresponding MSTIs.
With the modulo value set, each VLAN is mapped to the MSTI whose ID is
(VLAN ID - 1) % modulo + 1, where (VLAN ID - 1) % modulo is the modulo
operation for (VLAN ID - 1). If the modulo value is 15, for example, then
VLAN 1 will be mapped to MSTI 1, VLAN 2 to MSTI 2, VLAN 15 to MSTI
15, VLAN 16 to MSTI 1, and so on.

Item: Activate
Description: Validate the VLAN-to-instance mappings, the region name, and the revision
level.

Return to MSTP configuration task list.

Configuring MSTP globally


Select Advanced > MSTP > Global from the navigation tree to enter the Global MSTP Configuration page,
as shown in Figure 328.


Figure 328 Configure MSTP globally

Table 159 Configuration items of configuring MSTP globally

Item: Enable STP Globally
Description: Enable or disable STP globally:
Enable: Enable STP globally.
Disable: Disable STP globally.
Other MSTP configurations can take effect only after you enable STP globally.

Item: BPDU Protection
Description: Enable or disable BPDU guard globally:
Enable: Enable BPDU guard globally.
Disable: Disable BPDU guard globally.
BPDU guard can protect the device from malicious BPDU attacks, keeping the
network topology stable.

Item: Mode
Description: Set the STP operating mode:
STP mode: All ports of the device send out STP BPDUs.
RSTP mode: All ports of the device send out RSTP BPDUs. If the device detects
that it is connected to a legacy STP device, the port connecting to the legacy STP
device will automatically migrate to STP-compatible mode.
MSTP: All ports of the device send out MSTP BPDUs. If the device detects that it
is connected to a legacy STP device, the port connecting to the legacy STP
device will automatically migrate to STP-compatible mode.

Item: Max Hops
Description: Set the maximum number of hops in an MST region to restrict the region size.
The setting can take effect only when it is configured on the regional root bridge.

Item: Path Cost Standard
Description: Specify the standard for path cost calculation. It can be Legacy, IEEE
802.1D-1998, or IEEE 802.1T.

Item: Bridge Diameter
Description: Any two stations in a switched network are interconnected through a specific path
composed of a series of devices. The bridge diameter (or the network diameter) is
the number of devices on the path composed of the most devices.
After you set the network diameter, you cannot set the timers. Instead, the device
automatically calculates the forward delay, hello time, and max age.
IMPORTANT:
The network diameter applies to only the CIST. It takes effect only after you
configure it on the root bridge. Each MST region is regarded as a device.
After you set the network diameter, you cannot set the timers. Instead, the device
calculates the forward delay, hello time, and max age automatically.

Item: Timers, Forward Delay
Description: Set the delay for the root and designated ports to transit to
the forwarding state.
The length of the forward delay time is related to the network diameter of the
switched network. The larger the network diameter is, the longer the forward delay
time should be. If the forward delay setting is too small, temporary redundant paths
may be introduced. If the forward delay setting is too big, it may take a long time
for the network to converge. H3C recommends that you use the default setting.

Item: Timers, Hello Time
Description: Set the interval at which the device sends hello packets to
the surrounding devices to ensure that the paths are fault-free.
An appropriate hello time setting enables the device to timely detect link failures on
the network without using excessive network resources. If the hello time is set too
long, the device will take packet loss as a link failure and trigger a new spanning
tree calculation process. If the hello time is set too short, the device will send
repeated configuration BPDUs frequently, which adds to the device burden and wastes
network resources. H3C recommends that you use the default setting.

Item: Timers, Max Age
Description: Set the maximum length of time a configuration BPDU can
be held by the device.
If the max age time setting is too small, the network devices will frequently launch
spanning tree calculations and may take network congestion as a link failure. If the
max age setting is too large, the network may fail to timely detect link failures and
fail to timely launch spanning tree calculations, reducing the auto-sensing
capability of the network. H3C recommends that you use the default setting.

TIP (Timers):
The settings of hello time, forward delay and max age must meet a certain formula.
Otherwise, the network topology will not be stable. H3C recommends you to set the
network diameter and then have the device automatically calculate the forward delay,
hello time, and max age.
The bridge diameter cannot be configured together with the timers.

Item: Instance, Instance ID
Description: ID of the MSTI to be configured.

Item: Instance, Root Type
Description: Role of the device in the MSTI:
Not Set: The device role is not configured.
Primary: Configure the device as the root bridge.
Secondary: Configure the device as a secondary root bridge.
After specifying the current device as the primary root bridge or a secondary root
bridge, you cannot change the priority of the device.

Item: Instance, Bridge Priority
Description: Set the bridge priority of the device, which is one of the factors determining
whether the device can be elected as the root bridge.

Item: TC Protection
Description: Select whether to enable TC-BPDU guard.
When receiving topology change (TC) BPDUs, the device flushes its forwarding
address entries. If someone forges TC-BPDUs to attack the device, the device will
receive a large number of TC-BPDUs within a short time and frequently flushes its
forwarding address entries. This affects network stability.
With the TC-BPDU guard function, you can prevent frequent flushing of forwarding
address entries.
IMPORTANT:
H3C does not recommend you to disable this function.

Item: TC Protection Threshold
Description: Set the maximum number of immediate forwarding address entry flushes the device
can perform within a certain period of time after receiving the first TC-BPDU.
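
The effect of TC Protection and TC Protection Threshold can be seen by replaying TC-BPDU arrival times through a small model of the guard. This Python sketch is an added example, not H3C code; the 10-second period, the threshold of 6 and the arrival times are constructed values, since this page does not state the period or the defaults.

```python
def tc_guard(arrivals_ms, threshold, period_ms):
    """Replay TC-BPDU arrival times (milliseconds) through a TC-BPDU guard model.

    The first TC-BPDU opens a period. At most `threshold` TC-BPDUs in that
    period cause an immediate flush of the forwarding address entries; the
    rest are counted as suppressed. Returns (flush_times, suppressed), where
    suppressed maps the start time of a period to the number of TC-BPDUs in it
    that did not cause an immediate flush.
    """
    flush_times = []
    suppressed = {}
    period_start = None
    used = 0
    for t in sorted(arrivals_ms):
        if period_start is None or t >= period_start + period_ms:
            period_start, used = t, 0       # first TC-BPDU of a new period
        if used < threshold:
            used += 1
            flush_times.append(t)
        else:
            suppressed[period_start] = suppressed.get(period_start, 0) + 1
    return flush_times, suppressed


def periods_to_review(suppressed, alert_at):
    """Periods in which the guard suppressed at least `alert_at` flushes.

    A genuine topology change produces a handful of TC-BPDUs, so a period with
    many suppressed flushes is worth an operator's attention.
    """
    return sorted(start for start, count in suppressed.items() if count >= alert_at)


# Constructed sample: three TC-BPDUs from ordinary topology changes, then a
# burst of 50 TC-BPDUs 100 ms apart, as a forged flood would look.
SAMPLE_ARRIVALS_MS = [0, 400, 35_000] + [100_000 + 100 * i for i in range(50)]

if __name__ == "__main__":
    flushes, dropped = tc_guard(SAMPLE_ARRIVALS_MS, threshold=6, period_ms=10_000)
    print("flushes without guard:", len(SAMPLE_ARRIVALS_MS))
    print("flushes with guard:   ", len(flushes))
    print("periods to review:    ", periods_to_review(dropped, alert_at=10))
```

With the guard, the burst costs 6 flushes instead of 50, and the suppressed count for that period is the signal to investigate the port the TC-BPDUs arrived on.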

Return to MSTP configuration task list.

Configuring MSTP on a port


Select Advanced > MSTP > Port from the navigation tree to enter the MSTP Port Configuration page, as
shown in Figure 329.
Figure 329 MSTP configuration of a port (1)

Click the icon corresponding to a port to enter the MSTP Port Configuration page of the port, as
shown in Figure 330.
Figure 330 MSTP configuration of a port (2)

Table 160 Configuration items of configuring MSTP on a port

Item: Port Number
Description: Select the port you want to configure.

Item: STP Status
Description: Enable or disable STP on the port:
Enable: Enable STP on the port.
Disable: Disable STP on the port.

Item: Protection Type
Description: Set the type of protection enabled on the port:
Not Set: No protection is enabled on the port.
Edged Port, Root Protection, Loop Protection: For more information, see Table 161.

Item: Point to Point
Description: Specify whether the port is connected to a point-to-point link.
Auto: Automatically detects whether the link type of the port is point-to-point.
Force False: Specifies that the link type for the port is not point-to-point link.
Force True: Specifies that the link type for the port is point-to-point link.

Item: Transmit Limit
Description: Configure the maximum number of MSTP packets that can be sent during each
Hello interval.
The larger the transmit limit is, the more network resources will be occupied. H3C
recommends you to use the default value.

Item: mCheck
Description: In a switched network, if a port on an MSTP device connects to an STP device, this
port will automatically migrate to the STP-compatible mode. However, after the STP
device is removed, whether the port on the MSTP device can migrate automatically
to the MSTP mode depends on which of the following parameters is selected:
Enable: performs mCheck. The port automatically migrates back to the MSTP mode.
Disable: does not perform mCheck. The port does not automatically migrate
back to the MSTP mode.

Item: Instance, Instance ID
Description: Set the MSTI ID.

Item: Instance, Port Priority
Description: Set the priority of the port in the current MSTI.
The priority of a port is an important factor in determining whether the port can be
elected as the root port.

Item: Instance, Path Cost
Description: Select to calculate the path cost automatically or set the path cost manually.

Table 161 Protection types

Protection type: Edged Port
Description: Configure the port as an edge port.
Some ports of access layer devices are directly connected to PCs or file servers, which
cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition
for these ports.
H3C recommends you to enable the BPDU guard function in conjunction with the edged
port function to avoid network topology changes when the edge ports receive
configuration BPDUs.

Protection type: Root Protection
Description: Enable the root guard function.
Configuration errors or attacks may result in configuration BPDUs with their priorities
higher than that of a root bridge, which causes a new root bridge to be elected and
network topology change to occur. The root guard function is used to address such a
problem.

Protection type: Loop Protection
Description: Enable the loop guard function.
By keeping receiving BPDUs from the upstream device, a device can maintain the state of
the root port and other blocked ports. These BPDUs may get lost because of network
congestion or unidirectional link failures. The device will re-elect a root port, and blocked
ports may transit to the forwarding state, causing loops in the network. The loop guard
function is used to address such a problem.

Return to MSTP configuration task list.

MSTP configuration example


Network requirements
As shown in Figure 331:

All routers on the network are in the same MST region. Router A and Router B work on the
distribution layer. Router C and Router D work on the access layer.

Configure MSTP so that packets of different VLANs are forwarded along different instances:
packets of VLAN 10 along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI
4, and those of VLAN 20 along MSTI 0.

VLAN 10 and VLAN 30 are terminated on the distribution layer routers, and VLAN 40 is terminated
on the access layer routers, so the root bridges of MSTI 1 and MSTI 3 are Router A and Router B
respectively, and the root bridge of MSTI 4 is Router C.


Figure 331 Network diagram for MSTP configuration

NOTE:
"Permit:" next to a link in the figure is followed by the VLANs the packets of which are permitted to pass
this link.

Configuration procedure
1. VLAN and VLAN member port configuration

Create VLAN 10, VLAN 20, and VLAN 30 on Router A and Router B respectively, create VLAN 10,
VLAN 20, and VLAN 40 on Router C, and create VLAN 20, VLAN 30, and VLAN 40 on Router D;
configure the ports on these routers as hybrid ports and assign them to related VLANs; configure the
security zones to which the combinations of these ports and their permitted VLANs belong. The detailed
configuration procedure is omitted.
2. Configuration on Router A

# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3,
and MSTI 4 respectively, and configure the revision level of the MST region as 0.

Log in to Router A. Select Advanced > MSTP > Region from the navigation tree, click Modify, and
make the following configurations on the page shown in Figure 332.


Figure 332 Configure an MST region on Router A

Configure the region name as example.

Set the revision level to 0.

Select the Manual radio button.

Select 1 in the Instance drop-down list.

Set the VLAN ID to 10.

Click Apply to map VLAN 10 to MSTI 1 and add the VLAN-to-instance mapping entry to the
VLAN-to-instance mapping list.

Repeat the preceding steps to map VLAN 30 to MSTI 3 and VLAN 40 to MSTI 4 and add the
VLAN-to-instance mapping entries to the VLAN-to-instance mapping list.

Click Activate to end the operation.

# Enable MSTP globally and configure the current device as the root bridge of MSTI 1.

Select Advanced > MSTP > Global from the navigation tree, and make the following configurations
on the page shown in Figure 333.


Figure 333 Configure global MSTP parameters on Router A

Select Enable in the Enable STP Globally drop-down list.

Select MSTP in the Mode drop-down list.

Select the check box in front of Instance.

Set the Instance ID field to 1.

Set the Root Type field to Primary.

Click Apply to submit the settings.

3. Configuration on Router B

# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3,
and MSTI 4 respectively, and configure the revision level of the MST region as 0. (The procedure here is
the same as that of configuring an MST region on Router A.)
# Enable MSTP globally and configure the current device as the root bridge of MSTI 3.

Select Advanced > MSTP > Global from the navigation tree, and make the following configurations
on the page similar to that shown in Figure 333.

Select Enable in the Enable STP Globally drop-down list.

Select MSTP in the Mode drop-down list.

Select the check box in front of Instance.

Set the Instance ID field to 3.

Set the Root Type field to Primary.

Click Apply to submit the settings.

4. Configuration on Router C


# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3,
and MSTI 4 respectively, and configure the revision level of the MST region as 0. (The procedure here is
the same as that of configuring an MST region on Router A.)
# Enable MSTP globally and configure the current device as the root bridge of MSTI 4.

Select Advanced > MSTP > Global from the navigation tree, and make the following configurations
on the page similar to that shown in Figure 333.

Select Enable in the Enable STP Globally drop-down list.

Select MSTP in the Mode drop-down list.

Select the check box in front of Instance.

Set the Instance ID field to 4.

Set the Root Type field to Primary.

Click Apply to submit the settings.

5. Configuration on Router D

# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3,
and MSTI 4 respectively, and configure the revision level of the MST region as 0. (The procedure here is
the same as that of configuring an MST region on Router A.)
# Enable MSTP globally.

Select Advanced > MSTP > Global from the navigation tree, and make the following configurations
on the page similar to that shown in Figure 333.

Select Enable in the Enable STP Globally drop-down list.

Select MSTP in the Mode drop-down list.

Click Apply to submit the settings.

Verifying the configurations


You can use the display stp brief command to display brief spanning tree information on each device
after the network converges.
# Display brief spanning tree information on Router A.
[RouterA] display stp brief
MSTID  Port         Role  STP State   Protection
       Ethernet0/1  ALTE  DISCARDING  NONE
       Ethernet0/2  DESI  FORWARDING  NONE
       Ethernet0/3  ROOT  FORWARDING  NONE
       Ethernet0/1  DESI  FORWARDING  NONE
       Ethernet0/3  DESI  FORWARDING  NONE
       Ethernet0/2  DESI  FORWARDING  NONE
       Ethernet0/3  ROOT  FORWARDING  NONE

# Display brief spanning tree information on Router B.


[RouterB] display stp brief
MSTID  Port         Role  STP State   Protection
       Ethernet0/1  DESI  FORWARDING  NONE
       Ethernet0/2  DESI  FORWARDING  NONE
       Ethernet0/3  DESI  FORWARDING  NONE
       Ethernet0/2  DESI  FORWARDING  NONE
       Ethernet0/3  ROOT  FORWARDING  NONE
       Ethernet0/1  DESI  FORWARDING  NONE
       Ethernet0/3  DESI  FORWARDING  NONE

# Display brief spanning tree information on Router C.


[RouterC] display stp brief
MSTID  Port         Role  STP State   Protection
       Ethernet0/1  DESI  FORWARDING  NONE
       Ethernet0/2  ROOT  FORWARDING  NONE
       Ethernet0/3  DESI  FORWARDING  NONE
       Ethernet0/1  ROOT  FORWARDING  NONE
       Ethernet0/2  ALTE  DISCARDING  NONE
       Ethernet0/3  DESI  FORWARDING  NONE

# Display brief spanning tree information on Router D.


[RouterD] display stp brief
MSTID  Port         Role  STP State   Protection
       Ethernet0/1  ROOT  FORWARDING  NONE
       Ethernet0/2  ALTE  DISCARDING  NONE
       Ethernet0/3  ALTE  DISCARDING  NONE
       Ethernet0/1  ROOT  FORWARDING  NONE
       Ethernet0/2  ALTE  DISCARDING  NONE
       Ethernet0/3  ROOT  FORWARDING  NONE

Based on the above information, you can draw the MSTI corresponding to each VLAN, as shown in
Figure 334.
Figure 334 MSTIs corresponding to different VLANs

Configuration guidelines
Follow these guidelines when configuring MSTP:


1. Two or more MSTP-enabled devices belong to the same MST region only if they are configured
with the same format selector (0 by default, not configurable), MST region name, VLAN-to-instance
mapping entries in the MST region, and MST region revision level, and they are interconnected
through physical links.

2. After specifying the current device as the root bridge or a secondary root bridge, you cannot
change the priority of the device.

3. If two or more devices with the same bridge priority have been designated to be root bridges of
the same spanning tree instance, MSTP will select the device with the lowest MAC address as the
root bridge.

4. The values of forward delay, hello time, and max age are interdependent. Inappropriate settings
of these values may cause network flapping. H3C recommends that you set the network diameter
and let the device automatically set an optimal hello time, forward delay, and max age. The
settings of hello time, forward delay, and max age must meet the following formulae:

2 × (forward delay − 1 second) ≥ max age

Max age ≥ 2 × (hello time + 1 second)

5. If BPDU guard is not enabled on the device, an edge port that receives a BPDU from another
port becomes a non-edge port. To restore its port role as an edge port, you need to restart the
port.

6. Configure ports that are directly connected to terminals as edge ports and enable BPDU guard for
them. In this way, these ports can rapidly transit to the forwarding state, and network security can
be ensured.
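
Guideline 1 in practice, as an added example that is not H3C code: the sketch builds the MST configuration identifier as IEEE 802.1Q defines it (format selector, region name, revision level, and an HMAC-MD5 digest of the VLAN-to-instance table) and groups devices by it. The function names and the Router D mapping mistake are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Fixed HMAC key that IEEE 802.1Q assigns to the MST configuration digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_id(name, revision, vlan_to_msti, format_selector=0):
    """Build the 51-byte MST configuration identifier carried in MSTP BPDUs."""
    raw_name = name.encode("ascii")
    if len(raw_name) > 32:
        raise ValueError("region name is limited to 32 bytes")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision level must fit in 16 bits")
    table = [0] * 4096                      # index = VLAN ID, value = MSTI (0 = CIST)
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"invalid VLAN ID {vlan}")
        table[vlan] = msti
    digest = hmac.new(DIGEST_KEY, struct.pack(">4096H", *table), hashlib.md5).digest()
    # "32s" pads the region name with NUL bytes up to the fixed field width.
    return struct.pack(">B32sH16s", format_selector, raw_name, revision, digest)


def group_by_region(devices):
    """Group device names whose configuration identifiers are byte-for-byte equal."""
    groups = {}
    for dev, (name, revision, mapping) in devices.items():
        groups.setdefault(mst_config_id(name, revision, mapping), []).append(dev)
    return sorted(sorted(members) for members in groups.values())


# Region settings from the example above: name "example", revision level 0.
PAGE_MAPPING = {10: 1, 30: 3, 40: 4}
AS_DOCUMENTED = {
    router: ("example", 0, PAGE_MAPPING)
    for router in ("Router A", "Router B", "Router C", "Router D")
}
# Constructed mistake: Router D maps VLAN 40 to MSTI 3 instead of MSTI 4.
WITH_TYPO = {**AS_DOCUMENTED, "Router D": ("example", 0, {10: 1, 30: 3, 40: 3})}

if __name__ == "__main__":
    print(group_by_region(AS_DOCUMENTED))   # one region with all four routers
    print(group_by_region(WITH_TYPO))       # Router D falls into a region of its own
```

A single differing mapping entry changes the digest, so the affected device treats its neighbors as belonging to another region even though the name and revision level match.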


RADIUS configuration
You can configure RADIUS through the web interface.

Introduction to RADIUS
The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication,
Authorization, and Accounting (AAA).
RADIUS uses the client/server model. It can protect networks against unauthorized access and is often
used in network environments where both high security and remote user access are required. RADIUS
defines the packet format and message transfer mechanism, and uses UDP as the transport layer protocol
for encapsulating RADIUS packets. It uses UDP port 1812 for authentication and UDP port 1813 for
accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services, and its accounting function collects
and records network resource usage information.
NOTE:
For more information about RADIUS and AAA, see the H3C MSR Series Routers Security Configuration
Guide.

Configuring a RADIUS scheme


A RADIUS scheme defines a set of parameters that the device uses to exchange information with the
RADIUS servers. There might be authentication servers and accounting servers, or primary servers and
secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and
the RADIUS server type. By default, no RADIUS scheme exists.
Select Advanced > RADIUS from the navigation tree to enter the RADIUS scheme list page, as shown in
Figure 335. Click Add to enter the RADIUS scheme configuration page, as shown in Figure 336.
Figure 335 RADIUS scheme list


Figure 336 RADIUS scheme configuration page

Table 162 RADIUS scheme configuration items


Item

Description

Scheme Name

Type a name for the RADIUS scheme.

Common Configuration

Configure the common parameters for the RADIUS scheme, including the server
type, the username format, and the shared keys for authentication and accounting
packets. For more information about common configuration, see Common
configuration.

RADIUS Server Configuration

Configure the parameters of the RADIUS authentication servers and accounting
servers. For more information about RADIUS server configuration, see RADIUS
server configuration.

Common configuration
Click the expand button before Advanced in the Common Configuration area to expand the advanced
configuration area, as shown in Figure 337.


Figure 337 Common configuration

Table 163 Common configuration items


Item

Description

Server Type

Select the type of the RADIUS servers supported by the device, which can be:
Standard: Configures the RADIUS client to communicate with the RADIUS
server by using the standard RADIUS protocol and packet format defined in RFC
2865/2866 or later.
Extended: Configures the RADIUS client to communicate with the RADIUS
server (usually a CAMS or iMC server) by using the proprietary RADIUS protocol
and packet format.

Username Format

Select the format of usernames to be sent to the RADIUS server, including Original
format, With domain name, and Without domain name.
A username is generally in the format of userid@isp-name, of which isp-name is
used by the device to determine the ISP domain to which a user belongs. If a
RADIUS server (such as a RADIUS server of some early version) does not accept a
username that contains an ISP domain name, you can configure the device to
remove the domain name of a username before sending it to the RADIUS server.

Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key

Set the shared key for authenticating RADIUS authentication packets and that for
authenticating RADIUS accounting packets.
The RADIUS client and the RADIUS server use MD5 to encrypt RADIUS packets, and
use the shared key to authenticate the packets exchanged between them. Only if the
shared key of the client and that of the server are the same, will the client and the
server receive and respond to packets from each other.
IMPORTANT:
The shared keys configured in the common configuration part are used only when no
corresponding shared keys are configured in the RADIUS server configuration part.

Quiet Time

Set the time to wait before the device restores an unreachable RADIUS server to
active state.
If the primary server is unreachable due to temporary interruption on the network
interface or the busy server, you can set the quiet time to 0 so that authentication
and accounting requests for other users are still sent to the primary server for
processing. When the quiet time is 0, if the server being used is unreachable, the
device keeps the server in the active state, and sends the request to the next server
in the active state. In this way, subsequent authentication or accounting requests
may still be sent to the server.

Server Response Timeout Time

Set the RADIUS server response timeout time.
If the device sends a RADIUS request to a RADIUS server but receives no response
within the specified server response timeout time, it retransmits the request. Setting
a proper value according to the network conditions helps in improving the system
performance.

Request Transmission Attempts

Set the maximum number of attempts for transmitting a RADIUS packet to a single
RADIUS server. If the device does not receive a response to its request from the
RADIUS server within the response timeout period, it retransmits the RADIUS
request. If the number of transmission attempts exceeds the limit but the device still
receives no response from the RADIUS server, the device considers the request a
failure.
IMPORTANT:
The server response timeout time multiplied by the maximum number of RADIUS
packet transmission attempts must not exceed 75.

Realtime Accounting Interval

Set the interval for sending real-time accounting information to the RADIUS
accounting server. The interval must be a multiple of 3.
Different real-time accounting intervals impose different performance requirements
on the NAS and the RADIUS server. A shorter interval helps achieve higher
accounting precision but requires higher performance. Use a longer interval when
a large number of users (1000 or more) exist. For more information about the
recommended real-time accounting intervals, see Configuration guidelines.

Realtime Accounting Attempts

Set the maximum number of attempts for sending a real-time accounting request.

Unit for Data Flows

Specify the unit for data flows sent to the RADIUS server, which can be byte,
kilo-byte, mega-byte, or giga-byte.

Unit for Packets

Specify the unit for data packets sent to the RADIUS server, which can be
one-packet, kilo-packet, mega-packet, or giga-packet.

VPN

Specify the VPN to which the RADIUS scheme belongs.
This setting is effective to all RADIUS authentication servers and accounting servers
configured in the RADIUS scheme, but the VPN individually specified for a RADIUS
authentication or accounting server takes priority.

Security Policy Server

Specify the IP address of the security policy server.

RADIUS Packet Source IP

Specify the source IP address for the device to use in RADIUS packets sent to the
RADIUS server.
H3C recommends that you use a loopback interface address instead of a physical
interface address as the source IP address, so that when the physical interface is
down, the response packets from the server can still reach the device.

Buffer stop-accounting packets, Stop-Accounting Attempts

Enable or disable buffering of stop-accounting requests for which no responses are
received, and set the maximum number of attempts for sending stop-accounting
requests.

Send accounting-on packets, Accounting-On Interval, Accounting-On Attempts

Enable or disable the accounting-on feature, and set the interval and the maximum
number of attempts for sending accounting-on packets.
The accounting-on feature enables a device to send accounting-on packets to
RADIUS servers after it reboots, making the servers forcedly log out users who
logged in through the device before the reboot.
IMPORTANT:
When enabling the accounting-on feature on a device for the first time, you must save
the configuration so that the feature takes effect after the device reboots.

Attribute Interpretation

Enable or disable the device to interpret the RADIUS class attribute as CAR
parameters.
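
What the shared key does on the wire, as an added example that is not H3C code: in RFC 2865, MD5 and the shared key are used to hide the User-Password attribute and to compute the Response Authenticator that the client checks on every reply. The sketch uses the key expert and password abc from the configuration example later in this chapter; the authenticator bytes, packet identifier, and reply attribute are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password with the same secret and authenticator."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Assemble a reply packet as a RADIUS server would."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """Client side: accept a reply only if its authenticator matches our shared key."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values; a real client draws the authenticator at random.
REQUEST_AUTH = bytes(range(16))
SECRET = b"expert"                               # shared key from the example
SERVICE_TYPE_LOGIN = struct.pack(">BBI", 6, 6, 1)  # Service-Type = Login

if __name__ == "__main__":
    hidden = hide_password(b"abc", SECRET, REQUEST_AUTH)
    print(hidden.hex(), reveal_password(hidden, SECRET, REQUEST_AUTH))
    reply = build_response(ACCESS_ACCEPT, 7, SERVICE_TYPE_LOGIN, REQUEST_AUTH, SECRET)
    print(verify_response(reply, REQUEST_AUTH, SECRET))       # keys match
    print(verify_response(reply, REQUEST_AUTH, b"Expert"))    # keys differ
```

Both constructions depend only on MD5 and the shared key, so the key's length and randomness set the ceiling on the protection; a dictionary word such as expert suits a lab only.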

RADIUS server configuration


In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page, as
shown in Figure 338. You can configure RADIUS servers for the RADIUS scheme.


Figure 338 RADIUS server configuration

Table 164 RADIUS server configuration items


Item

Description

Server Type

Select the type of the RADIUS server to be configured. Possible values include
primary authentication server, primary accounting server, secondary
authentication server, and secondary accounting server.

IP Address

Specify the IP address of the RADIUS server.

Port

Specify the UDP port of the RADIUS server.

Key, Confirm Key

Specify the shared key for communication with the RADIUS server.
If no shared key is specified here, the shared key specified in the common
configuration part is used.

VPN

Specify the VPN to which the RADIUS server belongs.
If no VPN is specified here, the VPN specified in the common configuration part is
used.
IMPORTANT:
Support for this configuration item depends on your device model.

RADIUS configuration example


Network requirements

As shown in Figure 339, connect the Telnet user to the router and the router to the RADIUS server.

Run the CAMS/iMC Server on the RADIUS server to provide authentication, authorization, and
accounting services for Telnet users. The IP address of the RADIUS server is 10.1.1.1/24.

Set the shared keys for authentication, authorization, and accounting packets exchanged between
the router and the RADIUS server to expert and specify the ports for authentication/authorization
and accounting as 1812 and 1813 respectively.

Specify that a username sent to the RADIUS server carries the domain name.

Add an account on the RADIUS server, with the username and password being hello@bbb and abc.
If the user passes authentication, it is assigned a privilege level of 3.

Figure 339 Network diagram for RADIUS configuration


[Figure labels: Telnet user 192.168.1.58/24; Internet; Router Eth0/1 192.168.1.70/24; Router Eth0/2
10.1.1.2/24; RADIUS server 10.1.1.1/24]

Configuration procedure
1. Configure the RADIUS server

When the RADIUS server runs CAMS:


NOTE:
This example assumes that the RADIUS server runs CAMS Server Version 2.10-R0210.
# Add an access device.
Log into the CAMS management platform and select System Management > System Configuration from
the navigation tree. In the System Configuration page, click Modify of the Access Device item, and then
click Add to enter the Add Access Device page and perform the following configurations as shown in
Figure 340.
Figure 340 Add an access device

Specify the IP address of the device as 10.1.1.2.

Set the shared keys for authentication and accounting both to expert.

Select Device Management Service as the service type.

Specify the ports for authentication and accounting as 1812 and 1813 respectively.

Select Extensible Protocol as the protocol type.

Select Standard as the RADIUS packet type.



Click OK.

# Add a user.
From the navigation tree, select User Management > User for Device Management, and then in the right
pane, click Add to enter the Add Account page and perform the following configurations, as shown in
Figure 341.
Figure 341 Add a user account

Add a user account named hello@bbb.

Specify the password as abc and confirm the password.

Select Telnet as the service type.

Set the EXEC privilege level to 3. This value identifies the privilege level of the Telnet user after login,
which is 0 by default.

Specify the IP address range of the hosts to be managed as 192.168.1.0 to 192.168.1.255, and click
Add.

Click OK to finish the operation.

When the RADIUS server runs iMC:


NOTE:
This example assumes that the RADIUS server runs iMC PLAT 3.20-R2602 and iMC UAM 3.60-E6102.
# Add an access device.
Log into the iMC management platform, select the Service tab, and select Access Service > Service
Configuration from the navigation tree to enter the Service Configuration page. Then, click Add to enter
the Add Access Device page and perform the following configurations, as shown in Figure 342.


Figure 342 Add an access device

Set the shared keys for authentication and accounting to expert.

Specify the ports for authentication and accounting as 1812 and 1813 respectively.

Select Device Management Service as the service type.

Select H3C as the access device type.

Select the access device from the device list or manually add the device with the IP address of
10.1.1.2.

Click OK to finish the operation.

NOTE:
The IP address of the access device must be the same as the source IP address of the RADIUS packets sent
from the router. By default, the source IP address of a RADIUS packet is the IP address of the sending
interface.
# Add a user account.
Log into the iMC management platform, select the User tab, and select Access User View > All Access
Users from the navigation tree to enter the All Access Users page. Then, click Add to enter the Add Device
Management User page and perform the following configurations, as shown in Figure 343.


Figure 343 Add an account

Add a user account named hello@bbb.

Specify the password as abc and confirm the password.

Select Telnet as the service type.

Set the EXEC privilege level to 3. This value identifies the privilege level of the Telnet user after login,
which is 0 by default.

Click Add under IP Address List of Managed Devices, and then specify the IP address range of the
hosts to be managed as 10.1.1.0 to 10.1.1.255.

Click OK to finish the operation.

NOTE:
The IP address range of the hosts to be managed must contain the IP address of the access device added.
2. Configure the router

# Configure the IP address of each interface. Detailed configuration steps are omitted here.

Select Advanced > RADIUS from the navigation tree to enter the RADIUS scheme list page. Click
Add and perform the following configuration.

Type system as the scheme name.

Select Extended as the server type.

Select Without domain name for the username format.

In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page,
and perform the configuration as shown in Figure 344.

Figure 344 RADIUS authentication server configuration page

Select Primary Authentication as the server type.

Type 10.1.1.1 as the IP address of the primary authentication server.

Type 1812 as the port.

Type expert as the key.

Type expert to confirm the key.

Click Apply to finish the configuration.

In the RADIUS Server Configuration area, click Add again to add a RADIUS accounting server as
shown in Figure 345.

Figure 345 RADIUS accounting server configuration page

Select Primary Accounting as the server type.

Type 10.1.1.1 as the IP address of the primary accounting server.

Type 1813 as the port.

Type expert as the key.

Type expert to confirm the key.

Click Apply. The RADIUS scheme configuration page refreshes and the added servers appear in
the server list, as shown in Figure 346. Click Apply to finish the scheme configuration.


Figure 346 RADIUS scheme configuration page

# Enable the Telnet service on the router.


[Router] telnet server enable

# Configure the router to use AAA for Telnet users.


[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] quit

# Configure the AAA methods for domain bbb. As RADIUS authorization information is sent by the
RADIUS server to the RADIUS client in the authentication response message, be sure to reference the
same scheme for authentication and authorization.
[Router] domain bbb
[Router-isp-bbb] authentication login radius-scheme system
[Router-isp-bbb] authorization login radius-scheme system
[Router-isp-bbb] accounting login radius-scheme system
[Router-isp-bbb] quit

# You can achieve the same result by configuring default AAA methods for all types of users in domain
bbb. (You can use either approach as needed.)
[Router] domain bbb
[Router-isp-bbb] authentication default radius-scheme system
[Router-isp-bbb] authorization default radius-scheme system
[Router-isp-bbb] accounting default radius-scheme system
[Router-isp-bbb] quit

Verification
After the configuration, the Telnet user should be able to telnet to the router and use the configured
account (username hello@bbb and password abc) to enter the user interface of the router, and access all
the commands of level 0 through level 3.

Configuration guidelines
When you configure the RADIUS client, note the following guidelines:
1. Accounting for FTP users is not supported.

2. If you remove the accounting server used for online users, the router cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the
stop-accounting messages are not buffered locally.

3. The status of RADIUS servers (blocked or active) determines which servers the device will
communicate with or turn to when the current servers are not available. In practice, you can
specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary
servers functioning as backups of the primary server. Generally, the device chooses servers
based on these rules:

When the primary server is in the active state, the device communicates with the primary server. If
the primary server fails, the device changes the state of the primary server to blocked, starts a quiet
timer for the server, and turns to a secondary server in the active state (a secondary server
configured earlier has a higher priority). If the secondary server is unreachable, the device changes
the state of the secondary server to blocked, starts a quiet timer for the server, and continues to
check the next secondary server in the active state. This search process continues until the device
finds an available secondary server or has checked all secondary servers in the active state. If the
quiet timer of a server expires or an authentication or accounting response is received from the
server, the status of the server changes back to active automatically, but the device does not check
the server again during the authentication or accounting process. If no server is found reachable
during one search process, the device considers the authentication or accounting attempt a failure.

Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove the
accounting server, real-time accounting requests and stop-accounting requests for the user cannot
be delivered to the server any more.

If you remove an authentication or accounting server in use, the communication of the device with
the server will soon time out, and the device will look for a server in the active state from scratch: it
checks the primary server (if any) first and then the secondary servers in the order they are
configured.

When the primary server and secondary servers are all in the blocked state, the device
communicates with the primary server. If the primary server is available, its status changes to
active. Otherwise, its status remains blocked.

If one server is in the active state but all the others are in the blocked state, the device only tries to
communicate with the server in the active state, even if the server is unavailable.

After receiving an authentication/accounting response from a server, the device changes the status
of the server identified by the source IP address of the response to active if the current status of the
server is blocked.

4. Table 165 lists the recommended real-time accounting intervals.

Table 165 Recommended real-time accounting intervals


Number of users    Real-time accounting interval (in minutes)
1 to 99
100 to 499
500 to 999         12
1000 or more       15
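
The server selection rules in guideline 3 and the Quiet Time setting, as an added example: a simplified model written for this guide, not the device's implementation. The class name, the server names, and the abstract time units are assumptions.

```python
class RadiusScheme:
    """Model of active/blocked server selection as the guideline describes it."""

    def __init__(self, primary, secondaries, quiet_time):
        self.order = [primary] + list(secondaries)  # primary first, then configuration order
        self.quiet_time = quiet_time
        self.blocked_until = {}                     # server -> time its quiet timer expires

    def _active(self, now):
        """Return servers in the active state, restoring those whose timer expired."""
        for srv in [s for s, t in self.blocked_until.items() if now >= t]:
            del self.blocked_until[srv]
        return [s for s in self.order if s not in self.blocked_until]

    def request(self, now, reachable):
        """Send one request; return (server that answered or None, servers tried)."""
        active = self._active(now)
        if not active:
            # Every server is blocked: only the primary is contacted.
            primary = self.order[0]
            if primary in reachable:
                del self.blocked_until[primary]     # a response makes it active again
                return primary, [primary]
            return None, [primary]
        tried = []
        for srv in active:                          # each active server is checked once
            tried.append(srv)
            if srv in reachable:
                return srv, tried
            if self.quiet_time > 0:                 # quiet time 0 keeps the server active
                self.blocked_until[srv] = now + self.quiet_time
        return None, tried


def primary_outage_trace(quiet_time):
    """Constructed scenario: the primary is down at t=0 and back from t=1 onward."""
    scheme = RadiusScheme("primary", ["secondary-1", "secondary-2"], quiet_time)
    up_without_primary = {"secondary-1", "secondary-2"}
    up_all = up_without_primary | {"primary"}
    return [
        scheme.request(0, up_without_primary),
        scheme.request(1, up_all),
        scheme.request(5, up_all),
    ]


if __name__ == "__main__":
    for quiet in (5, 0):
        print(quiet, primary_outage_trace(quiet))
```

With a quiet time of 5, the recovered primary is skipped at t=1 and used again only at t=5; with a quiet time of 0 it is tried first on every request, which is the trade-off the Quiet Time description refers to.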


Login control configuration


Login control overview
The login control feature allows you to control Web or Telnet logins of specified users based on IP
address and login type.

Configuring login control


From the navigation tree, select Advanced > Access to enter the page as shown in Figure 347. The upper
part of the page allows you to configure login control rules, and the lower part displays existing login
control rules. You can also delete the rules.
Figure 347 Login control configuration

Table 166 Login control configuration items


Item

Description

Login Type

Select the login type to be restricted: Telnet, Web, or both.

User IP Address, Wildcard

Enter an IP address and wildcard to specify the users.
IMPORTANT:
Exclude the management IP segment from login control; otherwise, you cannot log
in to the device.
Do not set the wildcard to 255.255.255.255; otherwise, no user can log in to
the device.


Login control configuration example


Network requirements
As shown in Figure 348, configure login control rules so that Host A cannot telnet to Router, and Host B
cannot access Router through the Web.
Figure 348 Network diagram for login control

Configuration procedure
# Configure a login control rule so that Host A cannot telnet to Router.

Select Advanced > Access from the navigation tree to enter the page for configuring login control
rules. Perform the configurations shown in Figure 349.

Figure 349 Configure a login control rule so that Host A cannot telnet to Router

Select Telnet as the login type to be restricted.

Type 10.0.0.1 as the user IP address.

Type 0.0.0.0 as the wildcard.

Click Apply. A dialog box appears, asking you whether to continue your operation.

Click OK. A configuration progress dialog box appears, as shown in Figure 350.

Figure 350 Configuration progress dialog box

After the setting completes, click Close.

# Configure a login control rule so that Host B cannot access Router through the Web.

Select Advanced > Access from the navigation tree to enter the page for configuring login control
rules. Perform the configurations shown in Figure 351.

Figure 351 Configure a login control rule so that Host B cannot access Router through the Web

Select Web as the login type to be restricted.

Type 10.1.1.2 as the user IP address.

Type 0.0.0.0 as the wildcard.

Click Apply. A dialog box appears, asking you whether to continue your operation.

Click OK. A configuration progress dialog box that is similar to Figure 350 appears.

After the setting completes, click Close.
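
A pre-flight check for the two IMPORTANT notes in Table 166, as an added example that is not part of the H3C software: it treats the wildcard as an inverse mask, which is how the page's values behave (0.0.0.0 selects one host, 255.255.255.255 selects every address), and reports rules that would lock out a management segment. The management segment 192.168.100.0/24 and the two risky rules are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _u32(addr):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule_ip, wildcard, host):
    """True if host is selected by the rule; wildcard bits set to 1 are ignored."""
    care = ~_u32(wildcard) & ALL_ONES
    return (_u32(rule_ip) & care) == (_u32(host) & care)


def rule_overlaps(rule_ip, wildcard, cidr):
    """True if at least one address in cidr is selected by the rule."""
    net = ipaddress.IPv4Network(cidr)
    # Only bits fixed by BOTH the rule and the prefix can make them disjoint.
    both_care = ~_u32(wildcard) & ALL_ONES & int(net.netmask)
    return ((_u32(rule_ip) ^ int(net.network_address)) & both_care) == 0


def audit(rules, mgmt_cidr):
    """Return (login_type, ip, wildcard, reason) for every rule that risks lockout."""
    findings = []
    for login_type, ip, wildcard in rules:
        if _u32(wildcard) == ALL_ONES:
            findings.append((login_type, ip, wildcard, "matches every address"))
        elif rule_overlaps(ip, wildcard, mgmt_cidr):
            findings.append((login_type, ip, wildcard, "overlaps management segment"))
    return findings


# Rules from the configuration example above (Host A and Host B).
PAGE_RULES = [("Telnet", "10.0.0.1", "0.0.0.0"), ("Web", "10.1.1.2", "0.0.0.0")]
# Constructed risky rules and management segment, for illustration only.
RISKY_RULES = [("Web", "10.0.0.0", "255.255.255.255"), ("Telnet", "192.168.0.0", "0.0.255.255")]
MGMT_SEGMENT = "192.168.100.0/24"

if __name__ == "__main__":
    print(audit(PAGE_RULES, MGMT_SEGMENT))
    for finding in audit(RISKY_RULES, MGMT_SEGMENT):
        print(finding)
```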


ARP configuration
You can do the following to configure ARP on the web interface:

Displaying ARP entries

Creating a static ARP entry

Removing ARP entries

Enabling learning of dynamic ARP entries

Configuring gratuitous ARP

The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet
MAC address, for example).
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
NOTE:
For more information about ARP, see the H3C MSR Series Routers Layer 3 - IP Services Configuration
Guide.

Gratuitous ARP overview


Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device, the sender MAC address is the MAC address of the sending device, and the target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:

Determine whether its IP address is already used by another device. If the IP address is already used,
the device will be informed of the conflict by an ARP reply;

Inform other devices of the change of its MAC address.

Enabling learning of gratuitous ARP packets


With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that
contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry
exists, the device updates the ARP entry.
With this feature disabled, the device uses received gratuitous ARP packets to update existing ARP entries,
but not to create new ARP entries.
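
The packet format and the learning behavior described above, as an added example that is not H3C code: the sketch parses an ARP payload, recognizes a gratuitous ARP, and models how a table with static entries and the learning switch reacts. The binding 192.168.1.1 / 00e0-fc01-0000 is Router B from the static ARP example later in this chapter; the other addresses, the class, and the result labels are constructed.

```python
import ipaddress
import struct

ARP_FORMAT = "!HHBBH6s4s6s4s"      # Ethernet/IPv4 ARP payload, 28 bytes
BROADCAST = b"\xff" * 6


def h3c_mac(text):
    """Convert the xxxx-xxxx-xxxx notation used in this guide to 6 raw bytes."""
    raw = bytes.fromhex(text.replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text}")
    return raw


def parse_arp(payload):
    """Decode an ARP payload; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def sample_garp(mac, ip):
    """Constructed sample in the format described above (target MAC = broadcast)."""
    packed_ip = ipaddress.IPv4Address(ip).packed
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, 1, mac, packed_ip, BROADCAST, packed_ip)


class ArpTable:
    """Model of static entries plus the gratuitous ARP learning switch."""

    def __init__(self, static, learn_gratuitous=True):
        self.static = dict(static)
        self.dynamic = {}
        self.learn_gratuitous = learn_gratuitous

    def handle(self, payload):
        pkt = parse_arp(payload)
        # Some stacks send an all-zero target MAC, so the test keys on the IP fields.
        if pkt["spa"] != pkt["tpa"]:
            return "not-gratuitous"
        ip, mac = str(ipaddress.IPv4Address(pkt["spa"])), pkt["sha"]
        if ip in self.static:          # a static entry is never overwritten
            return "matches-static" if self.static[ip] == mac else "conflicts-with-static"
        if ip in self.dynamic:         # existing entries are updated in both modes
            changed = self.dynamic[ip] != mac
            self.dynamic[ip] = mac
            return "updated" if changed else "unchanged"
        if self.learn_gratuitous:      # new entries only when learning is enabled
            self.dynamic[ip] = mac
            return "learned"
        return "ignored"


ROUTER_B = {"192.168.1.1": h3c_mac("00e0-fc01-0000")}

if __name__ == "__main__":
    table = ArpTable(ROUTER_B)
    print(table.handle(sample_garp(h3c_mac("00e0-fc01-0000"), "192.168.1.1")))
    print(table.handle(sample_garp(h3c_mac("0200-0000-00aa"), "192.168.1.1")))
    print(table.handle(sample_garp(h3c_mac("0200-0000-00bb"), "192.168.1.20")))
```

The conflicts-with-static result is the case a static entry exists to catch: a gratuitous ARP that claims a protected IP address with a different MAC address is reported instead of changing the table.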

Displaying ARP entries


Select Advanced > ARP Management > ARP Table from the navigation tree to enter the page shown in
Figure 352. All ARP entries are displayed on the page.


Figure 352 ARP Table configuration page

Creating a static ARP entry


Select Advanced > ARP Management > ARP Table from the navigation tree to enter the page shown in
Figure 352. Click Add to enter the New Static ARP Entry page, as shown in Figure 353.
Figure 353 Add a static ARP entry

Table 167 Static ARP entry configuration items


Item

Description

IP Address

Type an IP address for the static ARP entry.

MAC Address

Type a MAC address for the static ARP entry.

Advanced Options: VLAN ID, Port

Type a VLAN ID and specify a port for the static ARP entry.
IMPORTANT:
The VLAN ID must be the ID of the VLAN that has already been created, and the port
must belong to the VLAN. The corresponding VLAN interface must have been
created.

Advanced Options: VPN Instance

Type the name of the VPN instance to which the static ARP entry belongs.

Removing ARP entries


Select Advanced > ARP Management > ARP Table from the navigation tree to enter the page shown in
Figure 352.

To remove specific ARP entries, select the check boxes of target ARP entries, and click Del Selected.

To remove all static and dynamic ARP entries, click Delete Static and Dynamic.

To remove all static ARP entries, click Delete Static.

To remove all dynamic ARP entries, click Delete Dynamic.

Enabling learning of dynamic ARP entries


Select Advanced > ARP Management > Dynamic Entry from the navigation tree to enter the configuration
page, as shown in Figure 354.
Figure 354 Dynamic entry management

To disable all the listed interfaces from learning dynamic ARP entries, click Disable all.

To disable specific interfaces from learning dynamic ARP entries, select target interfaces and click
Disable selected.

To allow all the listed interfaces to learn dynamic ARP entries, click Enable all.

To allow specific interfaces to learn dynamic ARP entries, select target interfaces and click Enable
selected.

Click the icon of an interface to enter the configuration page as shown in Figure 355, and
specify the maximum number of dynamic ARP entries that this interface can learn. If you type 0, the
interface is disabled from learning dynamic ARP entries.


Figure 355 Modify an interface

NOTE:
If you enable an interface to learn dynamic ARP entries on the dynamic entry management page, the
number of dynamic ARP entries that the interface can learn restores the default.

Configuring gratuitous ARP


Select Advanced > ARP Management > Gratuitous ARP from the navigation tree to enter the page, as
shown in Figure 356.
Figure 356 Configuring gratuitous ARP

Table 168 Gratuitous ARP configuration items

Item: Description

Disable gratuitous ARP packets learning function: Disable learning of ARP entries according to
gratuitous ARP packets.

Send gratuitous ARP packets when receiving ARP requests from another network segment: Enable the
device to send gratuitous ARP packets upon receiving ARP requests from another network segment.

Static ARP configuration example


Network Requirements
As shown in Figure 357, hosts are connected to Router A, which is connected to Router B through Ethernet
0/1 belonging to VLAN 10. The IP address of Router B is 192.168.1.1/24. The MAC address of Router
B is 00e0-fc01-0000.
To enhance communication security between Router A and Router B, a static ARP entry for Router B needs
to be configured on Router A.


Figure 357 Network diagram for configuring static ARP entries

Configuration procedure
# Create VLAN 10 and VLAN-interface 10.

Select Interface Setup > LAN Interface Setup from the navigation tree to enter the default VLAN
Setup page. Perform the following configurations, as shown in Figure 358.

Figure 358 Create VLAN 10 and VLAN-interface10

Click on the Create radio button.

Type 10 for VLAN IDs.

Select the Create VLAN Interface checkbox.

Click Apply.

# Add Ethernet 0/1 to VLAN 10.



Figure 359 Add Ethernet 0/1 to VLAN 10

As shown in Figure 359, on the VLAN Setup page, select 10 in the VLAN Config field.

Select Ethernet0/1 from the list.

Click Add to bring up the configuration progress dialog box, as shown in Figure 360.

Figure 360 The configuration progress dialog box

After the configuration process is complete, click Close.

# Configure the IP address of VLAN-interface 10.

Click the VLAN Interface Setup tab. Perform the following configurations, as shown in Figure 361.


Figure 361 Configure the IP address of VLAN-interface 10

Select 10 for Select a VLAN.

Type 192.168.1.2 for IP Address.

Type 255.255.255.0 for Subnet Mask.

Click Apply.

# Create a static ARP entry.

Select Advanced > ARP Management > ARP Table from the navigation tree and click Add. Perform
the following configurations, as shown in Figure 362.


Figure 362 Create a static ARP entry

Type 192.168.1.1 for IP Address.

Type 00e0-fc01-0000 for MAC Address.

Select the Advanced Options checkbox.

Type 10 for VLAN ID.

Select Ethernet0/1 for Port.

Click Apply.

# View information about static ARP entries.

After the above configuration is complete, the page returns to display ARP entries. Select Type for
Search.

Type Static.

Click Search. Then you can view the static ARP entries of Router A, as shown in Figure 363.


Figure 363 Display information about static ARP entries page


ARP attack defense configuration


You can do the following to configure ARP attack defense on the web interface:

Configure periodic sending of gratuitous ARP packets

Configure ARP automatic scanning

Configure fixed ARP

Overview
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network
attacks. ARP attacks and viruses are threatening LAN security. The router can provide the following
features to detect and prevent such attacks.

Periodic sending of gratuitous ARP packets


Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their
corresponding ARP entries or MAC entries in time. This feature can be used to:

Prevent gateway spoofing

Prevent ARP entries from being aged out

Prevent the virtual IP address of a VRRP group from being used by a host

Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured

Configuring ARP automatic scanning and fixed ARP


ARP automatic scanning is usually used together with the fixed ARP feature.

With ARP automatic scanning enabled on an interface, the device automatically scans neighbors
on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates
dynamic ARP entries.

Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries.

The ARP automatic scanning and fixed ARP features effectively prevent ARP entries from being modified
by attackers. Use the two functions in a small-sized network with stable environment, such as a cybercafé.

Configuring periodic sending of gratuitous ARP packets
Select Advanced > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree to enter the page
shown in Figure 364.


Figure 364 Send Gratuitous ARP configuration page

Table 169 Periodic sending of gratuitous ARP packets configuration items

Item: Description

Sending Interface: Select one or more interfaces on which gratuitous ARP packets will be sent out
periodically, and set the interval at which gratuitous ARP packets are sent.
To enable an interface to send out gratuitous ARP packets periodically, select the
interface from the Standby Interface list box and click <<. To disable an interface from
periodic sending of gratuitous ARP packets, select the interface from the Sending
Interface list box and click >>.
IMPORTANT:

You can enable periodic sending of gratuitous ARP packets on a maximum of 1024
interfaces.

This feature takes effect only when the link of the enabled interface goes up and an
IP address has been assigned to the interface.

If you change the interval for sending gratuitous ARP packets, the configuration is
effective at the next sending interval.

The frequency of sending gratuitous ARP packets may be much lower than is
expected if this function is enabled on multiple interfaces, or each interface is
configured with multiple secondary IP addresses, or a small sending interval is
configured in the preceding cases.

Do not configure this feature on an interface belonging to a VRRP group.

Configuring ARP automatic scanning


NOTE:
Do not perform other operations during an ARP automatic scan.
ARP automatic scanning may take some time. To stop an ongoing scan, click the Interrupt button.
Select Advanced > ARP Anti-Attack > Scan from the navigation tree to enter the page shown in Figure
365.


Figure 365 ARP Scan configuration page

Table 170 ARP automatic scanning configuration items

Item: Description

Interface: Specify the interface on which ARP automatic scanning is to be performed.

Start IP Address and End IP Address: Type the address range for ARP automatic scanning.

To reduce the scanning time, you can specify the address range for scanning.
If the specified address range covers multiple network segments of the
interface's addresses, the sender IP address in the ARP request is the
interface's address on the smallest network segment.

If no IP address range is specified, the device only scans the network where
the primary IP address of the interface resides for neighbors, and sends ARP
requests in which the sender IP address is the primary IP address of the
interface.
IMPORTANT:

You must specify both the start IP address and the end IP address. Otherwise,
specify neither of them.

Start and end IP addresses must be on the same network segment as the
primary IP address or a specific manually configured secondary IP address of
the interface. The end IP address must be higher than or equal to the start IP
address.

Also scan IP addresses of dynamic ARP entries: Select to scan IP addresses already existent in ARP entries.

After the preceding configuration is complete, click Scan to start an ARP automatic scan. To stop an
ongoing scan, click Interrupt. After the scanning is complete, a prompt Scanning is complete appears.
You can view the generated dynamic ARP entries by selecting Advanced > ARP Anti-Attack > Fixed ARP
from the navigation tree.

Configuring fixed ARP


NOTE:
The static ARP entries changed from dynamic ARP entries have the same attributes as the static ARP
entries manually configured.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static
ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries
into static.
Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S.
When the dynamic ARP entries are changed into static, new dynamic ARP entries may be created
(suppose the number is M) and some of the dynamic ARP entries may be aged out (suppose the number
is N). After the process is complete, the number of static ARP entries is D + S + M - N.
Select Advanced > ARP Anti-Attack > Fix from the navigation tree to enter the page shown in Figure 366.
The page displays all dynamic ARP entries and static ARP entries (including manually configured and
changed by the fixed ARP feature).
Figure 366 Fixed ARP configuration page

To change all dynamic ARP entries into static, click Fix All. This operation does not affect existing
static ARP entries.

To remove all static ARP entries, click Del All Fixed. This operation does not affect dynamic ARP
entries.

To change a specific dynamic ARP entry into static, select the ARP entry and click Fix. This operation
does not take effect if you select a static ARP entry.

To remove a specific static ARP entry, select the ARP entry and click Del Fixed. This operation does
not take effect if you select a dynamic ARP entry.
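
The following added example (not H3C code) models why fixed ARP matters and why the capacity note above deserves a check after clicking Fix All: entries that could not be changed to static remain open to modification. The `ArpTable` class, the capacity of 2, and the host and forged MAC addresses are constructed for illustration; only the Router B entry comes from the static ARP example.

```python
class ArpTable:
    """Toy model of an ARP table with dynamic learning and the fixed ARP operation."""

    def __init__(self, static_capacity):
        self.static_capacity = static_capacity  # assumed limit, not an H3C figure
        self.entries = {}                       # ip -> (mac, "Dynamic" or "Static")

    def add_static(self, ip, mac):
        """Manually configured static entry (ARP Table > Add)."""
        self.entries[ip] = (mac, "Static")

    def learn(self, ip, mac):
        """Handle a received ARP packet claiming that ip is at mac."""
        current = self.entries.get(ip)
        if current is None:
            self.entries[ip] = (mac, "Dynamic")
            return "learned"
        if current[0] == mac:
            return "unchanged"
        if current[1] == "Static":
            return "rejected"                   # static entries are not overwritten
        self.entries[ip] = (mac, "Dynamic")
        return "overwritten"

    def static_count(self):
        return sum(1 for _, kind in self.entries.values() if kind == "Static")

    def fix_all(self):
        """Fix All: change dynamic entries to static; return the IPs left dynamic."""
        left_dynamic = []
        for ip, (mac, kind) in sorted(self.entries.items()):
            if kind != "Dynamic":
                continue
            if self.static_count() < self.static_capacity:
                self.entries[ip] = (mac, "Static")
            else:
                left_dynamic.append(ip)         # capacity reached, entry stays dynamic
        return left_dynamic


def demo():
    table = ArpTable(static_capacity=2)
    table.add_static("192.168.1.1", "00e0-fc01-0000")  # Router B, from the example
    table.learn("192.168.1.10", "0011-2233-4455")      # constructed hosts
    table.learn("192.168.1.11", "0011-2233-4466")
    left = table.fix_all()
    forged = "0200-0000-0001"                           # constructed MAC address
    results = {ip: table.learn(ip, forged) for ip in sorted(table.entries)}
    return left, results


if __name__ == "__main__":
    left, results = demo()
    print("left dynamic after Fix All:", left)
    for ip, outcome in results.items():
        print(ip, outcome)
```

Any address returned by `fix_all()` is one to recheck on the Fixed ARP page, because it is still a dynamic entry.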


IPsec VPN configuration


You can perform the following IPsec VPN configurations in the web interface:

Configuring an IPsec connection

Displaying IPsec VPN monitoring information

Overview
IP Security (IPsec) is a security framework defined by the Internet Engineering Task Force (IETF) for
securing IP communications. It is a Layer 3 virtual private network (VPN) technology that transmits data
in a secure tunnel established between two endpoints.
IPsec provides the following security services in insecure network environments:

Confidentiality: The sender encrypts packets before transmitting them over the Internet, protecting
the packets from being eavesdropped en route.

Data integrity: The receiver verifies the packets received from the sender to ensure they are not
tampered with during transmission.

Data origin authentication: The receiver verifies the authenticity of the sender.

Anti-replay: The receiver examines packets and drops outdated and duplicate packets.

IPsec delivers these benefits:

Reduced key negotiation overheads and simplified maintenance by supporting the Internet Key
Exchange (IKE) protocol. IKE provides automatic key negotiation and automatic IPsec security
association (SA) setup and maintenance.

Good compatibility. You can apply IPsec to all IP-based application systems and services without
modifying them.

Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility
and greatly enhances IP security.

Internet Key Exchange (IKE) is built on a framework defined by the Internet Security Association and Key
Management Protocol (ISAKMP). It provides automatic key negotiation and SA establishment services for
IPsec, simplifying the application, management, configuration and maintenance of IPsec dramatically.
Instead of transmitting keys directly across a network, IKE peers transmit keying materials between them,
and calculate shared keys respectively. Even if a third party captures all exchanged data for calculating
the keys, it cannot calculate the keys.
NOTE:
For more information about IPsec and IKE, see the H3C MSR Series Routers Security Configuration Guide.


Configuring IPsec VPN


Configuration task list
Table 171 IPsec VPN configuration task list

Task: Remarks

Configuring an IPsec connection: Required

Displaying IPsec VPN monitoring information: Optional
Displays configuration and status information of IPsec connections, and
information of IPsec tunnels.
Allows you to delete tunnels that are set up with configuration of an IPsec
connection, and delete all ISAKMP SAs of all IPsec connections.

Configuring an IPsec connection


Select VPN > IPsec VPN from the navigation tree to enter the IPsec connection management page, as
shown in Figure 367. Click Add to enter the page for adding an IPsec connection, as shown in Figure 368.
Figure 367 IPsec connection management page


Figure 368 Add an IPsec connection

Table 172 Basic configuration items for adding an IPsec connection

Item: Description

IPsec Connection Name: Type a name for the IPsec connection.

Interface: Select an interface where IPsec is performed.

Network Type: Select a network type, site-to-site or PC-to-site.

Remote Gateway Address/Hostname: Type the address of the remote gateway, which can be an IP address
or a host name.
The IP address can be a host IP address or an IP address range. If the local end is the
initiator of IKE negotiation, it can have only one remote IP address and its remote IP
address must match the local IP address configured on its peer. If the local end is the
responder of IKE negotiation, it can have more than one remote IP address and one
of its remote IP addresses must match the local IP address configured on its peer.
The remote host name uniquely identifies the remote gateway in the network, and
can be resolved into an IP address by the DNS server. The local end can be the
initiator of IKE negotiation when the host name is specified.

Local Gateway Address: Type the IP address of the local gateway.
By default, it is the primary IP address of the interface where the IPsec connection is
set up.
IMPORTANT:
Configure this item when you want to specify a special address (a loopback
interface address, for example) for the local gateway. The name or IP address
of the remote gateway is required for an initiator so that the initiator can find
the remote peer in negotiation.

Authentication Method: Select the authentication method to be used by the IKE negotiation. Options include:
Pre-Shared-Key: Uses the pre-shared key method. If this option is selected, type
the key in the text box.
Certificate: Uses the digital signature method. If this option is selected, select a
certificate from the drop-down list. Available certificates are configured in the
certificate management.

Remote ID Type: Select the remote ID type for IKE negotiation phase 1. Options include:
IP Address: Uses an IP address as the ID in IKE negotiation.
FQDN: Uses a Fully Qualified Domain Name (FQDN) type of a gateway name as the ID in IKE
negotiation. If this option is selected, the remote gateway ID is required.

Local ID Type: Select the local ID type for IKE negotiation phase 1. Options include:
IP Address: Uses an IP address as the ID in IKE negotiation.
FQDN: Uses an FQDN type as the ID in IKE negotiation. If this option is selected, type a
name without any at sign (@) for the local security gateway, for example, foo.bar.com.
User FQDN: Uses a user FQDN type as the ID in IKE negotiation. If this option is selected,
type a name string with an at sign (@) for the local security gateway, for example,
test@foo.bar.com.

IMPORTANT:
If the IKE negotiation initiator uses the FQDN or user FQDN ID type of the security
gateway as the ID for IKE negotiation, it sends its gateway ID to the peer, and the
peer uses the locally configured remote gateway ID to authenticate the initiator. Make
sure that the remote gateway ID configured here is identical to the local gateway ID
configured on its peer.
In main mode, only the ID type of IP address can be used in IKE negotiation and SA
establishment.

Selector, Source Address/Wildcard, and Destination Address/Wildcard: Select a method to identify
the traffic to be protected by IPsec. Options include:
Characteristics of Traffic: Identifies traffic to be protected based on the source
address/wildcard and destination address/wildcard specified.
Designated by Remote Gateway: The data to be protected is determined by the
remote gateway.
IMPORTANT:
To ensure that SAs can be set up, configure the source address/wildcard
on one peer as the destination address/wildcard on the other, and the
destination address/wildcard on one peer as the source address/wildcard
on the other. If you do not configure the parameters this way, SAs can be
set up only when the IP addresses configured on one peer are subsets of
those configured on the other and the peer with the narrower address
range initiates SA negotiation.
If the data range is designated by the remote gateway, the local peer
cannot initiate a negotiation.

Reverse Route Injection: Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop
and change the preference of the static routes.
After an outbound IPsec SA is created, IPsec RRI automatically creates a static route
to the peer private network. You do not have to manually configure the static route.
IMPORTANT:
If you enable IPsec RRI and do not configure the static route, the SA
negotiation must be initiated by the remote gateway.
IPsec RRI creates static routes when IPsec SAs are set up, and deletes the
static routes when the IPsec SAs are deleted.
To view the static routes created by IPsec RRI, select Advanced > Route
Setup [Summary] from the navigation tree.

Next Hop: Specify a next hop for the static routes.
If you do not specify any next hop, the remote tunnel endpoint's address learned
during IPsec SA negotiation is used.

Priority: Change the preference of the static routes.
Change the route preference for equal-cost multipath (ECMP) routing or route
backup. If multiple routes to the same destination have the same preference, traffic is
balanced among them. If multiple routes to the same destination have different
preference values, the route with the highest preference forwards traffic and all other
routes are backup routes.

On the page for adding an IPsec connection, click Advanced Configuration to expand the advanced
configuration area, as shown in Figure 369.


Figure 369 Advanced configuration

Table 173 Advanced configuration items for adding an IPsec connection

Item: Description

Phase 1

Exchange Mode: Select the IKE negotiation mode in phase 1, which can be main or aggressive.
IMPORTANT:
If the IP address of one end of an IPsec tunnel is obtained dynamically, the
IKE negotiation mode must be aggressive. In this case, SAs can be
established as long as the username and password are correct.
An IKE peer uses its configured IKE negotiation mode when it is the
negotiation initiator. A negotiation responder uses the IKE negotiation mode
of the initiator.

Authentication Algorithm: Select the authentication algorithm to be used in IKE negotiation. Options include:
SHA1: Uses HMAC-SHA1.
MD5: Uses HMAC-MD5.

Encryption Algorithm: Select the encryption algorithm to be used in IKE negotiation. Options include:
DES-CBC: Uses the DES algorithm in CBC mode and 56-bit key.
3DES-CBC: Uses the 3DES algorithm in CBC mode and 168-bit key.
AES-128: Uses the AES algorithm in CBC mode and 128-bit key.
AES-192: Uses the AES algorithm in CBC mode and 192-bit key.
AES-256: Uses the AES algorithm in CBC mode and 256-bit key.

DH: Select the DH group to be used in key negotiation phase 1. Options include:
Diffie-Hellman Group1: Uses the 768-bit Diffie-Hellman group.
Diffie-Hellman Group2: Uses the 1024-bit Diffie-Hellman group.
Diffie-Hellman Group5: Uses the 1536-bit Diffie-Hellman group.
Diffie-Hellman Group14: Uses the 2048-bit Diffie-Hellman group.

SA Lifetime: Type the ISAKMP SA lifetime in IKE negotiation.
Before an SA expires, IKE negotiates a new SA. As soon as the new SA is set up, it
takes effect immediately and the old one will be cleared automatically when it expires.
IMPORTANT:
Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH
calculation in IKE negotiation takes time, especially on low-end devices. Set the
lifetime greater than 10 minutes to prevent the SA update from influencing
normal communication.

Phase 2

Security Protocol: Select the security protocols to be used. Options include:
ESP: Uses the ESP protocol.
AH: Uses the AH protocol.
AH-ESP: Uses ESP first and then AH.

AH Authentication Algorithm: Select the authentication algorithm for AH when you select AH or AH-ESP
for Security Protocol.
Available authentication algorithms include MD5 and SHA1.

ESP Authentication Algorithm: Select the authentication algorithm for ESP when you select ESP or AH-ESP
for Security Protocol.
You can select MD5 or SHA1, or select NULL so that ESP performs no authentication.
IMPORTANT:
The ESP authentication algorithm and ESP encryption algorithm cannot be null
at the same time.

ESP Encryption Algorithm: Select the encryption algorithm for ESP when you select ESP or AH-ESP
for Security Protocol. Options include:
3DES: Uses the 3DES algorithm and 168-bit key for encryption.
DES: Uses the DES algorithm and 56-bit key for encryption.
AES128: Uses the AES algorithm and 128-bit key for encryption.
AES192: Uses the AES algorithm and 192-bit key for encryption.
AES256: Uses the AES algorithm and 256-bit key for encryption.
NULL: Performs no encryption.
IMPORTANT:
Higher security means more complex implementation and lower speed. DES
is enough to meet general requirements. Use 3DES when high confidentiality
and security are required.
The ESP authentication algorithm and ESP encryption algorithm cannot be
null at the same time.

Encapsulation Mode: Select the IP packet encapsulation mode. Options include:
Tunnel: Uses the tunnel mode.
Transport: Uses the transport mode.

PFS: Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature.
Options include:
None: Disables PFS.
Diffie-Hellman Group1: Enables PFS and uses the 768-bit Diffie-Hellman group.
Diffie-Hellman Group2: Enables PFS and uses the 1024-bit Diffie-Hellman group.
Diffie-Hellman Group5: Enables PFS and uses the 1536-bit Diffie-Hellman group.
Diffie-Hellman Group14: Enables PFS and uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
DH Group14, DH Group5, DH Group2, and DH Group1 are in the
descending order of security and calculation time.
When IPsec uses an IPsec connection with PFS configured to initiate
negotiation, an additional key exchange is performed in phase 2 for higher
security.
Two peers must use the same Diffie-Hellman group. Otherwise, negotiation
will fail.

SA Lifetime: Type the IPsec SA lifetime, which can be time-based or traffic-based.
IMPORTANT:
When negotiating to set up IPsec SAs, IKE uses the smaller one between the
lifetime set locally and the lifetime proposed by the peer.

DPD: Enables or disables IKE dead peer detection (DPD).
DPD irregularly detects dead IKE peers. When the local end sends an IPsec packet,
DPD checks the time the last IPsec packet was received from the peer. If the time
exceeds the DPD interval, it sends a DPD hello to the peer. If the local end receives no
DPD acknowledgement within the DPD packet retransmission interval, it retransmits the
DPD hello. If the local end still receives no DPD acknowledgement after having made
the maximum number of retransmission attempts (two by default), it considers the peer
already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.

DPD Query Triggering Interval: Type the interval after which DPD is triggered if no IPsec protected
packet is received from the peer.

DPD Packet Retransmission Interval: Type the interval after which DPD packet retransmission will
occur if no DPD response is received.

Displaying IPsec VPN monitoring information


Select VPN > IPsec VPN from the navigation tree, and then click the Monitoring Information tab to enter
the page that displays the IPsec connection configuration and status information, as shown in Figure 370.
Select an IPsec connection by selecting its check box. The lower part of the page shows the information
of the IPsec tunnel that was set up with the selected IPsec connection configuration.
To delete all ISAKMP SAs of all IPsec connections, click Delete ISAKMP SA. To delete IPsec tunnels that
use the configuration of an IPsec connection, select the IPsec connection, and click Delete Selected
Connection's Tunnels.
Figure 370 Monitoring information

Table 174 Fields of the IPsec connection list

Field: Description

Connection Status: Status of an IPsec connection. Possible values include:
Connected
Disconnected
Unconfigured: The IPsec connection is disabled.

Last Connection Error: The most recent error, if any. Possible values include:
ERROR_NONE: No error occurred.
ERROR_QM_FSM_ERROR: State machine error.
ERROR_PHASEI_FAIL: Error occurred in phase 1.
ERROR_PHASEI_PROPOSAL_UNMATCHED: No matching security proposal in phase 1.
ERROR_PHASEII_PROPOSAL_UNMATCHED: No matching security proposal in phase 2.
ERROR_NAT_TRAVERSAL_ERROR: NAT traversal error.
ERROR_PHASEII_FAIL: Error occurred in phase 2.
ERROR_INVALID_SPI: SPI error.
ERROR_UNKNOWN: Unknown error.

Table 175 Fields of the IPsec tunnel list

Field: Description

Characteristics of Traffic: Characteristics of the IPsec protected traffic, including the source
address/wildcard, destination address/wildcard, protocol, source port, and
destination port.

SPI: The inbound and outbound SPIs, and the security protocols used.

IPsec VPN configuration example


Network requirements
As shown in Figure 371, an IPsec tunnel is required between Router A and Router B to protect traffic
between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Enable IPsec RRI on Router A and specify the next
hop as 2.2.2.2.
Figure 371 Network diagram for IPsec VPN configuration

Configuration procedure
1. Configure Router A

# Assign IP addresses to the interfaces. (Omitted)

# Configure an IPsec connection.

Select VPN > IPsec VPN from the navigation tree, and then click Add. The IPsec connection configuration
page appears, as shown in Figure 372.
Figure 372 Add an IPsec connection

Perform the following operations on the page:

Type map1 as the IPsec connection name.

Select interface Ethernet0/1.

Type 2.2.3.1 as the remote gateway IP address.

Select Pre-Shared-Key, and type abcde in the text box.

In the Selector area, select Characteristics of Traffic as the selector type.

Specify 10.1.1.0/0.0.0.255 as the source address/wildcard.

Specify 10.1.2.0/0.0.0.255 as the destination address/wildcard.


Select Enable for RRI.
Type 2.2.2.2 as the next hop.

Click Apply.

2. Configure Router B

# Assign IP addresses to the interfaces. (Omitted)


# Configure a static route to Host A.
Select Advanced > Route Setup from the navigation tree, and then select the Create tab.


Figure 373 Configure a static route to Host A

Perform the following operations on the page:

Type 10.1.1.0 as the destination IP address.

Type 24 as the mask.

Select the Interface check box and then select Ethernet0/1 as the interface.

Click Apply.

# Configure an IPsec connection.


Select VPN > IPsec VPN from the navigation tree and then click Add to enter the IPsec connection
configuration page (see Figure 372). Perform the following operations on the page:

Type map1 as the IPsec connection name.

Select interface Ethernet0/1.

Type 2.2.2.1 as the remote gateway IP address.

Select Pre-Shared-Key, and type abcde in the text box.

In the Selector area, select Characteristics of Traffic as the selector type.

Specify 10.1.2.0/0.0.0.255 as the source address/wildcard.

Specify 10.1.1.0/0.0.0.255 as the destination address/wildcard.

Click Apply.

Verification
After you complete the configuration, packets to be exchanged between subnet 10.1.1.0/24 and subnet
10.1.2.0/24 trigger the negotiation of SAs by IKE. After IKE negotiation succeeds and the IPsec SAs are
established, a static route to subnet 10.1.2.0/24 via 2.2.2.2 is added to the routing table on Device A,
and traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is protected by IPsec.
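
The peer-matching rules stated in Tables 172 and 173 can be checked before the two routers are configured. The following is an added example, not H3C code: it applies those rules to the Router A and Router B values above. The `Peer` fields, the default values for the advanced items, and the local gateway addresses (inferred from each router's remote gateway setting) are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_network


def selector(text):
    """Turn 'address/wildcard' (inverse mask, as typed in the Selector area) into a network."""
    addr, wildcard = text.split("/")
    mask = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    return ip_network((addr, prefix), strict=False)


@dataclass
class Peer:
    name: str
    local_gw: str                      # primary address of the IPsec interface by default
    remote_gw: str
    psk: str
    src: str                           # source address/wildcard
    dst: str                           # destination address/wildcard
    exchange_mode: str = "main"        # assumed values for the advanced items,
    local_id_type: str = "IP Address"  # which the page's example does not set
    esp_auth: str = "SHA1"
    esp_enc: str = "3DES"
    pfs: str = "None"


def local_problems(p):
    """Rules a single connection must satisfy on its own."""
    found = []
    if p.esp_auth == "NULL" and p.esp_enc == "NULL":
        found.append(f"{p.name}: ESP authentication and encryption are both NULL")
    if p.exchange_mode == "main" and p.local_id_type != "IP Address":
        found.append(f"{p.name}: main mode allows only the IP address ID type")
    return found


def initiators(a, b):
    """Peers that may initiate SA negotiation under the source/destination rule."""
    a_src, a_dst, b_src, b_dst = map(selector, (a.src, a.dst, b.src, b.dst))
    if (a_src, a_dst) == (b_dst, b_src):
        return [a.name, b.name]        # mirrored: either end can start
    if a_src.subnet_of(b_dst) and a_dst.subnet_of(b_src):
        return [a.name]                # a is narrower, so a must initiate
    if b_src.subnet_of(a_dst) and b_dst.subnet_of(a_src):
        return [b.name]
    return []


def check_pair(a, b):
    """Return (problems, peers that may initiate SA negotiation)."""
    problems = local_problems(a) + local_problems(b)
    for x, y in ((a, b), (b, a)):
        if x.remote_gw != y.local_gw:
            problems.append(f"{x.name}: remote gateway {x.remote_gw} is not "
                            f"{y.name}'s local address {y.local_gw}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")   # key values are never echoed
    if a.pfs != b.pfs:
        problems.append(f"PFS groups differ: {a.pfs} vs {b.pfs}")
    allowed = initiators(a, b)
    if not allowed:
        problems.append("selectors are neither mirrored nor nested")
    return problems, allowed


# Values from the configuration example; local addresses are inferred (assumption).
ROUTER_A = Peer("Router A", "2.2.2.1", "2.2.3.1", "abcde",
                "10.1.1.0/0.0.0.255", "10.1.2.0/0.0.0.255")
ROUTER_B = Peer("Router B", "2.2.3.1", "2.2.2.1", "abcde",
                "10.1.2.0/0.0.0.255", "10.1.1.0/0.0.0.255")

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B))
    # Constructed variant: Router B protects a wider destination range and enables PFS.
    wide_b = replace(ROUTER_B, dst="10.1.0.0/0.0.255.255", pfs="Diffie-Hellman Group14")
    print(check_pair(ROUTER_A, wide_b))
```

With the constructed variant, only Router A may initiate because its selectors are the narrower ones, and the PFS mismatch is reported as a problem.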

Configuration guidelines
When configuring IPsec, follow these guidelines:

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51
and 50 respectively. Make sure that flows of these protocols are not denied on the interfaces with
IKE or IPsec configured.

If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different
queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay
operation, packets outside the anti-replay window in the inbound direction may be discarded,
resulting in packet loss. When using IPsec together with QoS, ensure that the characteristics of
traffic in IPsec are the same as the classification of traffic in QoS.


L2TP configuration
You can perform the following configurations for the LNS of an L2TP tunnel in the web interface:

Enabling L2TP

Adding an L2TP group

Displaying L2TP tunnel information

L2TP overview
A virtual private dial-up network (VPDN) is a virtual private network (VPN) that utilizes the dial-up function
of public networks such as ISDN or PSTN networks to provide access services for enterprises, small
Internet service providers (ISPs), and telecommuters. VPDN provides an economical and effective,
point-to-point way for remote users to connect to their private LANs.
The VPDN technology uses a tunneling protocol to build secure VPNs across public networks for
enterprises. Branches away from the headquarters and staff on business trips can remotely access the
Intranet resources in the headquarters through a virtual tunnel over public networks, while other users on
the public networks cannot.
There are primarily three VPDN tunneling protocols:

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Forwarding (L2F)

Layer 2 Tunneling Protocol (L2TP)

L2TP is the most widely-used VPDN tunneling protocol. Figure 374 shows a typical VPDN built by using
L2TP.
Figure 374 VPDN built by using L2TP
(Diagram labels: Remote user, Remote branch, PPPoE/ISDN, LAC, Internet, L2TP tunnel, LNS, Internal server)

A VPDN built by using L2TP comprises three components:

Remote system

A remote system is usually a remote user's host or a remote branch's routing device that needs to access
the VPDN network.

LAC

An L2TP access concentrator (LAC) is a device that has PPP and L2TP capabilities. An LAC is usually a
Network Access Server (NAS) located at a local ISP, which provides access services mainly for PPP users.
An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates
packets received from a remote system using L2TP and then sends the resulting packets to the LNS. It
de-encapsulates packets received from the LNS and then sends the resulting packets to the intended
remote system.
Between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used in
a VPDN application.

LNS

An L2TP network server (LNS) functions as both the L2TP server and the PPP end system. It is usually an
edge device on an enterprise network.
An LNS is the other endpoint of an L2TP tunnel and is a peer to the LAC. It is the logical termination point
of a PPP session tunneled by the LAC. The L2TP extends the termination point of a PPP session from a NAS
to an LNS, logically.
NOTE:
For more information about L2TP, see the H3C MSR Series Routers Layer 2 - WAN Configuration Guide.

Configuring L2TP
L2TP configuration task list
Table 176 L2TP configuration task list

Task: Remarks

Enabling L2TP: Required
By default, L2TP is disabled.

Adding an L2TP group: Required
Create an L2TP group and configure L2TP group related parameters.
By default, no L2TP group exists.

Displaying L2TP tunnel information: Optional
View the L2TP tunnel information.

Enabling L2TP
Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown
in Figure 375. On the upper part of the page, you can enable or disable L2TP.


Figure 375 L2TP configuration page

Table 177 Configuration item for enabling L2TP

Item: Description

Enable L2TP: Specify whether to enable L2TP globally.

Return to L2TP configuration task list.

Adding an L2TP group


Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown
in Figure 375. On the lower part of the page, you can view and configure L2TP groups. Click Add to add
an L2TP group, as shown in Figure 376.


Figure 376 Add an L2TP group

Table 178 Configuration items for adding an L2TP group

Item: Description

L2TP Group Name: Specify the name of the L2TP group.

Peer Tunnel Name: Specify the peer name of the tunnel.

Local Tunnel Name: Specify the local name of the tunnel.

Tunnel Authentication and Authentication Password: Enable or disable L2TP tunnel authentication in the group. If you enable tunnel authentication, you need to set the authentication password.
Either the LAC or LNS end can initiate a tunnel authentication request. If tunnel authentication is enabled on one end, the tunnel can be established successfully only if the other end is also enabled with tunnel authentication, and the two ends are configured with the same authentication passwords. If tunnel authentication is disabled on both ends, authentication passwords will not take effect.
IMPORTANT:
- Normally, you need to enable tunnel authentication on both ends of the tunnel for security. You can disable tunnel authentication if you want to test the network connectivity or let the local end receive connections initiated by unknown peers.
- To change the tunnel authentication password, do so after tearing down the tunnel. Otherwise, your change does not take effect.

PPP Authentication Configuration > Authentication Method: Select the authentication method for PPP users on the local end. You can select PAP or CHAP. If you do not select an authentication method, no authentication will be performed.

PPP Authentication Configuration > ISP Domain: Specify the ISP domain for PPP user authentication. You can:
- Click Add to enter the page for adding an ISP domain, as shown in Figure 377. See Table 179 for configuration details.
- Select an ISP domain and click Modify to enter the ISP domain modification page. See Table 179 for configuration details.
- Select an ISP domain and click Delete to delete the ISP domain.
Note that:
- If you specify an ISP domain, the specified domain will be used for authentication, and IP addresses must be assigned from the address pool configured in the specified domain. See the description of the User Address parameter for details.
- If you do not specify any ISP domain, the system will check whether domain information is carried in a username. If yes, the domain will be used for authentication (if the domain does not exist, the authentication will fail); otherwise, the default domain (system by default) will be used for authentication.

PPP Address > PPP Server IP/Mask: Specify the IP address and mask of the local end.

PPP Address > User Address: Specify the address pool for assigning IP addresses to users on the peer end, or assign an IP address to a user directly.
If you have specified an ISP domain in PPP authentication configuration, the address pools in the ISP domain will be listed in the User Address drop-down list. You can:
- Click Add to add an address pool, as shown in Figure 378. See Table 180 for configuration details.
- Select an address pool and click Modify to enter the address pool modification page. See Table 180 for configuration details.
- Select an address pool and click Delete to delete the address pool.

PPP Address > Assign Address Forcibly: Specify whether to force the peer end to use the IP address assigned by the local end. If you enable this function, the peer end is not allowed to use its locally configured IP address.

Advanced Configuration > Hello Interval: Specify the interval between sending hello packets.
To check the connectivity of a tunnel, the LAC and LNS regularly send Hello packets to each other. Upon receipt of a Hello packet, the LAC or LNS returns a response packet. If the LAC or LNS receives no Hello response packet from the peer within a specified period of time, it retransmits the Hello packet. If it receives no response packet from the peer after transmitting the Hello packet three times, it considers that the L2TP tunnel is down and tries to re-establish a tunnel with the peer.
The intervals on the LAC and LNS ends of a tunnel can be different.

AVP Hidden: Specify whether to transfer Attribute Value Pair (AVP) data in hidden mode.
With L2TP, some parameters are transferred as AVP data. You can configure an LAC to transfer AVP data in hidden mode, namely, encrypt AVP data before transmission, for higher security.
This configuration takes effect only on an LAC.

Flow Control: Specify whether to enable flow control for the L2TP tunnel.
The L2TP tunnel flow control function is for control of data packets in transmission. The flow control function helps in buffering and adjusting the received out-of-order data packets.

Mandatory CHAP and Mandatory LCP: Configure user authentication on an LNS.
An LNS may be configured to authenticate a user who has passed authentication on the LAC to increase security. In this case, an L2TP tunnel can be set up only when both of the authentications succeed. An LNS can authenticate users in three ways: mandatory CHAP authentication, LCP re-negotiation and proxy authentication.
- Mandatory CHAP authentication: With mandatory CHAP authentication configured, a VPN user who depends on a NAS to initiate tunneling requests is authenticated twice: once when accessing the NAS and once on the LNS by using CHAP.
- LCP re-negotiation: For a PPP user who depends on a NAS to initiate tunneling requests, the user first performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP tunneling request and sends the user authentication information to the LNS. The LNS then determines whether the user is valid according to the user authentication information received. Under some circumstances (when authentication and accounting are required on the LNS, for example), another round of Link Control Protocol (LCP) negotiation is required between the LNS and the user. In this case, the user authentication information from the NAS will be ignored.
- Proxy authentication: If neither LCP re-negotiation nor mandatory CHAP authentication is configured, an LNS performs proxy authentication of users. In this case, the LAC sends to the LNS all authentication information from users as well as the authentication mode configured on the LAC itself.
IMPORTANT:
- Among these three authentication methods, LCP re-negotiation has the highest priority. If both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP re-negotiation and the PPP authentication method configured in the L2TP group.
- With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the LNS will not re-authenticate users; it will assign public addresses to the PPP users immediately. In other words, the users are authenticated only once at the LAC end.
- Some PPP clients may not support re-authentication, in which case LNS side CHAP authentication will fail.
- When the LNS uses proxy authentication and the user authentication information received from the LAC is valid: if the authentication method configured in the L2TP group is PAP, the proxy authentication succeeds and a session can be established for the user; if the authentication method configured in the L2TP group is CHAP but that configured on the LAC is PAP, the proxy authentication will fail and no session can be set up. This is because the level of CHAP authentication, which is required by the LNS, is higher than that of PAP authentication, which the LAC provides.
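The Tunnel Authentication and AVP Hidden items in Table 178 both depend on the tunnel authentication password. The following added example (not code from the H3C guide or the router software) follows the L2TP specification, RFC 2661: the password is the shared secret for the CHAP-style Challenge Response exchanged during tunnel setup and for the MD5 keystream that hides AVP values. The function names, passwords, challenge and random vector are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Control message types from RFC 2661. The type of the message that carries
# the Challenge Response AVP is used as the CHAP ID in the hash.
SCCRP = 2  # Start-Control-Connection-Reply
SCCCN = 3  # Start-Control-Connection-Connected
PROXY_AUTHEN_NAME = 30  # AVP attribute type that carries the PPP username


def challenge_response(msg_type: int, password: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: MD5(CHAP ID || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + password + challenge).digest()


def peer_accepts(msg_type: int, local_password: bytes, challenge: bytes,
                 response: bytes) -> bool:
    """Recompute the response with the locally configured password and compare."""
    expected = challenge_response(msg_type, local_password, challenge)
    return hmac.compare_digest(expected, response)


def _keystream_xor(data: bytes, attr_type: int, password: bytes,
                   random_vector: bytes, hiding: bool) -> bytes:
    """RFC 2661 section 4.3: b1 = MD5(type || secret || RV), then
    b(i) = MD5(secret || c(i-1)); each b is XORed with a 16-octet segment."""
    block_key = hashlib.md5(
        struct.pack("!H", attr_type) + password + random_vector).digest()
    out = bytearray()
    for offset in range(0, len(data), 16):
        segment = data[offset:offset + 16]
        mixed = bytes(a ^ b for a, b in zip(segment, block_key))
        out += mixed
        # The next hash is always keyed on the ciphertext segment.
        cipher_segment = mixed if hiding else segment
        block_key = hashlib.md5(password + cipher_segment).digest()
    return bytes(out)


def hide_avp(attr_type: int, value: bytes, password: bytes,
             random_vector: bytes, padding: bytes = b"") -> bytes:
    """Build the hidden AVP subformat (length, value, padding) and encrypt it."""
    subformat = struct.pack("!H", len(value)) + value + padding
    return _keystream_xor(subformat, attr_type, password, random_vector, True)


def unhide_avp(attr_type: int, hidden: bytes, password: bytes,
               random_vector: bytes) -> bytes:
    """Decrypt a hidden AVP and strip the length prefix and padding."""
    subformat = _keystream_xor(hidden, attr_type, password, random_vector, False)
    if len(subformat) < 2:
        raise ValueError("hidden AVP too short")
    (length,) = struct.unpack("!H", subformat[:2])
    if length > len(subformat) - 2:
        raise ValueError("length exceeds AVP size: wrong password or corrupt AVP")
    return subformat[2:2 + length]


if __name__ == "__main__":
    # Constructed sample values, not captured from a device.
    challenge = bytes(range(16))
    random_vector = bytes(range(16, 32))
    lac_password = b"Tunnel-Pass-1"

    response = challenge_response(SCCRP, lac_password, challenge)
    print("same password on both ends:",
          peer_accepts(SCCRP, b"Tunnel-Pass-1", challenge, response))
    print("different password on the peer:",
          peer_accepts(SCCRP, b"tunnel-pass-1", challenge, response))

    hidden = hide_avp(PROXY_AUTHEN_NAME, b"vpdnuser", lac_password,
                      random_vector, padding=b"\x00" * 7)
    print("hidden AVP value:", hidden.hex())
    print("recovered by the peer:",
          unhide_avp(PROXY_AUTHEN_NAME, hidden, lac_password, random_vector))
```

Both mechanisms are keyed only by the tunnel password, so their protection is bounded by the strength of that password.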

Figure 377 Add an ISP domain

Table 179 Configuration items for adding an ISP

Item: Description

ISP Domain: Specify the name of the ISP domain.

Authentication Methods > Primary: Select the primary authentication method for PPP users.
- HWTACACS: Uses HWTACACS authentication, which uses the HWTACACS scheme system.
- Local: Uses local authentication.
- None: All users are trusted and no authentication is performed.
- RADIUS: Uses RADIUS authentication, which uses the RADIUS scheme system.
- If you do not select any authentication method, the default authentication method of the ISP domain will be used, which is Local by default.

Authentication Methods > Backup: Specify whether to use local authentication as the backup authentication method. This item is available only when you select HWTACACS or RADIUS as the primary authentication method.

Authorization Methods > Primary: Select the primary authorization method for PPP users.
- HWTACACS: Uses HWTACACS authorization, which uses the HWTACACS scheme system.
- Local: Uses local authorization.
- None: The access device does not perform any authorization exchange. After passing authentication, PPP users can directly access the network.
- RADIUS: Uses RADIUS authorization, which uses the RADIUS scheme system.
- If you do not select any authorization method, the default authorization method of the ISP domain will be used, which is Local by default.

Authorization Methods > Backup: Specify whether to use local authorization as the backup authorization method. This item is available only when you select HWTACACS or RADIUS as the primary authorization method.

Accounting Optional: Specify whether to enable the accounting optional function.
- For an online user, with the accounting optional function disabled, if no accounting server is available or communication with the current accounting server fails, the user will be disconnected. However, with the accounting optional function enabled, the user can still use the network resources in such case, but the system will not send the accounting information of the user to the accounting server any more.

Accounting Methods > Primary: Select the primary accounting method for PPP users.
- HWTACACS: Uses HWTACACS accounting, which uses the HWTACACS scheme system.
- Local: Uses local accounting.
- None: The system does not perform accounting for the users.
- RADIUS: Uses RADIUS accounting, which uses the RADIUS scheme system.
- If you do not select any accounting method, the default accounting method of the ISP domain will be used, which is Local by default.

Accounting Methods > Backup: Specify whether to use local accounting as the backup accounting method. This item is available only when you select HWTACACS or RADIUS as the primary accounting method.

Max. Number of Users: Specify the maximum number of users the ISP domain can accommodate. If you do not specify the maximum number, the system will not limit the number of users of the ISP domain.
Because users may compete for resources, setting a proper limit on the number of users of an ISP domain helps guarantee performance for the users of the ISP domain.

Figure 378 Add an address pool

Table 180 Configuration items for adding an IP address pool

Item: Description

ISP Domain: Select the ISP domain for the IP address pool to be created.

IP Address Pool Number: Specify the number of the IP address pool.
If you set the IP address pool number to 1, the name of the IP address pool is pool1.

Start IP and End IP: Specify the start IP address and end IP address of the IP address pool.
The number of addresses between the start IP address and end IP address must not exceed 1024. If you specify only the start IP address, the IP address pool will contain only one IP address, namely, the start IP address.

Return to L2TP configuration task list.

Displaying L2TP tunnel information


Select VPN > L2TP > Tunnel Info from the navigation tree to enter the L2TP tunnel information page, as
shown in Figure 379.
Figure 379 L2TP tunnel information

Table 181 L2TP tunnel information

Item: Description

Local Tunnel ID: Local ID of the tunnel

Peer Tunnel ID: Peer ID of the tunnel

Peer Tunnel Port: Peer port of the tunnel

Peer Tunnel IP: Peer IP address of the tunnel

Session Count: Number of sessions on the tunnel

Peer Tunnel Name: Peer name of the tunnel

Return to L2TP configuration task list.

L2TP configuration example


Client-initiated VPN configuration example
Network requirements
As shown in Figure 380, a VPN user accesses the corporate headquarters as follows:
1. The user first connects to the Internet, and then initiates a tunneling request to the LNS directly.

2. After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the VPN user.

3. The VPN user communicates with the headquarters over the tunnel.

Figure 380 Network diagram for client-initiated VPN configuration

Configuration procedure
1. Configure the VPN user

Assign an IP address (2.1.1.1 in this example) to the user host, configure a route to ensure the reachability
of the LNS (1.1.2.2), and create a virtual private network connection using the Windows operating system,
or install L2TP client software such as WinVPN Client and connect to the Internet in dial-up mode. Then,
perform the following configurations (the configuration order may vary with the client software):

Specify the VPN username as vpdnuser and the password as Hello.

Set the Internet interface address of the security gateway as the IP address of the LNS. In this
example, the Ethernet interface on the LNS, the interface for the tunnel, has an IP address of 1.1.2.2.

Modify the connection attributes, setting the protocol to L2TP, the encryption attribute to customized
and the authentication mode to CHAP.

2. Configure the LNS

# Configure IP addresses for interfaces (omitted).


# Configure a route to ensure the reachability of the user host.
# Create a local user named vpdnuser, and set the password to Hello and the service type to PPP.

Select System Management > Users from the navigation tree, and then click the Create User tab
and perform the configurations shown in Figure 381.

Figure 381 Add a local user

Type vpdnuser as the username.

Select access level Configure.



Type password Hello.

Type Hello to confirm the password.

Select PPP Service as the service type.

Click Apply.

# Enable L2TP.

Select VPN > L2TP > L2TP Config from the navigation tree. Then, perform the configurations shown
in Figure 382.

Figure 382 Enable L2TP

Select the check box before Enable L2TP.

Click Apply.

# Add an L2TP group.

On the L2TP configuration page, click Add and then perform the following configurations.

Type the L2TP group name test.

Type the peer tunnel name vpdnuser.

Type the local tunnel name LNS.

Select Disable for Tunnel Authentication.

Select CHAP as the PPP authentication method.

Select ISP domain system (the default ISP domain).

Click the Modify button of the ISP domain to perform the configurations shown in Figure 383.


Figure 383 Select local authentication for VPN users

Select the server type Local as the PPP authentication method.

Click Apply to return to the L2TP group configuration page.

Type 192.168.0.1/255.255.255.0 as the PPP server IP address/mask.

Click the Add button of the User Address parameter and then perform the configurations shown in
Figure 384.

Figure 384 Add an IP address pool

Select domain system.

Type 1 as the IP address pool number.

Type the start IP address 192.168.0.2.

Type the end IP address 192.168.0.100.

Click Apply to finish the IP address pool configuration and return to the L2TP group configuration
page.

Select pool1 from the User Address drop-down list.

Select Enable from the Assign Address Forcibly drop-down list. Figure 385 shows the L2TP group
configuration page after the above configurations.

Click Apply.


Figure 385 L2TP group configurations

Verification
# On the user host, initiate an L2TP connection to the LNS. The host will obtain an IP address
(192.168.0.2) and will be able to ping the private address of the LNS (192.168.0.1).
# On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information about the established
L2TP tunnel should appear, as shown in Figure 386.
Figure 386 L2TP tunnel information


GRE configuration
You can configure GRE over IPv4 tunnels in the web interface.

GRE overview
Introduction to GRE
Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets
of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example,
IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol.
A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are
encapsulated at one end of the tunnel and de-encapsulated at the other end. Figure 387 depicts the
encapsulation and de-encapsulation processes.
Figure 387 X protocol networks interconnected through the GRE tunnel

NOTE:
For more information about GRE, see the H3C MSR Series Routers Layer 3 - IP Services Configuration
Guide.

Configuring a GRE over IPv4 tunnel


Configuration prerequisites
Interfaces on a device, such as VLAN interfaces, Ethernet interfaces, and loopback interfaces, are
configured with IPv4 addresses and can communicate. Such an interface can be used as the source of
a virtual tunnel interface to ensure the reachability of the tunnel destination address.

Configuration task list


Table 182 GRE over IPv4 tunnel configuration task list

Task: Remarks

Creating a GRE tunnel: Required. Create a tunnel interface and configure GRE tunnel related parameters.

Configuring a route through the tunnel: Optional. Each end of the tunnel must have a route (static or dynamic) through the tunnel to the other end, so that GRE encapsulated packets can be forwarded normally.
For more configuration information, see the chapter Route configuration.

Creating a GRE tunnel


Select VPN > GRE from the navigation tree to enter the GRE tunnel configuration page, as shown in
Figure 388. Then, click Add to add a GRE tunnel, as shown in Figure 389.
Figure 388 GRE tunnel configuration page

Figure 389 Add a GRE tunnel

Table 183 GRE tunnel configuration items

Item: Description

Tunnel Interface: Specify the number of the tunnel interface.

IP/Mask: Specify the IP address and subnet mask of the tunnel interface.
IMPORTANT:
When configuring a static route on the tunnel interface, note that the destination IP address of the static route must not be in the subnet of the tunnel interface.

Tunnel Source IP/Interface and Tunnel Destination IP: Specify the source IP address and destination IP address for the tunnel interface.
For the tunnel source address, you can input an IP address or select an interface. In the latter case, the primary IP address of the interface will be used as the tunnel source address.
IMPORTANT:
The source address and destination address of a tunnel uniquely identify a path. They must be configured at both ends of the tunnel and the source address at one end must be the destination address at the other end and vice versa.

GRE Key: Specify the key for the GRE tunnel interface. This configuration is to prevent the tunnel ends from servicing or receiving packets from other places.
IMPORTANT:
The two ends of a tunnel must have the same key or have no key at the same time.

GRE Packet Checksum: Enable or disable the GRE packet checksum function.

Keepalive: Enable or disable the GRE keepalive function.
With the GRE keepalive function enabled on a tunnel interface, the device sends GRE keepalive packets from the tunnel interface periodically. If no response is received from the peer within the specified interval, the device retransmits the keepalive packet. If the device still receives no response from the peer after sending the keepalive packet for the maximum number of attempts, the local tunnel interface goes down and stays down until it receives a keepalive acknowledgement packet from the peer.

Keepalive Interval and Number of Retries: Specify the interval between sending the keepalive packets and the maximum number of transmission attempts.
The two configuration items are available when you select Enable for the GRE keepalive function.
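What the GRE Key and GRE Packet Checksum items in Table 183 mean on the wire, as an added example that is not code from the H3C guide or the router software: it builds and parses the GRE header defined in RFC 2784 and RFC 2890 and drops packets whose key or checksum does not match. The function names, the key value and the payload are constructed for illustration.

```python
import struct

FLAG_CHECKSUM = 0x8000   # C bit: Checksum and Reserved1 fields present (RFC 2784)
FLAG_KEY = 0x2000        # K bit: Key field present (RFC 2890)
FLAG_SEQUENCE = 0x1000   # S bit: Sequence Number field present (RFC 2890)
VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800


class GreRejected(Exception):
    """Raised when a received GRE packet must be dropped."""


def internet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum, as used by IP and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(payload: bytes, key=None, checksum=False,
              protocol=ETHERTYPE_IPV4) -> bytes:
    """Encapsulate payload as a tunnel end configured with this key/checksum would."""
    flags, optional = 0, b""
    if checksum:
        flags |= FLAG_CHECKSUM
        optional += b"\x00\x00\x00\x00"   # checksum (zero while summing) + Reserved1
    if key is not None:
        flags |= FLAG_KEY
        optional += struct.pack("!I", key)
    packet = bytearray(struct.pack("!HH", flags, protocol) + optional + payload)
    if checksum:
        struct.pack_into("!H", packet, 4, internet_checksum(bytes(packet)))
    return bytes(packet)


def receive_gre(packet: bytes, local_key=None):
    """Return (protocol, payload), or raise GreRejected if the packet is dropped."""
    if len(packet) < 4:
        raise GreRejected("truncated header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & VERSION_MASK:
        raise GreRejected("unsupported GRE version")
    offset = 4
    packet_key = None
    # Optional fields appear in this order when their flag bit is set.
    for flag in (FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQUENCE):
        if not flags & flag:
            continue
        if len(packet) < offset + 4:
            raise GreRejected("truncated optional field")
        if flag == FLAG_CHECKSUM and internet_checksum(packet) != 0:
            raise GreRejected("checksum mismatch")
        if flag == FLAG_KEY:
            (packet_key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    # Both ends must carry the same key, or neither end a key at all.
    if packet_key != local_key:
        raise GreRejected("key mismatch")
    return protocol, packet[offset:]


def verdict(packet: bytes, local_key=None) -> str:
    """Human-readable outcome of receive_gre for a given local key setting."""
    try:
        receive_gre(packet, local_key)
        return "accepted"
    except GreRejected as reason:
        return str(reason)


if __name__ == "__main__":
    inner = b"constructed inner IPv4 packet"   # constructed sample payload
    keyed = build_gre(inner, key=12345, checksum=True)
    damaged = keyed[:-1] + bytes([keyed[-1] ^ 0x01])
    print("same key on both ends:   ", verdict(keyed, local_key=12345))
    print("different key:           ", verdict(keyed, local_key=54321))
    print("key on one end only:     ", verdict(keyed, local_key=None))
    print("payload altered in flight:", verdict(damaged, local_key=12345))
```

The key is a 32-bit field carried unencrypted in every packet, so it filters misdirected or misconfigured traffic and does not authenticate the sender.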

GRE over IPv4 tunnel configuration example


Network requirements
As shown in Figure 390, Router A and Router B are interconnected through the Internet. Two private IP
subnets Group 1 and Group 2 are interconnected through a GRE tunnel between Router A and Router B.
Figure 390 Network diagram for a GRE over IPv4 tunnel

Configuration procedure

NOTE:
Before the configuration, make sure that Router A and Router B are reachable to each other.
1. Configure Router A

# Configure an IPv4 address for interface Ethernet 0/0.


Select Interface Setup > WAN Interface Setup from the navigation tree of Router A. Click the icon of
interface Ethernet 0/0 and then perform the configurations shown in Figure 391:

Figure 391 Configure interface Ethernet 0/0

Select Manual for Connect Mode.

Type IP address 10.1.1.1.

Select IP mask 24 (255.255.255.0).

Click Apply.

# Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel.
Click the icon of interface Ethernet 0/1 and then perform the configurations shown in Figure 392.

Figure 392 Configure interface Ethernet 0/1

Select Manual for Connect Mode.

Type IP address 1.1.1.1.

Select IP mask 24 (255.255.255.0).

Click Apply.

# Create a GRE tunnel.


Select VPN > GRE from the navigation tree. Click Add and then perform the configurations shown in
Figure 393:
Figure 393 Set up a GRE tunnel


Type 0 in the Tunnel Interface text box.

Type IP address/mask 10.1.2.1/24.

Type the source end IP address 1.1.1.1, the IP address of Ethernet 0/1.

Type the destination end IP address 2.2.2.2, the IP address of Ethernet 0/1 on Router B.

Click Apply.

# Configure a static route from Router A through interface Tunnel 0 to Group 2.


Select Advanced > Route Setup from the navigation tree. Click the Create tab and then perform the
configurations shown in Figure 394.
Figure 394 Add a static route from Router A through interface Tunnel 0 to Group 2

Type 10.1.3.0 as the destination IP address.

Type mask 24.

Select the check box before Interface, and then select egress interface Tunnel0.

Click Apply.

2. Configure Router B

# Configure an IPv4 address for interface Ethernet 0/0.


Select Interface Setup > WAN Interface Setup from the navigation tree. Click the icon of interface
Ethernet 0/0 and then perform the configurations shown in Figure 395.

Figure 395 Configure interface Ethernet 0/0

Select Manual for Connect Mode.

Type IP address 10.1.3.1.

Select IP mask 24 (255.255.255.0).

Click Confirm.

# Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel.
Click the icon of interface Ethernet 0/1 and then perform the configurations shown in Figure 396.

Figure 396 Configure interface Ethernet 0/1

Select Manual for Connect Mode.

Type IP address 2.2.2.2.

Select IP mask 24 (255.255.255.0).

Click Confirm.

# Create a GRE tunnel.


Select VPN > GRE from the navigation tree. Click Add and then perform the configurations shown in
Figure 397:
Figure 397 Set up a GRE tunnel


Type 0 in the Tunnel Interface text box.

Type IP address/mask 10.1.2.2/24.

Type the source end IP address 2.2.2.2, the IP address of Ethernet 0/1.

Type the destination end IP address 1.1.1.1, the IP address of Ethernet 0/1 on Router A.

Click Apply.

# Configure a static route from Router B through interface Tunnel 0 to Group 1.


Select Advanced > Route Setup from the navigation tree. Click the Create tab and then perform the
configurations shown in Figure 398:
Figure 398 Add a static route from Router B through interface Tunnel 0 to Group 1

Type 10.1.1.0 as the destination IP address.

Type mask 24.

Select the check box before Interface, and then select egress interface Tunnel0.

Click Apply.

Verify the configuration


# After the above configuration, on Router B, you can ping the IP address of Ethernet 0/0 of Router A.

Select Other > Diagnostic Tools from the navigation tree of Router B, and then click the Ping tab.

Input the destination IP address 10.1.1.1.

Click Start.

View the result of the ping operation in the Summary area, as shown in Figure 399:

Figure 399 Verify the configuration
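A pre-deployment check of the two tunnel ends against the rules stated in Tables 182 and 183 (mirrored source and destination, matching GRE key, a route through the tunnel at each end, and no static route destination inside the tunnel interface subnet), as an added example that is not part of the H3C guide. The Router A and Router B values are the ones used in this configuration example; the TunnelEnd structure, the function names and the faulty variant are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TunnelEnd:
    name: str
    tunnel_ip: str                      # IP/Mask of the tunnel interface
    source: str                         # Tunnel Source IP
    destination: str                    # Tunnel Destination IP
    gre_key: Optional[int] = None       # None means no GRE key is configured
    routes_via_tunnel: List[str] = field(default_factory=list)


def check_end(end: TunnelEnd) -> List[str]:
    """Checks that involve one router only."""
    problems = []
    tunnel_net = ipaddress.ip_interface(end.tunnel_ip).network
    if not end.routes_via_tunnel:
        problems.append(f"{end.name}: no route through the tunnel to the other end")
    for route in end.routes_via_tunnel:
        dest = ipaddress.ip_network(route, strict=False)
        if dest.network_address in tunnel_net:
            problems.append(
                f"{end.name}: static route {route} lies in tunnel subnet {tunnel_net}")
    return problems


def check_pair(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Checks that compare the two ends of one tunnel."""
    problems = check_end(a) + check_end(b)
    for local, remote in ((a, b), (b, a)):
        if ipaddress.ip_address(local.source) != ipaddress.ip_address(remote.destination):
            problems.append(
                f"{local.name} source {local.source} is not "
                f"{remote.name} destination {remote.destination}")
    if a.gre_key != b.gre_key:
        problems.append("GRE key differs between the two ends")
    return problems


# Values from the configuration example above.
ROUTER_A = TunnelEnd("Router A", "10.1.2.1/24", "1.1.1.1", "2.2.2.2",
                     routes_via_tunnel=["10.1.3.0/24"])
ROUTER_B = TunnelEnd("Router B", "10.1.2.2/24", "2.2.2.2", "1.1.1.1",
                     routes_via_tunnel=["10.1.1.0/24"])

# Constructed faulty variant of Router B: wrong destination, a key on one end
# only, and a static route whose destination is inside the tunnel subnet.
ROUTER_B_FAULTY = TunnelEnd("Router B", "10.1.2.2/24", "2.2.2.2", "1.1.1.2",
                            gre_key=7, routes_via_tunnel=["10.1.2.0/24"])

if __name__ == "__main__":
    print("as documented:", check_pair(ROUTER_A, ROUTER_B) or "no problems")
    for problem in check_pair(ROUTER_A, ROUTER_B_FAULTY):
        print("faulty variant:", problem)
```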

Certificate management
You can do the following to configure certificate management on the web interface:

Creating a PKI entity

Creating a PKI domain

Generating an RSA key pair

Destroying the RSA key pair

Retrieving and displaying a certificate

Requesting a local certificate

Retrieving and displaying a CRL

Introduction to PKI
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security
through public key technologies, and it is the most widely applied encryption mechanism currently.
H3C's PKI system provides certificate management for IP Security (IPsec), Secure Sockets Layer (SSL), and
WLAN Authentication and Privacy Infrastructure (WAPI).
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair
consists of a private key and a public key. The private key must be kept secret but the public key needs
to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate
mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners,
helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:

VPN: A virtual private network (VPN) is a private data communication network built on the public
communication infrastructure. A VPN can leverage network layer security protocols (for instance,
IPsec) in conjunction with PKI-based encryption and digital signature technologies to achieve
confidentiality.

Secure email: Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. The secure email protocol that is currently developing rapidly is
Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for
transfer of encrypted mails with signature.

Web security: For Web security, two peers can establish a Secure Sockets Layer (SSL) connection
first for transparent and secure communications at the application layer. With PKI, SSL enables
encrypted communications between a browser and a server. Both the communication parties can
verify the identity of each other through digital certificates.

Operation of PKI
In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check
the validity of the certificate. The following describes how it works:

1. An entity submits a certificate request to the CA.

2. The RA verifies the identity of the entity and then sends the identity information and the public key
with a digital signature to the CA.

3. The CA verifies the digital signature, approves the application, and issues a certificate.

4. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory
navigation service, and notifies the entity that the certificate is successfully issued.

5. The entity retrieves the certificate. With the certificate, the entity can communicate with other
entities safely through encryption and digital signature.

6. The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the
request, updates the CRLs and publishes the CRLs on the LDAP server.

Configuring PKI
Configuration task list
The system supports the following PKI certificate request modes:

Manual: In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair,
and submit a local certificate request for an entity.

Auto: In auto mode, an entity automatically requests a certificate through the Simple Certification
Enrollment Protocol (SCEP, a dedicated protocol for an entity to communicate with a CA) when it
has no local certificate or the present certificate is about to expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.

Requesting a certificate manually


Table 184 Configuration task list for requesting a certificate manually

Task: Remarks

Creating a PKI entity: Required. Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant to the CA certificate issue policy. Otherwise, the certificate request might be rejected.

Creating a PKI domain: Required. Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

Generating an RSA key pair: Required. Generate a local RSA key pair. By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
IMPORTANT:
If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.

Retrieving the CA certificate: Required. Certificate retrieval serves the following purposes:
- Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count,
- Prepare for certificate verification.
IMPORTANT:
If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This will avoid possible mismatch between certificates and registration information resulting from relevant changes. To retrieve the CA certificate, you need to remove the CA certificate and local certificate first.

Requesting a local certificate: Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.
A certificate request can be submitted to a CA in online mode or offline mode.
- In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
- In offline mode, you need to retrieve the local certificate by an out-of-band means.
IMPORTANT:
If a local certificate already exists, you cannot perform the local certificate retrieval operation. This will avoid possible mismatch between the local certificate and registration information resulting from relevant changes. To retrieve a new local certificate, you need to remove the CA certificate and local certificate first.

Destroying the RSA key pair: Optional. Destroy the existing RSA key pair and the corresponding local certificate.
If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing RSA key pair. Otherwise, the retrieving operation will fail.

Retrieving and displaying a certificate: Optional. Retrieve an existing certificate and display its contents.
IMPORTANT:
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

Retrieving and displaying a CRL: Optional. Retrieve a CRL and display its contents.

Requesting a certificate automatically


Table 185 Configuration task list for requesting a certificate automatically
Task: Creating a PKI entity
Remarks: Required
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity,
where the identity information is identified by an entity distinguished name (DN). A CA
identifies a certificate applicant by entity.
The identity settings of an entity must be compliant to the CA certificate issue policy.
Otherwise, the certificate request might be rejected.

Task: Creating a PKI domain
Remarks: Required
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity needs to be configured with some
enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like
IKE and SSL, and has only local significance.

Task: Destroying the RSA key pair
Remarks: Optional
Destroy the existing RSA key pair and the corresponding local certificate.
If the certificate to be retrieved contains an RSA key pair, you need to destroy the
existing RSA key pair. Otherwise, the retrieving operation will fail.

Task: Retrieving and displaying a certificate
Remarks: Optional
Retrieve an existing certificate and display its contents.
IMPORTANT:
- Before retrieving a local certificate in online mode, be sure to complete LDAP server
  configuration.
- If a PKI domain already has a CA certificate, you cannot retrieve another CA
  certificate for it. This restriction is in order to avoid inconsistency between the
  certificate and registration information due to related configuration changes. To
  retrieve a new CA certificate, delete the existing CA certificate and local certificate
  first.

Task: Retrieving and displaying a CRL
Remarks: Optional
Retrieve a CRL and display its contents.

Creating a PKI entity


Select Certificate Management > Entity from the navigation tree to enter the page displaying existing PKI
entities, as shown in Figure 400. Then, click Add to enter the PKI entity configuration page, as shown in
Figure 401.


Figure 400 PKI entities

Figure 401 Create a PKI entity

Table 186 PKI entity configuration items


Item: Entity Name
Description: Type the name for the PKI entity.

Item: Common Name
Description: Type the common name for the entity.

Item: IP Address
Description: Type the IP address of the entity.

Item: FQDN
Description: Type the fully qualified domain name (FQDN) for the entity.
An FQDN is a unique identifier of an entity on the network. It consists of a host name and
a domain name and can be resolved to an IP address. For example,
www.whatever.com is an FQDN, where www indicates the host name and
whatever.com the domain name.

Item: Country/Region Code
Description: Type the country or region code for the entity.

Item: State
Description: Type the state or province for the entity.

Item: Locality
Description: Type the locality for the entity.

Item: Organization
Description: Type the organization name for the entity.

Item: Organization Unit
Description: Type the unit name for the entity.

Return to Configuration task list for requesting a certificate manually.


Return to Configuration task list for requesting a certificate automatically.

Creating a PKI domain


Select Certificate Management > Domain from the navigation tree to enter the page displaying existing
PKI domains, as shown in Figure 402. Then, click Add to enter the PKI domain configuration page, as
shown in Figure 403.
Figure 402 PKI domains

Figure 403 Create a PKI domain

Table 187 PKI domain configuration items


Item: Domain Name
Description: Type the name for the PKI domain.

Item: CA Identifier
Description: Type the identifier of the trusted CA.
An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility
of certificate registration, distribution, revocation, and query.
IMPORTANT:
- In offline mode, this item is optional. In other modes, this item is required.
- The CA identifier is used only when you retrieve a CA certificate. It is not used when
  you retrieve a local certificate.

Item: Entity Name
Description: Select the local PKI entity.
When submitting a certificate request to a CA, an entity needs to show its identity
information.
Available PKI entities are those that have been configured.

Item: Institution
Description: Select the authority for certificate request.
- CA: Indicates that the entity requests a certificate from a CA.
- RA: Indicates that the entity requests a certificate from an RA.
Generally, an independent RA is in charge of certificate request management. It receives
the registration request from an entity, checks its qualification, and determines whether to
ask the CA to sign a digital certificate. The RA only checks the application qualification
of an entity; it does not issue any certificate. Sometimes, the registration management
function is provided by the CA, in which case no independent RA is required. H3C
recommends that you deploy an independent RA.

Item: Requesting URL
Description: Type the URL of the RA.
The entity will submit the certificate request to the server at this URL through the SCEP
protocol. The SCEP protocol is intended for communication between an entity and an
authentication authority.
IMPORTANT:
- In offline mode, this item is optional. In other modes, this item is required.
- Currently, this item does not support domain name resolution.

Item: LDAP IP, Port, Version
Description: Type the IP address, port number, and version of the LDAP server.
An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you
need to configure the IP address of the LDAP server.

Item: Request Mode
Description: Select the online certificate request mode, which can be auto or manual.

Item: Password Encrypt, Password
Description: Type the password for certificate revocation and specify whether to display the
password in cipher text when the certificate request mode is set to Auto.

Item: Fingerprint Hash, Fingerprint
Description: Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the
root certificate, namely, the hash value of the root certificate content. This hash value is
unique to every certificate. If the fingerprint of the root certificate does not match the one
configured for the PKI domain, the entity will reject the root certificate.
- If you specify MD5 as the hash algorithm, type an MD5 fingerprint. The fingerprint
  must be a string of 32 characters in hexadecimal notation.
- If you specify SHA1 as the hash algorithm, type an SHA1 fingerprint. The fingerprint
  must be a string of 40 characters in hexadecimal notation.
- If you do not specify the fingerprint hash, do not type any fingerprint. The entity will not
  verify the CA root certificate, and you yourself must ensure that the CA server is
  trusted.
IMPORTANT:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you
specify the certificate request mode as Manual, you can leave the fingerprint settings null. If
you do not configure the fingerprint, the entity will not verify the CA root certificate and you
yourself must ensure that the CA server is trusted.

Item: Polling Count, Polling Interval
Description: Set the polling interval and attempt limit for querying the certificate request status.
After an entity makes a certificate request, the CA might need a long period of time if it
verifies the certificate request in manual mode. During this period, the applicant needs to
query the status of the request periodically to get the certificate as soon as possible after
the certificate is signed.

Item: Enable CRL Checking
Description: Select this box to specify that CRL checking is required during certificate verification.

Item: CRL Update Period
Description: Type the CRL update period, that is, the interval at which the PKI entity downloads the
latest CRLs.
This item is available when the Enable CRL Checking check box is selected.
By default, the CRL update period depends on the next update field in the CRL file.
IMPORTANT:
The manually configured CRL update period takes precedence over that specified in the CRL
file.

Item: CRL URL
Description: Type the URL of the CRL distribution point.
This item is available when the Enable CRL Checking check box is selected.
When the URL of the CRL distribution point is not set, you should acquire the CA
certificate and a local certificate, and then acquire a CRL through SCEP.
IMPORTANT:
Currently, this item does not support domain name resolution.

Return to Configuration task list for requesting a certificate manually.


Return to Configuration task list for requesting a certificate automatically.
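The fingerprint and URL rules stated for the PKI domain items can be checked before the values are typed into the Web interface. The following is an added example, not part of the H3C guide or its software: it assumes the fingerprint is the MD5 or SHA1 hash of the DER-encoded root certificate (the usual convention), and the function names, dictionary keys and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import urlsplit

# Hash algorithms offered by the Fingerprint Hash item, with the hex length
# the guide requires for each (MD5: 32 characters, SHA1: 40 characters).
HASHES = {"MD5": (hashlib.md5, 32), "SHA1": (hashlib.sha1, 40)}

# Constructed sample, NOT a real certificate: arbitrary bytes standing in for
# the DER encoding of a CA root certificate received out of band.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def normalize_fingerprint(text, algorithm):
    """Strip colons and spaces, then enforce the length for the chosen hash."""
    name = algorithm.upper()
    if name not in HASHES:
        raise ValueError(f"unsupported fingerprint hash: {algorithm}")
    digits = re.sub(r"[\s:]", "", text).lower()
    want = HASHES[name][1]
    if len(digits) != want or re.fullmatch(r"[0-9a-f]+", digits) is None:
        raise ValueError(f"{name} fingerprint must be {want} hexadecimal characters")
    return digits


def fingerprint(der, algorithm):
    """Hash the certificate bytes with the configured algorithm."""
    return HASHES[algorithm.upper()][0](der).hexdigest()


def root_cert_matches(pem, configured, algorithm):
    """True only if the certificate hashes to the configured fingerprint."""
    expected = normalize_fingerprint(configured, algorithm)
    return hmac.compare_digest(expected, fingerprint(pem_to_der(pem), algorithm))


def lint_pki_domain(domain):
    """Check planned PKI domain values against the rules stated in Table 187."""
    problems = []
    algorithm = domain.get("fingerprint_hash")
    value = domain.get("fingerprint")
    if not algorithm or not value:
        if domain.get("request_mode") == "Auto":
            problems.append("fingerprint must be configured when Request Mode is Auto")
        else:
            problems.append("no fingerprint: the CA root certificate will not be verified")
    else:
        try:
            normalize_fingerprint(value, algorithm)
        except ValueError as exc:
            problems.append(str(exc))
    # Requesting URL and CRL URL do not support domain name resolution.
    for key in ("requesting_url", "crl_url"):
        url = domain.get(key)
        if not url:
            continue
        host = urlsplit(url).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{key}: host {host!r} is not an IP address")
    return problems
```

Of the two hash algorithms the item offers, SHA1 is the stronger choice. The value returned by normalize_fingerprint is the plain hexadecimal string to type into the Fingerprint field.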

Generating an RSA key pair


Select Certificate Management > Certificate from the navigation tree to enter the page displaying
existing PKI certificates, as shown in Figure 404. Then, click Create Key to enter RSA key pair
configuration page, as shown in Figure 405.
Figure 404 PKI certificates

Figure 405 Generate an RSA key pair

Table 188 Configuration items for generating an RSA key pair


Item: Key Length
Description: Type the length of the RSA keys.

Return to Configuration task list for requesting a certificate manually.

Destroying the RSA key pair


Select Certificate Management > Certificate from the navigation tree to enter the page displaying
existing PKI certificates, as shown in Figure 404.
Click Destroy Key to enter RSA key pair destruction page, as shown in Figure 406. Then, click Apply to
destroy the existing RSA key pair and the corresponding local certificate.
Figure 406 Destroy an RSA key pair

Return to Configuration task list for requesting a certificate manually.


Return to Configuration task list for requesting a certificate automatically.

Retrieving and displaying a certificate


You can download an existing CA certificate or local certificate from the CA server and save it locally.
To do so, you can use offline mode or online mode. In offline mode, you need to retrieve a certificate by
an out-of-band means like FTP, disk, email and then import it into the local PKI system.
Select Certificate Management > Certificate from the navigation tree to enter the page displaying
existing PKI certificates, as shown in Figure 404. Then click Retrieve Cert to enter PKI certificate retrieval
page, as shown in Figure 407.


Figure 407 Retrieve a certificate

Table 189 Configuration items for retrieving a PKI certificate


Item: Domain Name
Description: Select the PKI domain for the certificate.

Item: Certificate Type
Description: Select the type of the certificate to be retrieved, which can be CA or local.

Item: Enable Offline Mode
Description: Select this check box to retrieve a certificate in offline mode (that is, by an out-of-band
means like FTP, disk, or email) and then import the certificate into the local PKI system.

Item: Get File From Device, Get File From PC
Description: Specify the path and name of the certificate file.
- If the certificate file is saved on the device, select Get File From Device and then
  specify the path of the file on the device.
- If the certificate file is saved on a local PC, select Get File From PC and then specify the
  path to the file and select the partition of the device for saving the file.

Item: Password
Description: Enter the password for protecting the private key, which was specified when the
certificate was exported.

After retrieving a certificate, you can click View Cert corresponding to the certificate from the PKI
certificates list to display the contents of the certificate, as shown in Figure 408.


Figure 408 Display certificate information

Return to Configuration task list for requesting a certificate manually.


Return to Configuration task list for requesting a certificate automatically.

Requesting a local certificate


Select Certificate Management > Certificate from the navigation tree to enter the page displaying
existing PKI certificates, as shown in Figure 404. Then click Request Cert to enter the local certificate
request page, as shown in Figure 409.
Figure 409 Request a certificate

Table 190 Configuration items for requesting a local certificate


Item: Domain Name
Description: Select the PKI domain for the certificate.

Item: Password
Description: Type the password for certificate revocation.

Item: Enable Offline Mode
Description: Select this check box to request a certificate in offline mode, that is, by an out-of-band
means like FTP, disk, or email.
If you cannot request a certificate from the CA through the SCEP protocol, you can enable
the offline mode. In this case, after clicking Apply, the offline certificate request
information page appears, as shown in Figure 410. Submit the information to the CA to
request a local certificate.

Figure 410 Offline certificate request information

Return to Configuration task list for requesting a certificate manually.

Retrieving and displaying a CRL


Select Certificate Management > CRL from the navigation tree to enter the page displaying CRLs, as
shown in Figure 411.
Figure 411 CRLs

Click Retrieve CRL to retrieve the CRL of a domain.

Then, click View CRL for the domain to display the contents of the CRL.


Figure 412 Display CRL information

Return to Configuration task list for requesting a certificate manually.


Return to Configuration task list for requesting a certificate automatically.

PKI configuration examples


Configuring a PKI entity to request a certificate from a CA (method I)
Network requirements
As shown in Figure 413, configure the router to work as the PKI entity, so that:

The router submits a local certificate request to the CA server, which runs Windows Server 2003.

The router acquires CRLs for certificate verification.


Figure 413 Network diagram for configuring a PKI entity to request a certificate from a CA

Configuration procedure
1. Configure the CA server

# Install the CA server component.


From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove
Windows Components. Then in the pop-up dialog box, select Certificate Services and click Next to begin
the installation.
# Install the SCEP add-on.
Because a CA server running Windows 2003 server operating system does not support SCEP by default,
be sure to install the SCEP add-on to provide the router with automatic certificate registration and retrieval.
After the add-on is installed, a prompt dialog box appears, displaying the URL of the registration server
configured on the router.
# Modify the certificate service properties.
From the start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server
and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to
the RA. Right-click CA server and select Properties from the shortcut menu, and select the Policy Module
tab in the CA server Properties dialog box. Select the option of Follow the settings in the certificate
template, if applicable. Otherwise, automatically issue the certificate. Then click OK.
# Modify the IIS attributes.
From the start menu, select Control Panel > Administrative Tools > Internet Information Services (IIS)
Manager and then select Web Sites from the navigation tree. Right-click Default Web Site and select
Properties. Then select the Home Directory tab. Specify the path for certificate service in the Local path
text box. To avoid conflicts with existing services, change the TCP port number to an unused one on the
Web Site tab.
After the configuration, make sure that the system clocks of the router and the CA are
synchronized, so that the router can request certificates correctly.

2. Configure the router

# Create a PKI entity

Select Certificate Management > Entity from the navigation tree and then click Add to perform the
configurations shown in Figure 414.


Figure 414 Add a PKI entity

Type aaa as the PKI entity name.

Type router as the common name.

Click Apply.

# Create a PKI domain.

Select Certificate Management > Domain from the navigation tree and then click Add to perform
the configurations shown in Figure 415.

Figure 415 Add a PKI domain

Type torsa as the PKI domain name.

Type CA server as the CA identifier.

Select aaa as the local entity.

Select RA as the authority for certificate request.

Type http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request. The URL must
be in the format of http://host:port/certsrv/mscep/mscep.dll, where host and port are the host
address and port number of the CA server.

Select Manual as the certificate request mode.



Click Apply. When the system displays "Fingerprint of the root certificate not specified. No root
certificate validation will occur. Continue?", click OK to confirm.

# Generate an RSA key pair.

Select Certificate Management > Certificate from the navigation tree and then click Create Key to
perform the configurations shown in Figure 416.

Figure 416 Generate an RSA key pair

Click Apply to generate an RSA key pair.

# Retrieve the CA certificate.

Select Certificate Management > Certificate from the navigation tree and then click Retrieve Cert to
perform the configurations shown in Figure 417.

Figure 417 Retrieve the CA certificate

Select torsa as the PKI domain.

Select CA as the certificate type.

Click Apply.


# Request a local certificate.

Select Certificate Management > Certificate from the navigation tree and then click Request Cert to
perform the configurations shown in Figure 418.

Figure 418 Request a certificate

Select torsa as the PKI domain.

Select Password and then type challenge-word as the password.

Click Apply. When the system displays Certificate request has been submitted, click OK to
confirm.

Verify the configuration


After the configuration, select Certificate Management > Certificate from the navigation tree, and then
click View Cert corresponding to the certificate of PKI domain torsa to view the certificate information.
You can also click View Cert corresponding to the CA certificate of PKI domain torsa to view the CA
certificate information.

Configuring a PKI entity to request a certificate from a CA (method II)
Network requirements
Configure the router working as the PKI entity, so that:

The router submits a local certificate request to the CA server, which runs the RSA Keon software.

The router acquires CRLs for certificate verification.

Figure 419 Diagram for configuring a PKI entity to request a certificate from a CA


Configuration procedure
1. Configure the CA server

# Create a CA server named myca.


In this example, you first need to configure the basic attributes of Nickname and Subject DN on the CA
server:

Nickname: Name of the trusted CA

Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU),
Organization (O), and Country (C)

The other attributes might use the default values.


# Configure extended attributes
After configuring the basic attributes, you need to perform configuration on the Jurisdiction
Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the
SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior
After completing the configuration, you need to perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After the configuration, make sure that the system clock of the router is synchronous to that of the CA, so
that the router can request certificates and retrieve CRLs properly.
2. Configure the router

# Create a PKI entity.

Select Certificate Management > Entity from the navigation tree, and then click Add to perform the
configurations shown in Figure 420.

Figure 420 Add a PKI entity

Type aaa as the PKI entity name.



Type router as the common name.

Click Apply.

# Create a PKI domain.

Select Certificate Management > Domain from the navigation tree, and then click Add to perform
the configurations shown in Figure 421.

Figure 421 Add a PKI domain

Type torsa as the PKI domain name.

Type myca as the CA identifier.

Select aaa as the local entity.

Select CA as the authority for certificate request.

Type http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for
certificate request. The URL must be in the format of http://host:port/Issuing Jurisdiction ID, where
Issuing Jurisdiction ID is the hexadecimal string generated on the CA.

Select Manual as the certificate request mode.

Click the expansion button before Advanced Configuration to display the advanced configuration
items.

Select the Enable CRL Checking check box.

Type http://4.4.4.133:447/myca.crl as the CRL URL.

Click Apply. When the system displays "Fingerprint of the root certificate not specified. No root
certificate validation will occur. Continue?", click OK to confirm.

# Generate an RSA key pair.

Select Certificate Management > Certificate from the navigation tree, and then click Create Key to
perform the configurations shown in Figure 422.


Figure 422 Generate an RSA key pair

Click Apply to generate an RSA key pair.

# Retrieve the CA certificate.


Select Certificate Management > Certificate from the navigation tree, and then click Retrieve Cert to
perform the configurations shown in Figure 423.


Figure 423 Retrieve the CA certificate

Select torsa as the PKI domain.

Select CA as the certificate type.

Click Apply.

# Request a local certificate.

Select Certificate Management > Certificate from the navigation tree, and then click Request Cert to
perform the configurations shown in Figure 424.


Figure 424 Request a certificate

Select torsa as the PKI domain.

Select Password and then type challenge-word as the password.

Click Apply. When the system displays Certificate request has been submitted, click OK to
confirm.

# Retrieve the CRL.

After retrieving a local certificate, select Certificate Management > CRL from the navigation tree.

Figure 425 Retrieve CRL

Click Retrieve CRL of the PKI domain of torsa.

Verify the configuration


After the configuration, select Certificate Management > Certificate from the navigation tree to view
detailed information about the retrieved CA certificate and local certificate, or select Certificate
Management > CRL from the navigation tree to view detailed information about the retrieved CRL.


Applying RSA digital signature in IKE negotiation


Network requirements

An IPsec tunnel is set up between Router A and Router B to secure the traffic between Host A on
subnet 10.1.1.0/24 and Host B on subnet 11.1.1.0/24.

Router A and Router B use IKE for IPsec tunnel negotiation and RSA digital signature of a PKI
certificate system for identity authentication.

As shown in Figure 426, Router A and Router B use different CAs. They might also use the same CA
as required.

Figure 426 Diagram for applying RSA digital signature in IKE negotiation
PKI certificate system:
CA 1: 1.1.1.101/32, RA 1: 1.1.1.100/32, LDAP 1: 1.1.1.102/32
CA 2: 2.1.1.101/32, RA 2: 2.1.1.100/32, LDAP 2: 2.1.1.102/32
Router A: Eth0/1 10.1.1.1/24, Eth0/2 2.2.2.1/24
Router B: Eth0/1 11.1.1.1/24, Eth0/2 3.3.3.1/24
Host A: 10.1.1.2/24
Host B: 11.1.1.2/24
Internet: between Router A (Eth0/2) and Router B (Eth0/2)

Configuration procedure
1. Configure Router A

# Create a PKI entity.

Select Certificate Management > Entity from the navigation tree, and then click Add to perform the
configurations shown in Figure 427.


Figure 427 Add a PKI entity

Type en as the PKI entity name.

Type router-a as the common name.

Type 2.2.2.1 as the IP address of the entity.

Click Apply.

# Create a PKI domain. (The RA URL given here is just an example. Configure the RA URL as required.)

Select Certificate Management > Domain from the navigation tree, and then click Add to perform
the configurations shown in Figure 428.

Figure 428 Add a PKI domain

Type 1 as the PKI domain name.

Type CA1 as the CA identifier.

Select en as the local entity.



Select RA as the authority for certificate request.

Type http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request. (The RA URL
given here is just an example. Configure the RA URL as required.)

Type 1.1.1.102 as the IP address of the LDAP server, 389 as the port number, and select 2 as the
version number.

Select Manual as the certificate request mode.

Click the expansion button before Advanced Configuration to display the advanced configuration
items.

Select the Enable CRL Checking check box.

Type ldap://1.1.1.102 as the URL for CRLs.

Click Apply. When the system displays "Fingerprint of the root certificate not specified. No root
certificate validation will occur. Continue?", click OK to confirm.

# Generate an RSA key pair.

Select Certificate Management > Certificate from the navigation tree, and then click Create Key to
perform the configurations shown in Figure 429.

Figure 429 Generate an RSA key pair

Click Apply to generate an RSA key pair.

# Retrieve the CA certificate.

Select Certificate Management > Certificate from the navigation tree, and then click Retrieve Cert to
perform the configurations shown in Figure 430.


Figure 430 Retrieve the CA certificate

Select 1 as the PKI domain.

Select CA as the certificate type.

Click Apply.

# Request a local certificate.

Select Certificate Management > Certificate from the navigation tree, and then click Request Cert to
perform the configurations shown in Figure 431.

Figure 431 Request a certificate

Select 1 as the PKI domain.

Click Apply. When the system displays Certificate request has been submitted, click OK to
confirm.

# Add an IPsec connection.

Select VPN > IPsec VPN from the navigation tree, and then click Add to perform the configurations
shown in Figure 432.


Figure 432 Add an IPsec connection

Type con as the IPsec connection name.

Select Ethernet0/2 as the gateway interface.

Type 3.3.3.1 as the remote gateway IP address.

Select Certificate as the authentication method, and select CN=router-a for the certificate.

Select Characteristics of Traffic as the selector type.

Type 11.1.1.0/0.0.0.255 as the source IP address/wildcard.

Type 10.1.1.0/0.0.0.255 as the destination IP address/wildcard.

Click Apply.
2. Configure Router B (The configuration pages for Router B are similar to those of Router A, and are
thus omitted.)

# Create a PKI entity.

Select Certificate Management > Entity from the navigation tree, and then click Add.

Type en as the PKI entity name.

Type router-b as the common name.

Type 3.3.3.1 as the IP address of the entity.

Click Apply.

# Create a PKI domain.



Select Certificate Management > Domain from the navigation tree, and then click Add.

Type 1 as the PKI domain name.

Type CA2 as the CA identifier.

Select en as the local entity.

Select RA as the authority for certificate request.

Type http://2.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request. (The RA URL given
here is just an example. Configure the RA URL as required.)

Type 2.1.1.102 as the IP address of the LDAP server, 389 as the port number, and select 2 as the
version number.

Select Manual as the certificate request mode.

Click the expansion button before Advanced Configuration to display the advanced configuration
items.

Select the Enable CRL Checking check box.

Type ldap://2.1.1.102 as the URL for CRLs.

Click Apply. When the system displays "Fingerprint of the root certificate not specified. No root
certificate validation will occur. Continue?", click OK to confirm.

# Generate an RSA key pair.

Select Certificate Management > Certificate from the navigation tree, and then click Create Key.

Click Apply to generate an RSA key pair.

# Retrieve the CA certificate.

Select Certificate Management > Certificate from the navigation tree, and then click Retrieve Cert.

Select 1 as the PKI domain.

Select CA as the certificate type.

Click Apply.

# Request a local certificate.

Select Certificate Management > Certificate from the navigation tree, and then click Request Cert.

Select 1 as the PKI domain.

Click Apply. When the system displays Certificate request has been submitted, click OK to
confirm.

# Add an IPsec connection.

Select VPN > IPsec VPN from the navigation tree, and then click Add.

Type con as the IPsec connection name.

Select Ethernet0/2 as the gateway interface.

Type 2.2.2.1 as the remote gateway IP address.

Select Certificate as the authentication method, and select CN=router-b for the certificate.

Select Characteristics of Traffic as the selector type.

Type 10.1.1.0/0.0.0.255 as the source IP address/wildcard.

Type 11.1.1.0/0.0.0.255 as the destination IP address/wildcard.

Click Apply.

Configuration guidelines
When you configure PKI, note the following guidelines:
1. Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of
certificates will be abnormal.

2. The Windows 2000 CA server has some restrictions on the data length of a certificate request. If
the PKI entity identity information in a certificate request goes beyond a certain limit, the server will
not respond to the certificate request.

3. The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need
to specify RA as the authority for certificate request when configuring the PKI domain.

4. The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you
need to specify CA as the authority for certificate request when configuring the PKI domain.


System management
System management allows you to perform the following operations:

Configuration management

Reboot

Service management

User management

System time

TR-069 configuration

Software upgrade (for the MSR 900/MSR 20-1X series)

Software upgrade (for the MSR 20/30/50 series)

Configuration management
Save
The save configuration module provides the following two functions:

Saving the current configuration to the configuration file to be used at the next startup (including
the .cfg and .xml files).

Saving the current configuration as the factory default configuration, and the name of the
configuration file is init.cfg.

CAUTION:
Besides the following methods, the web management interface allows you to click the button on
the right of the title area to quickly save the configuration.

Saving the configuration takes a period of time.

The system does not support the operation of saving the configuration by two or more consecutive
users. If such a case occurs, the system prompts the latter users to try later.
When you save the current configuration on a distributed device, the standby main board (SMB) does
not save the .xml configuration file. To ensure the synchronization between the active main board (AMB)
and the SMB, you need to copy this file to the SMB.
Select System Management > Configuration from the navigation tree to enter the save configuration
page, as shown in Figure 433.


Figure 433 Save configuration page

To save the current configuration to the configuration file to be used at the next startup, click Save
Current Settings.

To save the current configuration to both the configuration file to be used at the next startup and the
factory default configuration file, click Save As Factory-Default Settings.

Initialize
Initialization means to clear the current configuration file, and then restart the device with the factory
default configuration.
Select System Management > Configuration from the navigation tree, and click the Initialize tab to enter
the initialize configuration page, as shown in Figure 434.
Figure 434 Initialize

To restore the factory defaults, click Restore Factory-Default Settings.

Backing up configuration
Configuration file backup allows you to:
View the configuration file for next startup (including .cfg and .xml files).
Back up the configuration file for next startup (including .cfg and .xml files) to the PC of the current user.
Select System > Maintenance > Backup from the navigation tree, and click Backup to enter the
configuration file backup configuration page, as shown in Figure 435.

Figure 435 Configuration file backup page

When you click the upper Backup button in this figure, a file download dialog box appears. You
can select to view the .cfg file or to save the file locally.

When you click the lower Backup button in this figure, a file download dialog box appears. You
can select to view the .xml file or to save the file locally.

Restoring configuration
Configuration restoration allows you to:

Upload the .cfg file on the host of the current user to the device for the next startup

Upload the .xml file on the host of the current user to the device for the next startup, and delete the
previous .xml configuration file that was used for the next startup
Select System > Maintenance > Restore from the navigation tree, and click Restore to enter the restoring
configuration file page, as shown in Figure 436.
Figure 436 Restoring configuration file page

When you click the upper Browse button in this figure, the file upload dialog box appears. You can
select the .cfg file to be uploaded, and then click Apply.

When you click the lower Browse button in this figure, the file upload dialog box appears. You can
select the .xml file to be uploaded, and then click Apply.


Backing up and restoring device files through the USB port


The files needed in device running, such as startup files and configuration files, are stored in the storage
medium of the device. To facilitate management of the files on the device, the device provides the fast
backup and restoration function.

Fast backup: It allows you to back up files on the device to the destination device through a universal
serial bus (USB) port.

Fast restoration: It allows you to transfer files from the device where the files are backed up to the
local device through a USB port. What's more, the system allows you to choose whether to specify
the startup file or configuration file to be restored as the main startup file or configuration file of the
device.

NOTE:
The storage medium of a device has many types, such as flash cards, CF cards, and so on. The storage
medium type used by the device depends on the device model.
Select System Management > Configuration from the navigation tree, and click the Backup and Restore
tab to enter the fast backup and restoration page, as shown in Figure 437.
Figure 437 Back up and restore device files through the USB port

In the Device File(s) area, select the files to be backed up, and click the Backup button to back up the
selected files to the destination device.

In the USB File(s) area, select the files to be restored, and click the Restore button to transfer the
selected files to the device through the USB port.
CAUTION:
At a time, you can restore multiple files, but only one startup file or configuration file can be
included in these files for restoration.

Reboot
CAUTION:
Before rebooting the device, save the configuration; otherwise, all unsaved configuration will be lost after
reboot. After the device reboots, you need to re-log in to the Web interface.
Select System Management > Reboot from the navigation tree to enter the device reboot configuration
page, as shown in Figure 438. Click Apply to reboot the device.
Figure 438 Device reboot page

You can choose to check whether the current configuration has been saved to the configuration file to be
used at the next startup as needed.

If you select the Check whether the current configuration is saved in the next startup configuration
file option, the system will check the configuration before rebooting the device. If the check
succeeds, the system will reboot the device; if the check fails, the system will pop up a dialog box
to tell you that the current configuration and the saved configuration are inconsistent, and will not
reboot the device. In this case, you need to save the current configuration manually before you can
reboot the device.

If you do not select the option, the system will reboot the device directly.

Service management
Overview
The service management module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS.
You can enable or disable the services as needed, which improves the performance and security of the
system and allows secure management of the device.


The service management module also provides the function to modify HTTP and HTTPS port numbers,
and the function to associate the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks by
illegal users on these services.

FTP service
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client
over a TCP/IP network.

Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal
functions on the network.

SSH service
Secure Shell (SSH) offers an approach to securely logging in to a remote device. By encryption and
strong authentication, it protects devices against attacks such as IP spoofing and plain text password
interception.

SFTP service
The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to
provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to
the SFTP server for secure file management and transfer. The device can also serve as an SFTP client,
enabling a user to log in from the device to a remote device for secure file transfer.

HTTP service
The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet.
It is an application-layer protocol in the TCP/IP protocol suite.
You can log in to the device by using the HTTP protocol with HTTP service enabled, accessing and
controlling the device with Web-based network management.

HTTPS service
Secure HTTP (HTTPS) refers to the HTTP protocol that supports the Secure Sockets Layer (SSL)
protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:

Uses the SSL protocol to ensure that legal clients can access the device securely and that illegal
clients are denied access.

Encrypts the data exchanged between the HTTPS client and the device to ensure data security
and integrity, thus realizing secure management of the device.

Defines a certificate attribute-based access control policy for the device to control the access rights of
clients, in order to further avoid attacks from illegal clients.

Configuring service management


Select System Management > Service Management from the navigation tree to enter the service
management configuration page, as shown in Figure 439.


Figure 439 Service management

Table 191 Service management configuration items

Item: FTP, Enable FTP service
Description: Specify whether to enable the FTP service. The FTP service is disabled by default.

Item: FTP, ACL
Description: Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the FTP service. You can view this configuration item by clicking the expanding button in front of FTP.

Item: Telnet, Enable Telnet service
Description: Specify whether to enable the Telnet service. The Telnet service is disabled by default.

Item: SSH, Enable SSH service
Description: Specify whether to enable the SSH service. The SSH service is disabled by default.

Item: SFTP, Enable SFTP service
Description: Specify whether to enable the SFTP service. The SFTP service is disabled by default.
IMPORTANT: When you enable the SFTP service, the SSH service must be enabled.

Item: HTTP, Enable HTTP service
Description: Specify whether to enable the HTTP service. The HTTP service is disabled by default.

Item: HTTP, Port Number
Description: Set the port number for HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP.
IMPORTANT: When you modify a port, ensure that the port is not used by another service.

Item: HTTP, ACL
Description: Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP.

Item: HTTPS, Enable HTTPS service
Description: Specify whether to enable the HTTPS service. The HTTPS service is disabled by default.

Item: HTTPS, Port Number
Description: Set the port number for HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS.
IMPORTANT: When you modify a port, ensure that the port is not used by another service.

Item: HTTPS, ACL
Description: Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS.

Item: HTTPS, Certificate
Description: Set the local certificate for the HTTPS service. What is displayed in the drop-down list is the subject of the certificate. You can configure the available certificates by selecting Certificate Management from the navigation tree. For more information, see the chapter Certificate management.
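One way to check a backed-up .cfg file against the rules in Table 191, as an added example that is not H3C code: it flags cleartext management services, ACL-capable services with no ACL, SFTP enabled without SSH, and an HTTP/HTTPS port clash. The command spellings (telnet server enable, ip http acl, and so on) are assumptions about the CLI text stored in the .cfg file, and both sample configurations are constructed; confirm the spellings against a file exported from your own device.

```python
import re

# Assumed spellings of the Table 191 settings as they would appear in a .cfg
# file. They are not taken from this guide; verify them on your own device.
ENABLE_CMDS = {
    "ftp server enable": "FTP",
    "telnet server enable": "Telnet",
    "ssh server enable": "SSH",
    "sftp server enable": "SFTP",
    "ip http enable": "HTTP",
    "ip https enable": "HTTPS",
}
ACL_RE = re.compile(r"^(ftp server|ip http|ip https) acl (\d+)$")
PORT_RE = re.compile(r"^ip (http|https) port (\d+)$")
ACL_OWNER = {"ftp server": "FTP", "ip http": "HTTP", "ip https": "HTTPS"}
CLEARTEXT = ("FTP", "Telnet", "HTTP")       # no transport encryption
ACL_CAPABLE = ("FTP", "HTTP", "HTTPS")      # services Table 191 gives an ACL item
DEFAULT_PORTS = {"HTTP": 80, "HTTPS": 443}

# Constructed sample: a permissive configuration.
SAMPLE_CFG = """\
#
 sysname MSR-constructed
#
 telnet server enable
 ftp server enable
 sftp server enable
 ip http enable
 ip http port 8443
 ip https enable
 ip https port 8443
 ip https acl 2000
#
"""

# Constructed sample: only encrypted services, HTTPS restricted by an ACL.
HARDENED_CFG = """\
#
 ssh server enable
 sftp server enable
 ip https enable
 ip https acl 2000
#
"""


def parse_services(cfg_text):
    """Collect enabled services, associated ACLs and HTTP/HTTPS ports."""
    state = {"enabled": set(), "acl": {}, "port": dict(DEFAULT_PORTS)}
    for raw in cfg_text.splitlines():
        line = " ".join(raw.split())          # normalise indentation and spacing
        if not line or line.startswith("#"):
            continue
        if line in ENABLE_CMDS:               # exact match, so "undo ..." is ignored
            state["enabled"].add(ENABLE_CMDS[line])
            continue
        m = ACL_RE.match(line)
        if m:
            state["acl"][ACL_OWNER[m.group(1)]] = int(m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            state["port"][m.group(1).upper()] = int(m.group(2))
    return state


def audit(cfg_text):
    """Return a list of (service, finding) tuples; an empty list means no findings."""
    s = parse_services(cfg_text)
    enabled = s["enabled"]
    findings = []
    for svc in CLEARTEXT:
        if svc in enabled:
            findings.append((svc, "cleartext service enabled"))
    for svc in ACL_CAPABLE:
        if svc in enabled and svc not in s["acl"]:
            findings.append((svc, "no ACL associated"))
    if "SFTP" in enabled and "SSH" not in enabled:
        findings.append(("SFTP", "enabled without SSH"))
    if {"HTTP", "HTTPS"} <= enabled and s["port"]["HTTP"] == s["port"]["HTTPS"]:
        findings.append(("HTTP", "same port as HTTPS"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_CFG):
        print(f"{service}: {finding}")
```
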

User management
The user management module provides these three functions:

Create a local user, and set the password, access level, and service type for the user.

Set the super password for switching the current Web user access level to the management level

Switch the current Web user access level to the management level.

Creating a user
Select System Management > Users from the navigation tree, and click the Create User tab to enter the
page for creating local users, as shown in Figure 440.
Figure 440 Create a user


Table 192 Configuration items for creating a user

Item: Username
Description: Set the username for a user.

Item: Access Level
Description: Set the access level for a user, so that users of different levels can perform different operations. Ranging from low to high, Web user levels are as follows:
Visitor: Users of this level can use the network diagnostic tools ping and trace route. They can neither access the device data nor configure the device.
Monitor: Users of this level can only access the device data but cannot configure the device.
Configure: Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete users, modify users, or back up/restore the application file.
Management: Users of this level can perform any operations for the device.
IMPORTANT: Only the web, FTP, and Telnet users support the access level setting.

Item: Password
Description: Set the password for a user.

Item: Confirm Password
Description: Input the same password again. Otherwise, the system prompts that the two passwords input are not consistent when you apply the configuration.

Item: Service
Description: Set the service type, including web, FTP, Telnet, and PPP services. You must select at least one of them.

Setting the super password for switching to the management level

In this part, users of the management level can specify the password for a lower-level user to switch from
the current access level to the management level. If no such password is configured, the switchover will
fail.
Select System Management > Users from the navigation tree, and click the Super Password tab to enter
the super password configuration page, as shown in Figure 441.
Figure 441 Super password configuration page


Table 193 Super password configuration items

Item: Create/Remove
Description: Set the operation type:
Create: Configure or modify the super password.
Remove: Remove the current super password.

Item: Password
Description: Set the password for a user to switch to the management level.

Item: Confirm Password
Description: Input the same password again. Otherwise, the system prompts that the two passwords input are not consistent when you apply the configuration.

Switching the user access level to the management level


This function is provided for a user to switch the current user level to the management level. Note the
following:

Before switching, make sure that the super password is already configured. A user cannot switch to
the management level without a super password.

The access level switchover of a user is valid for the current login only. The access level configured
for the user is not changed. When the user re-logs in to the Web interface, the access level of the
user is still the original level.

Log in to the Web interface, and then select System Management > Users from the navigation tree, and
click the Switch to Management tab to enter the access level switching page, as shown in Figure 442.
Then, type the super password and click Login.
Figure 442 Access level switching page

System time
You need to configure a correct system time so that the device can work with other devices properly.
The device supports setting system time through manual configuration and automatic synchronization of
NTP server time.
An administrator cannot keep time synchronized among all the devices within a network by
changing the system clock on each device, because the workload is huge and the clock precision
cannot be guaranteed. NTP, however, allows quick clock synchronization within the entire
network and ensures a high clock precision.
Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed
time servers and clients. NTP runs over the User Datagram Protocol (UDP), using UDP port 123.
The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within
the network so that the devices can provide diverse applications based on the consistent time.


Setting the system time


Select System Management > System Time from the navigation tree, and you will enter the System Time
tab, as shown in Figure 443. On the upper part of the interface, the current system time is displayed. On
the lower part of the interface, you can set the system time.
Figure 443 System time configuration page

Table 194 System time configuration items

Item: Automatic Synchronization (NTP Server 1, NTP Server 2)
Description: Enable clock automatic synchronization with an NTP server. You can specify two NTP servers by inputting their IP addresses. NTP Server 1 is the primary and NTP Server 2 is the secondary.
IMPORTANT:
With automatic synchronization configured, the device periodically synchronizes its time with the NTP server. If the synchronization fails, the system uses the manually configured time; after the synchronization recovers, the system uses the synchronized time.
The IP address of an NTP server is a host address, and cannot be a broadcast or a multicast address, or the IP address of the local clock.

Item: Manual Setup
Description: Set the system time manually. You can type the system date and time in the text box, or select the date and time in the calendar as follows:
Click Today. The date in the calendar becomes the local date, and the time in the calendar does not change.
Select the year, month, date, and time, and then click OK.


Figure 444 Calendar page

Setting the time zone of the system


Select System Management > System Time from the navigation tree, and click the Time Zone tab to enter
page as shown in Figure 445 to set the time zone of the system.
Figure 445 Time zone

TR-069 configuration
The TR-069 protocol is a technical specification initiated and developed by the Digital Subscriber Line
(DSL) Forum. It defines the general framework, message format, management method, and data model for the
management and configuration of home network devices in the next-generation network.
TR-069 is mainly applied to DSL access networks. In a DSL access network, user devices are large in
number and are usually deployed separately at the customer premise, which makes device management and
maintenance hard to perform. TR-069 is designed to solve this problem through remote central
management of the Customer Premise Equipment (CPE) by an Auto-Configuration Server (ACS).


TR-069 network framework


Figure 446 Network diagram for TR-069

The basic network elements of TR-069 are:

ACS: Auto-Configuration Server, which is the management device in the network.

CPE: Customer Premise Equipment, which is the managed device in the network.

DNS server: Domain Name System server. TR-069 defines that an ACS and a CPE use URLs to
identify and access each other. DNS is used to resolve the URLs.

DHCP server: Dynamic Host Configuration Protocol server, which assigns an IP address to an ACS
and a CPE, and uses the options field in the DHCP packet to provide configuration parameters to
the CPE.

The device is a CPE and uses TR-069 to communicate with an ACS.

Basic functions of TR-069


Auto connection between ACS and CPE
A CPE can connect to an ACS automatically by sending an Inform message. The following conditions
may trigger an auto connection:

CPE startup. A CPE can find the corresponding ACS according to the acquired URL, and initiates a
connection to the ACS.

A CPE is configured to send Inform messages periodically. The CPE will automatically send an
Inform message at the configured interval (1 hour for example) to establish connections.

A CPE is configured to send Inform messages at a specific time. The CPE will automatically send an
Inform message at the configured time to establish a connection.

The current session is not finished but interrupted abnormally. In this case, if the number of CPE
auto-connection retries does not reach the limit, the CPE will automatically establish a connection.

An ACS can initiate a Connect Request to a CPE at any time, and can establish a connection with the
CPE after passing the CPE authentication.
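The triggers listed above appear on the wire as event codes inside the Inform message. The following added example (not code from this guide) parses a constructed Inform envelope as an ACS would and maps its event codes and retry counter back to those triggers. The element names and event-code strings come from the TR-069 specification rather than from this guide, and the device values are made up.

```python
import xml.etree.ElementTree as ET

SOAP_NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/"}

# Event codes defined by the TR-069 specification, mapped to the triggers in
# this section. Any other code is reported as "other".
TRIGGERS = {
    "1 BOOT": "CPE startup",
    "2 PERIODIC": "periodic Inform",
    "6 CONNECTION REQUEST": "Connect Request from the ACS",
}

# Constructed sample Inform; every value below is invented for illustration.
SAMPLE_INFORM = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleVendor</Manufacturer>
        <OUI>000000</OUI>
        <ProductClass>ExampleRouter</ProductClass>
        <SerialNumber>CONSTRUCTED0001</SerialNumber>
      </DeviceId>
      <Event>
        <EventStruct><EventCode>1 BOOT</EventCode><CommandKey/></EventStruct>
        <EventStruct><EventCode>2 PERIODIC</EventCode><CommandKey/></EventStruct>
      </Event>
      <MaxEnvelopes>1</MaxEnvelopes>
      <CurrentTime>2011-08-19T00:00:00Z</CurrentTime>
      <RetryCount>2</RetryCount>
      <ParameterList/>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>
"""


def parse_inform(xml_text):
    """Extract device identity, triggers and retry state from an Inform."""
    # ElementTree is adequate for this constructed sample; an ACS that parses
    # input from untrusted CPEs should use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", SOAP_NS)
    children = [] if body is None else list(body)
    # The cwmp namespace URI differs between protocol versions, so match the
    # message by its local element name instead of a fixed namespace.
    inform = next((el for el in children if el.tag.endswith("}Inform")), None)
    if inform is None:
        raise ValueError("SOAP body carries no Inform message")

    dev = inform.find("DeviceId")
    device = {} if dev is None else {c.tag: (c.text or "").strip() for c in dev}
    events = [(e.text or "").strip()
              for e in inform.findall("Event/EventStruct/EventCode")]
    retry_text = (inform.findtext("RetryCount") or "0").strip()
    retry = int(retry_text) if retry_text.isdigit() else 0

    return {
        "device": device,
        "events": events,
        "triggers": [TRIGGERS.get(code, "other") for code in events],
        "retry_count": retry,
        # A non-zero counter means an earlier session attempt did not complete.
        "session_retry": retry > 0,
    }


if __name__ == "__main__":
    info = parse_inform(SAMPLE_INFORM)
    print(info["device"]["SerialNumber"], info["triggers"], info["retry_count"])
```
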

Auto-configuration
When a CPE logs in to an ACS, the ACS can automatically apply some configurations to the CPE to
perform auto configuration of the CPE. Auto-configurable parameters supported by the device include
(but are not confined to) the following:

Configuration file (ConfigFile)



ACS address (URL)

ACS username (Username)

ACS password (Password)

Inform message auto sending flag (PeriodicInformEnable)

Inform message auto sending interval (PeriodicInformInterval)

Inform message auto sending time (PeriodicInformTime)

CPE username (ConnectionRequestUsername)

CPE password (ConnectionRequestPassword)

CPE system boot file and configuration file management


The administrator can store important files such as the system boot file and configuration file on an ACS.
If the ACS finds that a file is updated, it will notify the CPE to download the file by sending a request.
After the CPE receives the request, it can automatically download the file from the specified file server
according to the filename and download address provided in the ACS request. After the CPE downloads
the file, it will check the file validity and then report the download result (succeeded or failed) to the ACS.
The device does not support file download using digital signature.
The device supports downloading the following types of files: system boot file and configuration file.
To back up important data, a CPE can upload the current configuration file to the specified server
as required by an ACS. The device supports uploading only the vendor configuration file
and log file.

CPE status and performance monitoring


An ACS can monitor the parameters of the CPE connected to it. Different CPE have different
performances and functionalities. Therefore the ACS must be able to identify each CPE and monitor the
current configuration and the configuration changes of each CPE. TR-069 also allows the administrator
to define monitor parameters and get the parameters through an ACS, so as to get the CPE status and
statistics information.
The status and performance that can be monitored by an ACS include: manufacturer name
(Manufacturer), manufacturer identification (ManufacturerOUI), serial number (SerialNumber), hardware
version (HardwareVersion), software version (SoftwareVersion), device status (DeviceStatus), up time
(UpTime), configuration file, ACS address, ACS username, ACS password, PeriodicInformEnable,
PeriodicInformInterval, PeriodicInformTime, CPE address, CPE username, and CPE password.
NOTE:
For the TR-069 mechanism, see the H3C MSR Series Routers Network Management and Monitoring Configuration Guide.

TR-069 configuration
The TR-069 parameters of CPE can be configured automatically through ACS remote management, and
also can be configured manually through Web, which is described in detail in this section.
Select System Management > TR-069 from the navigation tree to enter the TR-069 configuration page, as
shown in Figure 447.


Figure 447 TR-069 configuration page

Table 195 TR-069 configuration items

Item: TR-069
Description: Enable or disable TR-069. TR-069 configurations can take effect only after you enable TR-069.

Item: ACS, URL
Description: Configure the URL used by a CPE to initiate a connection to the ACS.

Item: ACS, Username
Description: Configure the username used by a CPE to initiate a connection to the ACS.

Item: ACS, Password
Description: Configure the password used by a CPE to initiate a connection to the ACS. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same.

Item: CPE, Username
Description: Configure the username used by the CPE to authenticate the connection sent from the ACS.

Item: CPE, Password
Description: Configure the password used by the CPE to authenticate the connection sent from the ACS. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same.

Item: Sending Inform
Description: Enable or disable the CPE's periodical sending of Inform messages.

Item: Interval
Description: Configure the interval between sending the Inform messages.

Item: CPE Interface
Description: Set the CPE connection interface. The CPE sends inform packets carrying the IP address of this interface to make the ACS establish a connection with the CPE using this IP address.

Configuration guidelines

TR-069 configuration through ACS is of higher priority than that through Web. You cannot use a
configuration mode to modify parameters configured through a configuration mode with a higher
priority.


To remove the configuration of a parameter, select the check box of the parameter, clear the value
you input, and click Apply.

Software upgrade (for the MSR 900/MSR 20-1X series)
A boot file, also known as the system software or device software, is an application file used to boot the
device. Software upgrade allows you to obtain a target application file from the current host and set the
file as the boot file to be used at the next boot. In addition, you can select to reboot the device
immediately after the above operations to make the upgraded software effective.

Upgrading software
CAUTION:
Software upgrade takes a period of time. During software upgrade, do not perform any operation on the
Web interface; otherwise, software upgrade may be interrupted.
Select System Management > Software Upgrade from the navigation tree to enter the software upgrade
configuration page, as shown in Figure 448.
Figure 448 Software upgrade configuration page

Table 196 Software upgrade configuration items

Item: File
Description: Specify the filename of the local application file, which must be suffixed with the .app or .bin extension.
IMPORTANT: The filename is main.bin when the file is saved on the device.

Item: Reboot after the upgrading finished
Description: Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.


Software upgrade (for the MSR 20/30/50 series)


Software upgrade allows you to obtain a target application file from the current host and set the file as
the main boot file or backup boot file to be used at the next boot.
A boot file, also known as the system software or device software, is an application file used to boot the
device. A main boot file is used to boot a device and a backup boot file is used to boot a device only
when the main boot file is unavailable.

Upgrading software
CAUTION:
Software upgrade takes a period of time. During software upgrade, do not perform any operation on the
Web interface; otherwise, software upgrade may be interrupted.
Select System Management > Software Upgrade from the navigation tree to enter the software upgrade
configuration page, as shown in Figure 449.
Figure 449 Software upgrade configuration page

Table 197 Software upgrade configuration items

Item: File
Description: Specify the filename of the local application file, which must be suffixed with the .app or .bin extension.

Item: File Type
Description: Specify the type of the boot file for the next boot:
Main
Backup

Item: If a file with same name already exists, overwrite it without any prompt
Description: Specify whether to overwrite the file with the same name. If you do not select the option, when a file with the same name exists, the system prompts The file has existed., and you cannot perform the upgrade operation.

Item: Reboot after the upgrading finished
Description: Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.


SNMP (lite version)


NOTE:
Only the MSR 900/20-1X series routers support this function.
For the MSR 20/30/50 series routers, see the chapter SNMP.
You can configure the SNMP agent function on the web interface.

SNMP overview
The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a
network management station (NMS) to access and operate the devices (SNMP agents) on a network,
regardless of their vendors, physical characteristics and interconnect technologies.
SNMP enables network administrators to read and set the variables on managed devices to monitor their
operating and health state, diagnose network problems, and collect statistics for management purposes.
H3C SNMP agents support three SNMP versions: SNMPv1, SNMPv2c, and SNMPv3.

SNMPv1 uses password authentication to control access to SNMP agents. SNMPv1 passwords fall
into read only passwords and read and write passwords.
A read password enables reading data from an SNMP agent.
A read and write password enables reading data and setting variables on an SNMP agent.

SNMPv2c also uses password authentication for SNMP agent access control. It is compatible with
SNMPv1, but supports more operation modes, data types, and error codes.

SNMPv3 uses a user-based security model (USM) to secure SNMP communication. You can
configure authentication and privacy mechanisms to authenticate access and encrypt SNMP
packets for integrity, authenticity, and confidentiality.

IMPORTANT:
An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
NOTE:
For more information about SNMP, see the H3C MSR Series Routers Network Management and Monitoring Configuration Guide.

SNMP agent configuration


Select System Management > SNMP from the navigation tree to access the SNMP configuration page.


Figure 450 SNMP configuration page

Table 198 SNMP agent configuration items

Item: SNMP
Description: Enable or disable the SNMP agent.
IMPORTANT: When you disable the SNMP agent, all SNMP agent settings are removed.

Item: SNMP Version
Description: Select the SNMP version run by the system.
IMPORTANT: Set the same SNMP version as on the NMS.

Item: Contact Information
Description: Type contact information for the device.

Item: Sysname
Description: Set the system name of the device. The configured system name appears at the top of the navigation tree.

Item: Device Location
Description: Type the physical location of the device.

Item: Security Username
Description: Set the SNMP security username when SNMPv3 is used.
IMPORTANT: Set the same security username on the NMS.

Item: Authentication Password
Description: Set the authentication password when the SNMP version is selected as SNMPv3.
IMPORTANT:
Set the same authentication password on the NMS.
The authentication protocol on the agent is MD5. Set MD5 as the authentication protocol on the NMS.

Item: Privacy Password
Description: Set the privacy password when the SNMP version is selected as SNMPv3.
IMPORTANT:
Set the same privacy password on the NMS.
The privacy protocol on the agent is DES56. Set DES56 as the privacy protocol on the NMS.

Item: Read Password
Description: When the SNMP version is SNMPv1 & v2, set the read-only password with which the NMS can perform only read operation to the agent.
IMPORTANT: Set the same read password on the NMS.

Item: Read & Write Password
Description: When the SNMP version is SNMPv1 & v2, set the read and write password with which the NMS can perform both read and write operations to the agent.
IMPORTANT: Set the same read and write password on the NMS.

Item: Trap Password
Description: When the SNMP version is SNMPv1 & v2, set the authentication password with which the agent can send traps to the NMS. The trap password must be the same with either the read password or the read & write password. The trap password defaults to the security username and is not configurable when the SNMP version is SNMPv3.

Item: Trusted Host
Description: Set the trusted IP address of the agent. If the trusted host is specified, only the NMS with the specified source IP address can access the agent. If no trusted host is specified, there is no IP-address-based access control to the NMS.

Item: Trap Target Host
Description: Set the IP address of the target host of SNMP traps.

SNMP configuration example


SNMPv1/SNMPv2c configuration example
Network requirements
The SNMP agent (1.1.1.1/24) connects to an NMS (1.1.1.2/24) over Ethernet, as shown in Figure 451.
The NMS uses SNMPv1 or SNMPv2c to monitor and manage the SNMP agent, and the SNMP agent
reports errors and failures to the NMS.

Figure 451 Network diagram for SNMPv1 or SNMPv2c configuration (Agent 1.1.1.1/24, NMS 1.1.1.2/24)

Configuration procedure
1. Configure the SNMP agent.

Select System Management > SNMP from the navigation tree, and configure SNMP as shown in
Figure 452.

Figure 452 Configure the SNMP agent

Select the Enable option for SNMP.

Select the SNMPv1 & v2 option for SNMP Version.

Type a read password, a read and write password, and a trap password.

Type the IP address of the trap destination, 1.1.1.2 in this example, in the Trap Target Host
Address/Domain text box.

Click Apply.

2. Configure the SNMP NMS.

NOTE:
The SNMP settings on the NMS and the agent must match.
Set the same SNMP version, read password, and read and write password as on the SNMP agent.


Configuration verification

Check that the NMS and the SNMP agent can set up SNMP sessions, and the NMS can query and
set MIB variables on the SNMP agent.

Execute the shutdown and undo shutdown commands on an idle interface on the SNMP agent,
and check that the NMS can receive linkUp and linkDown traps.

SNMPv3 configuration example


Network requirements
The SNMP agent (1.1.1.1/24) connects to an NMS (1.1.1.2/24) over Ethernet, as shown in Figure 453.
The NMS uses SNMPv3 to monitor and manage the interface status of the SNMP agent. The SNMP
agent reports errors and failures to the NMS, and the NMS uses UDP port 5000 for SNMP traps.
The NMS and the SNMP agent perform authentication when they set up an SNMP session, and encrypt
SNMP packets between them. The authentication key is authkey and the privacy key prikey.
Figure 453 Network diagram for SNMPv3 configuration

Configuration procedure
1. Configure the SNMP agent.

Select System Management > SNMP from the navigation tree, and configure SNMP settings as
shown in Figure 454.


Figure 454 Configure the SNMP agent.

Select the Enable option for SNMP.

Select the SNMPv3 option for SNMP Version.

Type a username in the Security Username text box.

Type authkey in the Authentication Password text box.

Type prikey in the Privacy Password text box.

Type 1.1.1.2 in the text box of Trusted Host.

Type 1.1.1.2 in the text box of Trap Target Host.

Click Apply.

2. Configure the SNMP NMS.

NOTE:
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
the corresponding operations.
SNMPv3 adopts a security mechanism of authentication and privacy. You need to configure the security
username, authentication protocol, authentication password, privacy protocol, privacy password, and so
on.
You also need to configure the aging time and retry times. After the above configurations, you can
configure the device as needed through the NMS. For more information about NMS configuration, see
the manual provided for the NMS.

Configuration verification

After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can get and configure the values of some parameters on the agent through MIB nodes.

Disable or enable an idle interface on the device, and the NMS receives the corresponding trap.

Syslog
The web interface allows you to perform the following operations:

Displaying syslogs

Setting the loghost

Setting buffer capacity and refresh interval

System logs contain a large amount of network and device information, including running status and
configuration changes. System logs are an important way for network administrators to monitor network
and device running status. With system log information, network administrators can find network or
security problems, and take corresponding actions against them.
The system supports five information output destinations, including the console, monitor terminal
(terminal of users logged in through the AUX, VTY, or TTY user interface), log buffer, log host, and web
interface.

Configuring syslog
Displaying syslogs
The web interface provides rich search and sorting functions, and you can easily view system logs
through the web interface. Select Other > Syslog from the navigation tree to enter the syslog display page,
as shown in Figure 455.

Figure 455 Syslog display page

TIP:
To clear all the system logs in the log cache of the web interface, click Reset.
To refresh the system logs displayed on the web page, click Refresh.
To make the syslog display page refresh automatically, set the refresh interval on the syslog configuration
page. For more information, see Setting buffer capacity and refresh interval.
Table 199 Syslog display items
| Item | Description |
| --- | --- |
| Time/Date | Displays the time/date when system logs are generated. |
| Source | Displays the module that generates system logs. |
| Level | Displays the severity level of system logs. System logs are classified into eight levels by severity. The severity levels in the descending order are emergency, alert, critical, error, warning, notification, informational, and debugging. Emergency: The system is unavailable. Alert: Information that demands prompt reaction. Critical: Critical information. Error: Error information. Warning: Warnings. Notification: Normal information that needs to be noticed. Informational: Informational information to be recorded. Debugging: Information generated during the debugging. |
| Digest | Displays the summary of system logs. |
| Description | Displays the contents of system logs. |

Setting the loghost


To send system logs to the specified log host, set the log host information on the web interface. You can
specify up to four loghosts.
Select Other > Syslog from the navigation tree, and click the Loghost tab to enter the loghost
configuration page, as shown in Figure 456.
Figure 456 Loghost configuration page

Table 200 Loghost configuration items
| Item | Description |
| --- | --- |
| IPv4/Domain, Loghost IP/Domain | Set the IPv4 address or domain name of the loghost. |
| IPv6, Loghost IP | Set the IPv6 address of the loghost. |
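Once a loghost is set, the logs arrive there as text lines that carry the fields of Table 199. The following Python example is added here and is not part of the H3C guide: it parses such lines into those fields and checks that the severity in the syslog PRI header agrees with the level in the message body. The line layout (<PRI>timestamp sysname %%vvMODULE/level/DIGEST(l): text), the module and digest names, and the sample lines are assumptions constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Severity names in the order given in Table 199; index = numeric level (0 is most severe).
SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notification", "informational", "debugging")

# Assumed loghost line layout (not taken from the guide):
#   <PRI>Mon DD HH:MM:SS YYYY sysname %%vvMODULE/level/DIGEST(l): description
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) "
    r"%%\d{2}(?P<source>[A-Z0-9_]+)/(?P<level>[0-7])/(?P<digest>[A-Z0-9_]+)"
    r"(?:\([a-z]\))?: ?(?P<description>.*)$"
)


class LogRecord(NamedTuple):
    time: str            # Table 199: Time/Date
    source: str          # Table 199: Source (module)
    level: str           # Table 199: Level
    digest: str          # Table 199: Digest
    description: str     # Table 199: Description
    host: str
    facility: int
    pri_consistent: bool  # False when the PRI severity disagrees with the body level


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord, or None when the line does not fit the assumed layout."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    pri = int(match.group("pri"))
    if pri > 191:  # PRI = facility * 8 + severity, facility 0-23, severity 0-7
        return None
    facility, pri_severity = divmod(pri, 8)
    body_severity = int(match.group("level"))
    return LogRecord(
        time=match.group("time"),
        source=match.group("source"),
        level=SEVERITIES[body_severity],
        digest=match.group("digest"),
        description=match.group("description"),
        host=match.group("host"),
        facility=facility,
        pri_consistent=(pri_severity == body_severity),
    )


def parse_lines(lines: Iterable[str]) -> Tuple[List[LogRecord], List[str]]:
    """Split input into parsed records and rejected (unparseable) lines."""
    records: List[LogRecord] = []
    rejected: List[str] = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            rejected.append(line)
        else:
            records.append(record)
    return records, rejected


def at_least(records: Iterable[LogRecord], threshold: str) -> List[LogRecord]:
    """Keep records whose level is the threshold or more severe."""
    limit = SEVERITIES.index(threshold)
    return [r for r in records if SEVERITIES.index(r.level) <= limit]


# Constructed sample input; the third line carries a PRI that contradicts its body level.
SAMPLE_LINES = [
    "<189>Aug 19 10:02:11 2011 MSR %%10SHELL/5/SHELL_LOGIN(l): admin logged in from 1.1.1.2",
    "<188>Aug 19 10:05:40 2011 MSR %%10IFNET/4/LINK_UPDOWN(l): Ethernet0/2 link status is DOWN",
    "<190>Aug 19 10:06:03 2011 MSR %%10CFGMAN/3/CFG_CHANGED(l): configuration changed",
    "Aug 19 10:07:00 not a device log line",
]

if __name__ == "__main__":
    records, rejected = parse_lines(SAMPLE_LINES)
    for r in at_least(records, "warning"):
        flag = "" if r.pri_consistent else "  [PRI/level mismatch]"
        print(f"{r.time} {r.source} {r.level} {r.digest}: {r.description}{flag}")
    print(f"{len(rejected)} line(s) rejected")
```

Rejected lines and PRI/level mismatches are worth keeping rather than dropping, because a loghost listening on the network can receive lines that did not come from the router.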

Setting buffer capacity and refresh interval


Select Other > Syslog from the navigation tree, and click the Log Setup tab to enter the syslog
configuration page, as shown in Figure 457.
Figure 457 Log setup

Table 201 Syslog configuration items
| Item | Description |
| --- | --- |
| Buffer Capacity | Set the number of logs that can be stored in the log buffer of the web interface. |
| Refresh Interval | Set the refresh interval of the log information displayed on the web interface. You can select manual refresh or automatic refresh. Manual: You need to click Refresh to refresh the web interface when displaying log information. Automatic: You can select to refresh the web interface every 1 minute, 5 minutes, or 10 minutes. |

Diagnostic tools
Overview
Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet
from source to destination. This function is useful for identification of failed node(s) in the event of a
network failure.
A trace route operation involves the following steps:
1. The source device sends a packet with a TTL value of 1 to the destination device.
2. The first hop (the Layer 3 device that first receives the packet) responds with a TTL-expired ICMP
message to the source. In this way, the source device can get the address of the first Layer 3
device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with a TTL-expired ICMP message, which gives the source device the
address of the second Layer 3 device.
5. The above process continues until the ultimate destination device is reached. In this way, the
source device can trace the addresses of all the Layer 3 devices involved to get to the destination
device.

You can trace route to an IP address or a host name. If the host name cannot be resolved, prompt
information is displayed on the source device.

Ping
You can use the ping function to check whether a device with a specified address is reachable, and to
examine network connectivity.
A successful execution of the ping command involves the following steps:
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source
device after receiving the ICMP echo request.
3. The source device displays related statistics after receiving the reply.

Output of the ping command falls into the following:

You can use the ping command to ping an IP address or a host name. If the host name is unknown,
the prompt information is displayed on the source device.

If the source device does not receive an ICMP echo reply within the timeout time, it displays the
prompt information and the statistics during the ping operation. If the source device receives an
ICMP echo reply within the timeout time, it displays the number of bytes of the echo reply, the
message sequence number, Time to Live (TTL), the response time, and the statistics during the ping
operation.

Statistics during the ping operation include number of packets sent, number of echo reply messages
received, percentage of messages not received, and the minimum, average, and maximum response
time.

Tools operations
Trace route operation
NOTE:
The trace route function of the Web interface does not support IPv6 addresses.
Before executing a trace route operation, execute the ip ttl-expires enable command on the
intermediate device to enable the sending of ICMP timeout packets, and execute the ip unreachables
enable command on the destination device to enable the sending of ICMP destination unreachable
packets.
Log in to the Web interface, and then select Other > Diagnostic Tools from the navigation tree to enter the
trace route operation page, as shown in Figure 458.
Figure 458 Trace route configuration page

Type in the destination IP address or host name, and click Start to execute the trace route command, and
you can see the result in the Summary box.
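The TTL-stepping procedure from the overview, together with the effect of the two commands named in the NOTE above, modeled as an added Python example (not from the H3C guide). It is a simulation over a constructed three-device path and sends no packets; the Device fields and addresses are assumptions, and it assumes the probes are packets that the destination answers with an ICMP destination unreachable message.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Device:
    address: str
    # Intermediate device: corresponds to "ip ttl-expires enable" in the NOTE.
    ttl_expires_enabled: bool = True
    # Destination device: corresponds to "ip unreachables enable" in the NOTE.
    unreachables_enabled: bool = True


# One probe result: (TTL used, responder address or None, ICMP message seen).
Probe = Tuple[int, Optional[str], str]


def trace_route(path: List[Device], max_ttl: int = 30) -> List[Probe]:
    """Simulate a trace toward path[-1]; path[:-1] are the intermediate devices."""
    if not path:
        return []
    results: List[Probe] = []
    destination_distance = len(path)
    for ttl in range(1, max_ttl + 1):
        if ttl < destination_distance:
            # The TTL runs out at intermediate device number `ttl`.
            hop = path[ttl - 1]
            if hop.ttl_expires_enabled:
                results.append((ttl, hop.address, "ttl-expired"))
            else:
                results.append((ttl, None, "timeout"))
            continue
        # The TTL is large enough for the probe to reach the destination.
        destination = path[-1]
        if destination.unreachables_enabled:
            results.append((ttl, destination.address, "destination-unreachable"))
            break  # the source now knows it has reached the end of the path
        results.append((ttl, None, "timeout"))
    return results


def render(results: List[Probe]) -> List[str]:
    """Format results the way trace output usually reads, '*' for a silent hop."""
    return [f"{ttl:2d}  {address if address else '*'}" for ttl, address, _ in results]


def constructed_path(middle_answers: bool = True, destination_answers: bool = True) -> List[Device]:
    """Constructed sample path: two intermediate devices and the destination."""
    return [
        Device("10.0.0.1"),
        Device("10.0.1.1", ttl_expires_enabled=middle_answers),
        Device("10.0.2.2", unreachables_enabled=destination_answers),
    ]


if __name__ == "__main__":
    for label, path in [
        ("all replies enabled", constructed_path()),
        ("second hop silent", constructed_path(middle_answers=False)),
        ("destination silent", constructed_path(destination_answers=False)),
    ]:
        print(label)
        print("\n".join(render(trace_route(path, max_ttl=6))))
```

A silent intermediate device costs one unnamed hop, while a silent destination makes the trace run to the maximum TTL without ever confirming that the destination was reached.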

Ping operation
NOTE:
The ping function of the Web interface does not support IPv6 addresses.

Select Other > Diagnostic Tools from the navigation tree, and click the Ping tab to enter the ping
operation page, as shown in Figure 459.
Figure 459 Ping configuration page

Type in the destination IP address or host name, and click Start to execute the ping command, and you
can see the result in the Summary box.

WiNet configuration
Overview
As networks expand, more access devices are deployed at network edges. Managing these devices is
a tedious and complicated job. In addition, although IP address resources are scarce,
a large number of public IP addresses are required because each device needs to be configured with an IP
address. The Wisdom Network (WiNet) technology helps you manage a large number of scattered
network devices centrally.
WiNet has the following benefits:

Saving public IP addresses

Integration: WiNet is integrated in network devices as a function, and requires no special network
management device.

Easy to deploy: To build a WiNet, you only need to select a management device and complete
simple configurations through web pages on the management device.

Low cost: No additional software is needed.

User-friendly interface: WiNet provides the web interface for interaction, which facilitates
operations and management, and requires no special network management staff.

Plug-and-play: Based on an H3C proprietary technology, WiNet displays the device in the network
topology once it is connected to the network through an Ethernet interface, and allows you to
perform corresponding operations.

Easy and quick deployment of security authentication: WiNet allows you to configure a RADIUS
server on an administrator device through simple web configuration and to configure interfaces of
member devices for security authentication through the administrator device.

According to the status and functions, devices are classified into three roles in WiNet.

Administrator: Refers to the device serving as the WiNet management device. In a WiNet, only the
administrator is configured with a public IP address. You need to specify only one administrator in
each WiNet to configure, manage, and monitor other devices. The administrator collects
information to discover and add candidates.

Member: Refers to a device managed by the administrator in the WiNet.

Candidate: Refers to a WiNet-capable device that has not been added to the WiNet yet; however,
the topology information of the candidate is already collected by the administrator.

Figure 460 Network diagram of a WiNet

Configuring WiNet
Enabling WiNet
To build a WiNet, configure a candidate as the administrator and configure WiNet on it.
Select WiNet from the navigation tree. When WiNet is disabled, a dialog box with the message "Only the
WiNet administrator supports the function" appears. Click OK to enter the Setup page, as shown in Figure 461.
You can build or close WiNet on the page.
Figure 461 WiNet setup page

Table 202 WiNet setup configuration items
| Item | Description |
| --- | --- |
| WiNet Name | Type a WiNet name. |
| Management VLAN | Type a management VLAN ID in the WiNet. You can type an existing static VLAN only. The management VLAN is used by WiNet packets for communication. It actually defines the WiNet management range and delivers the following functions: it isolates WiNet management packets from other packets, so that security is enhanced; it enables internal communication between the administrator, members, and candidates. WiNet management requires that the management VLAN traffic be permitted on the administrator's ports (including cascade ports, if any) connected to members, candidates, and the external network. |
| IP Pool (Administrator IP), Mask of IP Pool | Type an IP address and select a network mask for the administrator. After that, each WiNet member is assigned an IP address on the same subnet as the administrator. |

NOTE:
After a WiNet is built, you cannot configure items on the Setup page, and the Build WiNet button changes
to Close WiNet. To delete the WiNet, click the Close WiNet button.

Setting the background image for the WiNet topology diagram


The WiNet topology diagram is displayed in the WiNet Management page and uses a white
background by default. You can customize the background image by uploading a JPG or BMP image
(which is less than 0.5 MB).
Select WiNet from the navigation tree and then click the Setup tab to enter the configuration page as
shown in Figure 461.
To customize the background image, click Browse, locate the image you want to use, and click Upload.
To remove the customized background image, click Clear.

Managing WiNet
To manage WiNet members, make sure the port that connects your host to the administrator permits
packets of the management VLAN. Select WiNet from the navigation tree to enter the default WiNet
Management page as shown in Figure 462.

Figure 462 WiNet management page

On the WiNet Management page, you can perform these operations:


1. Set the refresh period for automatic refreshing of the WiNet topology diagram. Or you can select
Manual for Refresh Period and click Refresh to display the latest WiNet topology diagram.
2. Click Collect Topology. After that the administrator starts to collect topology information. Note that,
in addition to manual topology collection, the system automatically collects topology information
every minute.
3. Click Network Snapshot to save the current WiNet topology as the baseline topology. The
baseline topology is used to show changes in network topology at different time points.
4. Click Initialize Topology to clear the stored baseline topology and cookies.
5. Click Open AuthN Center to configure a RADIUS server for security authentication on the
administrator device. Then this button changes to Close AuthN Center and you can click the button
to remove the RADIUS server.
6. Drag the icon of a specific device in the WiNet topology and place it to a position as needed. If
the browser is configured to accept cookies, the latest position information of each device is stored
after you click Network Snapshot.
7. Double click a device on the WiNet topology map to show details about the device, including the
hostname, MAC address, device model, IP address, version, number of hops, and WiNet
information, as shown in Figure 463.

Figure 463 Device details

8. View the WiNet topology information, including the role of each device and connection status
between devices. The connection status can be:

Normal link: Indicates a connection existing in the baseline topology and the current topology.

New link: Indicates a connection not existing in the baseline topology but in the current topology.

Blocked loops: Indicate connections blocked by STP. Note that if a normal link is blocked, it is
displayed as a black broken line; if a new link is blocked, it is displayed as a blue broken line.

Down link: Indicates a connection existing in the baseline topology but not in the current topology.

9. Click a device in the topology diagram to view its panel diagram. You can manage the device as
follows:

NOTE:
Only MIM-FSW modules, MSR 30-11E routers, and MSR 30-11F routers support displaying of the device
panel, device renaming, and Layer 2 Portal authentication on interfaces.

Click Rename Device and enter a new system name for the device, as shown in Figure 464.

Figure 464 Rename a device

Select one or multiple Layer 2 Ethernet interfaces on the panel diagram of the device, and click Port
Guard to enable Layer 2 Portal authentication on the interfaces.

CAUTION:
You cannot enable Layer 2 Portal authentication on an interface that connects the management device to
a member/candidate device, connects the management device to an external network, or connects the
administrator to the management device.

If a member is selected, click Manage Device to log in to the web page of the member. You can
configure and manage the member through the web page. Note that the username and password
are required before you can log in to the member. If the current user and password are consistent
with those of the member, you can directly log in to the member.

If a member is selected, click Initialize to restore the configuration to factory defaults and restart the
member.

If a member is selected, click Reboot to restart the member.

Configuring a RADIUS user


Select WiNet from the navigation tree, and click the User Management tab to enter the page as shown
in Figure 465. Click Add to enter the page, as shown in Figure 466.
Figure 465 User management page

Figure 466 Add a user

Table 203 Configuration items for a RADIUS user
| Item | Description |
| --- | --- |
| Username | Type the name of the user. |
| Password, Confirm Password | Set a user password and confirm it. IMPORTANT: The leading spaces (if any) of a password will be omitted. |
| VLAN | Type an authorized VLAN ID for the user. IMPORTANT: If the access device does not support authorized VLANs, users with the authorized VLAN ID specified cannot pass authentication. |
| ACL | Type an authorized ACL number for the user. IMPORTANT: If the access device does not support authorized ACL properties, users with the authorized ACL specified cannot pass authentication. |
| Expire Time | Set the time when the user becomes invalid, in the format of HH:MM:SS-YYYY/MM/DD. A user whose system time is later than the preset expire time cannot pass authentication. |
| Description | Type the user information. |

WiNet configuration example


WiNet establishment configuration example
Network requirements
As shown in Figure 467, a WiNet comprises an administrator and two members.

The administrator is connected to the external network through Ethernet 0/1, and is connected to
the members through Ethernet 0/2 and Ethernet 0/3 respectively.

The WiNet management VLAN is VLAN 10.

The network interface of the administrator is VLAN-interface 10 with IP address 163.172.55.1/24.

Figure 467 Network diagram for WiNet configuration

Configuration procedure
1. Configure Device A and Device C

# Configure Ethernet 0/1 on each device to permit VLAN 10 traffic respectively. (Omitted)
2. Configure Device B

# Create VLAN 10 and VLAN-interface 10.

Select Interface Setup > LAN Interface Setup from the navigation tree to enter the default VLAN
Setup page, as shown in Figure 468.

Figure 468 Create VLAN 10 and VLAN-interface 10

Click on the Create radio button.

Type 10 for VLAN IDs.

Select the Create VLAN Interface checkbox.

Click Apply.

# Assign Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3 to VLAN 10.

Figure 469 Assign interfaces to VLAN 10

On the VLAN Setup page, select 10 in the VLAN Config field, as shown in Figure 469.

Select Ethernet0/1, Ethernet0/2, and Ethernet0/3 from the list.

Click Add. The configuration progress dialog box appears, as shown in Figure 470.

Figure 470 Configuration progress dialog box

After the configuration is complete, click Close.

# Configure the IP address of VLAN-interface 10.

Click the VLAN Interface Setup tab to enter the page, as shown in Figure 471.

Figure 471 Specify an IP address for VLAN-interface 10

Select 10 for VLAN ID.

Type 163.172.55.1 for IP Address.

Type 255.255.255.0 for Subnet Mask.

Click Apply.

# Enable WiNet.

Select WiNet from the navigation tree. When WiNet is disabled, a dialog box with the message "Only the
WiNet administrator supports the function" appears. Click OK to enter the Setup page, as shown in Figure
472.

Figure 472 Enable WiNet

Type WiNet for WiNet Name.

Click Advance Options.

Type 10 for Management VLAN.

Type 192.168.0.1 for IP Pool (Administrator IP).

Select 255.255.255.0 for Mask of IP Pool.

Click Build WiNet.

Verification
After the preceding configuration is complete, log in to Device B via Ethernet 0/1, select WiNet from the
navigation tree to enter the WiNet Management page. You can view a WiNet topology diagram
comprising an administrator (Device B) and two members (Device A and Device C), and manage the
devices, as shown in Figure 473.

Figure 473 WiNet topology diagram

WiNet-based RADIUS authentication configuration example


Network requirements
As shown in Figure 474, a WiNet comprises an administrator (Device B) and two members (Device A
and Device C). The client connects to Device A through Ethernet 0/2.
Deploy security authentication in the WiNet so that the client can access external networks after passing
authentication on Device B.

Figure 474 Network diagram for WiNet-based RADIUS authentication configuration

Configuration procedure
1. Establish a WiNet

See WiNet establishment configuration example for detailed configuration.


2. Configure WiNet-based RADIUS authentication

# Specify a RADIUS user.

Log in to Device B through Ethernet 0/1. Select WiNet from the navigation tree on Device B, click the
User Management tab, and then click Add to enter the page, as shown in Figure 475.

Figure 475 Configure WiNet-based RADIUS authentication

Type client for Username.

Type client_password for Password.

Type client_password for Confirm Password.

Click Apply.

# Set up a RADIUS server.


Figure 476 Set up a RADIUS server

As shown in Figure 476, click the WiNet Management tab.

Click Open AuthN Center.

# Enable Layer 2 Portal authentication on Ethernet 0/2 of Device A.

Figure 477 Enable Layer 2 Portal authentication on Ethernet 0/2 of Device A

As shown in Figure 477, click Device A on the topology diagram.

Click Ethernet 0/2 on the panel diagram.

Click Port Guard.

Configuration wizard
Overview
The configuration wizard guides you to establish a basic call, and configure local numbers and
connection properties.

Basic service setup


Entering the configuration wizard homepage
From the navigation tree, select Voice Management > Configuration Wizard to enter the configuration
wizard homepage, as shown in Figure 478.
Figure 478 Configuration wizard homepage

Selecting a country
In the wizard homepage, click Start to enter the country selection page, as shown in Figure 479.

Figure 479 Country selection page

Table 204 Configuration items
| Item | Description |
| --- | --- |
| Call Progress Tone Country Mode | Configure the device to play the call progress tones of a specified country or region. |

Configuring local numbers


In the country tone configuration page, click Next to enter the local number configuration page, as
shown in Figure 480.
Figure 480 Local number configuration page

Table 205 Configuration items
| Item | Description |
| --- | --- |
| Line | FXS voice subscriber lines. |
| Number | Local telephone numbers. |
| Username | Username used for the register authentication. |
| Password | Password used for the register authentication. |

Configuring connection properties


After finishing the local number configuration, click Next to enter the connection property configuration
page, as shown in Figure 481.
Figure 481 Connection property configuration page

Table 206 Configuration items
| Item | Description |
| --- | --- |
| Main Registrar Address | Address of the main registrar. It can be an IP address or a domain name. |
| Main Registrar Port Number | Port number of the main registrar. |
| Backup Registrar Address | Address of the backup registrar. It can be an IP address or a domain name. |
| Backup Registrar Port Number | Port number of the backup registrar. |
| Proxy Server Address | Address of the proxy server. It can be an IP address or a domain name. |
| Proxy Server Port Number | Port number of the proxy server. |

Finishing configuration wizard


After finishing the connection property configuration, click Finish to complete your configuration. Then the
page jumps to the local number list where you can view the configured local numbers and modify their
settings.

Local number and call route


The local number and call route parts contain basic settings, fax and Modem, call services and
advanced settings pages.

Basic settings
To implement a basic voice call, you need to complete local number and call route configurations.

Local number configuration includes setting a local telephone number and authentication
information used for registration.

Call route configuration includes setting a destination telephone number and call route type. You
can select either SIP routing or trunk routing as the call route type. SIP routing includes proxy server
mode, IP routing mode, and server group binding mode.

For more information about basic settings of local number and call route, see Basic settings.

Fax and Modem


After completing the VoIP configurations (that is, the basic settings of local number and call route), you
can make IP calls. Generally, if you connect the device to a fax machine or a Modem, you can send and
receive faxes with the default settings. In the fax and modem configuration page, you can adjust some
parameters according to your needs.
For more information about fax and Modem configuration, see Fax and Modem.

Call services
Call services provide various new functions on top of basic voice calls to meet the application
requirements of VoIP users.
For more information about call services configuration, see Call services.
Some call services require the involvement of a voice server. For the configuration of the voice server, see
the chapter Call connection configuration.

Advanced settings
The advanced settings include the following parts:

Coding parameters: This part includes the configuration of codec priorities and packet assembly
intervals. The voice codec affects the voice bandwidth and voice quality, and you need to select a
proper codec according to the actual network. The packet assembly interval depends on the
network bandwidth and network architecture, and affects codec delay time.

Others: This part includes the configuration of number selection priority, dial prefix, called number
sending mode, DTMF transmission mode, DSCP field value, and so on.

Basic settings
Introduction to basic settings
Local number
Local number configuration includes setting a local telephone number and authentication information
used for registration.

Call route
Call route configuration includes setting a destination telephone number and call route type. The call
route type can be either SIP routing or trunk routing.

SIP routing
SIP routing includes proxy server mode, IP routing mode, and server group binding mode. If you select
IP routing, the called parties can be found through static IP addresses or domain names. The network
diagram for IP routing mode is shown in Figure 482.
Figure 482 Network diagram for IP routing

Proxy server mode and server group binding mode need the SIP server to complete routing, as shown in
Figure 483.
Figure 483 Network diagram for proxy server/server group binding modes (SIP server, IP network, Router A, Router B)

Trunk routing
You can connect devices to the private branch exchanges (PBX) on the PSTN network through FXO, E&M,
VE1, VT1, and BSV trunk lines. Among them, VE1 and VT1 trunk routing enables the device to provide
more voice communication channels, and thus greatly increases device utilization and broadens the
service range.

See Configuring trunking mode calling for the configuration example of using trunk routing as the
call route type.

Basic settings
Configuring a local number
Select Voice Management > Local Number from the navigation tree, and click Add to enter the page
for creating a local number, as shown in Figure 484.
Figure 484 Local number configuration page

Table 207 Configuration items
| Item | Description |
| --- | --- |
| Number ID | Local number ID (1 to 9999) |
| Number | Local number |
| Bound Line | This drop-down list displays all FXS voice subscriber lines. Select a voice subscriber line to be bound with the local number. |
| Description | Description of the number |
| Register Function | Enable: After the Enable radio button is selected, the authentication related options can be configured. Disable. |
| Register Username | Username used for registration authentication |
| Register Password | Password used for registration authentication |
| Cnonce Name | Authentication information used for handshake authentication between the registrar and the SIP UA |
| Realm Name | Realm name used for handshake authentication between the registrar and SIP UA. IMPORTANT: If a realm name is configured on the SIP UA, ensure that it is the same as that configured on the registrar. Otherwise, the SIP UA will fail the authentication due to mismatch. If no realm name is configured on a SIP UA, the SIP UA will perform no realm name match and consider that the realm name configured on the registrar is trusted. |
| Status | Enable or disable the local number. |

CAUTION:
If it is necessary to configure authentication information for a local number, the same authentication
information is recommended for the same telephone number.
In the case of authentication, it is forbidden to modify the authentication information after the register
function is enabled because this operation may result in registration update failures.
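How the register username, password, realm and cnonce from Table 207 enter the registration handshake, as an added Python example that is not part of the H3C guide. It assumes the device uses standard SIP digest authentication (RFC 3261 with the RFC 2617 digest) and applies the realm rule stated in the table; the function names, the realm, the nonce, the URI and the password are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None,
                    nc: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    """RFC 2617 digest response; the password itself never crosses the wire."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def ua_answer_challenge(challenge: Dict[str, str], username: str, password: str,
                        uri: str, cnonce: str,
                        configured_realm: Optional[str] = None) -> Optional[Dict[str, str]]:
    """SIP UA side. Returns the credentials to send, or None when the realm check fails.

    Realm rule from Table 207: a configured realm must equal the registrar's realm;
    with no realm configured, the registrar's realm is trusted as is.
    """
    realm = challenge["realm"]
    if configured_realm is not None and configured_realm != realm:
        return None
    nc = "00000001"
    response = digest_response(username, realm, password, "REGISTER", uri,
                               challenge["nonce"], "auth", nc, cnonce)
    return {"username": username, "realm": realm, "nonce": challenge["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def registrar_verify(credentials: Optional[Dict[str, str]], realm: str, issued_nonce: str,
                     passwords: Dict[str, str]) -> bool:
    """Registrar side: recompute the digest from the stored password and compare."""
    if credentials is None:
        return False
    if credentials["realm"] != realm or credentials["nonce"] != issued_nonce:
        return False
    password = passwords.get(credentials["username"])
    if password is None:
        return False
    expected = digest_response(credentials["username"], realm, password, "REGISTER",
                               credentials["uri"], issued_nonce, credentials["qop"],
                               credentials["nc"], credentials["cnonce"])
    return hmac.compare_digest(expected, credentials["response"])


# Constructed sample values (not from the guide).
REALM = "voice.example"
NONCE = "3f2a9c0d51b74e66"
URI = "sip:registrar.example"
PASSWORDS = {"1111": "Reg-Pass-1111"}
CHALLENGE = {"realm": REALM, "nonce": NONCE}

if __name__ == "__main__":
    for configured in (REALM, None, "other.example"):
        creds = ua_answer_challenge(CHALLENGE, "1111", PASSWORDS["1111"], URI,
                                    "0a4f113b", configured_realm=configured)
        ok = registrar_verify(creds, REALM, NONCE, PASSWORDS)
        print(f"UA realm {configured!r}: registered={ok}")
```

With no realm configured, the UA computes a response for whatever realm the challenge names, which is why setting the realm on the UA narrows which registrar challenges it will answer.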

Configuring a call route


Select Voice Management > Call Route from the navigation tree and click Add to enter the page for
creating a call route, as shown in Figure 485.

Figure 485 Call route configuration page

Table 208 Configuration items
| Item | Description |
| --- | --- |
| Call Route ID | Type a call route ID (10000 to 19999). |
| Destination Number | Type the called telephone number. |
| Description | Type the description of the call route. |
| Call Route Type | Required to use one approach. |
| Call Route Type: SIP, Proxy Server | Use a SIP proxy server to complete calling. |
| Call Route Type: SIP, IP Routing | Use the SIP protocol to perform direct calling. If you select this radio button, you need to provide the destination address and port number. |
| Call Route Type: SIP, Binding Server Group | Select a server group from the Server Group drop-down list. You can add SIP server groups into the list in Voice Management > Call Connection > SIP Server Group Management. |
| Call Route Type: Trunk, Trunk Route Line | Select a trunk routing line from the drop-down list that displays all available voice subscriber lines. |
| Transport Layer Protocol for Call Route | Select one of the following transport layer protocols: UDP, TCP, TLS. By default, UDP is selected. |
| URL Scheme for Call Route | SIP: Specifies the SIP scheme. SIPS: Specifies the SIPS scheme. By default, the SIP scheme is selected. |
| Register Function | Enable: After the Enable radio button is selected, the authentication related options can be configured. Disable. IMPORTANT: The trunk routing mode supports register function. Authentication related options and their meanings are the same as those of local number and thus are omitted here. |
| Status | Enable or disable the call route. |

Configuration examples of local number and call route
Configuring direct calling for SIP UAs through the SIP protocol
(configuring static IP address)
Network requirements
As shown in Figure 486, Router A and Router B can directly call each other as SIP UAs using the SIP
protocol (configuring static IP addresses).
Figure 486 Network diagram for direct calling configuration

Configuration procedure
1. Configure Router A

# Create a local number.

Select Voice Management > Local Number from the navigation tree, and then click Add to enter the page
for creating a local number.
Figure 487 Create local number 1111

Type 1 for Number ID.

Type 1111 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Type Telephone A for Description.

Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to enter the page for
creating a call route.
Figure 488 Create call route 2222

Type 10000 for Call Route ID.

Type 2222 for Destination Number.

Select IP Routing for SIP Routing, and type 192.168.2.2 for Destination Address.

Click Apply.

2. Configure Router B

Select Voice Management > Local Number from the navigation tree, and then click Add to enter the page
for creating a local number.
Figure 489 Create local number 2222

Type 1 for Number ID.

Type 2222 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Type Telephone B for Description.

Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to enter the page for
creating a call route.
Figure 490 Create call route 1111

Type 10000 for Call Route ID.

Type 1111 for Destination Number.

Select IP Routing for SIP Routing, and type 192.168.2.1 for Destination Address.

Click Apply.

Configuration verification

After the above configuration, you can use telephone 1111 to call telephone 2222, or use telephone
2222 to call telephone 1111.

Select Voice Management > States and Statistics > Call Statistics from the navigation tree to enter
the Active Call Summary page, which displays the statistics of ongoing calls.

Configuring direct calling for SIP UAs through the SIP protocol
(configuring domain name)
Network requirements
As shown in Figure 491, acting as SIP UAs, Router A and Router B can first query destination addresses
through a DNS server and then make calls using the SIP protocol.
Figure 491 Network diagram for calling between SIP UAs through DNS

Configuration procedure
NOTE:
Before the following configurations, configure domain name resolution. For more information about DNS,
see the chapter DNS configuration.
1. Configure Router A

# Create a local number.


Select Voice Management > Local Number from the navigation tree, and then click Add to enter the page
for creating a local number.
Figure 492 Create local number 1111

Type 1 for Number ID.

Type 1111 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Type Telephone A for Description.

Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to enter the page for
creating a call route.
Figure 493 Create call route 2222

Type 10000 for Call Route ID.

Type 2222 for Destination Number.

Select IP Routing for SIP Routing, and type cc.news.com for Destination Address.

Click Apply.

2. Configure Router B

Select Voice Management > Local Number from the navigation tree, and then click Add to enter the page
for creating a local number.
Figure 494 Create local number 2222

Type 1 for Number ID.

Type 2222 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Type Telephone B for Description.

Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to enter the page for
creating a call route.
Figure 495 Create call route 1111

Type 10000 for Call Route ID.

Type 1111 for Destination Number.

Select IP Routing for SIP Routing, and type 192.168.2.1 for Destination Address.

Click Apply.

Configuration verification

After the above configuration, you can use telephone 1111 to call telephone 2222 by using the DNS
server to get the destination address, and you can use telephone 2222 to call telephone 1111 by
querying the static IP address of the called party.

Select Voice Management > States and Statistics > Call Statistics from the navigation tree to enter
the Active Call Summary page, which displays the statistics of ongoing calls.

Configuring proxy server involved calling for SIP UAs


Network requirements
As shown in Figure 496, Router A and Router B act as SIP UAs and SIP calls are made through a SIP
proxy server.
Figure 496 Network diagram for calling between SIP UAs through SIP server

[Figure 496 labels: Router A (Eth2/1 192.168.2.1/24; FXS 8/0 to Telephone A, 1111), Router B (Eth2/1 192.168.2.2/24; FXS 8/0 to Telephone B, 2222), SIP server (Eth2/1 192.168.2.3/24), Internet.]

Configuration procedure
1. Configure Router A

# Create a local number.


Select Voice Management > Local Number from the navigation tree, and then click Add to enter the page
for creating a local number.
Figure 497 Create local number 1111

Type 1 for Number ID.

Type 1111 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Type Telephone A for Description.

Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to enter the page for
creating a call route.
Figure 498 Create call route 2222

Type 10000 for Call Route ID.

Type 2222 for Destination Number.

Select SIP Routing for Call Route Type.

Select Proxy Server for SIP Routing.

Click Apply.

# Configure the registrar and the proxy server.


Select Voice Management > Call Connection > SIP Connection from the navigation tree to enter the
connection properties configuration page.
Figure 499 Configure registration information

Select Enable for Register State.

Type 192.168.2.3 for Main Registrar Address.

Type Router A for Username and abc for Password.

In the Proxy Server area, type 192.168.2.3 for Server Address.

Click Apply.

2. Configure Router B

Select Voice Management > Local Number from the navigation tree, and then click Add to enter the page
for creating a local number.
Figure 500 Create local number 2222

Type 1 for Number ID.

Type 2222 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Type Telephone B for Description.

Click Apply.

# Create a call route


Select Voice Management > Call Route from the navigation tree, and then click Add to enter the page for
creating a call route.
Figure 501 Create call route 1111

Type 10000 for Call Route ID.

Type 1111 for Destination Number.

Select SIP for Call Route Type.

Select Proxy Server for SIP Routing.

Click Apply.

# Configure the registrar and the proxy server.


Select Voice Management > Call Connection > SIP Connection from the navigation tree to enter the
connection properties configuration page.
Figure 502 Configure registration information

Select Enable for Register State.

Type 192.168.2.3 for Main Registrar Address.

In the Proxy Server area, type 192.168.2.3 for Server Address.

Type Router A for Username and abc for Password.

Click Apply.

Configuration verification

After the local numbers of the two sides are registered on the registrar successfully, telephone 1111
and telephone 2222 can call each other through the proxy server.

Select Voice Management > States and Statistics > Call Statistics from the navigation tree to enter
the Active Call Summary page, which displays the statistics of ongoing calls.

Select Voice Management > States and Statistics > Connection Status from the navigation tree, and
then click the Register Status tab to view the SIP register status.

Configuring trunking mode calling


Network requirements
As shown in Figure 503, Router A and Router B are connected through an FXO trunk line. It is required
that Telephone 1111 can call telephone 2222.
Figure 503 Network diagram for trunking mode call

Configuration procedure
1. Configure Router A

# Create a local number.


Select Voice Management > Local Number from the navigation tree, and then click Add to enter the page
for creating a local number.
Figure 504 Create local number 1111

Type 1 for Number ID.

Type 1111 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Type Telephone A for Description.

Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to enter the page for
creating a call route.
Figure 505 Create call route 2222

Type 10000 for Call Route ID.

Type 2222 for Destination Number.

Select Trunk for Call Route Type.

Select subscriber-line 1/0 from the Trunk Route Line drop-down list.

Click Apply.

# Configure number sending mode.


Select Voice Management > Call Route from the navigation tree, and click the icon of the target route
to enter the advanced settings page.
Figure 506 Configure number sending mode

Select Send All Digits of a Called Number for Called Number Sending Mode.

Click Apply.

2. Configure Router B

Select Voice Management > Local Number from the navigation tree, and then click Add to enter the page
for creating a local number.
Figure 507 Create local number 2222

Type 1 for Number ID.

Type 2222 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Type Telephone B for Description.

Click Apply.

Configuration verification

Telephone 1111 can call telephone 2222 over the trunk line.

Select Voice Management > States and Statistics > Call Statistics from the navigation tree to enter
the Active Call Summary page, which displays the statistics of ongoing calls.

Fax and Modem


FoIP overview
Traditional fax machines transmit and receive faxes over the PSTN. Over time, fax has come into wide
use because it can carry many kinds of information, transmits quickly, and is simple to operate.
G3 fax machines are by far the dominant type in fax communications. A G3 fax machine uses
signal digitizing technology: image signals are digitized and compressed internally, then converted
into analog signals through a Modem, and finally transmitted to the PSTN switch over common
subscriber lines.
FoIP means sending and receiving faxes over the Internet. A device can provide the FoIP function once the
FoIP feature is added on top of the VoIP function. Because FoIP is an Internet-based fax service,
users can send national and international faxes at low cost.
The network diagram for FoIP is similar to that for VoIP: replace the IP phone with a fax machine
to implement the fax function. If you can use IP phones, you can use the fax function, so the fax
function is simple to use. The following figure illustrates an FoIP system structure.
Figure 508 FoIP system structure

Protocols and standards for FoIP


IP real-time fax complies with the ITU-T T.30 and T.4 protocols on the PSTN side and the H.323 and T.38
protocols on the IP network side.

T.30 protocol is about file and fax transmission over PSTN. It describes and regulates the
communication traffic of G3 fax machines over common telephone networks, signal format, control
signaling, and error correction to the full extent.

T.4 protocol is a standard protocol involving the G3 fax terminals for file transmission. It provides a
standard regulation for the G3 fax terminals on image encoding/decoding scheme, signal
modulation and speed, transmission duration, error correction, and file transmission mode.

T.38 protocol is about the real-time G3 fax over IP networks. It describes and regulates the
communication mode, packet format, error correction and some communication flows of real-time
G3 fax over IP networks.

Fax flow
In FoIP, the call setup, handshake, rate training, packet transfer, and call release all take place in real time.
From the perspective of users, FoIP has no difference from faxing over PSTN.

Signals that a G3 fax machine receives and sends are modulated analog signals. Therefore, the router
processes fax signals differently from the way it processes telephone signals. The router needs to perform A/D
or D/A conversion for fax signals (that is, the router demodulates analog signals from PSTN into digital
signals, or modulates digital signals from the IP network into analog signals), but does not need to
compress fax signals.
A real-time fax process consists of five phases:
1. Fax call setup phase. This phase is similar to the process of a telephone call setup. The difference
is that the fax tones identifying the sending/receiving terminals are included.

2. Prior-messaging phase. During this phase, fax faculty negotiation and training are performed.

3. Messaging phase. During this phase, fax packets are transmitted in accordance with the T.4
procedure, and packet transmission is controlled (including packets synchronization, error
detection and correction, and line monitoring).

4. Post-messaging phase. During this phase, control operations such as packet authentication,
messaging completion, and multi-page continuous transmission are performed.

5. Fax call release phase. During this phase, the fax call is released.

Introduction to fax methods


T.38 fax
The device supports two fax protocols: T.38 protocol and standard T.38 protocol. The standard T.38
protocol should be selected for interworking with leading fax terminals in the industry. Since most
leading fax terminals in the industry do not support the local training mode, the end-to-end training
mode must be selected for interworking with them.

Pass-through fax
The fax pass-through technology was developed primarily for the purpose of compressing and
transmitting T.30 fax packets that cannot be demodulated through packet switched networks. With this
technology, the devices on two sides can directly communicate over a transparent IP link, and the voice
gateways do not distinguish fax calls from voice calls. After detecting a fax tone in an established VoIP
call, the voice gateway checks whether the voice codec protocol is G.711. If not, the voice gateway
switches the codec to G.711. Then fax data is transmitted as voice data in the pass-through mode.
In the pass-through mode, fax information is in the format of uncompressed G.711 codes and is
encapsulated in RTP packets between gateways, and a fixed bandwidth of 64 Kbps is occupied.
Although the packet redundancy mechanism can reduce the packet loss ratio, the pass-through mode is
subject to factors such as packet loss ratio, jitter, and delay. Therefore, it is necessary to ensure
synchronization of the clocks on both sides. Fax pass-through is called voice band data (VBD) by ITU-T.
That is, fax or modem signals are transmitted over a voice channel using a proper coding method. So far,
the codecs supported are only G.711 A-law and G.711 μ-law. In addition, when the fax pass-through
function is enabled, the voice activity detection (VAD) function must be disabled to avoid fax failures.
You can implement the fax pass-through function on the voice gateway in two ways:

Configure the fax to work in the pass-through mode on both sides.

Negotiate the codec as G.711 and disable fax forwarding. Then, disable the VAD function to avoid
fax failures. This method is used for the voice gateway to interwork with other devices in the
pass-through mode.

SIP Modem pass-through function


The SIP Modem pass-through function is mainly used for remote device management. Since the VoIP
network has replaced part of the traditional PSTN, VoIP devices are required to support the Modem
pass-through function, which can help remote PSTN users to log in to internal network devices through
dialup.

Configuring fax and Modem


Before configuring fax and Modem, you need to configure local numbers and call routes. See Basic
settings for details.

Configuring fax and Modem parameters of a local number


Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to enter the local number Fax and Modem configuration page, as shown
in Figure 509.
Figure 509 Local number Fax and Modem configuration page

Table 209 Configuration items


Item

Description

Fax Function

Enable. The fax parameters can be configured only when the fax function is enabled.
Disable

Fax Protocol

Configure the protocol used for fax communication with other devices.
T.38: With this protocol, a fax connection can be set up quickly.
Standard T.38: It supports H323 and SIP.

Configure the fax pass-through mode.
G.711 A-law
G.711 μ-law
The pass-through mode is subject to such factors as packet loss, jitter and
delay, so the clocks on both communication sides must be kept synchronized. At
present, only G.711 A-law and G.711 μ-law are supported, and the VAD
function should be disabled.

Number of Redundant Low-speed T.38 Packets

Low-speed data refers to the V.21 command data.
This option is configurable when T.38 or standard T.38 is selected as the fax protocol.

Number of Redundant High-speed T.38 Packets

High-speed data refers to the TCF and image data.
This option is configurable when T.38 or standard T.38 is selected as the fax protocol.

IMPORTANT:
Increasing the number of redundant packets improves the reliability of network transmission and
reduces the packet loss ratio. A large number of redundant packets, however, can greatly increase
bandwidth consumption and, where bandwidth is low, seriously affect the fax quality. Therefore,
select the number of redundant packets according to the network bandwidth.

Max Transmission Rate of Fax

Specifies the maximum fax transmission rate.
2400 bps: Set the maximum transmission rate to 2400 bps.
4800 bps: Negotiate the baud rate first in accordance with the V.27 fax
protocol. The maximum transmission rate is 4800 bps.
9600 bps: Negotiate the baud rate first in accordance with the V.29 fax
protocol. The maximum transmission rate is 9600 bps.
14400 bps: Negotiate the baud rate first in accordance with the V.17 fax
protocol. The maximum transmission rate is 14,400 bps.
Allowed Max Voice Speed of the Codec Protocol: Determines the maximum fax
rate depending on the codec protocol.
If G.711 is adopted, the maximum fax transmission rate is 14,400 bps and the
fax protocol is V.17.
If G.723.1 Annex A is adopted, the maximum fax transmission rate is 4,800
bps and the fax protocol is V.27.
If G.726 is adopted, the maximum fax transmission rate is 14,400 bps and
the fax protocol is V.17.
If G.729 is adopted, the maximum fax transmission rate is 7,200 bps and the
fax protocol is V.29.
By default, the Allowed Max Voice Speed of the Codec Protocol option is
adopted.
IMPORTANT:
Note that if an option other than the default option is adopted, the maximum rate is
negotiated first in accordance with the corresponding fax protocol.

Fax Training Mode

Specify the fax training mode, which can be:
Local: Indicates that the gateways participate in the rate training between fax
terminals. In the local training mode, rate training is performed separately
between each fax terminal and its gateway, and then the receiving gateway sends
the training result of the receiving fax terminal to the transmitting gateway.
The transmitting gateway finalizes the packet transmission rate by comparing
the received training result with its own training result.
Point-to-Point: Indicates that the gateways do not participate in the rate
training between two fax terminals. In this mode, rate training is performed
between two fax terminals and is transparent to the gateways.
When rate training is carried out between fax terminals, the transmitting terminal
transmits zero-filled TCF data (the filling time per packet is 1.5 seconds ±10%)
to the receiving fax terminal, and the receiving fax terminal decides whether the
current rate is acceptable according to the received TCF data.

Local Training Threshold in Percentage

When the percentage of all-ones or all-zeros TCF data to the total number of TCF
data is less than the local training threshold, the current rate training succeeds.
Otherwise, the current rate training fails and you need to drop the rate for a local
training operation again.
By default, the threshold is 10.
IMPORTANT:
When the local training mode is adopted, use this option to configure the threshold
in percentage. When the Point-to-Point training mode is adopted, the gateway
does not participate in rate training and the threshold of local training is not
applicable.
Signal Transmission Mode of Fax Faculty

In common fax applications, the participating fax terminals negotiate with the
standard faculty (such as V.17 and V.29 rate) by default. It means that they do
not send each other non-standard facilities (NSF) message frames. In some cases
such as encrypted fax, both fax terminals adopt a nonstandard faculty (NSF) to
negotiate.
At the start of negotiation, both terminals first exchange NSF message frames,
and then negotiate the subsequent fax faculty for communication. NSF messages
are standard T.30 messages and carry private information.
In order to use a nonstandard faculty for negotiation, the following conditions
must be satisfied:
1. Fax terminals must support nonstandard transmission mode.
2. The transmission mode must be set to a nonstandard mode in the POTS and
VoIP entities for both fax terminals.
By default, a standard faculty mode is adopted for fax faculty transmission.

Transmit Energy Level of a Gateway Carrier

Usually, the default transmit energy level of the gateway carrier is acceptable. If
a fax still cannot be set up although the other configurations are correct,
you can attempt to adjust the transmit energy level of the gateway carrier
(namely, transmit energy level attenuation). A greater level indicates greater
energy. A smaller level indicates greater attenuation.
By default, the transmit energy level of the gateway carrier is 15 dBm.

ECM Fax

As defined in ITU-T, the error correction mode (ECM) is required for a half duplex
and fax message transmission using the half-duplex and half-modulation system
of ITU-T V.34 protocol. Besides, the G3 fax terminals working in full duplex mode
are required to support half-duplex mode, namely, ECM.
The fax machines using ECM can correct errors, provide the automatic repeat
request (ARQ) function, and transmit fax packets in the format of HDLC frames.
On the contrary, the fax machines using non-ECM cannot correct errors and they
transmit fax packets in the format of binary strings.
Enable: Enable ECM for fax.
Disable: Disable ECM for fax.
By default, ECM is disabled.
ECM can be adopted only if fax machines on both sides support ECM and the
gateways are configured with ECM.
You must enable ECM mode for the local numbers and call routes corresponding
to the fax sender and receiver in the ECM mode.

CNG Fax Switchover Function

The calling tone (CNG) fax switchover is mainly used to implement the fax
mailbox service through communication with the VCX. When the local fax
machine A originates a fax call to the peer fax machine B, if B is busy or is
unattended, A can send the originated fax to the fax mailbox of the VCX. With
CNG fax switchover enabled, the voice gateway can switch to the fax mode
once it receives a CNG from A.
Enable
Disable
The function is disabled by default.
Codec Type and Switching Mode for SIP Modem Pass-through

Configure the codec type and switching mode for SIP Modem pass-through
function.
Standard G.711 A-law: Adopt G.711 A-law as the codec type and use
Re-Invite switching for SIP Modem pass-through.
Standard G.711 μ-law: Adopt G.711 μ-law as the codec type and use
Re-Invite switching for SIP Modem pass-through.
NTE Compatible G.711 A-law: Adopt G.711 A-law as the codec type and use
NTE-compatible switching for SIP Modem pass-through.
NTE Compatible G.711 μ-law: Adopt G.711 μ-law as the codec type and use
NTE-compatible switching for SIP Modem pass-through.

NTE Payload Type Field

Configure the value of NTE payload type for the NTE-compatible switching
mode.
This option is configurable only when NTE Compatible G.711 A-law or NTE
Compatible G.711 μ-law is selected from the Codec Type and Switching Mode
for SIP Modem Pass-through drop-down list.
By default, the value of the NTE payload type is 100.

Configuring fax and Modem parameters of a call route


Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to enter the call route Fax and Modem configuration page.

Figure 510 Call route Fax and Modem configuration page

For call route fax and Modem configuration items, see Table 209 for details.

Call services
Introduction to call services
More and more VoIP-based services are demanded as voice application environments expand. On the
basis of basic calls, new features are implemented to meet the different application requirements of VoIP
subscribers. So far, the new features include:

Call waiting

Call hold

Call forwarding

Call transfer

Call backup

Hunt group

Call barring

Message waiting indication (For information about message waiting indication, see the chapter
Call connection configuration.)

Three-party conference

Silent monitor and barge in services

Calling party control

Door opening control

CID on the FXS voice subscriber line

CID on the FXO voice subscriber line

Support for SIP voice service of the VCX

Call waiting
When subscriber C calls subscriber A who is already engaged in a call with subscriber B, the call will
not be rejected if call waiting is enabled. Just like a normal call, subscriber C will hear ringback tones,
while subscriber A will hear call waiting tones which remind that a call is waiting on the line.
Subscriber A can answer the new call by pressing the flash hook or hanging up to end the call with
subscriber B. In the former case, subscriber B is held. In the latter case, subscriber A is immediately
alerted and can pick up the phone to answer the call originated by subscriber C (the waiting call).

Call hold
If subscriber A in a conversation with subscriber B presses the flash hook, the media session of subscriber
B is temporarily cut through and is held (in the silent state or listening to the waiting tones). The system
plays silent tones or dial tones to subscriber A, depending on the configuration. (The system first plays
dial tones and waits for the subscriber to dial. If the subscriber fails to dial within a period of time, the
system stops playing dial tones and the line stays on hold.) Subscriber A can resume the call with
subscriber B by pressing the flash hook again.

After pressing the flash hook, subscriber A hears dial tones and can initiate a new call. The setup flow
for the new call is completely the same as the one for ordinary calls.

Call forwarding
After receiving a session request, the called party cannot answer the call for some reason. In this case,
the called party notifies in a response the calling party of the forwarded-to number so that the calling
party can re-initiate a session request to the new destination. This is call forwarding.
Currently, the system supports four different types of call forwarding:

Call forwarding unconditional: With this feature enabled on a voice subscriber line, incoming calls
will be forwarded to the predetermined destination, no matter whether the voice subscriber line is
available.

Call forwarding busy: With this feature enabled on a voice subscriber line, an incoming call will be
forwarded to the predetermined destination when the voice subscriber line is busy.

Call forwarding no reply: With this feature enabled on a voice subscriber line, an incoming call will
be forwarded to the predetermined destination when the voice subscriber line is not answered
within a period of time, which is configured by specifying Max Duration of Playing Ringback Tones
on the FXS, FXS or E&M line configuration page and defaults to 60 seconds.

Call forwarding unavailable: With this feature enabled on a voice subscriber line, an incoming call
will be forwarded to the predetermined destination when the voice subscriber line is shut down.

Call transfer
Subscriber A (originator) and subscriber B (recipient) are in a conversation. Subscriber A presses the
flash hook and the call is put on hold. Subscriber A dials another number to originate a call to subscriber
C (final recipient); after Subscriber A hangs up, the call between subscriber B and subscriber C is
established. This is call transfer.
To perfect the call transfer feature, the device supports the call recovery function after the call transfer fails,
that is, if subscriber C in the above example is in a conversation with another subscriber and cannot
establish a conversation with subscriber B, the call between subscriber A and subscriber B is recovered.

Call backup
After initiating a call to the called party, the calling party is unable to receive a response. In this case, if
there is another link (PSTN link or VoIP link) to the called party, the calling party re-initiates a call to the
called party over the new route. This is call backup.
Currently, the system supports two types of call backup:

A PSTN link or VoIP link backs up a PSTN link.

A PSTN link backs up a VoIP link.

Hunt group
Multiple voice subscriber lines are configured with the same called number to form a hunt group. If the
voice subscriber line with the first priority is unavailable when a call setup request to the called party is
received, the call will still be established through another voice subscriber line in the hunt group.

Call barring
Call barring includes incoming call barring and outgoing call barring.
Incoming call barring usually refers to the Do Not Disturb (DND) service. When incoming call barring is
enabled on a voice subscriber line, calls originated to the attached phone will fail.
When outgoing call barring is enabled on a voice subscriber line, calls originated from the attached
phone will fail, too.

Message waiting indication


The message waiting indication (MWI) feature allows a voice gateway to notify a subscriber of
messages got from a voice mailbox server. For example, when a call destined to subscriber A is
forwarded to the voice mailbox server, the server will notify the state change to the voice gateway. When
subscriber A picks up the phone, subscriber A will hear the message waiting tone without needing to
query the mailbox.

Three-party conference
When subscriber A has a call with subscriber B and holds a call with subscriber C, A can make C join
the current conversation to implement a three-party conference.
During a three-party conference, a passive participant can initiate a new call to create another
conversation. In this way, conference chaining is implemented, and each conference initiator serves as
a conference bridge.

Silent monitor and barge in services


Silent monitor service: Allows a supervisor to monitor active calls without being heard.
Barge in service: Allows a supervisor to participate in a monitored call to implement three-party
conference. For example, suppose subscribers A and B are in a conversation and subscriber C is the
supervisor. If C wants to join the conversation, it sends a request to A. If A permits, the three-party
conference can be held. In this example, C is called the active participant of the conference, A is the
voice mixer, and B is the original participant of the conversation.
Silent monitor and barge in services can be considered as the extensions of three-party conference. To
distinguish them from traditional three-party conference, these two services are called three-party
conference in active participation mode.

Calling party control


The calling party control service allows the called party to resume the conversation with the calling party
by picking up the phone within the specified time. For example, subscriber A is the calling party;
subscriber B is the called party. The on-hook delay is set to m seconds on the voice subscriber line of
subscriber B. After the call between A and B is established, if the calling party A hangs up first, the call
ends; if the called party B hangs up first, it can resume the call with A by picking up the phone
within m seconds. After that, no matter how many times B hangs up within m seconds, it can resume the
call with A by picking up the phone.
In this example, after B hangs up for the first time, A hears silent tones from the headphone within m
seconds. If subscriber C dials subscriber B during this time, the telephone of B will not ring, and C will
hear busy tones.

Door opening control


The door opening control service allows a user to open a door remotely. The process is as follows: user
A that wants to enter a door calls user B. After the session is established, user B enters a password
starting with an asterisk (*) and ending with a pound sign (#) on the phone:

If the entered password is correct (the password matches the door opening control password
configured for the voice subscriber line), the door control relay opens the door. After a predefined
door open duration, the door control relay locks the door automatically.

If the entered password is incorrect, the door cannot be opened.

CID on the FXS voice subscriber line


The calling identity delivery (CID) service displays calling identity information, such as the calling
number, calling name, date, and time, on the called terminal.
With the CID function, calling numbers and calling time in single-data-message format can be
transmitted or received in an on-hook state. When the CID function is combined with services such as call
forwarding unconditional (CFU) and call forwarding busy (CFB), calling identity information can
also be transmitted if required. A message in the single-data-message format (SDMF) contains the
following information:

Date and time when the voice call occurs (MM DD hh:mm)

Calling number if CID is enabled on the device

P if CID is disabled on the device

O if the terminating private branch exchange (PBX) fails to obtain the calling number (for example,
the originating PBX end does not send it)

A message in the multiple-data-message format (MDMF) contains the following information:

Date and time when the voice call occurs (MM DD hh:mm)

Calling number and calling name if CID is enabled on the device

Two Ps for the calling number and the calling name respectively if CID is disabled on the device

O if the terminating PBX fails to obtain the calling number (for example, the originating PBX end
does not send it)

O if the terminating PBX fails to obtain the calling name (for example, the originating PBX end does
not send it)

The FXS voice subscriber line sends the calling identity information to the called telephone. The calling
identity information is sent to the called telephone through frequency shift keying (FSK) modulation
between first and second rings. Therefore, the called user must pick up the telephone after the second
ring to ensure that the calling identity information is sent and received correctly. Otherwise, the calling
identity information may fail to be displayed.

CID on the FXO voice subscriber line


The FXO voice subscriber line receives the calling identity information from the PBX. By default, the FXO
interface receives the modulated calling identity information from the PBX between the first and second
rings (you can change this with the Time for CID Check setting on the FXO line configuration page). The
calling identity information then undergoes FSK demodulation and parity check. After the parity check
succeeds, the device checks whether the function of sending calling identity information is enabled. If
the function is enabled, the calling identity information (indicating that the calling identity
information is received) is sent; otherwise, the character P or O is sent.
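The receive-side handling described above (demodulate, verify, then deliver the number or P/O), as an added example that is not H3C code. The byte layout (message type 0x04 or 0x80, length, body, one-byte checksum standing in for the guide's parity check) follows the Bellcore caller-ID convention and is an assumption, because the guide does not give it; `frame`, `parse_cid` and `try_parse` are hypothetical names and every sample frame is constructed.

```python
"""Added example: validate and decode a caller-ID frame after FSK demodulation.

Assumes the Bellcore byte layout (type, length, body, checksum); the guide
names SDMF/MDMF and the P/O markers but does not specify the bytes.
"""

SDMF, MDMF = 0x04, 0x80                      # message types (assumed Bellcore values)
P_DATE, P_NUMBER, P_NO_NUMBER, P_NAME, P_NO_NAME = 0x01, 0x02, 0x04, 0x07, 0x08
ABSENT = (b"P", b"O")                        # P: CID disabled, O: not obtained


def frame(msg_type, body):
    """Build a constructed sample frame: type, length, body, checksum."""
    raw = bytes([msg_type, len(body)]) + body
    return raw + bytes([-sum(raw) & 0xFF])   # checksum makes the byte sum 0 mod 256


def _text(data, digits_only=False):
    """Decode one field; the far end is untrusted, so restrict its characters."""
    if digits_only:
        ok = all(0x30 <= b <= 0x39 for b in data)
    else:
        ok = all(0x20 <= b < 0x7F for b in data)   # printable ASCII only
    if not data or not ok:
        raise ValueError("unexpected character in caller-ID field")
    return data.decode("ascii")


def _date(data):
    """Render MMDDhhmm as 'MM DD hh:mm', the form used in the guide."""
    if len(data) != 8:
        raise ValueError("date/time must be 8 digits")
    t = _text(data, digits_only=True)
    return f"{t[0:2]} {t[2:4]} {t[4:6]}:{t[6:8]}"


def _absent(data):
    if data not in ABSENT:
        raise ValueError("absence reason must be P or O")
    return data.decode("ascii")


def parse_cid(raw):
    """Return the decoded fields; raise ValueError for any malformed frame."""
    if len(raw) < 3 or len(raw) != raw[1] + 3:
        raise ValueError("length field does not match frame size")
    if sum(raw) & 0xFF:
        raise ValueError("checksum mismatch")
    msg_type, body = raw[0], raw[2:-1]
    out = {"format": None, "date_time": None, "number": None, "name": None}
    if msg_type == SDMF:
        out["format"] = "SDMF"
        out["date_time"] = _date(body[:8])
        rest = body[8:]
        out["number"] = _absent(rest) if rest in ABSENT else _text(rest, True)
    elif msg_type == MDMF:
        out["format"] = "MDMF"
        i = 0
        while i < len(body):
            # Each parameter is type, length, data; never read past the body.
            if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
                raise ValueError("parameter runs past end of message")
            ptype, data = body[i], body[i + 2:i + 2 + body[i + 1]]
            i += 2 + len(data)
            if ptype == P_DATE:
                out["date_time"] = _date(data)
            elif ptype == P_NUMBER:
                out["number"] = _text(data, True)
            elif ptype == P_NO_NUMBER:
                out["number"] = _absent(data)
            elif ptype == P_NAME:
                out["name"] = _text(data)
            elif ptype == P_NO_NAME:
                out["name"] = _absent(data)
            # Unknown parameter types are skipped.
    else:
        raise ValueError("unknown message type")
    return out


def try_parse(raw):
    """Return the decoded fields, or None when the frame must be discarded."""
    try:
        return parse_cid(bytes(raw))
    except ValueError:
        return None


if __name__ == "__main__":
    stamp = bytes([P_DATE, 8]) + b"08191430"           # constructed sample
    sample = frame(MDMF, stamp + bytes([P_NUMBER, 4]) + b"1000"
                   + bytes([P_NAME, 5]) + b"Alice")
    print(parse_cid(sample))
    print(try_parse(sample[:-1] + b"\x00"))            # broken checksum -> None
```

Frames that fail the length, checksum or character checks are dropped rather than displayed, so a corrupted or oversized field from the far end never reaches the called terminal's display or a call log.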

Support for SIP voice service of the VCX


Together with a server, the VCX implements the application of multiple voice features such as Silent
Monitor, Camp On, and FwdMail Toggle by using the 3Com proprietary SIP Feature messages.

Configuring call services of a local number


Configuring call forwarding, call waiting, call hold, call transfer, and three-party conference
Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to enter the call services configuration page as shown in Figure 511.
Figure 511 Call services configuration page

Table 210 Configuration items

Item: Call Forwarding
Description:
The Forwarded-to Number for Call Forwarding no Reply: Input the forwarded-to number for call
forwarding no reply.
The Forwarded-to Number for Call Forwarding Busy: Input the forwarded-to number for call
forwarding busy.
Call Forwarding Unconditional: Input the forwarded-to number for call forwarding unconditional.
The Forwarded-to Number for Call Forwarding Unavailable: Input the forwarded-to number for call
forwarding unavailable.

Item: Call Waiting
Description:
After call waiting is enabled, you can configure the following parameters according to your needs:
Number of Call Waiting Tone Play Times
Number of Tones Played at One Time
Interval for Playing Call Waiting Tones
By default, two call waiting tones are played once, and if the value of Number of Tones in a Call
Waiting Tone is greater than 1, the Interval for Playing Call Waiting Tones is 15 seconds.

Item: Call Hold
Description:
Enable or disable the call hold function.

Item: Call Transfer
Description:
Call hold must be enabled before call transfer.
After call transfer is enabled, you can set the Call Transfer Start Delay parameter according to
your needs.

Item: Three-Party Conference
Description:
The three-party conference function depends on the call hold function. Therefore, you need to
enable the call hold function before configuring three-party conference.

Item: Monitor and Barge In
Description:
Enable or disable the silent-monitor and barge in services.

Configuring other voice functions


Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to enter the call services configuration page as shown in Figure 512.
Figure 512 Call services configuration page

Table 211 Configuration items

Item: Calling Name
Description:
Set the calling name, a string of case-sensitive characters including numbers 0 through 9, letters
A through Z or a through z, underlines (_), hyphens (-), dots (.), exclamation point (!), percent
sign (%), asterisk (*), plus sign (+), grave accent (`), single quotation mark ('), and tilde (~).
By default, no calling name is configured.
The calling name in the calling identity information can only be transmitted in MDMF format.
Therefore, if the calling information delivery is enabled, you need to select the Complex Delivery
radio button in the Calling Information Delivery area.

Item: Calling Information Delivery
Description:
Configure the format of calling information:
Complex Delivery: Calling identity information is transmitted in complex format.
Simple Delivery: Calling identity information is transmitted in simple format.
Do Not Delivery: Do not deliver the calling identity information.
By default, the complex delivery is adopted.
If the remote end supports one format only, you must use the same message format at the local end.

Item: Call Identity Delivery
Description:
Enable
Disable
The calling identity is delivered by default.

Item: Incoming Call Barring
Description:
Enable
Disable
By default, incoming call barring is disabled.

Item: Password for Outgoing Call Barring
Description:
Set a password to lock your telephone when you do not want others to use your telephone.

Item: Door Open Service (Door Opening Password, Door Open Duration)
Description:
Enable the door opening control service and set a password for opening the door and the door open
duration before the door control relay locks the door.
By default, the door opening service is disabled.
IMPORTANT:
Install a SIC audio card on the device on which the door opening control enabled FXS voice
subscriber line resides.
When the door opening control service is enabled, the out-of-band DTMF transmission is disabled.
Whether the line is a calling or called line, the out-of-band DTMF transmission does not take
effect.

Item: Feature Service
Description:
Enable
Disable
By default, feature service is disabled.

Item: Hunt Group
Description:
Enable
Disable
By default, the hunt group function is disabled.
IMPORTANT:
To use the hunt group feature, you need to select the Enable option of all local numbers involved
in this service.

Item: Message Waiting Indicator
Description:
Enable
Disable
By default, MWI is disabled.
After MWI is enabled, you can configure the Duration of Playing the Message Waiting Tone parameter
according to your needs.
IMPORTANT:
Generally, the voice gateway sends a SUBSCRIBE to the server, and receives a NOTIFY from the server
if the subscription is successful, and gets the status of the voice mailbox afterwards.

Item: Hotline Numbers
Description:
Configure the private line auto ring-down (PLAR) function. The number is the E.164 telephone number
of the terminating end.

Item: On-hook Delay Time of the Called Party
Description:
Enable calling party control and set the on-hook delay time of the called party. If the delay time
is set to 0, this indicates that the calling party control is disabled.
By default, calling party control is disabled, that is, the on-hook delay of the called party is
set to 0.

Item: Processing Priority When the Line is Busy
Description:
Specify the processing sequence of services when the line is busy.

Configuring call services of a call route


Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to enter the call route call services configuration page as shown in Figure 513.
NOTE:
After completing the trunk configuration of a call route, you can configure the call services of the call
route. The SIP call route does not support call services configuration.
Support for options provided on the call services page of a call route depends on the selected trunk route
line. Only the FXO trunks support the Calling Number Delivery and Calling Identity Delivery functions.


Figure 513 Call services configuration page

Table 212 Configuration items

Item: Call Waiting
Description:
After call waiting is enabled, you can configure the following parameters according to your needs:
Number of Call Waiting Tone Play Times
Number of Tones Played at One Time
Interval for Playing Call Waiting Tones
By default, the number of call waiting tone play times is one, and the number of call wait tones
played at one time is 2, and if the value of Number of Tones Played at One Time is greater than 1,
the Interval for Playing Call Waiting Tones is 15 seconds.

Item: Incoming Call Barring
Description:
Enable
Disable
By default, incoming call barring is disabled.

Item: Password for Outgoing Call Barring
Description:
Set a password to lock your telephone when you do not want others to use your telephone.

Item: Hunt Group
Description:
Enable
Disable
By default, hunt group function is disabled.
IMPORTANT:
To use the hunt group feature, you need to select the Enable option of all call routes involved in
this service.

Item: Hotline Numbers
Description:
Configure the private line auto ring-down (PLAR) function. The number is an E.164 telephone number
of the terminating end.

Call services configuration examples


Configuring call waiting
Network requirements
As shown in Figure 514, place a call from Telephone C to Telephone A which is already engaged in a
call with Telephone B, and the call will not be rejected. Just like a normal call, the subscriber at Telephone
C will hear ringback tones, while the subscriber at Telephone A will hear call waiting tones which remind
that another call is waiting on the line.
Figure 514 Network diagram for call waiting
[Network diagram not reproduced. Labels: Router A with Telephone A (1000), Router B with Telephone B
(2000), Router C with Telephone C (3000); interface addresses Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24,
Eth1/1 20.1.1.2/24, Eth1/1 20.1.1.1/24.]

Configuration procedure
NOTE:
Before performing the following configuration, make sure Router A, Router B and Router C are reachable
to each other.
1. Complete basic voice call configurations.

Complete basic voice call configurations on Router A, Router B, and Router C.

2. Configure call waiting.

Configure call waiting on Router A.

Select Voice Management > Local Number from the navigation tree, click the icon of local number
1000 in the local number list to enter the call services configuration page.
Figure 515 Configure call waiting

Select Enable for Call Waiting.

Click Apply.

Configuration verification
Verify the two call waiting operation modes:
Operation 1: When the subscriber at Telephone C dials 1000 to call Telephone A which is already
engaged in a call with Telephone B, the subscriber at Telephone C will hear ringback tones, while the
subscriber at Telephone A will hear call waiting tones which remind that a call is waiting on the line. If
then the subscriber at Telephone A hangs up, the telephone will ring, the subscriber at Telephone A can
pick up the phone to start a conversation with Telephone C.
Operation 2: When the subscriber at Telephone C dials 1000 to call Telephone A, which is already
engaged in a call with Telephone B, the subscriber at Telephone A can press the flash hook to start a
conversation with Telephone C, and thus Telephone B is held; the subscriber at Telephone A can press
the flash hook again to continue the talk with Telephone B, and then Telephone C is held. Note that the
call hold function must be enabled on the voice subscriber line connected to Telephone A.

Configuring call forwarding


Network requirements
As shown in Figure 516, place a call from Telephone A to Telephone B. Router B forwards the call to
Telephone C when Telephone B is busy. Finally, Telephone A and Telephone C start a conversation.
Figure 516 Network diagram for call forwarding
[Network diagram not reproduced. Labels: Router A with Telephone A (1000), Router B with Telephone B
(2000), Router C with Telephone C (3000); interface addresses Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24,
Eth1/1 20.1.1.2/24, Eth1/1 20.1.1.1/24.]

Configuration procedure
NOTE:
Before performing the following configuration, make sure Router A, Router B and Router C are reachable
to each other.
1. Complete basic voice call configurations.

Complete basic voice call configurations on Router A, Router B, and Router C.

2. Configure call forwarding.

Configure call forwarding on Router B.

Select Voice Management > Local Number from the navigation tree, click the icon of local number
2000 in the local number list to enter the call services configuration page.
Figure 517 Configure call forwarding

Type 3000 for The Forwarded-to Number for Call Forwarding Busy.

Click Apply.

Configuration verification
Place a call from Telephone A to Telephone B. Router B forwards the call to Telephone C when Telephone
B is busy. Finally, Telephone A and Telephone C start a conversation.

Configuring call transfer


Network requirements
As shown in Figure 518, call transfer enables Telephone A to transfer Telephone B to Telephone C. After
the call transfer is completed, Telephone B and Telephone C are in a conversation.
The whole process is as follows:
1. Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation.

2. Perform a hookflash at Telephone A to put the call with Telephone B on hold.

3. Call Telephone C (3000) from Telephone A after hearing dial tones.

4. Hang up Telephone A.

5. Telephone B and Telephone C are in a conversation and call transfer is completed.

Figure 518 Network diagram for call transfer
[Network diagram not reproduced. Labels: Router A with Telephone A (1000), Router B with Telephone B
(2000), Router C with Telephone C (3000); interface addresses Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24,
Eth1/1 20.1.1.2/24, Eth1/1 20.1.1.1/24.]

Configuration procedure
NOTE:
Before performing the following configuration, make sure that Router A, Router B and Router C are
reachable to each other.
1. Complete basic voice call configurations.

Complete basic voice call configurations on Router A, Router B, and Router C.

2. Configure call transfer.

# Configure call hold and call transfer on Router A.

Select Voice Management > Local Number from the navigation tree, click the icon of local number
1000 in the local number list to enter the call services configuration page.
Figure 519 Configure call transfer

Select Enable for Call Hold.

Select Enable for Call Transfer.

Click Apply.

Configuration verification
The whole process is as follows:
1. Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation.

2. Perform a hookflash at Telephone A to put the call with Telephone B on hold.

3. Call Telephone C (3000) from Telephone A after hearing dial tones.

4. Hang up Telephone A.

5. Telephone B and Telephone C are in a conversation and call transfer is completed.

Configuring hunt group


Network requirements
As shown in Figure 520, hunt group applies to the situation where multiple subscriber lines correspond
to the same number. When the voice subscriber line with the highest priority is in use, the device can
automatically connect an incoming call to the voice subscriber line with the second highest priority.
Telephone A1 (1000) and Telephone A2 (1000) are both connected to Router A, and Telephone A1 has
a higher priority. Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher
priority, Telephone B will be connected to Telephone A1. If number 1000 is dialed from Telephone C
(3000) when Telephone A1 and Telephone B are in a conversation, hunt group enables Telephone C to
have a conversation with Telephone A2.
Figure 520 Network diagram for hunt group
[Network diagram not reproduced. Labels: Router A with Telephone A1 (1000) and Telephone A2 (1000),
Router B with Telephone B (2000), Router C with Telephone C (3000); interface addresses Eth1/1
10.1.1.2/24, Eth1/1 10.1.1.1/24, Eth1/2 20.1.1.1/24, Eth1/1 20.1.1.2/24.]

Configuration procedure
NOTE:
Before performing the following configuration, make sure that Router A, Router B and Router C are
routable to each other.
1. Complete basic voice call configurations.

Complete basic voice call configurations on Router A, Router B, and Router C.

2. Configure hunt group.

# Configure a number selection priority for Telephone A2 on Router A. Keep the default priority 0 (the
highest priority) for Telephone A1.
Select Voice Management > Local Number from the navigation tree, click the icon of local number
1000 in the local number list to enter the advanced settings configuration page.
Figure 521 Configure number selection priority of Telephone A2

Select 4 from the Number Selection Priority drop-down list.

Click Apply.

# Configure hunt group on Router A.

Select Voice Management > Local Number from the navigation tree, click the icon of local number
1000 of Telephone A1 in the local number list to enter the call services configuration page.
Figure 522 Configure hunt group

Select Enable for Hunt Group.

Click Apply.

Perform the same configuration for the local number 1000 of Telephone A2. The configuration procedure
is omitted here.

Configuration verification
Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher priority, Telephone B
is connected to Telephone A1. If you dial number 1000 from Telephone C (3000) when Telephone A1
and Telephone B are in a conversation, hunt group enables Telephone C to have a conversation with
Telephone A2.

Configuring three-party conference


Network requirements
As shown in Figure 523, place a call from Telephone A to Telephone B and after the call is established,
hold the call on Telephone B. Then, place a call from Telephone B to Telephone C. After success, press
the hook flash on Telephone B and press 3. Then a three-party conference can be established among
Telephones A, B and C.
Figure 523 Network diagram for three-party conference
[Network diagram not reproduced. Labels: Router A with Telephone A (1000), Router B with Telephone B
(2000), Router C with Telephone C (3000); interface addresses Eth1/0 10.1.1.1/24, Eth1/0 10.1.1.2/24,
Eth1/0 20.1.1.2/24, Eth1/1 20.1.1.1/24.]

Configuration procedure
NOTE:
Before performing the following configuration, make sure that Router A, Router B and Router C are
routable to each other.
1. Complete basic voice call configurations.

Complete basic voice call configurations on Router A, Router B, and Router C.

2. Configure three-party conference.

# Enable call hold on Router A and Router C.

Select Voice Management > Local Number from the navigation tree, click the icon of the local number
to be configured to enter the call services configuration page.
Figure 524 Configure call hold

Select Enable for Call Hold.

Click Apply.

# Enable call hold and three-party conference on Router B.

Select Voice Management > Local Number from the navigation tree, click the icon of local number
2000 in the local number list to enter the call services configuration page.

Figure 525 Configure call hold

Select Enable for Call Hold.

Select Enable for Three-Party Conference.

Click Apply.

Configuration verification
Now Telephone B, as the conference initiator, can establish a three-party conference with participants
Telephone A and Telephone C.
If you also enable three-party conference on the FXS lines of Telephone A and Telephone C on Router A
and Router C, then during the conference, a new call can be initiated from Telephone A or Telephone C
to invite another passive participant. In this way, conference chaining is implemented.

Configuring silent monitor and barge in


Network requirements

Configure silent monitor for Telephone C to monitor the conversation between Telephone A and
Telephone B. After configuration, when Telephone A and Telephone B are in a conversation, dialing
the feature code *425*Number of Telephone A# at Telephone C lets Telephone C monitor the
conversation between Telephone A and Telephone B.

Configure barge in for Telephone C to participate in the conversation between Telephone A and
Telephone B. After configuration, dialing the feature code *428# at Telephone C lets Telephone C
participate in the conversation between Telephone A and Telephone B.

Figure 526 Network diagram for silent monitor and barge in

Configuration procedure
1. Configure the VCX

Open the web interface of the VCX and select Central Management Console. Configure the information
of Telephone A, Telephone B, and Telephone C. The following takes Telephone A as an example.
Figure 527 Telephone configuration page

# Configure the silent-monitor authority


Click Features of number 1000 to enter the feature configuration page, and then click Edit Feature of the
Silent Monitor and Barge In feature to enter the page as shown in Figure 528.


Figure 528 Silent monitor and barge in feature configuration page (I)

Click Assign External Phones to specify that number 3000 has the authority to monitor number 1000.
After this configuration, the page as shown in Figure 529 appears.
Figure 529 Silent monitor and barge in feature configuration page (II)

After the above configuration, Telephone C with the number 3000 can monitor and barge in the
conversations of Telephone A with the number 1000.
2. Configure Router A

# Configure a local number and call routes.

Configure a local number: specify the local number ID as 1000 and the number as 1000, and bind
the number to line line 1/0 on the local number configuration page.

Configure the call route to Router B: specify the call route ID as 10000, the destination number as
3000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.

Configure the call route to Router C: specify the call route ID as 10001, the destination number as
3000, and the call route type as SIP, and use a proxy server to complete calls on the call route
configuration page.

Configure SIP registration: enable register function of the server on the connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to enter the connection properties configuration page, and configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.

# Enable the feature service and the silent-monitor and barge-in function.
Select Voice Management > Local Number from the navigation tree, and click the icon of local
number 1000 to enter the call services page as shown in Figure 530.

Figure 530 Enable the feature service and the silent monitor and barge in function

Select Enable for Monitor and Barge In.

Select Enable for Feature Service.

Click Apply.

3. Configure Router B

# Configure a local number and call routes.

Configure a local number: specify the local number ID as 2000 and the number as 2000, and bind
the number to line line 1/0 on the local number configuration page.

Configure the call route to Router A: specify the call route ID as 10000, the destination number as
1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.

Configure the call route to Router C: specify the call route ID as 10001, the destination number as
3000, and the call route type as SIP, and use a proxy server to complete calls on the call route
configuration page.

Configure SIP registration: enable register function of the server on the connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to enter the connection properties configuration page, then configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.

4. Configure Router C

# Configure a local number and call routes.

Configure a local number: specify the local number ID as 3000 and the number as 3000, and bind
the number to line line 1/0 on the local number configuration page.

Configure the call route to Router A: specify the call route ID as 10000, the destination number as
1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.

Configure the call route to Router B: specify the call route ID as 10001, the destination number as
2000, and the call route type as SIP, and use a proxy server to complete calls on the call route
configuration page.

Configure SIP registration: enable register function of the server on the connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to enter the connection properties configuration page, then configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.

# Configure the DTMF transmission mode as NTE out-of-band transmission.


Select Voice Management > Call Route from the navigation tree and click the icon of call route 1000
to enter the advanced settings page as shown in Figure 531.
Figure 531 Configure DTMF transmission mode

Select RFC2833 for DTMF Transmission Mode.

Click Apply.

# Enable the feature service.


Select Voice Management > Local Number from the navigation tree, and click the icon of local
number 3000 to enter the call services page as shown in Figure 532.

Figure 532 Enable the feature service

Select Enable for Feature Service.

Click Apply.

Configuration verification
After the above configuration, dial feature code *425*1000# at Telephone C, and you can monitor the
conversation between Telephone A and Telephone C. If you want to participate in the conversation, dial
*428# at Telephone C.


Advanced settings
Introduction to advanced settings
Coding parameters
The configuration of coding parameters includes specifying codec priorities and packet assembly
intervals.
The codecs include: g711alaw, g711ulaw, g723r53, g723r63, g726r16, g726r24, g726r32, g726r40,
g729a, g729br8, and g729r8.
The following are the characteristics of different codecs.

g711alaw and g711ulaw provide high-quality voice transmission, while requiring greater
bandwidth.

g723r53 and g723r63 provide silence suppression technology and comfort noise. The relatively
higher speed output is based on multi-pulse multi-quantitative level technology and provides
relatively higher voice quality, and the relatively lower speed output is based on the
Algebraic-Code-Excited Linear-Prediction technology and provides greater flexibility for
application.

The voice quality provided by g729r8 and g729a is similar to that of 32 kbps adaptive differential
pulse code modulation (ADPCM), that is, toll quality. These codecs also feature low bandwidth, low
delay, and medium processing complexity, and therefore have a wide field of application.

Table 213 Relationship between algorithms and bandwidth

Codec | Bandwidth | Voice quality
G.711 (A-law and μ-law) | 64 kbps (without compression) | Best
G.726 | 16, 24, 32, 40 kbps | Good
G.729 | 8 kbps | Good
G.723 r63 | 6.3 kbps | Fair
G.723 r53 | 5.3 kbps | Fair

Actual network bandwidth is related to packet assembly interval and network structure. The longer the
packet assembly interval is, the closer the network bandwidth is to the media stream bandwidth. More
headers consume more bandwidth. A longer packet assembly interval results in a longer fixed coding
latency.
The following tables show the relevant packet assembly parameters without IP header compression
(IPHC), including packet assembly interval, bytes coded in a time unit, and network bandwidth. Thus,
you can choose a suitable codec algorithm according to idle and busy status of the line and network
situations more conveniently.
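The relationship between packet assembly interval, packet length and network bandwidth, as an added example that is not part of the guide. It recomputes the table columns for codecs whose coded bytes follow directly from the bit rate (G.711, G.726, G.729), cross-checks rows copied from Table 217 against packet length × 8 / interval, and picks the shortest interval that fits a link; the 40-byte and 6-byte overheads are read off the guide's tables, and all function names are hypothetical.

```python
"""Added example: recompute the packet assembly tables and cross-check printed cells."""

IP_OVERHEAD = 40    # bytes; packet length (IP) minus coded bytes in the guide's tables
PPP_OVERHEAD = 6    # bytes; packet length (IP+PPP) minus packet length (IP)

# Rows copied from Table 217 (G.726 r16): interval in ms, kbps (IP), kbps (IP+PPP).
TABLE_217 = [
    (10, 48, 52.8), (20, 32, 34.4), (30, 26.7, 28.3), (40, 24, 22.1),
    (50, 22.4, 23.4), (60, 21.3, 11.4), (70, 20.6, 21.3), (80, 20, 20.6),
    (90, 19.5, 20.1), (100, 19.2, 19.7), (110, 18.9, 19.3),
]


def assembly_row(codec_kbps, interval_ms, l2_overhead=0):
    """Return (coded_bytes, packet_length_bytes, network_kbps) for one interval."""
    coded = codec_kbps * interval_ms / 8             # kbit/s * ms = bits, / 8 = bytes
    length = coded + IP_OVERHEAD + l2_overhead
    return coded, length, length * 8 / interval_ms   # bits per ms equals kbps


def audit(codec_kbps, rows, tol=0.1):
    """List printed cells that differ from the recomputed value by more than tol kbps.

    Each entry is (interval_ms, column, printed_kbps, recomputed_kbps).
    """
    issues = []
    for interval, ip_kbps, ppp_kbps in rows:
        for column, printed, l2 in (("IP", ip_kbps, 0), ("IP+PPP", ppp_kbps, PPP_OVERHEAD)):
            computed = assembly_row(codec_kbps, interval, l2)[2]
            if abs(computed - printed) > tol:
                issues.append((interval, column, printed, round(computed, 1)))
    return issues


def shortest_interval(codec_kbps, link_kbps, calls, l2_overhead=PPP_OVERHEAD,
                      step_ms=10, max_ms=150):
    """Shortest interval (lowest coding latency) at which `calls` streams fit the link.

    Returns None when no interval up to max_ms fits.
    """
    for interval in range(step_ms, max_ms + 1, step_ms):
        per_call = assembly_row(codec_kbps, interval, l2_overhead)[2]
        if calls * per_call <= link_kbps:
            return interval
    return None


if __name__ == "__main__":
    print("G.711, 20 ms over PPP:", assembly_row(64, 20, PPP_OVERHEAD))
    for issue in audit(16, TABLE_217):
        print("check printed cell:", issue)
    print("G.729, 8 calls on a 128 kbps PPP link:", shortest_interval(8, 128, 8), "ms")
```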


Table 214 G.711 algorithm (A-law and μ-law)

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms | 80 | 120 | 96 kbps | 126 | 100.8 kbps | 10 ms
20 ms | 160 | 200 | 80 kbps | 206 | 82.4 kbps | 20 ms
30 ms | 240 | 280 | 74.7 kbps | 286 | 76.3 kbps | 30 ms

G.711 algorithm (A-law and μ-law): media stream bandwidth 64 kbps, minimum packet assembly interval 10
ms.

Table 215 G.723 r63 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
30 ms | 24 | 64 | 16.8 kbps | 70 | 18.4 kbps | 30 ms
60 ms | 48 | 88 | 11.6 kbps | 94 | 12.3 kbps | 60 ms
90 ms | 72 | 112 | 9.8 kbps | 118 | 10.3 kbps | 90 ms
120 ms | 96 | 136 | 9.1 kbps | 142 | 9.5 kbps | 120 ms
150 ms | 120 | 160 | 8.5 kbps | 166 | 8.9 kbps | 150 ms
180 ms | 144 | 184 | 8.2 kbps | 190 | 8.4 kbps | 180 ms

G.723 r63 algorithm: media stream bandwidth 6.3 kbps, minimum packet assembly interval 30 ms.

Table 216 G.723 r53 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
30 ms | 20 | 60 | 15.9 kbps | 66 | 17.5 kbps | 30 ms
60 ms | 40 | 80 | 10.6 kbps | 86 | 11.4 kbps | 60 ms
90 ms | 60 | 100 | 8.8 kbps | 106 | 9.3 kbps | 90 ms
120 ms | 80 | 120 | 8 kbps | 126 | 8.4 kbps | 120 ms
150 ms | 100 | 140 | 7.5 kbps | 146 | 7.8 kbps | 150 ms
180 ms | 120 | 160 | 7.1 kbps | 166 | 7.4 kbps | 180 ms

G.723 r53 algorithm: media stream bandwidth 5.3 kbps, minimum packet assembly interval 30 ms.

Table 217 G.726 r16 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms | 20 | 60 | 48 kbps | 66 | 52.8 kbps | 10 ms
20 ms | 40 | 80 | 32 kbps | 86 | 34.4 kbps | 20 ms
30 ms | 60 | 100 | 26.7 kbps | 106 | 28.3 kbps | 30 ms
40 ms | 80 | 120 | 24 kbps | 126 | 22.1 kbps | 40 ms
50 ms | 100 | 140 | 22.4 kbps | 146 | 23.4 kbps | 50 ms
60 ms | 120 | 160 | 21.3 kbps | 166 | 11.4 kbps | 60 ms
70 ms | 140 | 180 | 20.6 kbps | 186 | 21.3 kbps | 70 ms
80 ms | 160 | 200 | 20 kbps | 206 | 20.6 kbps | 80 ms
90 ms | 180 | 220 | 19.5 kbps | 226 | 20.1 kbps | 90 ms
100 ms | 200 | 240 | 19.2 kbps | 246 | 19.7 kbps | 100 ms
110 ms | 220 | 260 | 18.9 kbps | 266 | 19.3 kbps | 110 ms

G.726 r16 algorithm: media stream bandwidth 16 kbps, minimum packet assembly interval 10 ms.

Table 218 G.726 r24 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms | 30 | 70 | 56 kbps | 76 | 60.8 kbps | 10 ms
20 ms | 60 | 100 | 40 kbps | 106 | 42.4 kbps | 20 ms
30 ms | 90 | 130 | 34.7 kbps | 136 | 36.3 kbps | 30 ms
40 ms | 120 | 160 | 32 kbps | 166 | 33.2 kbps | 40 ms
50 ms | 150 | 190 | 30.4 kbps | 196 | 31.2 kbps | 50 ms
60 ms | 180 | 220 | 29.3 kbps | 226 | 30.1 kbps | 60 ms
70 ms | 210 | 250 | 28.6 kbps | 256 | 29.3 kbps | 70 ms

G.726 r24 algorithm: media stream bandwidth 24 kbps, minimum packet assembly interval 10 ms.

Table 219 G.726 r32 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 40 | 80 | 64 kbps | 86 | 68.8 kbps | 10 ms |
| 20 ms | 80 | 120 | 48 kbps | 126 | 50.4 kbps | 20 ms |
| 30 ms | 120 | 160 | 42.7 kbps | 166 | 44.3 kbps | 30 ms |
| 40 ms | 160 | 200 | 40 kbps | 206 | 41.2 kbps | 40 ms |
| 50 ms | 200 | 240 | 38.4 kbps | 246 | 39.4 kbps | 50 ms |

G.726 r32 algorithm: media stream bandwidth 32 kbps, minimum packet assembly interval 10 ms.

Table 220 G.726 r40 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 50 | 90 | 72 kbps | 96 | 76.8 kbps | 10 ms |
| 20 ms | 100 | 140 | 56 kbps | 146 | 58.4 kbps | 20 ms |
| 30 ms | 150 | 190 | 50.7 kbps | 196 | 52.3 kbps | 30 ms |
| 40 ms | 200 | 240 | 48 kbps | 246 | 49.2 kbps | 40 ms |

G.726 r40 algorithm: media stream bandwidth 40 kbps, minimum packet assembly interval 10 ms.

Table 221 G.729 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 10 | 50 | 40 kbps | 56 | 44.8 kbps | 10 ms |
| 20 ms | 20 | 60 | 24 kbps | 66 | 26.4 kbps | 20 ms |
| 30 ms | 30 | 70 | 18.7 kbps | 76 | 20.3 kbps | 30 ms |
| 40 ms | 40 | 80 | 16 kbps | 86 | 17.2 kbps | 40 ms |
| 50 ms | 50 | 90 | 14.4 kbps | 96 | 15.4 kbps | 50 ms |
| 60 ms | 60 | 100 | 13.3 kbps | 106 | 14.1 kbps | 60 ms |
| 70 ms | 70 | 110 | 12.6 kbps | 116 | 13.3 kbps | 70 ms |
| 80 ms | 80 | 120 | 12 kbps | 126 | 12.6 kbps | 80 ms |
| 90 ms | 90 | 130 | 11.6 kbps | 136 | 12.1 kbps | 90 ms |
| 100 ms | 100 | 140 | 11.2 kbps | 146 | 11.7 kbps | 100 ms |
| 110 ms | 110 | 150 | 10.9 kbps | 156 | 11.3 kbps | 110 ms |
| 120 ms | 120 | 160 | 10.7 kbps | 166 | 11.1 kbps | 120 ms |
| 130 ms | 130 | 170 | 10.5 kbps | 176 | 10.8 kbps | 130 ms |
| 140 ms | 140 | 180 | 10.3 kbps | 186 | 10.6 kbps | 140 ms |
| 150 ms | 150 | 190 | 10.1 kbps | 196 | 10.5 kbps | 150 ms |
| 160 ms | 160 | 200 | 10 kbps | 206 | 10.3 kbps | 160 ms |
| 170 ms | 170 | 210 | 9.9 kbps | 216 | 10.2 kbps | 170 ms |
| 180 ms | 180 | 220 | 9.8 kbps | 226 | 10 kbps | 180 ms |

G.729 algorithm: media stream bandwidth 8 kbps, minimum packet assembly interval 10 ms.

NOTE:
The packet assembly interval is the duration to encapsulate information into a voice packet.
Bytes coded in a time unit = packet assembly interval × media stream bandwidth.
Packet length (IP) = IP header + RTP header + UDP header + voice information length = 20+12+8+data.
Packet length (IP+PPP) = PPP header + IP header + RTP header + UDP header + voice information length = 6+20+12+8+data.
Network bandwidth = Bandwidth of the media stream × packet length/bytes coded in a time unit.

Because IPHC compression is affected significantly by network stability, it cannot achieve high efficiency
unless the line is of high quality, the network is very stable, and packet loss does not occur or seldom
occurs. When the network is unstable, IPHC efficiency drops drastically. With best IPHC performance,
the IP (RTP) header can be compressed to 2 bytes. If the PPP header is compressed at the same time, a
great deal of media stream bandwidth can be saved. The following table shows the best IPHC
compression efficiency of codec algorithms with a packet assembly interval of 30 milliseconds.
Table 222 Compression efficiency of IPHC+PPP header

| Codec | Bytes coded in a time unit | Packet length (IP+PPP) (bytes), before compression | Network bandwidth (IP+PPP), before compression | Packet length (IP+PPP) (bytes), after IPHC+PPP compression | Network bandwidth (IP+PPP), after IPHC+PPP compression |
|---|---|---|---|---|---|
| G.729 | 30 | 76 | 20.3 kbps | 34 | 9.1 kbps |
| G.723r63 | 24 | 70 | 18.4 kbps | 28 | 7.4 kbps |
| G.723r53 | 20 | 66 | 17.5 kbps | 24 | 6.4 kbps |
| G.726r16 | 60 | 106 | 28.3 kbps | 64 | 17.1 kbps |
| G.726r24 | 90 | 136 | 17.5 kbps | 94 | 25.1 kbps |
| G.726r32 | 120 | 166 | 44.3 kbps | 124 | 33.1 kbps |
| G.726r40 | 150 | 196 | 52.3 kbps | 154 | 41.1 kbps |
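
The formulas in the NOTE above, applied to the codecs of Table 222, as an added example that is not part of the H3C guide. The function names are hypothetical, the 4-byte header total after IPHC+PPP compression is inferred from Table 222 (a 34-byte packet for a 30-byte payload) rather than stated in the text, and payloads are rounded up to whole bytes.

```python
# Media stream bandwidth in bit/s for the codecs listed in Table 222.
MEDIA_BPS = {
    "G.729": 8000,
    "G.723r63": 6300,
    "G.723r53": 5300,
    "G.726r16": 16000,
    "G.726r24": 24000,
    "G.726r32": 32000,
    "G.726r40": 40000,
}

# Header overhead in bytes, as given in the NOTE: IP 20 + RTP 12 + UDP 8, PPP 6.
HEADER_BYTES = {
    "ip": 20 + 12 + 8,
    "ip+ppp": 6 + 20 + 12 + 8,
    # Assumption: best-case total after IPHC+PPP compression, inferred from
    # Table 222 (34-byte packet minus 30-byte payload).
    "iphc+ppp": 4,
}


def voice_packet(codec, interval_ms, encapsulation):
    """Return (bytes coded, packet length in bytes, network bandwidth in kbps)."""
    if interval_ms <= 0:
        raise ValueError("packet assembly interval must be positive")
    bps = MEDIA_BPS[codec]
    # Bytes coded in a time unit = interval x media stream bandwidth,
    # rounded up to whole bytes (integer ceiling division).
    payload = -(-bps * interval_ms // 8000)
    packet = HEADER_BYTES[encapsulation] + payload
    # Network bandwidth = media bandwidth x packet length / bytes coded,
    # rounded half up to 0.1 kbps with integer arithmetic.
    tenths_kbps = (bps * packet + 50 * payload) // (100 * payload)
    return payload, packet, tenths_kbps / 10


def compression_table(interval_ms=30):
    """Before/after rows in the column order of Table 222."""
    rows = []
    for codec in MEDIA_BPS:
        payload, before_len, before_bw = voice_packet(codec, interval_ms, "ip+ppp")
        _, after_len, after_bw = voice_packet(codec, interval_ms, "iphc+ppp")
        rows.append((codec, payload, before_len, before_bw, after_len, after_bw))
    return rows


if __name__ == "__main__":
    for row in compression_table():
        print("%-9s %4d %4d %5.1f kbps %4d %5.1f kbps" % row)
```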

Other parameters
Other parameters are some optional parameters, such as number selection priority, dial prefix, called
number sending mode, and DTMF transmission mode. For the description of these parameters, see
Configuring other parameters of a local number and Configuring other parameters for a call route.

Configuring advanced settings of a local number


Configuring coding parameters of a local number
Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to enter the advanced settings configuration page.

Figure 533 Configure coding parameters of the local number

Table 223 Configuration items

| Item | Description |
|---|---|
| Codec with the First Priority | Specify a codec with the first priority. |
| Codec with the Second Priority | Specify a codec with the second priority. |
| Codec with the Third Priority | Specify a codec with the third priority. |
| Codec with the Lowest Priority | Specify a codec with the lowest priority. |

Specify the codecs and their priority levels. The available codecs are:

g711alaw: G.711 A-law codec (defining the pulse code modulation technology), requiring a bandwidth of 64 kbps, usually adopted in Europe.

g711ulaw: G.711 μ-law codec, requiring a bandwidth of 64 kbps, usually adopted in North America and Japan.

g723r53: G.723.1 Annex A codec, requiring a bandwidth of 5.3 kbps.

g723r63: G.723.1 Annex A codec, requiring a bandwidth of 6.3 kbps.

g726r16: G.726 Annex A codec. It uses the ADPCM technology, requiring a bandwidth of 16 kbps.

g726r24: G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 24 kbps.

g726r32: G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 32 kbps.

g726r40: G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 40 kbps.

g729a: G.729 Annex A codec (a simplified version of G.729), requiring a bandwidth of 8 kbps.

g729br8: G.729 Annex B (the voice compression technology using conjugate algebraic-code-excited linear-prediction), requiring a bandwidth of 8 kbps.

g729r8: G.729 (the voice compression technology using conjugate algebraic-code-excited linear-prediction), requiring a bandwidth of 8 kbps.

| Item | Description |
|---|---|
| Packet Assembly Interval of G711 | Packet assembly interval for g711alaw and g711ulaw codecs. |
| Packet Assembly Interval of G723 | Packet assembly interval for g723r53 and g723r63 codecs. |
| Packet Assembly Interval of G726r16 | Packet assembly interval for g726r16 codec. |
| Packet Assembly Interval of G726r24 | Packet assembly interval for g726r24 codec. |
| Packet Assembly Interval of G726r32 | Packet assembly interval for g726r32 codec. |
| Packet Assembly Interval of G726r40 | Packet assembly interval for g726r40 codec. |
| Packet Assembly Interval of G729 | Packet assembly interval for g729r8, g729br8, and g729a codecs. |

NOTE:
Two communication parties can communicate normally only if they share some identical
coding/decoding algorithms. If the codec algorithms of two connected devices are inconsistent, or the
two devices share no common coding/decoding algorithms, the call fails.

Configuring other parameters of a local number


Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to enter the advanced settings configuration page.

Figure 534 Configure other parameters of the local number

Table 224 Configuration items

| Item | Option | Description |
|---|---|---|
| Number Selection Priority | | Set the priority of the local number. The smaller the value, the higher the priority. |
| Dial Prefix | | Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out. |
| Called Number Sending Mode | Send a Truncated Called Number | Send a truncated called number. |
| Called Number Sending Mode | Send All Digits of a Called Number | Send all digits of a called number. |
| Called Number Sending Mode | Send Certain Number of Digits | Send a certain number of digits (that are extracted from the end of a number) of a called number. The specified value should not be greater than the total number of digits of the called number. |
| DTMF Transmission Mode | In-band Transmission | Specify the in-band SIP DTMF transmission mode. |
| DTMF Transmission Mode | Out-of-band Transmission | Specify the out-of-band SIP DTMF transmission mode. |
| DTMF Transmission Mode | RFC2833 | Adopt DTMF named telephone event (NTE) transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets. |
| DSCP Field Value | Pre-defined | Set the DSCP value in the ToS field in the IP packets that carry the RTP stream. |
| DSCP Field Value | Customized | Input the customized DSCP value in the Customized text box. |
| VAD | Enable, Disable | Voice activity detection (VAD) discriminates between silence and speech on a voice connection according to signal energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can save the transmission bandwidth by 50%. By default, VAD is disabled. |

Configuring advanced settings of a call route


Configuring coding parameters of a call route
Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to enter the advanced settings configuration page.

Figure 535 Configure coding parameters of the call route

For coding parameters configuration items of the call route, see Table 224.

Configuring other parameters for a call route


Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to enter the advanced settings configuration page.

Figure 536 Configure other parameters of the call route

For the configuration items of other parameters of the call route, see Table 224 and Table 225.
Table 225 Configuration items

| Item | Description |
|---|---|
| Call Route Selection Priority | Set the priority of the call route. The smaller the value, the higher the priority. |
| The Local End Plays Ringback Tone | Enable or Disable. By default, the remote end instead of the local end plays ringback tones. |

Advanced settings configuration example


Configuring out-of-band DTMF transmission mode for SIP
Network requirements
Two routers work as SIP UAs. After establishing a call connection, the calling and called parties adopt
DTMF SIP out-of-band transmission to make the transmission of DTMF digits more reliable.
Figure 537 Network diagram for configuring out-of-band DTMF transmission for SIP

Configuration procedure
1. Configure voice basic calling settings.

For detailed configuration, see Configuring direct calling for SIP UAs through the SIP protocol
(configuring static IP address).

2. Configure out-of-band DTMF transmission mode for SIP.

# Configure the out-of-band DTMF transmission mode on Router A for the call route.
Select Voice Management > Call Route from the navigation tree, find call route 2222 in the list, and click
its icon to enter its advanced settings page.
Figure 538 Configure out-of-band DTMF transmission mode

Select Out-of-band Transmission for DTMF Transmission Mode.

Click Apply.

# Configure out-of-band DTMF transmission mode on Router B for the local number.
Select Voice Management > Local Number from the navigation tree, find local number 2222 in the list,
and click its icon to enter the advanced settings page.
Figure 539 Configure out-of-band DTMF transmission mode

Select Out-of-band Transmission for DTMF Transmission Mode.

Click Apply.

Configuration verification
After a call connection is established, if one side presses the telephone keys, the DTMF digits are
transmitted to the other side using out of band signaling, and the other side hears short DTMF tones from
the handset.

SIP2SIP call settings


Configuring codec transparent transmission
Select Voice Management > Call Route from the navigation tree, and click the icon of the target route
to enter the following page.

Figure 540 SIP-to-SIP Connections

Table 226 Configuration items

| Item | Description |
|---|---|
| Codec Transparent | Enable or disable codec transparent transmission. If the SIP trunk device does not support the codecs supported by the calling and called parties, you can enable codec transparent transmission so that the SIP trunk device transparently transmits codec capability sets between the two parties to complete codec negotiation. By default, codec transparent transmission is disabled, and the SIP trunk device participates in media negotiation between two parties. Note: This option takes effect only for public-to-private call routes. To enable this function for private-to-public call routes, perform the configuration in Voice Management > SIP Trunk Management > Call Route. For related configuration information, see the chapter SIP trunk configuration. |

Dial plan
Dial plan overview
As VoIP is applied more widely, more requirements are placed on dial plans. A desired dial plan should be
flexible, reasonable and operable, and should help a voice gateway manage numbers in a unified
way, making number management more convenient and reasonable.
The dial plan process on the calling side differs from that on the called side. The following sections
describe the two processes.

Dial plan process


On the calling side
Figure 541 shows the dial plan operation process on the calling side.
Figure 541 Flow chart for dial plan operation process on the calling side

1. The voice gateway on the calling side replaces the calling and called numbers according to the
number substitution rule on the receiving line.

2. The voice gateway performs global number substitution.

3. The gateway selects proper numbers based on the local number or call route selection priority rules
and replaces the calling and called numbers.

4. The gateway initiates a call to the called side and sends the calling and called numbers.

On the called side


Figure 542 shows the dial plan operation process on the called side.
Figure 542 Flow chart for dial plan operation process on the called side

1. After receiving a voice call (the called number), the voice gateway on the called side performs
global calling/called number substitution.

2. The voice gateway on the called side selects proper local numbers or call routes based on the local
number or call route selection priority rules. (Number substitution may also be involved during the
local number or call route selection.) If the called party is a local number, the gateway directly
connects the line. If the called party is a PSTN subscriber, the gateway initiates a call and sends the
calling and called numbers to the PSTN. The PBX in the PSTN connects the call.

Regular expression
You will frequently use some regular expressions when configuring number substitution rules. Regular
expressions are a powerful and flexible tool for pattern matching and substitution. They are not restricted
to a language or system and have been widely accepted.
When using a regular expression, you need to construct a matching pattern according to certain rules,
and then compare the matching pattern with the target object. The simplest regular expressions do not
contain any meta-character. For example, you can specify a regular expression hello, which only
matches the string hello.
To help you construct matching patterns flexibly, regular expressions support some special characters,
called meta-characters, which define the way other characters appear in the target object.

Table 227 Meta-characters

| Meta-character | Meaning |
|---|---|
| 0-9 | Digits 0 through 9. |
| # and * | Each indicates a valid digit. |
| . | Wildcard, which can match any valid digit. For example, 555.... can match any number beginning with 555 and ending in four additional characters. |
| - | Hyphen (connecting element), used to connect two numbers (the smaller comes before the larger) to indicate a range of numbers, for example, 1-9 inclusive. |
| [] | Delimits a range for matching. It can be used together with signs such as !, %, and +. For example, [235-9] indicates one number of 2, 3, and 5 through 9. |
| () | Indicates a sub-expression. For example, (086) indicates the character string 086. It is usually used together with signs such as !, %, and +. For example, (086)!010 can match two character strings 010 and 086010. |
| ! | A control character, indicating that the sub-expression before it appears once or does not appear. For example, (010)!12345678 can match 12345678 and 01012345678. |
| + | A control character, indicating that the sub-expression before it appears one or more times. However, if a calling number starts with the plus sign, the sign itself does not have special meanings, and only indicates that the following is an effective number and the whole number is E.164-compliant. For example, 9876(54)+ can match 987654, 98765454, 9876545454, and so on, and +110022 is an E.164-compliant number. |
| % | A control character, indicating that the sub-expression before it appears multiple times or does not appear. For example, 9876(54)% can match 9876, 987654, 98765454, 9876545454, and so on. |

NOTE:
The sub-expression (one digit or digit string) before a control character such as !, +, and % can appear
for the times indicated by the control character. For example, (100)+ can match 100, 100100,
100100100, and so on. Once any number of them is matched, the match is considered an exact match.
In the longest match mode, the voice gateway will ignore subsequent digits dialed by the subscriber after
an exact match. (For the case that the gateway needs to wait for subscribers to continue dialing after an
exact match, refer to the T mode.)
The characters (\) and (|) are mainly used in regular expressions and cannot be used as common
characters. The character (\) is an escape character. If you want a control character to represent itself,
you need to add the escape character (\) before it. For example, (\+) represents the character (+) itself
because (+) is a control character in regular expressions. The character (|) means that the current
character (string) is the character (string) on either the left or the right. For example, 0860108888|T
means that the current character string is either 0860108888 or T.
T mode: If the character T is in the number set in a local number or call route, it means that the voice
gateway should wait for more digits until the number exceeds the maximum length or the dial timer
expires.
If a number starts with the plus sign (+), note the following when you use it on a trunk: The E&M, R2, and
LGS signaling uses DTMF, and as the plus sign (+) does not have a corresponding audio, the number
cannot be transmitted to the called side successfully. While the DSS1 signaling uses ISDN, the above
problem does not exist. Therefore, you should avoid using a number that cannot be identified by the
signaling itself; otherwise, the call will fail.
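
The meta-characters of Table 227 and the escape and alternation characters from the NOTE map onto ordinary regular-expression syntax, so a pattern can be checked against sample numbers before it is applied to a local number or call route. The following is an added example, not H3C code: the function names are hypothetical, and treating T as "any further valid digits" is an assumption made for matching complete dialed strings.

```python
import re

VALID_DIGIT = "[0-9#*]"  # Table 227: 0-9, # and * are the valid digits


def to_python_regex(pattern):
    """Translate a dial-plan pattern into an equivalent Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":  # escape character: the next character stands for itself
            if i + 1 == len(pattern):
                raise ValueError("dangling escape character")
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "[":  # range such as [235-9]
            end = pattern.find("]", i)
            body = pattern[i + 1:end] if end != -1 else ""
            if not body or any(c not in "0123456789-#*" for c in body):
                raise ValueError("bad range at offset %d" % i)
            out.append("[" + body + "]")
            i = end + 1
            continue
        if ch in "0123456789#*":
            out.append(re.escape(ch))  # literal valid digit
        elif ch == ".":
            out.append(VALID_DIGIT)  # wildcard for one valid digit
        elif ch == "!":
            out.append("?")  # once or not at all
        elif ch == "%":
            out.append("*")  # zero or more times
        elif ch == "+":
            # A leading plus sign marks an E.164 number and is literal.
            out.append(r"\+" if i == 0 else "+")
        elif ch == "(":
            out.append("(?:")  # sub-expression
        elif ch in ")|":
            out.append(ch)
        elif ch == "T":
            out.append(VALID_DIGIT + "*")  # assumption: T admits further digits
        else:
            raise ValueError("unsupported character %r at offset %d" % (ch, i))
        i += 1
    return "".join(out)


def matches(pattern, dialed):
    """True if the whole dialed string is matched by the dial-plan pattern."""
    try:
        compiled = re.compile(to_python_regex(pattern))
    except re.error as exc:
        raise ValueError("invalid dial-plan pattern %r: %s" % (pattern, exc)) from exc
    return compiled.fullmatch(dialed) is not None


def admitting_patterns(patterns, dialed):
    """Return the patterns (for example, configured call routes) that admit a number."""
    return [p for p in patterns if matches(p, dialed)]


if __name__ == "__main__":
    # Constructed sample patterns; the numbers are taken from the page's examples.
    routes = ["0106688", "01066880011", "010....T"]
    print(admitting_patterns(routes, "01066880011"))
    print(to_python_regex("(086)!010"))
```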
Introduction to dial plan functions


Number match
Dial terminator
In areas where variable-length numbers are used, you can specify a character as the dial terminator so
that the voice gateway can dial out the number before the dialing interval expires. The dial terminator
identifies the end of a dialing process, and a call connection will be established based on the received
digits when the dial terminator is received: The voice gateway will not wait for further digits even if the
longest match mode has been globally configured.

Maximum number of local numbers or call routes found before a search process stops
This function enables you to define the maximum number of qualified local numbers or call routes to be
found before a search process stops. Even if the number of local numbers or call routes meeting call
requirements is greater than the defined maximum number, the system will match against the local
numbers or call routes that are found in the search according to the configured maximum number.

Number match mode


You can specify a match mode, either longest match or shortest match.
For example, you have configured two destination numbers 0106688 and 01066880011 on the device
respectively.
When a subscriber dials 01066880011:

If the device is configured to use the shortest match mode, the dialed number will match 0106688.
Namely, the device will establish a call connection to 0106688 at the remote end, without
processing the last four digits 0011.

If the device is configured to use the longest match mode, the dialed number will match
01066880011. Namely, the device will establish a call connection to 01066880011 at the remote
end.

When a subscriber dials 0106688:

If the device is configured to use the shortest match mode, it will match 0106688.

If the device is configured to use the longest match mode, it will wait for further digits. After the dial
timer expires, the device will ignore the configured longest match mode and automatically use
shortest match mode to establish a call connection.

When a subscriber dials 0106688#, if you configure the longest match mode and a dial terminator of
# on the device, the device will as well ignore the configured longest match mode and use shortest
match mode to establish a call connection.

Number match policy


A number match policy can be in either service-first mode or number-first mode.
If the number-first mode is applied, a dialed number will match first against numbers and then local
service numbers or the service feature codes (when the service feature switch is enabled). For example,
if a local service feature number is *40*1234 and the number *40 is configured for a local number or
call route, *40*1234 dialed by a subscriber will first match the number *40 (*40 is dialed out as the
called number), and the local service corresponding to the local service code *40*1234 will not be
triggered.
Entity type selection priority rules


You can configure the priorities for different types of entities. When multiple local numbers or call routes
are qualified for a call connection, the system selects a suitable local number or call route whose entity
type has the highest priority.

Match order of number selection rules


You can configure the match order of local number or call route selection rules. The system selects a local
number or call route according to the configured rules, which include exact match, priority, random
selection, and longest idle time.
The match order of rules determines the application sequence of the rules:

If there are multiple rules, the system first selects a local number or call route according to the first
rule.

If the first rule cannot decide which local number or call route should be selected, the system applies
the second rule. If the second rule still cannot decide a local number or call route, the system applies
the third rule.

If all the rules cannot decide which local number or call route should be selected, the system selects
a local number or call route with the smallest ID.

After the random selection rule is applied, there will be no local number or call route selection
conflict. Therefore, the random selection rule can only serve as a rule with the lowest priority or
serve as a unique rule separately.

Call control
Call authority control
To configure call authority control, you can assign subscriber numbers to a number group, and then bind
the group, which has authorities configured, to a local number or call route.
When a subscriber originates a call that matches a local number or call route that is bound to a
number group, the system compares the calling number with each number in the number group. If a
match is found, the call is permitted; otherwise, the system finds the next matching local number or
call route until the call is permitted or denied. For related configuration of this function, see
Configuring a number group.

Maximum-call-connection set
You can limit the total call connections for local numbers or call routes according to the network scale to
control communication traffic. After you bind a local number or call route to a maximum-call-connection
set, the number of call connections of the local number or call route is restricted.

Number substitution
A number substitution rule list defines some number substitution methods. It can be used wherever
number substitution is necessary. There is no limitation on where and how many times it is used. Therefore,
a number substitution rule list may be bound globally and bound to different local numbers/call routes
and lines.
The characteristics of global calling/called number substitution or calling/called number substitution on
local numbers/call routes and lines are as follows:

Global number substitution: The voice gateway substitutes calling and called numbers of all
incoming and outgoing calls according to the number substitution rules configured in dial program
view. Multiple number substitution rule lists can be bound for global calling and called number
substitution of incoming and outgoing calls. If there is no match in the first number substitution rule
list, the voice gateway will match against other number substitution rule lists.

Number substitution on local numbers or call routes: The voice gateway substitutes the calling and
called numbers based on the number substitution rule lists bound to local numbers or call routes.

Number substitution on a specific line: The voice gateway substitutes the calling and called
numbers of incoming calls based on the number substitution rules configured on the receiving line.

Configuring dial plan


Configuring number match
Select Voice Management > Dial Plan > Number Match from the navigation tree to enter the number
match configuration page, as shown in Figure 543.
Figure 543 Number match configuration page

Table 228 Configuration items

| Item | Description |
|---|---|
| Dial Terminator | Configure a special character as the dial terminator for length-variable telephone numbers. Note that if you set the argument character to # or *, and if the first character of the configured local number or call route is the same as the argument character (# or *), the device will take this first character as a common number rather than a dial terminator. By default, no dial terminator is configured. |
| Max Count of Numbers Found before Search Stops | Set the maximum number of local numbers or call routes found before a search process stops. |
| Number Match Mode | Longest Number Match: Matches the longest number. Shortest Number Match: Matches the shortest number. By default, the shortest-number match mode is adopted. |
| Number Match Policy | Service first or Number first. |
| Select Based on Voice Entity Type, Selection Sequence | If you select the Enable radio button, the sequence of the voice entities in the Selection Sequence box determines the match order. You can click the Up and Down buttons to move a voice entity. By default, entities are not selected by type. At present, the Web interface does not support the configuration of VoFR entities. |
| First Rule in the Match Order, Second Rule in the Match Order, Third Rule in the Match Order | Exact match: The more digits of a digit string are matched from left to right, the higher the precision is. The system stops using the rule once a digit cannot be matched uniquely. Priority: Number priorities are divided into 11 levels numbered from 0 to 10. The smaller the value is, the higher the priority is. That means level 0 has the highest priority. Random selection: The system selects at random a number from a set of qualified numbers. After the random selection rule is applied, there will be no number selection conflict. The random selection rule can only serve as a rule with the lowest priority or serve as a unique rule separately. Longest idle time: The longer the voice entity is idle, the higher the priority is. You can select one to three rules to form a sequence. The voice gateway will first select a number according to the first rule. If the voice gateway fails to decide which number should be selected according to the first rule, it will apply the second rule, and so on. By default, the match order of rules for the number selection is exact match-> priority-> random selection. |

Configuring call control


Configuring a number group
Follow these steps to configure call control:
Step 1: Configure a number group and numbers in the group.

Step 2: Bind the local numbers, call routes, or IVR numbers to the number group.

2. Add a number group

Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to enter the
number group page, as shown in Figure 544.
Figure 544 Number group page

Click Add to enter the number group configuration page, as shown in Figure 545.
Figure 545 Number group configuration page

Table 229 Configuration items

| Item | Description |
|---|---|
| Group ID | ID of the number group |
| Description | Description of the number group |
| Numbers in the Group, Add | Input subscriber numbers to be added into the group in the text box. You can add a number by clicking Add. |

3. Bind local numbers to the call number group

Click Not Bound in the Local Numbers Bound column to enter the local call number binding page as
shown in Figure 546.
Figure 546 Local number binding page

Table 230 Configuration items

| Item | Description |
|---|---|
| Binding Mode | Permit the calls from the number group, or Deny the calls from the number group |

Click the checkbox in front of the ID column, and then click Apply to complete local number binding.

NOTE:
A local number can be bound to multiple number groups in the same binding mode, that is, a local
number can either permit or deny the calls from bound number groups.
4. Bind call routes to the call number group

Click Not Bound in the Call Routes Bound column to enter the call route binding page.
The configuration of call route binding is similar to that of local number binding, and thus omitted here.
NOTE:
A call route can be bound to multiple number groups in the same binding mode, that is, a call route can
either permit or deny the calls from bound number groups.
5. Bind IVR numbers to the call number group

Click Not Bound in the IVR Numbers Bound column to enter the IVR number binding page.
The configuration of IVR number binding is similar to that of local number binding, and thus omitted here.

Configuring a max-call-connection set


Follow these steps to configure a max-call-connection set:
Step 1: Configure a max-call-connection set and specify the maximum number of call connections in this set.

Step 2: Bind the local numbers, call routes, or IVR numbers to the max-call-connection set.

2. Add a max-call-connection set

Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click
the Max-Call-Connection Set tab to enter the max-call-connection set configuration page, as shown in
Figure 547.
Figure 547 Max-call-connection set page

Click Add to enter the Max-Call-Connection Set Configuration page as shown in Figure 548.
Figure 548 Max-call-connection set configuration page

Table 231 Configuration items

| Item | Description |
|---|---|
| Connection Set ID | ID of the max-call-connection set |
| Max Number of Call Connections in the Set | Maximum number of call connections in the max-call-connection set |

3. Bind local numbers to a max-call-connection set

Click Not Bound in the Local Numbers Bound column to enter the local call number binding page shown
in Figure 549.
Figure 549 Local number binding page

Click the checkbox in front of the ID column, and then click Apply to complete local number binding.
4. Bind call routes to a max-call-connection set

Click Not Bound in the Call Routes Bound column to enter the call route binding page.
The configuration of call route binding is similar to that of local number binding, and thus omitted here.
5. Bind IVR numbers to a max-call-connection set

Click Not Bound in the IVR Numbers Bound column to enter the IVR number binding page.
The configuration of IVR number binding is similar to that of local number binding, and thus omitted here.

Configuring number substitution


Follow these steps to configure number substitution:
Step 1: Add a number substitution list.
Step 2: Bind a number substitution list to global, local numbers, call routes, or lines.

2. Add a number substitution list

Select Voice Management > Dial Plan > Number Substitution from the navigation tree to enter the
number substitution list page, as shown in Figure 550.


Figure 550 Number substitution list page

Click Add to enter the number substitution configuration page.


Figure 551 Number substitution configuration page

Table 232 Configuration items
Item | Description

Number Substitution Rule List ID | ID of the number substitution rule list

Dot Match Rule |
    End-Only: Reserves the digits to which all ending dots (.) in the input number correspond.
    Left-to-Right: Reserves from left to right the digits to which the dots in the input number correspond.
    Right-to-Left: Reserves from right to left the digits to which the dots in the input number correspond.
    By default, the dot match rule is End-Only.
    The dots here are virtual match digits. Virtual match digits refer to those matching the
    variable part such as ., +, %, !, and [] in a regular expression. For example, when
    1255 is matched with the regular expression 1[234]55, the virtual match digit is 2;
    when matched with the regular expression 125+, the virtual match digit is 5; and
    when matched with the regular expression 1..5, the virtual match digits are 25.

Rule ID | ID of the number substitution rule

Input Number | Input number involved in number substitution, in the format of [ ^ ] [ + ] input number
    [ $ ], up to 31 characters. The signs are explained as follows:
    ^: Caret. The match begins with the first character of a number string. That is, the
    device begins with the first character of the match string to match a user number.
    +: Plus sign. The sign itself does not have special meanings. It only indicates that the
    following string is an effective number and the number is E.164-compliant.
    $: Dollar sign. It indicates that the last character of the match string must be
    matched. That is, the last digit of a user number must match the last character of the
    match string.
    string: String consisting of characters such as 0 to 9, #, *, ., !, and %.

Output Number | Output involved in number substitution, in the format of ^(+)![0-9#*.]+$.

Input Number Type, Output Number Type | Types of the input number and output number involved in number substitution.

Input Numbering Plan, Output Numbering Plan | Input and output numbering plans involved in number substitution.

Applied First (only one rule can be applied first) | Set the preferred number substitution rule of the current number substitution rule list.
    In a voice call, the system first uses the preferred number substitution rule for number
    substitution. If this rule fails to apply or is not configured, it will try to apply all other
    rules in order until one or none of them applies.
    During a number substitution process, there may be multiple rules, but only one of
    them can be set as the preferred one. Moreover, the latest configuration will overwrite
    the previous one.
    By default, this function is disabled.

Add a Rule | Click this button to save the configured rule.

3. Bind a number substitution list to global, local numbers, call routes, or lines

Click Not Bound in the Global Binding, Local Numbers Bound, Call Routes Bound, or Bound Line column
to enter the corresponding binding page. The configurations of these bindings are similar to that of local
number binding in call control, and thus omitted here.


Dial plan configuration examples


Configuring number match mode
Network requirements
As shown in Figure 552, configure different number match modes for calls from Telephone A to
Telephone B and Telephone C.

Figure 552 Network diagram for number match mode configuration

Configuration procedure
1. Shortest number match

Configure Router A.

# Add a local number: specify the number ID as 1000, the number as 10001234$, and the bound line
as line 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and the
destination address as 1.1.1.2 on the call route configuration page.
# Add a call route: specify the call route ID as 2001, the destination number as 200012341234$,
and the destination address as 1.1.1.2 on the call route configuration page.

Configure Router B.

# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.
# Add a local number: specify the number ID as 2001, the number as 200012341234$, and the bound
line as 1/1 on the local number configuration page.
When you dial number 20001234 at Telephone A, the number 20001234 matches call route 2000, and
Telephone B is alerted because the device adopts the shortest match mode by default.
2. Longest number match

# Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree
to enter the number match configuration page, as shown in Figure 553.


Figure 553 Number match mode configuration page

Select Longest Number Match for Number Match Mode.

Click Apply.

After you dial number 20001234 at Telephone A and wait for some time (during this period, you can
continue dialing), the dialed number 20001234 matches call route 2000 and Telephone B is alerted.
If you continue to dial 1234 during that period, the dialed number 200012341234 matches call route
2001 and Telephone C is alerted.
3. Dial terminator

# Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree
to enter the dial terminator configuration page, as shown in Figure 554.
Figure 554 Dial terminator configuration page

Type # for Dial Terminator.

Click Apply.

After you dial 20001234# at Telephone A, the number immediately matches call route 2000 and
Telephone B is alerted.
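
The three behaviours above can be replayed offline. The following Python model is an added example, not H3C code: it assumes that a dot matches one digit, that $ ends the number, and that the end of the key sequence stands for the wait timer expiring; all function names are hypothetical.

```python
import re

# Router A's call routes from the example above: route ID -> destination number.
ROUTES = {2000: "20001234$", 2001: "200012341234$"}


def to_regex(pattern):
    """'.' stands for any single digit; a trailing '$' marks the end of the number."""
    body = pattern.rstrip("$")
    return re.compile("".join("[0-9]" if c == "." else re.escape(c) for c in body))


def matching_routes(dialed, routes):
    return [rid for rid, pat in routes.items() if to_regex(pat).fullmatch(dialed)]


def could_still_match(dialed, routes):
    """True if dialing more digits could reach a longer destination number."""
    for pat in routes.values():
        body = pat.rstrip("$")
        if len(body) > len(dialed) and to_regex(body[:len(dialed)]).fullmatch(dialed):
            return True
    return False


def dial(keys, mode="shortest", terminator=None, routes=ROUTES):
    """Feed key presses one at a time; return (route ID or None, digits collected).

    The end of `keys` models the caller stopping and the wait timer expiring.
    If several routes match the same digits, the first configured one is returned;
    choosing among them is the job of the number selection rules.
    """
    if mode not in ("shortest", "longest"):
        raise ValueError(f"unknown match mode: {mode}")
    dialed = ""
    for key in keys:
        if terminator is not None and key == terminator:
            break  # the dial terminator ends digit collection immediately
        dialed += key
        hits = matching_routes(dialed, routes)
        if hits and (mode == "shortest" or not could_still_match(dialed, routes)):
            return hits[0], dialed
    hits = matching_routes(dialed, routes)
    return (hits[0] if hits else None), dialed


def shadowed_routes(routes=ROUTES):
    """Routes a caller cannot reach in shortest-match mode.

    Checks one sample number per route (each '.' replaced by 0), so the result is
    exact only for routes without wildcards.
    """
    result = []
    for rid, pat in routes.items():
        sample = pat.rstrip("$").replace(".", "0")
        if dial(sample, mode="shortest", routes=routes)[0] != rid:
            result.append(rid)
    return result


if __name__ == "__main__":
    print(dial("200012341234"))                                   # shortest match
    print(dial("200012341234", mode="longest"))                   # longest match
    print(dial("20001234#1234", mode="longest", terminator="#"))  # dial terminator
    print(shadowed_routes())
```

In shortest-match mode the model never selects call route 2001, because route 2000 already matches after eight digits; running `shadowed_routes` over a dial plan lists such unreachable routes before the plan is deployed.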

Configuring the match order of number selection rules


Network requirements
As shown in Figure 555, configure different number selection rule match orders for calls from Telephone
A to Telephone B.
Figure 555 Network diagram for match order of number selection rules configuration

Configuration procedure
1. Configure Router A

# Add a local number: specify the number ID as 1000, the number as 10001234$, and the bound line
as 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and the
destination address as 1.1.1.2 on the call route configuration page.
# Configure call route selection priority
Select Voice Management > Call Route from the navigation tree to enter the call route list page. Find the
call route with the ID of 2000 in the list, and click its corresponding icon to enter the advanced setting
page.
Figure 556 Call route selection priority configuration page

Select 10 from the Call Route Selection Priority drop-down list.

Click Apply.

# Add a call route: specify the call route ID as 2001, the destination number as 2000123.$, and the
destination address as 1.1.1.2 on the call route configuration page.


Select Voice Management > Call Route from the navigation tree to enter the call route list page. Find the
call route with the ID of 2001 in the list, and click its corresponding icon to enter the advanced setting
page.
Figure 557 Call route selection priority configuration page

Select 5 from the Call Route Selection Priority drop-down list.

Click Apply.

# Add a call route: specify the call route ID as 2002, the destination number as 2000....$, and the
destination address as 1.1.1.2 on the call route configuration page.
2. Configure Router B

# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.
3. Configure the match order of number selection rules: the first rule is exact match, the second rule
is priority, and the third rule is random selection.

Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
enter the page for configuring the match order of number selection rules, as shown in Figure 558.


Figure 558 Match order of number selection rules configuration page

Select Exact Match from the First Rule in the Match Order drop-down list.

Select Priority from the Second Rule in the Match Order drop-down list.

Select Random Selection from the Third Rule in the Match Order drop-down list.

Click Apply.

After you dial number 20001234 at Telephone A, the number matches call route 2000.
4. Configure the match order of number selection rules as follows: the first rule is priority, the second
rule is exact match, and the third rule is random selection.

Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
enter the page for configuring the match order of number selection rules.
Figure 559 Match order of number selection rules configuration page

Select Priority from the First Rule in the Match Order drop-down list.

Select Exact Match from the Second Rule in the Match Order drop-down list.

Select Random Selection from the Third Rule in the Match Order drop-down list.

Click Apply.

After you dial number 20001234 at Telephone A, the number matches call route 2002.
5. Configure the number selection rule as random selection.

Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
enter the page for configuring the match order of number selection rules.
Figure 560 Match order of number selection rules configuration page

Select Random Selection from the First Rule in the Match Order drop-down list.

Click Apply.

After you dial number 20001234 at Telephone A, the number matches call route 2000, 2001, or 2002
at random.
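
The effect of the rule order can be reproduced with a small model. This Python sketch is an added example, not H3C code: it assumes that exactness means the fewest dot wildcards, that a smaller priority value is preferred, and that a route with no priority selected counts as 0 (assumptions chosen to agree with the results stated above); all names are hypothetical.

```python
import random
import re

# Router A's call routes from the example above: ID -> (destination number, priority).
# None means no priority was selected for the route. Treating that as 0, and a smaller
# value as more preferred, is an assumption made to agree with the stated results.
ROUTES = {
    2000: ("20001234$", 10),
    2001: ("2000123.$", 5),
    2002: ("2000....$", None),
}


def matches(pattern, number):
    """'.' stands for any single digit; the whole dialed number must match."""
    return re.fullmatch(pattern.rstrip("$").replace(".", "[0-9]"), number) is not None


def exact_match(cands, routes):
    """Keep the routes that pin the most digits, modelled as the fewest '.' wildcards."""
    fewest = min(routes[r][0].count(".") for r in cands)
    return [r for r in cands if routes[r][0].count(".") == fewest]


def priority(cands, routes):
    """Keep the routes with the most preferred (smallest) priority value."""
    best = min(routes[r][1] or 0 for r in cands)
    return [r for r in cands if (routes[r][1] or 0) == best]


def select_route(number, order, routes=ROUTES, rng=random):
    """Apply the selection rules in `order` until one candidate route remains."""
    cands = [r for r, (pat, _) in routes.items() if matches(pat, number)]
    for rule in order:
        if len(cands) <= 1:
            break
        if rule == "exact":
            cands = exact_match(cands, routes)
        elif rule == "priority":
            cands = priority(cands, routes)
        elif rule == "random":
            cands = [rng.choice(cands)]
        else:
            raise ValueError(f"unknown rule: {rule}")
    # If the rules leave a tie, this model returns the first configured route.
    return cands[0] if cands else None


if __name__ == "__main__":
    for order in (["exact", "priority", "random"],
                  ["priority", "exact", "random"],
                  ["random"]):
        print(order, "->", select_route("20001234", order))
```

Because call route 2002 has the widest pattern and the most preferred priority in this model, putting Priority first sends every eight-digit number beginning with 2000 to it.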

Configuring entity type selection priority rules


Network diagram
As shown in Figure 561, there are an IP connection and a PRI connection between Router A and Router
B. Configure different entity type selection priority rules for calls from Telephone A to Telephone B.
Figure 561 Network diagram for voice entity type selection priority rule configuration

Configuration procedure
1. Configure Router A

Select Voice Management > Digital Link Management from the navigation tree to enter the digital link list
page. Find the digital link VE1 5/0 in the list, and click its corresponding icon to enter the E1 parameters
configuration page.


Figure 562 E1 parameters configuration page

Select PRI Trunk Signaling for Working Mode.

Select Internal for TDM Clock Source. (Internal is the default setting)

Select Network Side Mode for ISDN Working Mode.

Click Apply.

# Add a local number: specify the number ID as 1000, the number as 10001234$, and the bound line
as 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 1001, the destination number as 20001234$, and the
trunk route line as 5/0:15 on the call route configuration page. In addition, you need to select the Send
All Digits of a Called Number radio button in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and the
destination address as 1.1.1.2 on the call route configuration page.
2. Configure Router B

Select Voice Management > Digital Link Management from the navigation tree to enter the digital link list
page. Find the digital link VE1 5/0 in the list, and click its corresponding icon to enter the E1 parameters
configuration page.
Figure 563 E1 parameters configuration page

Select PRI Trunk Signaling for Working Mode.

Select User Side Mode for ISDN Working Mode. (User Side Mode is the default setting)

Select Line for TDM Clock Source.

Click Apply.

# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.
3. Configure the system to first select VoIP entity.

Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
enter the number match configuration page.


Figure 564 Entity type selection priority rule configuration page (I)

Configure the order of the voice entities in the Selection Sequence box: the first is VOIP, the second
is POTS, the third is VoFR, and the last is IVR.

Click Apply.

After you dial 20001234 at Telephone A, the number will match call route 2000 (VoIP entity).
4. Configure the system to first select POTS entity.

Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
enter the number match configuration page.
Figure 565 Entity type selection priority rule configuration page (II)

Configure the order of the voice entities in the Selection Sequence box: the first is POTS, the second
is VOIP, the third is VoFR, and the last is IVR.

Click Apply.

After you dial 20001234 at Telephone A, the number will match call route 1001 (POTS entity).


Configuring call authority control


Network requirements
As shown in Figure 566, Router A, Router B, and Router C are located at place A, place B, and place C,
respectively, and they are all connected to the SIP server to allow subscribers to make SIP calls. When
VoIP links fail for some reason, PSTN links that provide backup for VoIP links can be automatically
brought up. It is required that subscribers at place A whose telephone numbers begin with 1100 can
originate calls to place B, while subscribers whose telephone numbers begin with 1200 can originate
calls to both place B and place C.
Figure 566 Network diagram for call authority control configuration

Configuration procedure
1. Configure Router A

# Configure two number groups.


Configure Router A. Select Voice Management > Dial Plan > Call Authority Control from the navigation
tree, and then click Add to enter the number group configuration page.
Figure 567 Number group configuration page


Type 1 for Group ID.

Type 1100.. for Numbers in the Group.

Click Add to add numbers into the group.

Click Apply.

Enter the number group configuration page again to add another number group:

Type 2 for Group ID.

Type 1200.. for Numbers in the Group.

Click Add to add numbers into the group.

Click Apply.

# Add a call route for place B: specify the call route ID as 2000, the destination number as 2..., and use
a proxy server for SIP routing on the call route configuration page.
# Create a call route for place C: specify the call route ID as 3000, the destination number as 3..., and use
a proxy server for SIP routing on the call route configuration page.
# Add a call route for place B: specify the call route ID as 2100, the destination number as 2, and trunk
route line as 5/0:15 on the call route configuration page. In addition, you need to select the Send All
Digits of a Called Number radio button in the Called Number Sending Mode area when you configure
the advanced settings of this call route.
# Add a call route for place C: specify the call route ID as 3100, the destination number as 3..., and
the trunk route line as 5/1:15 on the call route configuration page. In addition, you need to select the
Send All Digits of a Called Number radio button in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
# Bind a call route to number group 1 so that subscribers at place A whose telephone numbers begin
with 1100 can originate calls to place B.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to enter the page
as shown in Figure 568.
Figure 568 Binding call route configuration page (I)

Click Not Bound in the Call Routes Bound column to enter the call route binding page of number
group 1.

Figure 569 Call route binding page (I)

Select Permit the calls from the number group for Binding Mode.

Select the checkbox of call route 2100.

Click Apply.

# Bind call routes to number group 2 so that subscribers whose telephone numbers begin with 1200
can originate calls to both place B and place C.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to enter the page
as shown in Figure 570.
Figure 570 Binding call route configuration page (II)

Click Not Bound in the Call Routes Bound column to enter the call route binding page of number
group 2.

Figure 571 Call route binding page (II)

Select Permit the calls from the number group for Binding Mode.

Select the checkboxes of call routes 2100 and 3100.

Click Apply.

2. Configure Router B

# Add a call route: specify the call route ID as 2100, the destination number as 2, and the trunk route
line as 1/0:15 on the call route configuration page. In addition, you need to select the Send All Digits of
a Called Number radio button in the Called Number Sending Mode area when you configure the
advanced settings of this call route.
3. Configure Router C

# Add a call route: specify its call route ID as 3100, the destination number as 3..., and the trunk route
line as 1/0:15 on the call route configuration page. In addition, you need to select the Send All Digits of
a Called Number radio button in the Called Number Sending Mode area when you configure the
advanced settings of this call route.
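
Before such a policy goes live, it helps to check which callers each call route will accept. The following Python check is an added example, not H3C code: it models Router A's number groups and bindings from this example and assumes that a permit binding admits only callers in the bound groups, a deny binding rejects them, and a route with no binding is not restricted; all names are hypothetical.

```python
import re

# Constructed model of Router A's configuration in the example above.
NUMBER_GROUPS = {1: ["1100.."], 2: ["1200.."]}       # group ID -> numbers in the group
CALL_ROUTES = [2000, 3000, 2100, 3100]               # call route IDs on Router A
# Bindings as entered per number group: group ID -> (binding mode, bound call routes).
GROUP_BINDINGS = {1: ("permit", [2100]), 2: ("permit", [2100, 3100])}


def in_group(number, patterns):
    """'.' stands for any single digit; the whole calling number must match."""
    return any(re.fullmatch(p.replace(".", "[0-9]"), number) for p in patterns)


def route_policies(group_bindings):
    """Invert the per-group bindings into route ID -> (mode, set of group IDs).

    A call route may be bound to several number groups only in one binding mode,
    so a route that ends up with both permit and deny bindings is rejected.
    """
    policies = {}
    for gid, (mode, routes) in group_bindings.items():
        for rid in routes:
            prev_mode, groups = policies.setdefault(rid, (mode, set()))
            if prev_mode != mode:
                raise ValueError(f"route {rid} is bound in both permit and deny mode")
            groups.add(gid)
    return policies


def is_allowed(caller, route_id, groups=NUMBER_GROUPS, bindings=GROUP_BINDINGS):
    """Decide whether `caller` may use `route_id` under the assumed semantics."""
    policy = route_policies(bindings).get(route_id)
    if policy is None:
        return True  # assumption: a route without any binding is not restricted
    mode, bound = policy
    member = any(in_group(caller, groups[g]) for g in bound)
    return member if mode == "permit" else not member


def reachable_routes(caller, routes=CALL_ROUTES):
    return [r for r in routes if is_allowed(caller, r)]


def unbound_routes(routes=CALL_ROUTES, bindings=GROUP_BINDINGS):
    """Routes that call authority control does not cover at all."""
    policies = route_policies(bindings)
    return [r for r in routes if r not in policies]


if __name__ == "__main__":
    for caller in ("110000", "120099", "130000"):
        print(caller, reachable_routes(caller))
    print("no binding:", unbound_routes())
```

In this example only the trunk routes 2100 and 3100 carry bindings, so the check reports the SIP routes 2000 and 3000 as unbound; whether calls over those routes are restricted elsewhere, for example at the SIP server, has to be verified separately.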

Configuring number substitution


Network requirements
As shown in Figure 572, a PBX forms a local telephony network at each of place A and place B. The
following requirements should be met:

These two local telephony networks communicate through two voice gateways. Subscribers in one
PBX network can make ordinary calls to remote subscribers in the other PBX network over a VoIP
network.

Configure two FXO trunk lines between each router and its PBX and enable hunt group to realize
trunk line backup.

There are a financial department, market department, and sales department at both place A (area
code 021) and place B (area code 010). A department at place A only needs to know the telephone
numbers of the local departments and the area code of place B when calling a department at place
B. For example, the financial department at place B can dial 3366 to call the local market
department. The financial department at place B can dial 0103366 to call the market department
at place A, and the caller ID displayed on the terminal at place A is 0211234, namely, area code
of place B + telephone number of the financial department at place B.


Figure 572 Network diagram for a voice dial plan

Configuration considerations
The PBX (calling side) at place B changes the called number to an intermediate number.
The PBX (called side) at place A changes the received intermediate number to a local number before
initiating the call.

Configuration procedure
NOTE:
The following configuration supports dial plan-based calls from place B to place A only.
1. Configure Router B

# Set the IP address of the Ethernet interface to 2.2.2.2.


# Add a call route for place A: specify the call route ID as 10, the destination number as 010., the call
route type as SIP, the SIP routing as IP routing, and the destination address as 1.1.1.1 on the call route
configuration page.
# Add a call route: specify the call route ID as 100, the destination number as ...., and the trunk route line
as 1/0 on the call route configuration page. In addition, you need to select the Send All Digits of a
Called Number radio button in the Called Number Sending Mode area when you configure the
advanced settings of this call route; you also need to select the Enable radio button in the Hunt Group
area when you configure the call services of this call route.
# Add a call route: specify the call route ID as 101, the destination number as ...., and the trunk route
line as 1/1 on the call route configuration page. In addition, you need to select the Send All Digits of a
Called Number radio button in the Called Number Sending Mode area when you configure the
advanced settings of this call route; you also need to select the Enable radio button in the Hunt Group
area when you configure the call services of this call route.
# Add a number substitution rule list for called numbers of outgoing calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to enter
the number substitution configuration page.


Figure 573 Number substitution configuration page (I)

Type 21101 for Number Substitution Rule List ID.

Add three number substitution rules as shown in Figure 573.

Click Apply.

# Add another number substitution rule list for calling numbers of outgoing calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to enter
the number substitution configuration page.


Figure 574 Number substitution configuration page (II)

Type 21102 for Number Substitution Rule List ID.

Add three number substitution rules as shown in Figure 574.

Click Apply.

# Enter the call route binding page of number substitution list 21101.
Figure 575 Call routing binding page of number substitution list 21101

Select Apply Call Routing Binding Rule to Called Numbers for Binding Mode.

Select call route 10.

Click Apply.

# Enter the call route binding page of number substitution list 21102.


Figure 576 Call routing binding page of number substitution list 21102

Select Apply Call Routing Binding Rule to Calling Numbers for Binding Mode.

Select call route 10.

Click Apply.

2. Configure Router A

# Set the IP address of the Ethernet interface to 1.1.1.1.


# Add a call route: specify the call route ID as 1010, the destination number as ., and the trunk route
line as FXO line 1/0 on the call route configuration page. In addition, you need to select the Send All
Digits of a Called Number radio button in the Called Number Sending Mode area when you configure
the advanced settings of this call route; you also need to select the Enable radio button in the Hunt Group
area when you configure the call services of this call route.
# Add a call route: specify the call route ID as 2010, the destination number as ...., and the trunk route
line as FXO line 1/1 on the call route configuration page. In addition, you need to select the Send All
Digits of a Called Number radio button in the Called Number Sending Mode area when you configure
the advanced settings of this call route; you also need to select the Enable radio button in the Hunt Group
area when you configure the call services of this call route.
# Add number substitution rule list 101 for called numbers of incoming calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, and click Add to
enter the number substitution configuration page.


Figure 577 Number substitution configuration page (III)

Type 101 for Number Substitution Rule List ID.

Add three number substitution rules as shown in Figure 577.

Click Apply.

# Add another number substitution rule list for calling numbers of incoming calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to enter
the number substitution configuration page.


Figure 578 Number substitution configuration page (IV)

Type 102 for Number Substitution Rule List ID.

Add three number substitution rules as shown in Figure 578.

Click Apply.

# Enter the global binding page of number substitution list 101.


Figure 579 Global binding page of number substitution list 101

Select Incoming Calling for Incoming Binding Type.

Click Apply.

# Enter the global binding page of number substitution list 102.


Figure 580 Global binding page of number substitution list 102

Select Incoming Called for Incoming Binding Type.

Click Apply.


Call connection
Introduction to SIP
The Session Initiation Protocol (SIP) is an application layer control protocol that can establish, modify,
and terminate sessions such as IP phone calls, multimedia sessions, and multimedia conferences. It is
the core component in the multimedia data and control architecture of the IETF (RFC 3261).
SIP is responsible for signaling control in IP networks and communication with soft switch platforms,
intending to build a next generation value-added service platform to deliver better value-added services
to telecom carriers, banks, and financial organizations.
SIP is used for initiating sessions. It sets up and terminates a multimedia session involving a group of
participants and dynamically adjusts and modifies session characteristics such as required session
bandwidth, media type (voice, video, or data), media encoding/decoding format, and
multicast/unicast. SIP is based on text encoding and constructed by taking HTTP, a quite mature protocol,
as a model. Easy to extend and implement, it is suitable for implementing Internet-based multimedia
conference systems.

Terminology
Multimedia session
According to RFC 2327, a multimedia session is a set of multimedia senders and receivers and the data
streams flowing from senders to receivers. A multimedia conference is an example of a multimedia
session.
A session is identified by a set of username, session ID, network type, address type, and address.

User agent
A user agent (UA), or a SIP endpoint, is a SIP-enabled multimedia session endpoint. Usually, a
SIP-enabled router serves as a SIP UA.
There are two types of UAs: user agent client (UAC) and user agent server (UAS). To make a call, a SIP
endpoint needs to process the SIP request as a UAS and initiate the SIP request as a UAC.
A UAC is a device that initiates a session request. It can be a calling SIP endpoint or a proxy server
forwarding a request to a called endpoint for example.
A UAS is a device that generates a response to a SIP request. It can be a called SIP endpoint or a proxy
server receiving a request from a calling endpoint for example.

Proxy server
A proxy server is a device that forwards session requests to a called UA on behalf of a calling UA (a SIP
endpoint) and responds to the calling UA on behalf of the called UA.
When the proxy server receives a request from a calling UA, it first queries the location server or its
registrar for information on the location of the called UA and the call policies of the calling UA and the
called UA. If the location information of the called UA is available and the calling UA is allowed to make
the call, the proxy server then forwards the request to the called UA.

Redirect server
A redirect server sends a new connection address to a requesting client.
For example, when receiving a request from a calling UA, the redirect server searches for the location
information of the called UA and returns the location information to the UA. This location can be that of
the called UA or another proxy server, to which the UA can initiate the session request again. The
subsequent procedure is the same as that for calling a called UA directly or for calling a proxy server.

Location server
A location server is a device that provides UA information to proxy and redirect servers; it retains UA
information received by a registrar. The location server and registrar can be located on the same server
as two logical components or on different devices.

Registrar
A registrar receives registrations from UAs. The registration information (for example, the local telephone
number) is usually stored on the location server for future retrieval. The location server and the registrar
are both logical components and are usually co-located.

Functions and features of SIP


Functions
SIP supports five basic functions:

Locating called SIP endpoints, the most powerful function of SIP. For this purpose, SIP can use the
registration information of SIP endpoints on the registrar. In addition, it can enhance its user
location service by using other location services provided by the domain name server (DNS) and
lightweight directory access protocol (LDAP).

Determining user availability, making sure whether a called endpoint can participate in a session.
SIP supports multiple address description and addressing styles, SIP-URI (for example, SIP:
123456@172.18.24.11), Tel-URL (for example, Tel: +1312000), and SIPS-URI (SIPS:
123456@172.18.24.11). Thus, a SIP caller can identify whether a callee is attached to a PSTN
network by callee's address, and then initiate and set up the call to the callee through the gateway
connected to the PSTN.

Determining user capabilities, that is, the media type and media parameters of a called endpoint.
In a message exchange process, each SIP endpoint sends such information in messages so that all
other participants can learn about its capabilities.

Setting up a session, or session parameters, at both callee and caller sides. Two parties can select
the appropriate capabilities for session setup through negotiation about media type and media
parameters to be used.

Managing sessions by modifying session parameters or terminating sessions.

Features
The following are the features delivered by SIP:

Open standards. It can accommodate new functions, products, and services introduced by different
service providers.

Flexible configuration. It accommodates a wide range of dialup, wire, and wireless devices, allows
highly flexible configurations, and can work with other systems.

Scalable system. The system allows expansion as enterprises grow.


Support to remote users. With SIP, an enterprise network can extend to all its users, wherever they
are.

Consistent communication method. Management becomes easier as a result of consistency in the
dialup mode and system access method used by branches, SOHOs, and traveling personnel.

Quick launch. The system can be updated quickly to accommodate new branches and personnel,
as well as changes resulting from job rotation or relocation.

Easy to install and maintain. Even non-professionals can install and maintain SIP systems.

SIP messages
SIP messages fall into two categories, SIP request messages and SIP response messages, and are encoded
in text mode. SIP request messages include INVITE, ACK, OPTIONS, BYE, CANCEL, and REGISTER. RFC 3261
defines the following six request messages:

INVITE: Used to invite a user to join a call.

ACK: Used to acknowledge the response to a request.

OPTIONS: Used to query for the capabilities.

BYE: Used to release an established call.

CANCEL: Used to give up a call attempt.

REGISTER: Used to register with the SIP registrar.

SIP response messages, used to respond to SIP requests, indicate the status of a call or registration,
succeeded or failed. Response messages are distinguished by status codes. Each status code is a 3-digit
integer, where the first digit defines the class of a response, and the last two digits describe the response
message in more detail.
Table 233 Status codes of response messages
Code | Description | Class
100-199 | The request is received and is being processed. | Provisional
200-299 | The request is successfully received, understood, and accepted. | Success
300-399 | A further action needs to be taken in order to process the request. | Redirection
400-499 | The request contains bad syntax and thus cannot be processed. | Client error
500-599 | The request cannot be processed due to UAS or server error. | Server error
600-699 | The request cannot be processed by any UAS or server. | Global error

SIP fundamentals
Registration
In a complete SIP system, all SIP endpoints working as UAs should register with SIP registrars, providing
information such as location, session capabilities, and call policy.
Normally, a SIP UA sends its registrar a REGISTER request at startup or in response to an administrative
registration operation, carrying all the information that must be recorded. Upon receipt of the request, the
registrar sends back a response notifying receipt of the request, and a 200 OK (SUCCESS) message if
the registration is accepted. See the following figure.


Figure 581 Message exchange for a UA to register with a Registrar

Call setup
SIP operates in the Client/Server mode and sets up calls through communication between UA and proxy
server.
Figure 582 Network diagram for call setup involving a proxy server

In the above figure, Telephone A wants to call Telephone B; and Router A and Router B work as SIP
endpoints (UAs).
The following is the procedure for connecting a call from Telephone A to Telephone B:
1. Telephone A sends the number of Telephone B.
2. Upon receipt of the call, Router A sends a session request (INVITE) to the proxy server.
3. The proxy server consults its database for information corresponding to the number of Telephone
   B. If such information is available, it forwards the request to Router B.
4. Router B, after receiving the request, responds to the proxy server and makes Telephone B ring if
   Telephone B is available.
5. The proxy server forwards the response to Router A. The response discussed here includes two
   provisional response messages (100 Trying and 180 Ringing) and one success response (200
   OK).

Figure 583 illustrates the complete call setup procedure.


Figure 583 Call setup procedures involving a proxy server


This is a simplified scenario where only one proxy server is involved and no registrar is present. A
complex scenario, however, may involve multiple proxy servers and registrars.

Call redirection
When a SIP redirect server receives a session request, it sends back a response indicating the address of
the called SIP endpoint instead of forwarding the request. The calling and called endpoints thus can send
request and response to each other directly. See Figure 584.
Figure 584 Call redirection procedure for UAs


This is a common application. Fundamentally, a redirect server can respond with the address of a proxy
server as well. The subsequent call procedures are the same as the call procedures involving proxy
servers.

Support for transport layer protocols


As an application layer protocol, SIP supports three transport layer protocols, including:

UDP: UDP is a connectionless protocol and does not provide reliability; therefore, SIP connections
established over UDP are unreliable.

TCP: Ensures transmission reliability for SIP messages. TCP provides connection-oriented and
reliable transmission for SIP-based VoIP communications. Using TCP, SIP need not consider packet
loss and retransmission issues.

Transport layer security (TLS): Ensures transmission security for SIP messages. For more information,
see Signaling encryption.

The above three transport layer protocols have their own benefits, and you can select a protocol based
on your network environment. At present, the system does not support transport layer protocol switchover
during communication.

SIP security
Signaling encryption
TLS runs over TCP and provides a complete set of authentication and encryption solutions for application
layer protocols. When establishing a TLS connection, both sides need to authenticate each other by
using their own digital certificates, and can communicate with each other only after passing
authentication. SIP messages are encrypted during SIP over TLS transmission, which prevents your data from
being sniffed and increases the security of voice communications.

Media flow encryption


Real-time Transport Protocol (RTP) and Real-time Transport Control Protocol (RTCP) are currently
supported media flow protocols. RTP provides end-to-end real-time transmission for real-time data such
as audio and video data. RTCP monitors data transmission in real time and performs congestion and
traffic control in time. RTP and RTCP can work together to optimize the transmission efficiency by
providing efficient replies and minimizing overheads.
Media flows are transmitted in plain text. To ensure transmission security, the Secure Real-Time Transport
Protocol (SRTP) was introduced.
SRTP provides for encryption of the RTP/RTCP packet payload, for authentication of the entire RTP/RTCP
packet, and for packet replay protection.
The first step of SRTP encryption is to negotiate encryption information, which can only be carried in the
crypto header field of the Session Description Protocol (SDP) at present. The initiator sends its encryption
information to the receiver for negotiation. If the negotiation is successful, the receiver returns
corresponding encryption information. After a session is established, each end uses its own key to
encrypt sent RTP/RTCP packets and uses the key of the peer to decrypt received RTP/RTCP packets.
SDP negotiation includes the following cryptographic attributes:
Cryptographic attributes

| Attribute | Description | Remarks |
| --- | --- | --- |
| Tag | The tag attribute is an identifier for a particular cryptographic attribute to determine which of the several offered cryptographic attributes was chosen by the receiver. | Required |
| Crypto-Suite | The crypto-suite attribute defines the encryption and authentication algorithm. At present, the device supports suites AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. | Required |
| Key Parameters | The key parameters attribute defines key information, including the key generation algorithm and the key value. | Required |
| Session Parameters | The session parameters attribute defines session parameters, such as key generation rate, UNENCRYPTED_SRTP, UNENCRYPTED_SRTCP, UNAUTHENTICATED_SRTP, and FEC. | Optional. Not supported at present. |

When SRTP is used to encrypt RTP/RTCP packets, the encryption engine, if enabled, encrypts and
authenticates RTP/RTCP packets. If the encryption engine is disabled, the CPU encrypts and
authenticates RTP/RTCP packets. For more information about the encryption engine, see the H3C MSR
Series Routers Security Configuration Guide.
NOTE:
At present, SRTP is available only for SIP calls. SIP trunk devices do not support SRTP. For information
about SIP trunk, see the chapter SIP trunk management.


TLS-SRTP combinations
TLS protects control signaling, and SRTP encrypts and authenticates voice media flows. You can use them
separately or together. The following table shows four combinations of TLS and SRTP.
TLS-SRTP combinations

| TLS | SRTP | Description |
| --- | --- | --- |
| On | On | Signaling packets are secured. Personal information is protected. Media packets are secured. Call conversations are protected. Recommended. |
| Off | On | Signaling packets are not secured. Personal information is not protected. Media packets are secured. Call conversations are protected. |
| On | Off | Signaling packets are secured. Personal information is protected. Media packets are not secured. Call conversations are not protected. |
| Off | Off | Signaling packets are not secured. Personal information is not protected. Media packets are not secured. Call conversations are not protected. |
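
The SDP crypto negotiation and the TLS-SRTP combinations described above can be checked mechanically on a captured offer. The following Python sketch is an added example, not H3C code: it parses the a=crypto attributes of an SDP offer, picks the first one the device could accept according to the cryptographic attributes table, and reports the TLS-SRTP combination in use. The sample offer, the key material, the function names, and the choice to treat any session parameter as a reason to skip an attribute are assumptions of the example.

```python
import base64
import binascii
import re

# Suites the guide lists as supported by the device.
DEVICE_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")
KEY_SALT_LEN = 30  # AES_CM_128 suites: 16-byte master key + 14-byte master salt
WEAKENING = {"UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP"}
CRYPTO_RE = re.compile(r"^a=crypto:(\d{1,9}) +([A-Za-z0-9_]+) +(\S+)(?: +(.+))?$")


def parse_crypto(line):
    """Split one a=crypto line into tag, crypto-suite, key and session parameters."""
    m = CRYPTO_RE.match(line.strip())
    if m is None:
        raise ValueError("not a crypto attribute: %r" % line)
    tag, suite, key_params, session = m.groups()
    keys = []
    for kp in key_params.split(";"):
        method, _, info = kp.partition(":")
        keys.append((method, info.split("|")[0]))  # drop lifetime and MKI fields
    return {"tag": int(tag), "suite": suite, "keys": keys,
            "session": session.split() if session else []}


def check_crypto(c):
    """Return the reasons why the device could not accept this crypto attribute."""
    problems = []
    if c["suite"] not in DEVICE_SUITES:
        problems.append("suite %s is not supported by the device" % c["suite"])
        return problems
    for method, b64 in c["keys"]:
        if method != "inline":
            problems.append("key method %r is not 'inline'" % method)
            continue
        try:
            raw = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append("key is not valid base64")
            continue
        if len(raw) != KEY_SALT_LEN:
            problems.append("key||salt is %d bytes, expected %d" % (len(raw), KEY_SALT_LEN))
    for p in c["session"]:
        name = p.split("=")[0]
        if name in WEAKENING:
            problems.append("%s switches protection off" % name)
        else:
            # Assumption: the guide says session parameters are not supported.
            problems.append("session parameter %s is not supported" % name)
    return problems


def audit_offer(sdp, signaling_transport):
    """Return (combination, chosen_tag, findings) for one SDP offer."""
    lines = [l.strip() for l in sdp.splitlines() if l.strip()]
    srtp = any(l.startswith("m=") and "RTP/SAVP" in l for l in lines)
    tls = signaling_transport.upper() == "TLS"
    findings, chosen, seen = [], None, set()
    for l in lines:
        if not l.startswith("a=crypto:"):
            continue
        try:
            c = parse_crypto(l)
        except ValueError:
            findings.append("malformed crypto attribute: " + l)
            continue
        problems = check_crypto(c)
        if c["tag"] in seen:
            problems.append("duplicate tag")
        seen.add(c["tag"])
        findings += ["tag %d: %s" % (c["tag"], p) for p in problems]
        if not problems and chosen is None:
            chosen = c["tag"]  # the answer echoes this tag back to the offerer
    if srtp and not tls:
        # The inline key travels inside the SDP body, so anyone who can read
        # the signaling can decrypt the media.
        findings.append("SRTP master key is readable in non-TLS signaling")
    combo = "TLS %s, SRTP %s" % ("On" if tls else "Off", "On" if srtp else "Off")
    return combo, chosen, findings


# Constructed sample: 30 bytes of key||salt and an offer with three candidates.
KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = "\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:" + KEY,
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:" + KEY + " UNENCRYPTED_SRTP",
    "a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:" + KEY + "|2^20",
])

if __name__ == "__main__":
    combo, tag, findings = audit_offer(SAMPLE_OFFER, "UDP")
    print(combo, "| chosen tag:", tag)
    for f in findings:
        print(" -", f)
```

Run against the same offer with TLS as the signaling transport, the key-exposure finding disappears while the two per-attribute findings remain.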

Support for SIP extensions

Strict SIP routing is supported. In a complicated network environment where a request from SIP UAC
to SIP UAS needs to pass through multiple proxy servers, SIP uses the Route header field and the
Record-Route header field to ensure that requests in the dialog can be routed through these proxy
servers.

The UPDATE method for SIP defined in RFC 3311 is supported. It is mainly used to update
parameters of a session, such as switching codecs, switching the voice to the media server, and
mute operation before the session is established, but has no impact on normal call procedures.


SIP connection configuration


Configuring connection properties
Configuring registrar
Select Voice Management > Call Connection > SIP Connection from the navigation tree to enter the
connection properties configuration page as shown in Figure 585.
Figure 585 Registrar configuration page

Table 234 Configuration items

| Item | Description |
| --- | --- |
| Registrar State | Enable: Select the radio button to enable the SIP registrar. Disable: Select the radio button to disable the SIP registrar. |
| Main Registrar Transport Layer Protocol | UDP: Applies the UDP transport layer protocol when the device registers to the main registrar. TCP: Applies the TCP transport layer protocol when the device registers to the main registrar. TLS: Applies the TLS transport layer protocol when the device registers to the main registrar. By default, the UDP protocol is applied. |
| Main Registrar URL Scheme | SIP: Specifies the SIP scheme as the URL scheme when the device registers to the main registrar. SIPS: Specifies the SIPS scheme as the URL scheme when the device registers to the main registrar. By default, the SIP scheme is applied. |
| Main Registrar Address | IP address or domain name of the main registrar |
| Main Registrar Port Number | Port number of the main registrar |
| Aging Time for the Main Registrar | Registration aging time for the main registrar |
| Backup Registrar Transport Layer Protocol | UDP: Applies the UDP transport layer protocol when the device registers to the backup registrar. TCP: Applies the TCP transport layer protocol when the device registers to the backup registrar. TLS: Applies the TLS transport layer protocol when the device registers to the backup registrar. By default, the UDP protocol is applied. |
| Backup Registrar URL Scheme | SIP: Specifies the SIP scheme as the URL scheme when the device registers to the backup registrar. SIPS: Specifies the SIPS scheme as the URL scheme when the device registers to the backup registrar. By default, the SIP scheme is applied. |
| Backup Registrar Address | IP address or domain name of the backup registrar |
| Backup Registrar Port Number | Port number of the backup registrar |
| Aging Time for the Backup Registrar | Registration aging time for the backup registrar |
| Username | Username used for authentication. |
| Password | Password used for authentication. |
| Authentication Information Field for Handshake Authentication | Authentication information field used for handshake authentication between the registrar and the SIP UA |
| Domain Name for Handshake Authentication | Domain name used for handshake authentication between the registrar and the SIP UA |


Configuring proxy server


Select Voice Management > Call Connection > SIP Connection from the navigation tree to enter the proxy
server configuration page, as shown in Figure 586.
Figure 586 Proxy server configuration page

Table 235 Configuration items

| Item | Description |
| --- | --- |
| Use Server Group | Click the checkbox and select a server group from the drop-down list as the proxy server. You can add a server group on the page that can be accessed by selecting Voice Management > Call Connection > SIP Server Group Management from the navigation tree. |
| Transport Layer Protocol for SIP Calls | UDP: Applies the UDP transport layer protocol when the device initiates a call. TCP: Applies the TCP transport layer protocol when the device initiates a call. TLS: Applies the TLS transport layer protocol when the device initiates a call. By default, the UDP protocol is applied. |
| URL Scheme | SIP: Specifies the SIP scheme as the URL scheme. SIPS: Specifies the SIPS scheme as the URL scheme. By default, the SIP scheme is applied. |
| Proxy Server Address | IP address or a domain name of the proxy server. |
| Proxy Server Port Number | Port number of the proxy server |

Configuring session properties


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the session properties configuration page.

Configuring source address binding


Introduction to SIP support for source IP address binding
With this function, you can specify a source IP address for SIP signaling or media streams that go out of
the gateway. SIP support for source IP address binding is implemented by binding a static IP address or
the primary IP address of an interface.

Static IPv4 address binding: The source IP address specified for SIP calls is the bound IP address.

Source address interface binding: In a large network, an interface obtains its IP address from a
DHCP or PPPoE server. In this scenario, you can use this function to configure an interface as the
source of SIP signaling and media streams to avoid manual IP address configuration, thus
facilitating network management.

Currently, source IP address binding is supported on the Layer 3 Ethernet interface, GigabitEthernet
interface, or dialer interface.
NOTE:
For information about DHCP, see the H3C MSR Series Routers Layer 3 - IP Services Configuration Guide.

Configuring source address binding


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the session properties configuration page, as shown in Figure 587.
Figure 587 Source address binding configuration page

Table 236 Configuration items

| Item | Description |
| --- | --- |
| Media Stream Binding Mode | Configure media stream binding mode or disable media stream binding. None: Disables media stream binding. IPv4 Address Binding: Binds the media stream to a static IPv4 address. Interface Binding: Binds the media stream to an interface. |
| IPv4 Address Bound with the Media Stream | If IPv4 Address Binding is selected as the media stream binding mode, you need to type the IPv4 address to be bound in this text box. |
| Interface Bound with the Media Stream | If Interface Binding is selected as the media stream binding mode, you need to specify the interface to be bound from the drop-down list. At present, only the Layer 3 Ethernet interface, GE interface, and dialer interface are supported. |
| Signaling Stream Binding Mode | Configure the signaling stream binding mode or disable signaling stream binding. None: Disables signaling stream binding. IPv4 Address Binding: Binds the signaling stream to an IPv4 address. Interface Binding: Binds the signaling stream to an interface. |
| IPv4 Address Bound with the Signaling Stream | If IPv4 Address Binding is selected as the signaling stream binding mode, you need to type the IPv4 address to be bound in this text box. |
| Interface Bound with the Signaling Stream | If Interface Binding is selected as the signaling stream binding mode, you need to specify the interface to be bound from the drop-down list. At present, only Layer 3 Ethernet interfaces, GE interfaces, and dialer interfaces are supported. |

Table 237 Application of the source address binding settings in different states

| Settings made when | Result |
| --- | --- |
| The call is active | For SIP media streams, the source IP address binding settings will not take effect until the next SIP call. For SIP signaling streams, the source IP address binding settings take effect immediately. |
| The bound interface or the interface whose IP address is bound has been shut down | The source IP address binding settings will not take effect, and the original sending mode of the signaling streams or media streams is restored; after the interface is up, the source IP address binding settings take effect immediately. |
| The bound static IP address has been removed or modified, or the bound interface has been removed | The source IP address binding settings are removed. |
| The bound hot-swappable interface has been disconnected | The source IP address binding settings are cancelled, and restored next time the interface is connected. |
| The physical layer or link layer of the corresponding interface is down | The source IP address binding settings never take effect and the gateway automatically gets an IP address to send packets. |
| The DHCP lease duration expires and the interface dynamically obtains a new IP address from the DHCP server | The new IP address will be used as the source IP address. |
| The SIP registrar is enabled | The subsequent registration update messages use the source IP address newly bound to signaling streams to initiate registration. |

Configuring SIP listening


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the page as shown in Figure 588.
Figure 588 Configure SIP listening


Table 238 Configuration items

| Item | Description |
| --- | --- |
| SIP Listening Transport Layer Protocol | UDP: Specifies UDP as the transport layer protocol for incoming SIP calls and enables UDP listening port 5060. TCP: Specifies TCP as the transport layer protocol for incoming SIP calls and enables TCP listening port 5060. TLS: Specifies TLS as the transport layer protocol for incoming SIP calls and enables TLS listening port 5061. If you select this option, you must select a certificate from the Certificate drop-down list. By default, both the UDP and TCP listening ports are enabled, and the TLS listening port is disabled. Configure this item in either of the following two scenarios: If the device is the call receiver, you need to enable the listening port of the transport layer protocol used by the incoming calls. If TCP or TLS is selected as the transport layer protocol when the device initiates a call, you must specify it as the SIP listening transport layer protocol in this item. Otherwise, no register request can be initiated. Note that resetting the setting for this item deletes the currently established connections. |

Configuring media security


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the page as shown in Figure 589.
Figure 589 Configure media security

Table 239 Configuration item

| Item | Description |
| --- | --- |
| Media Protocol | RTP: Specifies the Real-time Transport Protocol (RTP) as the media flow protocol for SIP calls. SRTP: Specifies the Secure Real-time Transport Protocol (SRTP) as the media flow protocol for SIP calls. By default, the RTP protocol is applied. When both the RTP and SRTP protocols are specified as the media flow protocols for SIP calls: If the device is the call initiator, both media flow protocols are carried in the INVITE message for the receiver to select. If the device is the call receiver, the SRTP protocol is first used for media flow negotiation. If the negotiation fails, the RTP protocol is used. |


Configuring caller identity and privacy


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the caller identity and privacy configuration page, as shown in Figure
590.
Figure 590 Caller identity and privacy configuration page

Table 240 Configuration items

| Item | Description |
| --- | --- |
| Caller Identity Presentation Restriction Mode | None: Neither the P-Preferred-Identity header field nor the P-Asserted-Identity header field is added. P-Asserted-Identity: Adds the P-Asserted-Identity header field. The Privacy header field indicates whether caller identity presentation is enabled or not, and the P-Asserted-Identity header field contains the caller's number. P-Preferred-Identity: Adds the P-Preferred-Identity header field. The Privacy header field indicates whether caller identity presentation is enabled or not, and the P-Asserted-Identity header field contains the caller's number. The default setting is None, that is, caller identity presentation is enabled. |
| Add the Remote-Party-ID Header Field | Enable: Adds the Remote-Party-ID header field. Disable: Removes the Remote-Party-ID header field. By default, the Remote-Party-ID header field is not added. |

Remarks:

Caller ID presentation can be disabled by adding the P-Preferred-Identity, P-Asserted-Identity, or
Remote-Party-ID header field.

When the P-Preferred-Identity or P-Asserted-Identity header field is added, the Privacy header field
will be added. When the Privacy header field is set to none, caller identity presentation is
allowed. When the Privacy header field is set to id, caller identity presentation is restricted.

Remote-Party-ID header field: privacy=off indicates caller identity presentation and privacy=full
indicates caller identity screening. The calling information can be transparently transmitted by
adding the Remote-Party-ID header field.

The Remote-Party-ID header field can be used together with the P-Preferred-Identity header field
or P-Asserted-Identity header field. If so, the Remote-Party-ID header field takes precedence
over the P-Preferred-Identity header field or the P-Asserted-Identity header field.
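
How these header fields combine is easiest to see on whole messages. The following Python sketch is an added example, not H3C code: it applies the rules stated above (Privacy set to id restricts, Remote-Party-ID privacy=full screens, Remote-Party-ID takes precedence) to a block of SIP headers and notes when the two mechanisms disagree, which is the case where a caller marked as restricted is still presented. The sample messages, the function names, and the handling of a Remote-Party-ID privacy value other than off or full are assumptions of the example.

```python
import re

URI_USER_RE = re.compile(r"sips?:([^@;>]+)@", re.I)


def parse_headers(raw):
    """Map lower-cased header names to values (first occurrence wins)."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if sep and name and " " not in name:  # skips the request line
            headers.setdefault(name, value.strip())
    return headers


def header_params(value):
    """Parameters that follow the address, e.g. ;party=calling;privacy=full."""
    tail = value.split(">", 1)[-1]
    params = {}
    for p in tail.split(";")[1:]:
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip().lower()
    return params


def user_of(value):
    """User part of the first SIP or SIPS URI in a header value."""
    m = URI_USER_RE.search(value or "")
    return m.group(1) if m else None


def caller_presentation(raw):
    """Apply the guide's rules: who decides, and is the caller ID restricted?"""
    h = parse_headers(raw)
    notes = []
    identity = h.get("p-asserted-identity") or h.get("p-preferred-identity")
    rpid = h.get("remote-party-id")
    priv = [v.strip().lower() for v in h.get("privacy", "").split(";") if v.strip()]

    # Rule 1: with P-Asserted-Identity or P-Preferred-Identity, Privacy: id restricts.
    by_privacy = ("id" in priv) if identity else None
    # Rule 2: Remote-Party-ID privacy=off presents, privacy=full screens.
    by_rpid = None
    if rpid:
        rp = header_params(rpid).get("privacy")
        if rp is None:
            notes.append("Remote-Party-ID carries no privacy parameter; ignored")
        else:
            # Assumption: values other than off/full are treated as restricted.
            by_rpid = rp != "off"

    if by_rpid is not None:  # Rule 3: Remote-Party-ID takes precedence.
        restricted, decided_by = by_rpid, "Remote-Party-ID"
        if by_privacy is not None and by_privacy != by_rpid:
            notes.append("Privacy header says %s but Remote-Party-ID overrides it"
                         % ("restricted" if by_privacy else "allowed"))
    elif by_privacy is not None:
        restricted, decided_by = by_privacy, "Privacy"
    else:
        restricted, decided_by = False, "default"  # mode None: presentation enabled
    number = user_of(rpid) if by_rpid is not None else user_of(identity)
    return {"restricted": restricted, "decided_by": decided_by,
            "number": number, "notes": notes}


# Constructed header blocks (addresses from the documentation ranges).
RESTRICTED_BY_PRIVACY = "\n".join([
    "INVITE sip:2000@192.0.2.20 SIP/2.0",
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1',
    "P-Asserted-Identity: <sip:1000@192.0.2.10>",
    "Privacy: id",
])
OVERRIDDEN_BY_RPID = RESTRICTED_BY_PRIVACY + (
    "\nRemote-Party-ID: <sip:1000@192.0.2.10>;party=calling;privacy=off")

if __name__ == "__main__":
    for sample in (RESTRICTED_BY_PRIVACY, OVERRIDDEN_BY_RPID):
        print(caller_presentation(sample))
```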

Configuring SIP session refresh


Introduction to SIP Session Refresh
In a high-volume traffic environment, if a BYE message gets lost for a session, the call proxy server will not
know that the session has ended, and thus still maintains the state information for the call, which wastes
resources of the server. To solve this problem, the RFC 4082 defines a session timer mechanism for SIP
sessions: the UA sends periodic re-INVITE or UPDATE requests (referred to as session refresh requests) to
notify the proxy server about the current state of the session. The interval for sending session refresh
requests is determined through the negotiation of both sides.
Two new header fields are added to the session refresh requests:

Session-Expires: Conveys the maximum session duration, that is, if no refresh request is received
during this time, the session is considered ended.

Min-SE: Conveys the minimum session duration, which is used to avoid frequent refresh requests
from occupying network bandwidth.

Configuring SIP session refresh


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the SIP session refresh configuration page, as shown in Figure 591.
Figure 591 SIP session refresh configuration page

Table 241 Configuration items

| Item | Description |
| --- | --- |
| SIP Session Refresh | Enable: Enables SIP session refresh. Disable: Disables SIP session refresh. You can configure Session Expiration and Min Session Refresh Interval only after the SIP session refresh function is enabled. |
| Session Expiration; Min Session Refresh Interval | Maximum and minimum session durations of SIP sessions. By default, The periodic refresh of SIP sessions is not enabled automatically. Namely, if periodic refresh of SIP sessions is disabled on the called party but enabled on the calling party, the called party will enable periodic refresh of SIP sessions after negotiation. The minimum session duration is 90 seconds, |

Configuring compatibility
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the compatibility configuration page as shown in Figure 592.


Figure 592 Compatibility configuration page

Table 242 Configuration items

The devices of some vendors do not strictly follow the SIP protocol. To interoperate with such devices, you need
to configure the SIP compatibility options.

| Item | Description |
| --- | --- |
| Use the address in the To header field as the address in the From header field | Enable: Configures the device to use the address (IP address or DNS domain name) in the To header field as the address in the From header field when sending a SIP request. Disable: Does not use the address in the To header field as the address in the From header field. That is, the From header field contains the source address and the To header field contains the destination address. By default, the SIP compatibility function is disabled. |
| Source of the Called Number | Configure the source of the called number. Request-Line Header Field: Obtains the called number from the Request-Line field. To Header Field: Obtains the called number from the To header field. By default, the called number is obtained from the request-line, which is the start line in an SIP request message. |
| SIP Fax and Modem Pass-through | Carry the x-param compatibility option: If the device receives a re-INVITE request with the a=X-modem field, it will reply with a 200 OK response carrying the a=X-modem field in the SDP field. If the device receives a re-INVITE request with the a=X-fax field, it will reply with a 200 OK response carrying the a=X-fax field. When the device initiates a fax pass-through operation, the a=X-fax field is carried in the re-INVITE request. When the device initiates a modem pass-through operation, the a=X-modem field is carried in the re-INVITE request. Compatible with T.38 fax: the device can recognize T.38-specific description fields, and fax parameters T38FaxTranscodingJBIG, T38FaxTranscodingMMR, and T38FaxFillBitRemoval, which are in the SDP fields of the re-INVITE requests and 200 OK responses, do not contain :0. By default, the compatibility options are not carried in re-INVITE requests. |
| UAC Product Name | Product name of the UAC |
| UAC Product Version | Product version of the UAC |
| UAS Product Name | Product name of the UAS |
| UAS Product Version | Product version of the UAS |

Configuring advanced settings


NOTE:
Registration timers are available to SIP trunk accounts. For information about SIP trunk, see the chapter
SIP trunk management.

Configuring registration parameters

Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Advanced Settings tab to enter the configuration page as shown in Figure 593.
Figure 593 Configure advanced settings

Table 243 Configuration items

| Item | Description |
| --- | --- |
| Re-registration Interval | Set the interval for the local number or SIP trunk account to re-register with the registrar after a registration failure. |
| Registration Expiration Time | Set the registration expiration time. A local number or an SIP trunk account expires after it has registered with the registrar for a specified period of time, which is the registration expiration interval. |
| Registration Percentage; Lead Time Before Registration | To ensure the validity of registration information of a local number or an SIP trunk account on the registrar, the local number or SIP trunk account must re-register with the registrar at a specified time before the registration expiration interval is reached. You can set the registration percentage or lead time before registration to set the time when the local number or SIP trunk account re-registers with the registrar. When the time, which is registration expiration interval multiplied by expiration percentage, is reached, the local number or SIP trunk account re-registers with the registrar. When the time, which is registration expiration interval minus lead time before expiration, is reached, the local number or SIP trunk account re-registers with the registrar. You can configure both timers. In this case, the actual re-registration time is decided by the timer that expires first. In other words, the local number or SIP trunk account tries to re-register with the registrar when any one of the two timers expires. |
| Redundancy Mode | Parking: The SIP trunk device sends the OPTIONS or REGISTER message to the current server. When the current server is not available, the SIP trunk device selects the member server with the second highest priority in the SIP server group as the current server even if the original current server recovers. Before the parking mode is applied, you need to set OPTIONS or REGISTER as the keep-alive mode on the page that can be accessed by selecting Voice Management > Call Connection > SIP Server Group Management from the navigation tree. Homing: The SIP trunk device sends the OPTIONS messages to both the current server and the member server with the second highest priority in the SIP server group. When the current server is not available, the SIP trunk device selects the member server with the second highest priority as the current server. Once the original current server recovers or a server with a higher priority than the current server is available in the SIP server group, the SIP trunk device selects the original current server or the server with the highest priority as the current server. Before the homing mode is applied, you need to set OPTIONS as the keep-alive mode on the page that can be accessed by selecting Voice Management > Call Connection > SIP Server Group Management from the navigation tree. By default, parking mode is applied. |
| Carry VCX Authentication Information | Enable: Configures the Contact header fields of the REGISTER messages to contain the dt parameter. This option is used when the device communicates with a VCX device. Disable: Configures the Contact header fields of the REGISTER messages not to contain the dt parameter. By default, the Contact header fields of the REGISTER messages do not contain the dt parameter. |
| Fuzzy Telephone Number Registration | Fuzzy telephone number registration refers to the use of a wildcard (including the dot . and the character T), rather than a standard E.164 number in the match template of a POTS entity. After enabling fuzzy telephone number registration, the voice gateway (router) retains dots and substitutes asterisks (*) for Ts when sending REGISTER messages. Enable: Enables fuzzy telephone number registration. Disable: Disables fuzzy telephone number registration. By default, the function is disabled. IMPORTANT: To use the fuzzy telephone number registration function, make sure that the registrar and the location server also support the function. |

Configuring voice mailbox server


Introduction to MWI
The message waiting indication (MWI) feature allows a voice gateway to notify a subscriber of
messages received from a voice mailbox server. For example, when a call destined to subscriber A is
forwarded to the voice mailbox server, the server will notify the voice gateway of the state change. If
there is any new message or voice mail, when subscriber A picks up the phone, subscriber A will hear
the message waiting tone without needing to query the mailbox.
Follow these steps to configure MWI:
Step 1: Configure the voice mailbox server.
Step 2: Enable MWI for local numbers.

Configuring voice mailbox server


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Advanced Settings tab to enter the voice mailbox server configuration page as shown in Figure 594.
Figure 594 Voice mailbox server configuration page


Table 244 Configuration items

| Item | Description |
| --- | --- |
| Transport Layer Protocol | UDP: Specifies UDP as the transport layer protocol to be used during the subscription. TCP: Specifies TCP as the transport layer protocol to be used during the subscription. TLS: Specifies TLS as the transport layer protocol to be used during the subscription. By default, UDP is adopted. |
| URL Scheme | SIP: Specifies SIP as the URL scheme to be used during subscription. SIPS: Specifies SIPS as the URL scheme to be used during subscription. By default, SIP is adopted. |
| Server Address | The voice mailbox server address, which can be either an IP address or a domain name. |
| Port Number | Port number of the voice mailbox server |
| Subscription Valid Time | Effective time of the subscription |
| Re-subscription Time | Subscription retry interval |
| Voice Mailbox Number | Set the voice mailbox number. |
| Binding Mode | Binding Mode: Indicates that the MWI function is bound with the voice mailbox and the voice mailbox server has set up subscription information for the user agent (UA). Therefore, the UA can receive NOTIFY messages without sending SUBSCRIBEs to the voice mailbox server. Non-binding Mode: Indicates that the voice mailbox server does not set up subscription information for the UA automatically, so the UA has to send a SUBSCRIBE to the server and after that it can get NOTIFY messages from the server. Non-binding mode falls into two categories: Loose Match: Indicates that strict consistency check is not needed, so the call ID that the NOTIFY is sent to can be different from the call ID that proposed the subscription. Strict Match: Indicates that strict consistency check is needed, so the call ID that the NOTIFY is sent to must be the same as the call ID that proposed the subscription. |

NOTE:
Generally, the voice gateway sends a SUBSCRIBE to the server, and receives a NOTIFY from the server if
the subscription is successful, and gets the status of the voice mailbox afterwards.
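
The three acceptance rules in Table 244 (binding, loose match, strict match), written out as an added Python sketch that is not H3C code. It shows how each mode ties an incoming NOTIFY to a SUBSCRIBE the gateway actually sent; the NOTIFY is a constructed sample in the RFC 3842 message-summary format, and reading loose match as "at least one active subscription" is an assumption.

```python
import re

MODES = ("binding", "loose", "strict")


def header(text, name):
    """Return the value of the first 'name: value' line in text, or None."""
    m = re.search(r"^%s[ \t]*:[ \t]*(.*?)[ \t]*\r?$" % re.escape(name),
                  text, re.I | re.M)
    return m.group(1) if m else None


def accept_notify(mode, notify, subscribe_call_ids):
    """Decide whether an MWI NOTIFY is accepted under the given mode.

    subscribe_call_ids holds the Call-IDs of SUBSCRIBEs this gateway sent.
    Returns (accepted, messages_waiting); messages_waiting is None when the
    NOTIFY is rejected.
    """
    if mode not in MODES:
        raise ValueError("unknown mode: %r" % mode)
    head, _, body = notify.partition("\r\n\r\n")
    event = (header(head, "Event") or "").split(";")[0].strip().lower()
    if not head.startswith("NOTIFY ") or event != "message-summary":
        return (False, None)          # not an MWI notification at all
    call_id = header(head, "Call-ID")
    if mode == "binding":
        # The server holds the subscription; no SUBSCRIBE is needed.
        accepted = True
    elif mode == "loose":
        # Assumption: a subscription must exist, but the Call-ID may differ.
        accepted = len(subscribe_call_ids) > 0
    else:
        # Strict: the NOTIFY must carry the Call-ID of our own SUBSCRIBE.
        accepted = call_id in subscribe_call_ids
    if not accepted:
        return (False, None)
    waiting = (header(body, "Messages-Waiting") or "").lower() == "yes"
    return (True, waiting)


def build_notify(call_id):
    """Constructed sample NOTIFY; all names and addresses are examples."""
    return "\r\n".join([
        "NOTIFY sip:1111@192.168.2.1 SIP/2.0",
        "Via: SIP/2.0/UDP vms.example.com;branch=z9hG4bKconstructed",
        "From: <sip:vms@vms.example.com>;tag=a1",
        "To: <sip:1111@192.168.2.1>;tag=b2",
        "Call-ID: " + call_id,
        "CSeq: 1 NOTIFY",
        "Event: message-summary",
        "Subscription-State: active",
        "Content-Type: application/simple-message-summary",
        "",
        "Messages-Waiting: yes",
        "Voice-Message: 2/8 (0/2)",
        "",
    ])


if __name__ == "__main__":
    ours = {"sub-1@192.168.2.1"}
    for mode in MODES:
        for cid in ("sub-1@192.168.2.1", "other@203.0.113.9"):
            print(mode, cid, accept_notify(mode, build_notify(cid), ours))
```

Only strict match rejects a NOTIFY whose Call-ID the gateway never used, so under binding or loose match the transport and server address settings in the same table carry the job of identifying the sender.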

Configuring signaling security


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Advanced Settings tab to enter the configuration page as shown in Figure 595.


Figure 595 Configure signaling security

Table 245 Configuration items

| Item | Description |
|---|---|
| TCP Connection Aging Time | Sets the aging time for TCP connections. If the idle time of an established TCP connection reaches the specified aging time, the connection will be closed. |
| TLS Connection Aging Time | Sets the aging time for TLS connections. If the idle time of an established TLS connection reaches the specified aging time, the connection will be closed. |

Configuring call release cause code mapping


No matter whether a voice call is cleared normally or abnormally, a message with the call release cause
code will be sent. The default SIP status code to PSTN release cause code mappings and PSTN release
cause code to SIP status mappings are used for communication between a SIP network and a PSTN. To
adapt to more complex network applications, you can change the default mappings.

Configuring PSTN call release cause code mappings


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
PSTN Release Cause Code Mapping tab to enter the configuration page shown in Figure 596.


Figure 596 PSTN release cause code mapping configuration page

You can input the SIP status code into the corresponding SIP Status Code (400-699) text box. Because the
PSTN release cause code 16 corresponds to a SIP request message, instead of a SIP status code, you can
configure no SIP status code for 16. You can click Load Default Value to restore the default mappings
between PSTN release cause codes and SIP status codes.

Configuring SIP status code mappings


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the SIP
Status Code Mapping tab to enter the page as shown in Figure 597.


Figure 597 SIP status code mapping configuration page

You can select the values in the PSTN Release Cause Code text boxes. You can also click Load Default
Value to restore the default mappings between PSTN release cause codes and SIP status codes.

SIP connection configuration examples


Configuring basic SIP calling features

For how to implement direct SIP calling through static IP addressing, see the chapter Basic
settings.

For how to configure domain name involved SIP calling, see the chapter Basic settings.

For how to configure proxy server involved SIP calling, see the chapter Basic settings.

Configuring caller ID blocking


Network requirements
Router A and Router B work as SIP UAs. Use Telephone 1111 to call telephone 2222. It is required to block
calling number 1111.
Figure 598 Network diagram for caller ID blocking


Configuration procedure
1. Configure basic voice calls

# Configure a local number and the call route to Router B.

Configure a local number: specify the local number ID as 1111 and the number as 1111, and bind the
number to line 1/0 on the local number configuration page.

Configure the call route to Router B: specify the call route ID as 2222, the destination number as
2222, the call route type as SIP, the SIP routing as IP routing, and the destination address as
192.168.2.2 on the call route configuration page.

2. Configure caller identity and privacy.

# Disable the sending of calling information on Router A.

Select Voice Management > Local Number from the navigation tree, and then click the corresponding
icon to enter the call services configuration page as shown in Figure 599.
Figure 599 Configure call services of the calling party

Select Do Not Deliver for Calling Information Delivery.

Click Apply.

# Configure the P-Asserted-Identity header field.


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click
the Session Properties tab to enter the session properties configuration page as shown in Figure 600.


Figure 600 Configure caller identity presentation restriction mode

Select P-Asserted-Identity for Caller Identity Presentation Restriction Mode.

Click Apply.

Configuration verification
After the above configuration, when you use telephone 1111 to call telephone 2222, the calling number
1111 will not be displayed on telephone 2222.

Configuring SRTP for SIP calls


Network requirements
Two routers Router A and Router B work as SIP UAs. It is required that SIP calls use the SRTP protocol to
protect call conversations.
Figure 601 Network diagram for configuring SRTP for SIP calls
[Diagram: Router A (Eth2/1, 192.168.2.1/24) and Router B (Eth2/1, 192.168.2.2/24) connected across the Internet, with telephones 1111 and 2222 attached]

Configuration procedure
1. Configure basic voice calls

For detailed configuration, see Configure basic voice calls.

2. Specify SRTP as the media flow protocol for SIP calls.

# Specify SRTP as the media flow protocol for SIP calls on Router A and Router B.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the media security configuration page as shown in Figure 602.
Figure 602 Configure media security

Select SRTP for Media Protocol.

Click Apply.

Configuration verification
SIP calls use the SRTP protocol to encrypt and authenticate media flows, and call conversations are well
protected.

Configuring TCP to carry outgoing SIP calls


Network requirements
Two routers Router A and Router B work as SIP UAs. It is required that SIP calls between the two parties
be carried over TCP.
Figure 603 Network diagram for configuring TCP for outgoing SIP calls
[Diagram: Router A (Eth2/1, 192.168.2.1/24) and Router B (Eth2/1, 192.168.2.2/24) connected across the Internet, with telephones 1111 and 2222 attached]

Configuration procedure
1. Configure basic voice calls

For detailed configuration, see Configure basic voice calls.

2. Specify the transport layer protocol

# Specify TCP as the transport layer protocol for outgoing calls on Router A.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the transport layer protocol configuration page as shown in Figure 604.
Figure 604 Specify transport layer protocol for outgoing calls

Select TCP for Transport Layer Protocol for SIP Calls.

Click Apply.

# Specify TCP as the transport layer protocol for incoming SIP calls. (Optional, because the TCP listening
port is enabled by default.)
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the transport layer protocol configuration page as shown in Figure 605.
Figure 605 Specify listening transport layer protocol


Select TCP for SIP Listening Transport Layer Protocol.

Click Apply.

Configuration verification
SIP calls from telephone 1111 to telephone 2222 are carried over TCP. You can view information about
TCP connections on the TCP Connection Information tab page by selecting Voice Management > States
and Statistics > SIP UA States from the navigation tree and clicking the TCP Connection Information tab.

Configuring TLS to carry outgoing SIP calls


Network requirements
Two routers Router A and Router B work as SIP UAs. It is required that the SIP calls between the two
parties be carried over TLS.
Figure 606 Network diagram for configuring TCP for outgoing SIP calls

Configuration procedure
NOTE:
The certification authority (CA) server runs RSA Keon in this configuration example.
CAUTION:
To ensure that the certificate on the device can be used, be sure that the device system time falls within the
validity time of the certificate.
1. Retrieve the CA certificate from the certificate issuing server.

For more information about how to retrieve the CA certificate from the certificate issuing server, see the
chapter Certificate management.

2. Configure basic voice calls

For detailed configuration, see Configure basic voice calls.

3. Specify the transport layer protocol on Router A

# Specify TLS as the transport layer protocol for outgoing calls on Router A.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the transport layer protocol configuration page as shown in Figure 607.


Figure 607 Specify transport layer protocol for outgoing calls

Select TLS for Transport Layer Protocol for SIP Calls.

Click Apply.

# Specify TLS as the transport layer protocol for incoming SIP calls.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to enter the transport layer protocol configuration page as shown in Figure 608.
Figure 608 Specify listening transport layer protocol

Select TLS for SIP Listening Transport Layer Protocol.

Click Apply.

4. Specify the transport layer protocol on Router B

The configuration procedure is the same as that on Router A.

Configuration verification
SIP calls from telephone 1111 to telephone 2222 are carried over TLS. You can view information about TLS
connections on the TLS Connection Information tab page by selecting Voice Management > States and
Statistics > SIP UA States from the navigation tree and clicking the TLS Connection Information tab.


SIP server group management


A SIP server group is used to manage the registrar and call servers. A SIP server group can be configured
with up to five member servers. An index represents the priority of a member server in the SIP server
group. The smaller the index value, the higher the priority. The currently used SIP server is called the
current server. Each server in the SIP server group can be the current server, but there is only one current
server at a time.

Configuring a SIP server group


Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree
to enter the server group configuration page as shown in Figure 609.
Figure 609 Configure a SIP server group

Table 246 Configuration items

| Item | Description |
|---|---|
| Server Group ID | ID of the SIP server group. |
| Server Group Name | The name of a SIP server group identifies the SIP server group. The domain name of the carrier server is usually used as the name of a SIP server group. If the name of a SIP server group is not configured, the host name specified on the account management page (which can be accessed by selecting Voice Management > SIP Trunk Management > Account Management from the navigation tree) is used to identify the group, if any; otherwise, the IP address or domain name of the current server in the SIP server group is used to identify the group. |
| Description | Description of the SIP server group |
| Real-Time Switching | Enable or disable the real-time switching function. With the real-time switching function enabled, if the SIP trunk device receives no response message or receives response message 408 or 5XX (excluding 502, 504, 505, and 513) after sending registration requests to the SIP server, the SIP trunk device tries to connect to the member server with the second highest priority value in the SIP server group, and so on, until it successfully connects to a SIP server or has tried all the servers in the group. With the real-time switching function enabled, if the SIP trunk device receives no response message or receives response message 403, 408 or 5XX (excluding 502, 504, 505, and 513) after initiating a call, the SIP trunk device tries to connect to the member server with the second highest priority value in the SIP server group, and so on, until it successfully connects to a SIP server or has tried all the servers in the group. |
| Keep-Alive Mode | The keep-alive function is used to detect whether the SIP servers in a SIP server group are reachable. The SIP trunk device selects the current server according to the detect result and the redundancy mode. If the keep-alive function is disabled, the current server is always the one with the highest priority in the SIP server group. Disabled: Disable the keep-alive function. Options: The SIP trunk device periodically sends OPTIONS messages to detect the servers. If the SIP trunk device receives response message 408 or 5XX (excluding 502, 504, 505, and 513) from a SIP server after sending an OPTIONS message, it considers the SIP server unreachable. Register: The REGISTER message can be used to detect the SIP servers. If the SIP trunk device receives response message 408 or 5XX (excluding 502, 504, 505, and 513) from a SIP server after sending a REGISTER message, it considers the SIP server unreachable. |
| Interval for Sending OPTIONS Messages | Set the interval for sending OPTIONS messages to the SIP servers when the keep-alive mode is set to Options. |
| Server ID | Set server ID. A SIP server group can be configured with up to five member servers. An index represents the priority of a member server in the SIP server group. The smaller the index value, the higher the priority. |
| Transport Layer Protocol | UDP: Specify UDP as the transport layer protocol for the connection between the SIP trunk device and the SIP server. TCP: Specify TCP as the transport layer protocol for the connection between the SIP trunk device and the SIP server. TLS: Specify TLS as the transport layer protocol for the connection between the SIP trunk device and the SIP server. By default, the UDP protocol is adopted. |
| URL Scheme | SIP: Specify the SIP scheme as the URL scheme. SIPS: Specify the SIPS scheme as the URL scheme. By default, the SIP URL scheme is adopted. |
| Server Address | IPv4 address or domain name of the SIP server. |
| Port Number | Specify a port number of the SIP server. |

NOTE:
For more configuration examples of SIP server group, see the chapter SIP trunk management.
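
The real-time switching and keep-alive rules from Table 246, written out as an added Python sketch (not H3C's implementation). It shows which replies move the device to the next member server for a registration versus a call; the server addresses and replies are constructed samples, and the redundancy mode, which is configured on another page, is not modelled.

```python
# 5XX codes that Table 246 excludes from switching and keep-alive failure.
NO_SWITCH_5XX = {502, 504, 505, 513}

# Constructed sample group: (server ID, address). Lower ID = higher priority.
SAMPLE_GROUP = [(2, "10.1.1.3"), (1, "10.1.1.2"), (3, "10.1.1.4")]


def failover_5xx(status):
    """True for a 5XX reply other than 502, 504, 505 and 513."""
    return (status is not None and 500 <= status <= 599
            and status not in NO_SWITCH_5XX)


def switch_after_register(status):
    """Registration: no response (None), 408, or a qualifying 5XX."""
    return status is None or status == 408 or failover_5xx(status)


def switch_after_call(status):
    """Call setup: as for registration, plus 403."""
    return status is None or status in (403, 408) or failover_5xx(status)


def keepalive_unreachable(status):
    """OPTIONS or REGISTER probe: 408 or a qualifying 5XX marks the server."""
    return status == 408 or failover_5xx(status)


def walk_group(group, send, should_switch):
    """Try member servers in priority order until one reply ends the walk.

    send(address) returns a status code, or None for no response.
    Returns (address_used_or_None, [(id, address, status), ...]).
    """
    if not 1 <= len(group) <= 5:
        raise ValueError("a SIP server group holds one to five member servers")
    tried = []
    for server_id, address in sorted(group):
        status = send(address)
        tried.append((server_id, address, status))
        if not should_switch(status):
            return address, tried
    return None, tried          # every member server was tried


def current_server(group, probe_results):
    """Pick the current server from keep-alive results.

    probe_results is None when keep-alive is disabled (the highest-priority
    server is always current). Otherwise it maps address -> last probe status;
    an address without an entry has no failing reply recorded.
    Assumption: the highest-priority server not marked unreachable is chosen.
    """
    ordered = sorted(group)
    if probe_results is None:
        return ordered[0][1]
    for _, address in ordered:
        if not keepalive_unreachable(probe_results.get(address)):
            return address
    return None


if __name__ == "__main__":
    replies = {"10.1.1.2": None, "10.1.1.3": 503, "10.1.1.4": 200}
    print(walk_group(SAMPLE_GROUP, replies.get, switch_after_register))
    replies = {"10.1.1.2": 403, "10.1.1.3": 486}
    print(walk_group(SAMPLE_GROUP, replies.get, switch_after_call))
```

A 403 moves a call to the next server but leaves a registration on the first one, and a 502 never triggers a switch, which is worth knowing when reading the SIP UA state pages after a server outage.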

SIP trunk configuration


Overview
Background
As shown in Figure 610, on a typical telephone network, internal calls of the enterprise are made through
the internal PBX, and external calls are placed over a PSTN trunk.
Figure 610 Typical telephone network

With the development of IP technology, many enterprises have deployed SIP-based IP-PBX networks as
shown in Figure 611. Internal calls of the enterprise are made by using the SIP protocol, and external calls
are still placed over a PSTN trunk. The problem is that the enterprises have to maintain both the SIP
network and PSTN trunk, which increases the difficulty of network management.
Figure 611 SIP+PSTN network
[Diagram: enterprise intranet with IP-PBX and routers using SIP internally, connected to the PSTN over a PSTN trunk]

As more enterprise IP-PBX networks run SIP and more Internet Telephone Service Providers (ITSPs) use SIP
to provide basic voice communication structures, enterprises urgently need a technology that uses SIP to
connect the enterprise IP-PBX network to the ITSP and so realize an all IP-based network. This technology
is called SIP trunk. A typical SIP trunk network is shown in Figure 612.


The SIP trunk function can be embedded into the voice gateway or the firewall deployed at the edge of
an enterprise private network. The device providing the SIP trunk function is called the SIP trunk device,
or the SIP trunk gateway.
Figure 612 All IP-based network
[Diagram: enterprise intranet with IP-PBX and router, connected through the SIP trunk device over a SIP trunk to the ITSP's SIP servers; SIP is used on both sides]

Features
SIP trunk has the following features:
1. Only one secure and QoS guaranteed SIP trunk link is required between a SIP trunk device and the
ITSP. The SIP trunk link can carry multiple concurrent calls, and the carrier only authenticates the
link instead of each SIP call carried on this link.

2. The internal calls of the enterprise are placed by the enterprise IP-PBX. The outbound calls of the
enterprise are forwarded by the SIP trunk device to the ITSP, and are finally routed to the PSTN by
the device in the ITSP. Enterprises do not need to maintain the PSTN trunk and thus save the costs
of hardware and maintenance.

3. By setting destination addresses, the enterprise can select to connect to multiple ITSPs, to make full
use of the ITSPs all over the world, and save call costs.

4. With the SIP trunk device deployed, the entire network can use the SIP protocol to better support
IP communication services, like voice, conference, and instant messaging.

5. A SIP trunk device differs from a SIP proxy server. The SIP trunk device initiates a new call request
to the ITSP on behalf of the user after receiving a call request from the user, and both the user and
the ITSP communicate only with the SIP trunk device. During the forwarding process, the SIP trunk
device forwards both signaling messages and RTP media messages.

Typical applications
The SIP trunk device is deployed between the enterprise IP-PBX and the ITSP. All internal calls are placed
by the enterprise IP-PBX. All outbound calls are forwarded by the SIP trunk device to the ITSP through the
SIP trunk link. Figure 613 shows a typical SIP trunk network.


Figure 613 SIP trunk network diagram
[Diagram: enterprise IP-PBX and SIP trunk device connected over a SIP trunk across the IP network to the ITSP's router and SIP servers]

Protocols and standards


SIP trunk-related protocols and standards are as follows:

RFC 3261

RFC 3515

SIPconnect Technical Recommendation v1.1

Configuring SIP trunk


Configuration task list
Table 247 SIP trunk configuration task list

| Task | Remarks |
|---|---|
| Enabling the SIP trunk function | Required |
| Configuring a SIP server group: Creating a SIP server group | Required |
| Configuring a SIP server group: Enabling the real-time switching, keep-alive, and redundancy functions | Required if there are multiple servers in a SIP server group |
| Configuring a SIP trunk account: Configuring a SIP trunk account | Required |
| Configuring a SIP trunk account: Configuring registration parameters for a SIP trunk account | Optional |
| Configuring a call route for outbound calls: Configuring a call route for a SIP trunk account | Required |
| Configuring a call route for outbound calls: Configuring fax and Modem parameters of the call route of a SIP trunk account | Optional |
| Configuring a call route for outbound calls: Configuring advanced settings of the call route of a SIP trunk account | Optional |
| Configuring a call route for inbound calls | Required |

Enabling the SIP trunk function


Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree.
Figure 614 Configure services

Table 248 Configuration items

| Item | Description |
|---|---|
| SIP Trunk Function | Enable the SIP trunk function before you can use other SIP trunk functions. H3C recommends that you do not use a device enabled with the SIP trunk function as a SIP UA. Options: Enable, Disable. By default, the SIP trunk function is disabled. |

Configuring a SIP server group


Creating a SIP server group
Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
On the server group configuration page that appears, create a SIP server group.

Enabling the real-time switching, keep-alive, and redundancy functions

Select Voice Management > Call Connection > SIP Server Group Management from the navigation
tree. On the server group configuration page that appears, configure the real-time switching and
keep-alive functions.

Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click
the Advanced Settings tab, where you can specify the redundancy mode.

For more information about how to configure a SIP server group, real-time switching, and keep-alive
function, see the chapter SIP server group management.
For more information about how to configure the redundancy function, see the chapter SIP connection
configuration.


Configuring a SIP trunk account


Configuring a SIP trunk account
A SIP trunk account contains information allocated to users by the carrier, including authentication
username, authentication password, host name, host user name, and the associated SIP server group.
Select Voice Management > SIP Trunk Management > Account Management from the navigation tree,
and click Add. The following page appears.
Figure 615 Configure a SIP trunk account

Table 249 Configuration items

| Item | Description |
|---|---|
| Account ID | Type a SIP trunk account ID. |
| SIP Server Group for Registration | Select the SIP server group used by the SIP trunk account for registration. SIP server groups can be configured in Voice Management > Call Connection > SIP Server Group Management. By default, a SIP trunk account has no SIP server group specified for registration. |
| Registration Aging Time | Set the registration aging time. If you do not configure this item, the system uses the registration aging time configured in Voice Management > Call Connection > SIP Connection. |
| Host Username | Type the host username allocated by the ITSP to the SIP trunk account. |
| Host Name | Type the host name allocated by the ITSP to the SIP trunk account. |
| Account Status | Options: Enable, Disable. By default, the SIP trunk account is enabled. Disabling a SIP trunk account that is already involved in a connection does not delete the connection. In other words, the disable configuration takes effect from the next call that uses this account. |
| Registration Function | Options: Enable, Disable. By default, the registration function of the SIP trunk account is disabled. |
| Authentication Username | Type the authentication username for the SIP trunk account. |
| Authentication Password | Type the authentication password for the SIP trunk account. To perform registration, you also need to provide the host username or associate the account with a SIP server group. |

Configuring registration parameters for a SIP trunk account


Select Voice Management > Call Connection > SIP Connection from the navigation tree and click the
Advanced Settings tab to configure registration parameters for a SIP trunk account. For more information
about registration parameter configuration, see the chapter SIP connection configuration.

Configuring a call route for outbound calls


Configuring a call route for a SIP trunk account
To use a SIP trunk account to call an external user, you need to first bind the SIP trunk account to a call
route, and then configure the call route in one of the following methods:

Bind a SIP server group

Specify IP routing

Specify the proxy server used for outbound calls

Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click
Add.


Figure 616 Configure a call route

Table 250 Configuration items

| Item | Description |
|---|---|
| Call Route ID | Type a call route ID. |
| Destination Number | Type the called telephone number. |
| Bound Account | Select a SIP trunk account to be bound to the voice entity. |
| Description | Type a description for the call route. |
| SIP Trunk Routing: Proxy Server | Use a SIP proxy server to complete calling. If you select this option, you need to configure the proxy server beforehand in Voice Management > Call Connection > SIP Connection. |
| SIP Trunk Routing: IP Routing: Transport Layer Protocol | Select one of the following transport layer protocols: UDP, TCP, TLS. By default, UDP is selected. |
| SIP Trunk Routing: IP Routing: SIP URL Scheme | SIP: Specifies the SIP scheme. SIPS: Specifies the SIPS scheme. By default, the SIP scheme is selected. |
| SIP Trunk Routing: IP Routing: Destination Address, Port Number | Type the destination address and port number of the called party. |
| SIP Trunk Routing: Bind to server group: Server Group | Select a server group. You can create a SIP server group in Voice Management > Call Connection > SIP Server Management. |
| Status | Options: Enable, Disable. |

Configuring fax and Modem parameters of the call route of a SIP trunk account
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the
icon of the call route to be configured to enter the call route fax and Modem configuration page.
The fax and Modem parameters of the call route of a SIP trunk account are the same as those of a call
route. For more information about fax and Modem parameters, see the chapter Fax and Modem.

Configuring advanced settings of the call route of a SIP trunk account
Configuring call match rules
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the
icon of the call route to be configured to enter the advanced settings configuration page.
Figure 617 Advanced settings

Table 251 Configuration items

You can control call route selection by configuring the prefix of source host name, prefix of destination host
name, or the source IP address as the call match rules. If you select several call match rules, only the calls that
match all rules are permitted.

| Item | Description |
|---|---|
| Match a Source Host Name Prefix | Specify the prefix of a source host name as a call match rule. The specified source host name prefix is used to match against the source host names of calls. If the INVITE message received by the SIP trunk device carries the Remote-Party-ID header, the source host name is extracted from this header field; if the INVITE message received by the SIP trunk device carries the Privacy header, the source host name is extracted from the P-Asserted-Identity or P-Preferred-Identity header field; if the INVITE message received by the SIP trunk device does not carry any of the above mentioned three header fields, the host name in the From header field of the INVITE message is used as the source host name. The prefix of a source host name consists of 1 to 31 characters, which are not case-sensitive and can include letters, digits, underlines (_), hyphens (-), asterisk (*), and dots (.). An asterisk represents a character string of any length, for example, t*m can match the source host names tom, tim, and so on. |
| Match a Destination Host Name Prefix | Specify the prefix of a destination host name as a call match rule. The specified destination host name prefix is used to match against the destination host names of calls. The host name in the To header field of an INVITE message received by the SIP trunk device is used as the destination host name. The prefix of a destination host name consists of 1 to 31 characters, which are not case-sensitive and can include letters, digits, underlines (_), hyphens (-), asterisk (*), and dots (.). An asterisk represents a character string of any length, for example, b*y can match the destination host names boy, boundary, and so on. |
| Match a Source Address: IPv4 address | Specify a source IP address as a call match rule. The value must be in dotted notation and can include dots (.), multiplication signs (x), asterisks (*), and digits, where x represents any number between 0 and 9, * represents any number between 0 and 255, and x and * can appear multiple times in one source IP address. Fuzzy matching is supported. For example, 100.1.x.3 indicates any IP address between 100.1.0.3 and 100.1.9.3, and 192.*.*.* indicates any IP address between 192.0.0.1 and 192.255.255.255. |
| Match a Source Address: DNS | Specify a domain name as a call match rule. A domain name is not case-insensitive and can include letters, digits, hyphens (-), underscores (_), asterisk (*), and dots (.), with a maximum length of 255 characters. If you provide this parameter, the specified domain name is used to match against the source addresses of calls, and a whole-word match is considered a match. For example, if the domain name is configured as sohu, sohu.com is not a match. However, fuzzy matching is supported. An asterisk represents a character string of any length, for example, i*n can match the source addresses ilison, iverson, inn, and so on. |
| Match a Source Address: Server Group | Specify the index of a SIP server group as a call match rule. |
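
The call match rules of Table 251 as an added Python sketch, not H3C code, useful for checking what a configured pattern will and will not admit before applying it. The INVITE is constructed; anchoring host-name patterns at the start only, reading x as one digit inside an octet, and permitting a call when no rule is configured are assumptions.

```python
import re

# Constructed sample INVITE (not captured traffic). Privacy is present, so
# the source host is taken from P-Asserted-Identity rather than From.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2222@boy.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 100.1.4.3:5060;branch=z9hG4bKconstructed",
    'From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1',
    "To: <sip:2222@boy.example.com>",
    "Privacy: id",
    "P-Asserted-Identity: <sip:1111@tom.example.com>",
    "Call-ID: constructed-1@100.1.4.3",
    "CSeq: 1 INVITE",
    "Content-Length: 0",
    "", "",
])

URI_HOST = re.compile(r"sips?:(?:[^@>;\s]+@)?([^;>:\s]+)", re.I)


def parse_headers(msg):
    """Map lower-cased header names to values; the first occurrence wins."""
    headers = {}
    for line in msg.split("\r\n")[1:]:
        if not line:
            break                      # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def uri_host(value):
    """Host part of the first sip: or sips: URI in a header value."""
    m = URI_HOST.search(value or "")
    return m.group(1) if m else None


def source_host(headers):
    """Header precedence described in Table 251 for the source host name."""
    if "remote-party-id" in headers:
        return uri_host(headers["remote-party-id"])
    if "privacy" in headers:
        for name in ("p-asserted-identity", "p-preferred-identity"):
            if name in headers:
                return uri_host(headers[name])
    return uri_host(headers.get("from"))


def wildcard_regex(pattern):
    """Translate '*' to 'any string'; every other character is literal."""
    return "".join(".*" if c == "*" else re.escape(c) for c in pattern)


def host_prefix_match(pattern, host):
    """Case-insensitive match anchored at the start of the host name."""
    return re.match(wildcard_regex(pattern), host, re.I) is not None


def domain_match(pattern, name):
    """Whole-word match: 'sohu' does not match 'sohu.com'.
    Case is compared as written, following the page's wording."""
    return re.fullmatch(wildcard_regex(pattern), name) is not None


def ipv4_match(pattern, addr):
    """'*' is a whole octet (0-255); 'x' is one decimal digit in an octet."""
    p_octets, a_octets = pattern.split("."), addr.split(".")
    if len(p_octets) != 4 or len(a_octets) != 4:
        return False
    for p, a in zip(p_octets, a_octets):
        if not (a.isascii() and a.isdigit()) or int(a) > 255:
            return False
        a = str(int(a))                # normalise leading zeros
        if p == "*":
            continue
        if len(p) != len(a) or any(pc not in ("x", ac) for pc, ac in zip(p, a)):
            return False
    return True


def call_permitted(rules, invite, peer_ip):
    """All configured rules must match; keys are hypothetical names:
    src_host_prefix, dst_host_prefix, src_ipv4."""
    h = parse_headers(invite)
    checks = []
    if "src_host_prefix" in rules:
        host = source_host(h)
        checks.append(bool(host) and host_prefix_match(rules["src_host_prefix"], host))
    if "dst_host_prefix" in rules:
        host = uri_host(h.get("to"))
        checks.append(bool(host) and host_prefix_match(rules["dst_host_prefix"], host))
    if "src_ipv4" in rules:
        checks.append(ipv4_match(rules["src_ipv4"], peer_ip))
    return all(checks)                 # assumption: no rules means permit
```

The host names compared here come from headers the sender fills in, so combining a host-name rule with a source address rule ties the match to the network peer as well as to the message content.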

Configuring coding parameters


The coding parameters of the call route of a SIP trunk account are the same as those of a call route. For
more information about coding parameters, see the chapter Advanced settings.

Configuring other parameters


Other parameters of the call route of a SIP trunk account are the same as those of a call route. For more
information about other parameters, see the chapter Advanced settings.

Configuring codec transparent transmission


Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the
icon of the target call route to enter the SIP-to-SIP Connections configuration page.
Figure 618 SIP-to-SIP Connections

Table 252 Configuration items

| Item | Description |
|---|---|
| Codec Transparent | Enable or disable codec transparent transmission. If the SIP trunk device does not support the codecs supported by the calling and called parties, you can enable codec transparent transmission so that the SIP trunk device transparently transmits codec capability sets between the two parties to complete codec negotiation. By default, codec transparent transmission is disabled, and the SIP trunk device participates in media negotiation between two parties. Note: This option takes effect only for private-to-public call routes. To enable this function for public-to-private call routes, perform the configuration in Voice Management > Call Route. For related configuration information, see the chapter Local Number and Call Route. |

Configuring a call route for inbound calls


Select Voice Management > Call Route from the navigation tree, and click Add to enter the call route
configuration page. Specify the call route type as SIP.
For more information about call route, see the chapters Local number and call route and Basic
settings.

SIP trunk configuration examples


Configuring a SIP server group with only one member server
Network requirements
The enterprise private network has a SIP trunk device. Router A is a private network device, and Router
B is a public network device. Configure a SIP server group with only one member server so that all calls
between the enterprise private network and public network are made through the SIP trunk device.

Figure 619 Network diagram for configuring a SIP server group with only one member server

Configuration procedure
1. Configure Router A

# Configure a local call number.


Select Voice Management > Local Number from the navigation tree and click Add.
Figure 620 Configure a local number

Type 2000 for Number ID.

Type 2000 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Click Apply.

# Configure a call route.



Select Voice Management > Call Route from the navigation tree and click Add.
Figure 621 Configure a call route

Type 10000 for Call Route ID.

Type 1000 for Destination Number.

Select SIP for Call Route Type.

Type 1.1.1.2 for Destination Address.

Click Apply.

2. Configure the SIP trunk device

# Enable the SIP trunk function.


Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree.
Figure 622 Configure services

Select Enable for SIP Trunk Function.

Click Apply.

# Create SIP server group 1. Add a SIP server into the server group: the ID and the IPv4 address of the
server are 1 and 10.1.1.2 respectively.
Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree
and click Add.


Figure 623 Configure server group

Type 1 for Server Group ID.

Type 1 for Server ID.

Type 10.1.1.2 for Server Address.

Click Add the Server.

Click Apply.

# Create SIP trunk account 1 with the host user name 2000, and associate the account with SIP server
group 1.
Select Voice Management > SIP Trunk Management > Account Management from the navigation tree,
and click Add.


Figure 624 Configure a SIP trunk account

Type 1 for Account ID.

Select server-group-1 from the SIP Server Group for Registration drop-down list.

Type 2000 for Host Username.

Select Enable for Registration Function.

Click Apply.

# Configure the call route for the outbound calls from private network user 2000 to public network user
1000 by binding SIP server group 1 to the VoIP voice entity.
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click
Add.


Figure 625 Configure a call route for the SIP trunk account

Type 20000 for Call Route ID.

Type 1000 for Destination Number.

Select account1 from the Bound Account drop-down list.

Select Bind to Server Group for SIP Trunk Routing.

Select server-group-1 from the Server Group drop-down list.

Click Apply.

# Configure the call route for the inbound calls from public network user 1000 to private network user
2000. Configure the IP address of the peer end as 1.1.1.1, which is the address of the interface on Router
A.
Select Voice Management > Call Route from the navigation tree and click Add.
Figure 626 Configure a call route

Type 10000 for Call Route ID.



Type 2000 for Destination Number.

Select IP Routing for SIP Route Type.

Type 1.1.1.1 for Destination Address.

Click Apply.

3. Configure Router B
# Configure a local call number.

Select Voice Management > Local Number from the navigation tree and click Add.
Figure 627 Configure a local number

Type 1000 for Number ID.

Type 1000 for Number.

Select subscriber-line 8/0 from the Bound Line drop-down list.

Click Apply.

# Configure a call route.


Select Voice Management > Call Route from the navigation tree and click Add.
Figure 628 Configure a call route

Type 10000 for Call Route ID.



Type 2000 for Destination Number.

Select SIP for Call Route Type.

Select Proxy Server for SIP Routing.

Click Apply.

# Configure the IPv4 address of the registrar as 10.1.1.2 and enable the registrar.
Select Voice Management > Call Connection > SIP Connection from the navigation tree and click the
Connection Properties tab.
Figure 629 Configure connection properties

Select Enable for Register State.

Type 10.1.1.2 for Main Registrar Address.

Click Apply.

Configuration verification
1. On the SIP trunk device, display SIP trunk account information.
Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree.
You can see that the private network account 2000 has registered with the server at 10.1.1.2.

2. All calls between the private network and public network are made through the SIP trunk device.
On the SIP trunk device, you can see in Voice Management > States and Statistics > Call Statistics that
all calls between the private network and public network are made through the SIP trunk device.

3. On the SIP server of the carrier, you can view only the interface address of the SIP trunk device,
which means that the SIP trunk device can filter the information of the enterprise private network
users.

Configuring a SIP server group with multiple member servers


Network requirements
The enterprise private network has a SIP trunk device. Router A is a private network device, and Router
B is a public network device. Configure a SIP server group with multiple member servers so that all calls
between the enterprise private network and public network are made through the SIP trunk device. The
carrier is required to provide multiple servers to ensure call reliability.


Figure 630 Network diagram for configuring a SIP server group with multiple member servers
[Diagram labels: enterprise private network with Router A (number 2000); SIP trunk device; public
network with Router B (number 1000); ITSP-A SIP servers 10.1.1.2/24 and 10.1.1.3/24; interface
addresses 1.1.1.1/24, 1.1.1.2/24, 2.1.1.1/24 and 2.1.1.2/24; IP and SIP trunk links.]

Configuration procedure
# Enable the SIP trunk function. (Procedure omitted)
# Create SIP server group 1. Add two SIP servers into the server group: the IP addresses are 10.1.1.2 and
10.1.1.3, and the server with the address 10.1.1.2 has a higher priority. Enable the real-time switching
function of SIP server group 1. Set the keep-alive mode for SIP server group 1 to Options.
Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree
and click Add.


Figure 631 Configure server group

Type 1 for Server Group ID.

Select Enable for Real-Time Switching.

Select Options for Keep-Alive Mode.

Type 1 for Server ID.

Type 10.1.1.2 for Server Address.

Click Add the Server.

Type 3 for Server ID.

Type 10.1.1.3 for Server Address.

Click Add the Server.

Click Apply.

# Set the redundancy mode for SIP server group 1 to parking. (Optional. The redundancy mode for a SIP
server group is parking by default.)
Select Voice Management > Call Connection > SIP Connection from the navigation tree and click the
Advanced Settings tab.


Figure 632 Advanced settings

Select Parking for Redundancy Mode.

Click Apply.

Other configurations on the SIP trunk device and on other devices are the same as those described in
the Configuration procedure of "Configuring a SIP server group with only one member server".

Configuration verification
1. When the SIP server with IP address 10.1.1.2 fails, the SIP server with IP address 10.1.1.3 takes
over communications between the enterprise private network and public network. After that, the
communications recover.

2. When the SIP server with IP address 10.1.1.2 recovers, it does not take over call processing and
the SIP server with IP address 10.1.1.3 keeps working.
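
The failover behavior verified above, as an added Python model that is not part of the H3C guide or of the router software. It replays keep-alive results against a two-server group and shows that in parking mode a recovered higher-priority server does not take calls back. Assumptions: list order stands for priority, every server starts reachable, and the preempt flag is a hypothetical contrast mode that does not appear on this page.

```python
"""Parking-mode server selection for a SIP server group (added illustration)."""


class SipServerGroup:
    def __init__(self, servers, preempt=False):
        # Assumption: servers are listed from highest to lowest priority.
        self.servers = list(servers)
        # preempt=False models the parking behavior the page verifies.
        # preempt=True is a hypothetical contrast, not a setting from the page.
        self.preempt = preempt
        # Assumption: every member is reachable until a keep-alive fails.
        self.reachable = {server: True for server in self.servers}
        self.current = self.servers[0]
        self.history = [self.current]

    def _best_reachable(self):
        """Highest-priority member that currently answers keep-alives."""
        for server in self.servers:
            if self.reachable[server]:
                return server
        return None

    def keepalive(self, server, answered):
        """Record one OPTIONS keep-alive result and return the server in use."""
        if server not in self.reachable:
            raise ValueError(f"{server} is not a member of this group")
        self.reachable[server] = answered
        if self.preempt:
            chosen = self._best_reachable()
        elif self.current is not None and self.reachable[self.current]:
            chosen = self.current              # parking: stay on a working server
        else:
            chosen = self._best_reachable()    # server in use failed: switch over
        if chosen != self.current:
            self.current = chosen
            self.history.append(chosen)
        return self.current


def replay(events, servers, preempt=False):
    """Return the server in use after each (server, answered) event."""
    group = SipServerGroup(servers, preempt=preempt)
    return [group.keepalive(server, answered) for server, answered in events]


# Addresses come from the page; the event sequence is constructed.
SERVERS = ["10.1.1.2", "10.1.1.3"]
EVENTS = [
    ("10.1.1.2", True),
    ("10.1.1.2", False),   # primary stops answering
    ("10.1.1.3", True),
    ("10.1.1.2", True),    # primary answers again
    ("10.1.1.3", False),   # the server in use fails later
]

if __name__ == "__main__":
    print("parking :", replay(EVENTS, SERVERS))
    print("preempt :", replay(EVENTS, SERVERS, preempt=True))
```

In the parking run the group stays on 10.1.1.3 after 10.1.1.2 recovers and only returns to 10.1.1.2 when 10.1.1.3 itself stops answering.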

Configuring call match rules


Network requirements
The enterprise private network has a SIP trunk device. Router A1 and Router A2 are private network
devices, and Router B is a public network device.

Users connected to Router A2 are not allowed to call public network users.

All calls between the enterprise private network and public network are made through the SIP trunk
device.


Figure 633 Network diagram for configuring call match rules

Configuration procedure
# Configurations on the SIP trunk device and on other devices are the same as those described in
Configuration procedure.
# Configure Router A2: Configure a local number 2001 and a call route to Router B. For the
configuration procedure, see Configure Router A.
# Configure Router B: Configure a call route to Router A2. For the configuration procedure, see
Configure Router B.
# Configure the SIP trunk device: Select Voice Management > Call Route from the navigation tree and
click Add to configure the call route for calls from the number 1000 to 2001. Type 3.3.3.1 (the IP
address of the interface on Router A2) as the Destination Number.
# Configure call match rules on the SIP trunk device: specify that calls with source IP address 1.1.1.1 are
permitted.
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the
icon of the call route to be configured to enter the advanced settings configuration page.
Figure 634 Advanced settings


Select IPv4 Address from the Match a Source Address drop-down list.

Type 1.1.1.1 for IPv4 Address.

Click Apply.

Configuration verification
1. Enterprise private network users connected to Router A1 can call public network users, but private
network users connected to Router A2 cannot call public network users.

2. Public network users can call any private network user.
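
The effect of the call match rule on outbound calls, as an added Python model that is not part of the H3C guide or of the router software. It evaluates SIP trunk call route 20000 with and without the source-address match and reports which private devices can reach the public number. Assumptions: destination numbers are compared exactly, a route without a match rule accepts any source, and Router A1 is the device at 1.1.1.1.

```python
"""Evaluate SIP trunk call routes with a source-address match (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class TrunkRoute:
    route_id: int
    destination: str                      # destination number, exact match here
    account: str
    server_group: str
    match_source: Optional[str] = None    # None means no call match rule


def select_route(routes, source_ip, called_number):
    """Return the first trunk route that accepts this call, or None."""
    src = ip_address(source_ip)
    for route in sorted(routes, key=lambda r: r.route_id):
        if route.destination != called_number:
            continue
        if route.match_source is not None and ip_address(route.match_source) != src:
            continue                      # source address is not permitted
        return route
    return None


def outbound_reachability(routes, private_devices, public_numbers):
    """Map (device, number) to True when a trunk route accepts the call."""
    return {
        (name, number): select_route(routes, addr, number) is not None
        for name, addr in private_devices.items()
        for number in public_numbers
    }


def unrestricted_routes(routes):
    """IDs of trunk routes usable by any source that can reach the device."""
    return [route.route_id for route in routes if route.match_source is None]


# Addresses, numbers and the route ID come from the page.
PRIVATE_DEVICES = {"Router A1": "1.1.1.1", "Router A2": "3.3.3.1"}
PUBLIC_NUMBERS = ["1000"]

# Route 20000 as first configured, then with the call match rule added.
BEFORE = [TrunkRoute(20000, "1000", "account1", "server-group-1")]
AFTER = [TrunkRoute(20000, "1000", "account1", "server-group-1",
                    match_source="1.1.1.1")]

if __name__ == "__main__":
    for label, routes in (("no match rule", BEFORE), ("match 1.1.1.1", AFTER)):
        print(label, "- unrestricted routes:", unrestricted_routes(routes))
        result = outbound_reachability(routes, PRIVATE_DEVICES, PUBLIC_NUMBERS)
        for (device, number), permitted in result.items():
            print(f"  {device} -> {number}:", "permitted" if permitted else "rejected")
```

Running the same audit over every trunk route on a device lists the routes that still lack a source match, which are the ones any newly attached private device could use.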


Data link management


Introduction to data link management
Overview
Introduction to E1 and T1
Plesiochronous digital hierarchy (PDH) includes two major communications systems: the ITU-T E1 system
and the ANSI T1 system. The E1 system is dominant in Europe and some non-European countries. The T1
system is dominant in the USA, Canada and Japan.
E1 and T1 use the same sampling frequency (8 kHz), PCM frame length (125 μs), bits per code (8 bits)
and timeslot bit rate (64 kbps). They differ in these aspects:

E1 adopts 13-segment A-law coding/decoding but T1 adopts 15-segment μ-law coding/decoding.

Each PCM primary frame of E1 contains 32 timeslots but that of T1 contains 24 timeslots. Each PCM
primary frame of E1 contains 256 bits but that of T1 contains 193 bits. Therefore, E1 provides
2.048 Mbps bandwidth and T1 provides 1.544 Mbps bandwidth.

E1 and T1 voice functions


E1 and T1 mainly provide voice and signaling trunks to the PSTN. To realize this function, the router must
have E1 and T1 voice interfaces and be configured with functions required for transmitting voice over E1
and T1 lines.
The E1 and T1 voice physical interfaces are respectively VE1 and VT1 interfaces.
PSTN and routers are connected through E1/T1 trunks, as shown in Figure 635.
Figure 635 Network diagram for an E1/T1 voice system

E1/T1 voice transmission allows a router to provide more channels of voice communication, greatly
improving router utilization and broadening service range.


E1 and T1 interfaces
E1 interface
An E1 interface is logically divided into timeslots (TSs) with TS16 being a signaling channel.
On E1 interfaces, you may create PRI groups or TS sets.
You may use an E1 interface as an ISDN PRI or CE1 interface:
1. As an ISDN PRI interface, the E1 interface adopts DSS1 or QSIG signaling. As TS0 is used to
transfer synchronization information and TS16 is used as a D channel to transfer signaling, you
may arbitrarily bind any timeslots other than TS0 and TS16 as a logical interface, which is
equivalent to an ISDN PRI interface.

2. As a CE1 interface with a signaling channel, the E1 interface can adopt R2 signaling, digital E&M
signaling, or digital LGS signaling.

When R2 signaling is adopted, every 32 timeslots form a primary frame (PCM30 for example),
where TS0 is used for frame synchronization, TS16 for digital line signaling, and other 30 timeslots
for voice transmission. Every 16 primary frames form one multiframe. In each multiframe, TS0 in
even primary frames conveys frame alignment signal (FAS) and TS0 in odd primary frames conveys
non-FAS (NFAS) about link status information. NFAS provides control signaling for primary rate
multiplexing. In the first primary frame, frame 0, the high-order four bits in TS16 convey multiframe
FAS (MFAS) and the lower-order four bits convey non-multiframe FAS (NMFAS); TS16 in each of
other 15 primary frames conveys line status information for two timeslots. For example, TS16 in
frame 1 conveys the digital line signaling status of TS1 and TS17 while that in frame 2 conveys the
digital line signaling status of TS2 and TS18, and so on.

When digital E&M signaling is adopted, the E1 interface functions as a digital E&M interface. On
the interface, timeslot division and functions are the same as those with R2 signaling.

When digital LGS signaling is adopted, the E1 interface functions as a digital FXO or FXS interface.
On the interface, timeslot division and functions are the same as those with R2 signaling.
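
The TS16 multiframe layout described above for R2 signaling, as an added Python example that is not part of the H3C guide: it checks alignment and extracts the four signaling bits carried for each voice timeslot. The FAS pattern, the all-zero MFAS value and the nibble order (high nibble for TS n, low nibble for TS n+16) follow ITU-T G.704 rather than this page, and the sample multiframe is constructed.

```python
"""Parse channel-associated signaling from one E1 multiframe (added illustration)."""

FRAMES_PER_MULTIFRAME = 16
TIMESLOTS_PER_FRAME = 32
MULTIFRAME_BYTES = FRAMES_PER_MULTIFRAME * TIMESLOTS_PER_FRAME   # 512
FAS_PATTERN = 0x1B      # 0011011 in bits 2-8 of TS0 (ITU-T G.704)
NFAS_BIT2 = 0x40        # bit 2 of TS0 is 1 in frames that carry NFAS
SAMPLE_ABCD = 0b1001    # constructed filler value, not interpreted here


class AlignmentError(ValueError):
    """Raised when frame or multiframe alignment cannot be confirmed."""


def parse_cas_multiframe(multiframe):
    """Return {timeslot: 4-bit line signaling value} for TS1-15 and TS17-31."""
    if len(multiframe) != MULTIFRAME_BYTES:
        raise AlignmentError(f"expected {MULTIFRAME_BYTES} bytes, got {len(multiframe)}")
    frames = [
        multiframe[i * TIMESLOTS_PER_FRAME:(i + 1) * TIMESLOTS_PER_FRAME]
        for i in range(FRAMES_PER_MULTIFRAME)
    ]
    # TS0: FAS in even primary frames, NFAS in odd primary frames.
    for number, frame in enumerate(frames):
        ts0 = frame[0]
        if number % 2 == 0 and (ts0 & 0x7F) != FAS_PATTERN:
            raise AlignmentError(f"frame {number}: FAS not found in TS0")
        if number % 2 == 1 and not ts0 & NFAS_BIT2:
            raise AlignmentError(f"frame {number}: TS0 does not look like NFAS")
    # Frame 0, TS16: the high-order four bits carry the multiframe alignment signal.
    if frames[0][16] >> 4 != 0:
        raise AlignmentError("frame 0: MFAS (0000) not found in TS16")
    status = {}
    # Frames 1-15, TS16: frame n carries the status of TS n and TS n+16.
    for number in range(1, FRAMES_PER_MULTIFRAME):
        ts16 = frames[number][16]
        status[number] = ts16 >> 4
        status[number + 16] = ts16 & 0x0F
    return status


def build_multiframe(abcd):
    """Build a constructed 512-byte multiframe from {timeslot: 4-bit value}."""
    for timeslot, value in abcd.items():
        if timeslot in (0, 16) or not 0 < timeslot < 32 or not 0 <= value <= 0x0F:
            raise ValueError(f"bad entry {timeslot}: {value}")
    out = bytearray()
    for number in range(FRAMES_PER_MULTIFRAME):
        frame = bytearray([0xD5] * TIMESLOTS_PER_FRAME)     # filler voice bytes
        frame[0] = 0x9B if number % 2 == 0 else 0xDF        # FAS / NFAS
        if number == 0:
            frame[16] = 0x0B                                # MFAS 0000 + NMFAS bits
        else:
            high = abcd.get(number, SAMPLE_ABCD)
            low = abcd.get(number + 16, SAMPLE_ABCD)
            frame[16] = (high << 4) | low
        out += frame
    return bytes(out)


if __name__ == "__main__":
    sample = build_multiframe({1: 0b0001, 17: 0b1001, 2: 0b0101, 18: 0b1101})
    for timeslot, bits in sorted(parse_cas_multiframe(sample).items()):
        print(f"TS{timeslot:02d} ABCD={bits:04b}")
```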

NOTE:
After you create a TS set and configure signaling on an E1 voice interface card, the system can
automatically create the voice subscriber line for the TS set.
After TSs of an E1 interface are bound to form a PRI group, the system will automatically generate the
corresponding voice subscriber line.
At present, the Web interface supports only the PRI trunk signaling.

T1 interface
A T1 interface can be physically divided into 24 timeslots numbered TS1 through TS24.
You may use a T1 interface as an ISDN PRI interface. The interface adopts DSS1 or QSIG signaling. On
the interface, except TS24 used as D channel for signaling, you may arbitrarily bundle other timeslots
into an interface logically equivalent to an ISDN PRI interface.
In addition to DSS1 and QSIG signaling, T1 interfaces support R2 signaling, digital E&M signaling, and
LGS signaling. Configured with digital E&M signaling, a T1 interface is used as a digital E&M interface;
with digital LGS signaling, a digital FXO or FXS interface.


NOTE:
Like E1 voice interface cards, T1 voice interface cards also have the features of voice subscriber lines.
At present, the Web interface supports only the PRI trunk signaling.

Features of E1 and T1
E1 and T1 are characterized by the following:

Signaling modes

Fax function

Protocols and standards

Signaling modes
E1/T1 interfaces support these types of signaling:

DSS1/QSIG user signaling, adopted on the D channel between ISDN user and network interface
(UNI). It comprises a data link layer protocol and a Layer 3 protocol used for basic call control.

ITU-T R2 signaling, which falls into digital line signaling and interregister signaling. Digital line
signaling is transmitted in TS16 (ABCD bits) of E1 trunk. It conveys status information about E1
trunks to describe whether the trunks are occupied, released, or blocked. Interregister signaling
conveys information about address, language and discriminating digits for internal calls, echo
suppressor, caller properties and callee properties in multi-frequency compelled approach (forward
and backward) in each timeslot.

Digital E&M signaling, similar to R2 signaling. It transmits E (recEive) and M (transMit) call control
signals similar to analog E&M signaling in TS16, alignment signals in TS0, and voice signals in
other timeslots. In digital E&M signaling, when an E1 trunk detects and sends connection signaling,
it looks at the signal in TS16. Digital E&M signaling provides three start modes, immediate, wink,
and delay, to adapt to different devices for more reliable connection.

Digital loop-start and ground-start signaling (LGS). Digital loop start signaling is used between
telephones and switches to identify the off-hook/on-hook state, while ground-start signaling is used
between switches. They differ in that the two parties in conversation must check grounding state
before closing the line in the ground-start approach.

Fax function
The fax function is available on E1/T1 voice interfaces to set up fax channels and transmit/receive fax
data.

Protocols and standards


E1/T1 voice supports SIP and recommendations in ITU-T H.323 framework, and G.711, G.729, and
G.723.1 Annex A (5.3 K and 6.3 K) in ITU standards.
Table 253 Protocols supported by E1/T1

Item | E1 Voice | T1 Voice
Framing format | Cyclic redundancy check 4 (CRC4), non-CRC4 | Super frame (SF), extended super frame (ESF)
Line coding format | High-density bipolar 3 (HDB3), alternate mark inversion (AMI) | Bipolar 8 zeros substitution (B8ZS), alternate mark inversion (AMI)


Introduction to BSV interface


The BRI S/T voice (BSV) interface supports simultaneous transmission of voice and data. It can receive,
send, compress, and decompress digital PCM voice traffic, and implements the VoIP function through
other WAN interfaces of the router.
Generally, a BSV interface is used to connect an ISDN digital telephone, and it can also be used as a
trunk interface connecting to a PBX digital trunk. When it cooperates with an FXS or FXO interface, a
BSV interface can implement flexible routing policies for voice calls.

Configuring digital link management


You can click the link of a digital link name to enter the page displaying the link state. For details, see
Displaying ISDN link state.

Configuring VE1 line


Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of the VE1 line to be configured to enter the E1 parameters configuration page.
Figure 636 E1 parameters configuration page (I)

Table 254 Configuration items

Item | Description

Physical Parameters Configuration

Working Mode
  Configure the working mode of the E1 interface.
  None: Remove the existing bundle.
  PRI trunk signaling: Bundle timeslots on an E1 interface into a PRI group.
  By default, no PRI group is created.

Bound Timeslot Number
  Specify the timeslots to be bundled.

Frame Check Mode
  CRC4: Perform cyclic redundancy check (CRC).
  NO_CRC4: Do not perform CRC.

Line Coding
  HDB3: The line coding format is high-density bipolar 3 (HDB3).
  AMI: The line coding format is alternate mark inversion (AMI).

TDM Clock Source
  Internal: Set the internal crystal oscillator time division multiplexing (TDM) clock as
  the TDM clock source on the E1 interface. After that, the E1 interface obtains clock
  from the crystal oscillator on the main board. If it fails to do that, the interface
  obtains clock from the crystal oscillator on its E1 card. Because SIC cards are not
  available with crystal oscillator clocks, E1 interfaces on SIC cards can only obtain
  clock from the main board. The internal clock source is also referred to as master
  clock mode in some features.
  Line: Set the line TDM clock as the TDM clock source on the E1 interface. After
  that, the E1 interface obtains clock from the remote device through the line. The
  line clock source is also referred to as slave clock mode in some features.
  Line primary: Set the E1 interface to preferably use the line TDM clock as the TDM
  clock source. After that, the E1 interface always attempts to use the line TDM clock
  prior to any other clock sources.
  By default, the TDM clock source for an E1 interface is the internal clock.
  When digital voice E1 interfaces perform TDM timeslot interchange, it is important for
  them to achieve clock synchronization to prevent frame slips and bit errors.
  Depending on your configurations on E1 interfaces at the CLI, the system adopts
  different clocking approaches. When there is a subcard VCPM on the main board,
  the clock distribution principle is as follows:
    If the line keyword is specified for all interfaces, the clock on the interface with the
    lowest number is adopted. In case the interface goes down, the clock on the
    interface with the second lowest number is adopted.
    If line primary is specified for interface X and line or internal is specified for other
    interfaces, the clock on interface X is adopted.
    If line is specified for interface X and internal is specified for other interfaces, the
    clock on interface X is adopted.
    Normally, you cannot set the clock source for all interfaces in a system as internal
    to prevent frame slips and bit errors. You can do this however if the remote E1
    interfaces adopt the line clock source.
  When there is no VCPM on the main board, the configuration of each MIM/FIC is
  independent but only one interface can be set as line primary.

Status
  Enable: Enable the E1 interface.
  Disable: Disable the E1 interface.

If you select the PRI Trunk Signaling radio button, the page as shown in Figure 637 appears.


Figure 637 E1 parameters configuration page (II)

NOTE:
You are not allowed to configure the following parameters on an ISDN interface if there is still a call on it:
ISDN Overlap-Sending, Switch to ACTIVE State Without Receiving a Connect-Ack Message, Carry High
Layer Compatibility Information, Carry Low Layer Compatibility Information, or ISDN Call Reference
Length. These parameters can take effect only if they are configured when there is no call on the interface.
Alternatively you can manually disable the ISDN interface, configure the parameters, and then enable the
interface again. The operations, however, will lead to the disconnection of calls existing on the interface.
Table 255 Configuration items

Item | Description

ISDN Parameters Configuration

ISDN Protocol Type
  Set the ISDN protocol to be run on an ISDN interface, including DSS1, QSIG,
  and ETSI.
  By default, an ISDN interface runs DSS1.

ISDN Working Mode
  ISDN working mode to be set, which can be network side mode or user side
  mode.
  By default, an ISDN interface operates in user side mode.

ISDN Timeslot Management
  Configure local ISDN B channel management.
  Disable: Local ISDN B channel management is disabled and is in the
  charge of ISDN switch.
  Common management: The device operates in local B channel
  management mode to select available B channels for calls. However, the
  ISDN switch still has a higher priority in B channel selection. If a locally
  selected B channel is different from that selected by the ISDN switch, the
  one indicated by the ISDN switch is used for communication.
  Forced management: The device operates in forced local B channel
  management mode. In this mode, the device indicates in the Channel ID
  information element of a call Setup message that the local B channel is
  mandatory and unchangeable. If the ISDN switch indicates a B channel
  different from the local one, the call will fail.
  By default, the local ISDN B channel management is not enabled and is in the
  charge of ISDN switch.
  It is very important to put appropriate control on the B channels used for calls
  in process, especially in PRI mode. Proper channel management can improve
  call efficiency and reduce call loss. Normally, the centralized B channel
  management provided by exchanges can work well. For this reason, you are
  recommended to adopt the management function provided by exchanges in
  most cases, despite that the ISDN module can provide the channel
  management function as well.

ISDN Timeslot Order
  Set a B channel selection method:
  Ascending order: Select B channels in ascending order.
  Descending order: Select B channels in descending order.
  When operating in B channel local management mode, the device selects B
  channels in ascending order by default.
  When the exchange manages B channels, these options take no effect. If you
  select the Disable radio button in the ISDN Timeslot Management area, these
  options take no effect.

ISDN Overlap-Sending
Max Number of Digits that Can Be Sent Each Time
  Enable: Set the ISDN interface to send the called number in overlap mode.
  In this mode, the digits of each called number will be sent separately and
  the maximum number of the digits sent each time can be set.
  Disable: Set the ISDN interface to send the called number in full-sending
  mode. In this mode, all the digits of each called number will be collected
  and sent at a time.
  By default, the ISDN interface sends the called number in
  full-sending mode.

Progress-to-Alerting Conversion
  Enable: Enable the ISDN interface to convert received Progress messages
  into Alerting messages.
  Disable: Disable the progress-to-alerting conversion function.
  This option takes effect only on messages received on an ISDN interface.

Switch to ACTIVE State Without Receiving or Sending a Connect-Ack Message
  Enable for outgoing direction: Configure the ISDN protocol to switch to the
  ACTIVE state after receiving a Connect message without having to send a
  Connect-Ack message.
  Enable for incoming direction: Configure the ISDN protocol to switch to the
  ACTIVE state to start Connect and voice service communications after
  sending a Connect message without having to wait for a Connect-Ack
  message.
  Enable for bidirectional directions: Configure the ISDN protocol to switch
  to the ACTIVE state after receiving or sending a Connect message without
  having to wait for or send a Connect-Ack message.
  Disable (default): Configure the ISDN protocol not to ignore the
  Connect-Ack messages, that is, the ISDN protocol must wait for the
  Connect-Ack message in response to the Connect message before it can
  switch to the ACTIVE state to start data and voice service communications.
  By default, in the event that the device is communicating with an ISDN switch:
    The ISDN protocol must wait for the Connect-Ack message in response to
    the Connect message before it can switch to the ACTIVE state to start data
    and voice service communications.
    After the ISDN protocol receives a Connect message, it needs to send a
    Connect-Ack message in response.
  IMPORTANT:
    In the event that the device is communicating with an ISDN switch, its
    settings must be the same as those on the switch.
    You are not allowed to configure this drop-down list on an ISDN interface
    if there is still a call on it. Configuration of this drop-down list can take
    effect only if it is configured when there is no call on the interface.
    Alternatively, you can manually disable the interface, configure this
    drop-down list, and then enable the interface. The operations, however,
    will lead to the disconnection of the calls existing on the interface.

Carry High Layer Compatibility Information
  Enable: Configure ISDN to carry the higher layer compatibility (HLC)
  information element in Setup messages when placing voice calls.
  Disable: Disable ISDN from carrying the HLC information element in the
  Setup messages when placing voice calls.
  By default, the HLC information element is carried in Setup messages when
  ISDN places voice calls.

Carry Low Layer Compatibility Information
  Enable: Configure ISDN to carry the lower layer compatibility (LLC)
  information element in Setup messages when placing voice calls.
  Disable: Disable ISDN from carrying the LLC information element in the
  Setup messages when placing voice calls.
  By default, the LLC information element is carried in Setup messages when
  ISDN places voice calls.

Ignore the Sending-Complete Information Element in Setup Messages
  Enable for outgoing direction: Configure the ISDN protocol to send Setup
  messages without the Sending-Complete Information Element when
  placing a call.
  Enable for incoming direction: Configure the ISDN protocol to ignore the
  Sending-Complete Information Element in Setup messages when receiving
  a call.
  Enable for bidirectional directions: Configure the ISDN protocol to ignore
  the Sending-Complete Information Element in Setup messages when
  receiving a call, and to send Setup messages without the
  Sending-Complete Information Element when placing a call.
  Disable (default): Configure ISDN not to ignore the Sending-Complete
  Information Element in Setup messages. During data exchange between
  the device and an ISDN switch, for an incoming call, if a Setup message
  does not contain the Sending-Complete Information Element, the number is
  not received completely; for an outgoing call, a Setup message containing
  the Sending-Complete Information Element indicates that the number is
  sent completely.

ISDN Sliding Window Size
  Set the sliding window size on an ISDN BRI interface.

ISDN T302 Timer Duration
  Configure the duration of the ISDN protocol Layer 3 timer T302.

ISDN Call Reference Length
  Set the length of the call reference used when a call is placed on an ISDN
  interface.
  The call reference is equal to the sequence number that the protocol assigns to
  each call. It is one or two bytes in length and can be used cyclically.
  When the device receives a call from a remote device, it can automatically
  identify the length of the call reference. However, some devices on the
  network do not have this capability. In the event that the device is required to
  place calls to such a device connected to it, you must configure the device to
  use the same call reference length configured on the connected device.

Configuring VT1 line


Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of the VT1 line to be configured to enter the T1 parameters configuration page.


Figure 638 T1 parameters configuration page (I)

Table 256 Configuration items

Item | Description

Physical Parameters Configuration

Working Mode
  Configure the working mode of the T1 interface.
  None: Remove the existing bundle.
  PRI Trunk Signaling: Bundle timeslots on a T1 interface into a PRI group.
  By default, no PRI group is created.

Bound Timeslot Number
  Specify the timeslots to be bundled.

Frame Check Mode
  ESF: Perform extended super frame (ESF).
  SF: Perform super frame (SF).

Line Coding
  B8ZS: The line coding format is bipolar 8 zeros substitution (B8ZS).
  AMI: The line coding format is alternate mark inversion (AMI).

TDM Clock Source
  Internal: Set the internal crystal oscillator TDM clock as the TDM clock source on
  the T1 interface. After that, the T1 interface obtains clock from the crystal oscillator
  on the main board. If it fails to do that, the interface obtains clock from the crystal
  oscillator on its T1 card. Because SIC cards are not available with crystal
  oscillator clocks, T1 interfaces on SIC cards can only obtain clock from the main
  board. The internal clock source is also referred to as master clock mode in some
  features.
  Line: Set the line TDM clock as the TDM clock source on the T1 interface. After
  that, the T1 interface obtains clock from the remote device through the line. The
  line clock source is also referred to as slave clock mode in some features.
  Line primary: Set the T1 interface to preferably use the line TDM clock as the TDM
  clock source. After that, the T1 interface always attempts to use the line TDM clock
  prior to any other clock sources.
  By default, the TDM clock source for a T1 interface is the internal clock.
  When digital voice T1 interfaces perform TDM timeslot interchange, it is important for
  them to achieve clock synchronization to prevent frame slips and bit errors.
  Depending on your configurations on T1 interfaces at the CLI, the system adopts
  different clocking approaches. When there is a subcard VCPM on the main board,
  the clock distribution principle is as follows:
    If the line keyword is specified for all interfaces, the clock on the interface with the
    lowest number is adopted. In case the interface goes down, the clock on the
    interface with the second lowest number is adopted.
    If line primary is specified for interface X and line or internal is specified for other
    interfaces, the clock on interface X is adopted.
    If line is specified for interface X and internal is specified for other interfaces, the
    clock on interface X is adopted.
    Normally, you cannot set the clock source for all interfaces in a system as internal
    to prevent frame slips and bit errors. You can do this however if the remote T1
    interfaces adopt the line clock source.
  When there is no VCPM on the main board, the configuration of each MIM/FIC is
  independent but only one interface can be set as line primary.

Status
  Enable: Enable the T1 interface.
  Disable: Disable the T1 interface.

If you select the PRI Trunk Signaling radio button, the page as shown in Figure 639 appears.


Figure 639 T1 parameters configuration page (II)

ISDN protocol types supported by VT1 are DSS1, ATT, ANSI, ETSI, NTT, QSIG, NI2, and 5ESS. Table
255 describes the ISDN parameters configuration items.

Configuring BSV line


Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of the BSV line to be configured to enter the BSV parameters configuration page.


Figure 640 BSV parameters configuration page

Table 257 Configuration items

Item | Description

ISDN Protocol Type
  Set the ISDN protocol to be run on an ISDN interface, including DSS1, ANSI,
  NI, NTT, and ETSI.
  By default, an ISDN interface runs DSS1.

ISDN Working Mode
  ISDN working mode to be set, which can be network side mode or user side
  mode.
  By default, an ISDN interface operates in user side mode.

ISDN Timeslot Management
  Configure local ISDN B channel management.
  Disable: Local ISDN B channel management is disabled and is in the
  charge of ISDN switch.
  Common management: The device operates in local B channel
  management mode to select available B channels for calls. However, the
  ISDN switch still has a higher priority in B channel selection. If a locally
  selected B channel is different from that selected by the ISDN switch, the
  one indicated by the ISDN switch is used for communication.
  Forced management: The device operates in forced local B channel
  management mode. In this mode, the device indicates in the Channel ID
  information element of a call Setup message that the local B channel is
  mandatory and unchangeable. If the ISDN switch indicates a B channel
  different from the local one, the call will fail.
  By default, the local ISDN B channel management is not enabled but is in the
  charge of ISDN switch.
  It is very important to put appropriate control on the B channels used for calls
  in process, especially in PRI mode. Proper channel management can improve
  call efficiency and reduce call loss. Normally, the centralized B channel
  management provided by exchanges can work well. For this reason, you are
  recommended to adopt the management function provided by exchanges in
  most cases, despite that the ISDN module can provide the channel
  management function as well.

ISDN Timeslot Order
  Set a B channel selection method:
  Ascending order: Select B channels in ascending order.
  Descending order: Select B channels in descending order.
  When operating in B channel local management mode, the device selects B
  channels in ascending order by default.
  When the exchange manages B channels, these options take no effect. If you
  select the Disable radio button in the ISDN Timeslot Management area, these
  options take no effect.

ISDN Overlap-Sending
Max Number of Digits that Can Be Sent Each Time
  Enable: Set the ISDN interface to send the called number in overlap mode.
  In this mode, the digits of each called number will be sent separately and
  the maximum number of the digits sent each time can be set.
  Disable: Set the ISDN interface to send the called number in full-sending
  mode. In this mode, all the digits of each called number will be collected
  and sent at a time.
  By default, the ISDN interface sends the called number in
  full-sending mode.

Progress-to-Alerting Conversion
  Enable: Enable the ISDN interface to convert received Progress messages
  into Alerting messages.
  Disable: Disable the progress-to-alerting conversion function.
  This option takes effect only on messages received on an ISDN interface.

Switch to ACTIVE State Without Receiving a Connect-Ack Message

Enable for outgoing direction: Configure the ISDN protocol to switch to the ACTIVE state after
receiving a Connect message without having to send a Connect-Ack message.

Enable for incoming direction: Configure the ISDN protocol to switch to the ACTIVE state to start
Connect and voice service communications after sending a Connect message without having to wait for
a Connect-Ack message.

Enable for bidirectional directions: Configure the ISDN protocol to switch to the ACTIVE state after
receiving or sending a Connect message without having to wait for or send a Connect-Ack message.

Disable (default): Configure the ISDN protocol not to ignore the Connect-Ack messages, that is, the
ISDN protocol must wait for the Connect-Ack message in response to the Connect message before it
can switch to the ACTIVE state to start data and voice service communications.

By default, in the event that the device is communicating with an ISDN switch:

The ISDN protocol must wait for the Connect-Ack message in response to the Connect message before
it can switch to the ACTIVE state to start data and voice service communications.

After the ISDN protocol receives a Connect message, it needs to send a Connect-Ack message in
response.

IMPORTANT:

In the event that the device is communicating with an ISDN switch, its settings must be the same as
those on the switch.

You are not allowed to configure this drop-down list on an ISDN interface if there is still a call
on it. Configuration of this drop-down list can take effect only if it is configured when there is
no call on the interface. Alternatively, you can manually disable the interface, configure this
drop-down list, and then enable the interface. The operations, however, will lead to the
disconnection of the call existing on the interface.

Carry High Layer Compatibility Information

Enable: Configure ISDN to carry the HLC information element in Setup messages when placing voice
calls.

Disable: Disable ISDN from carrying the HLC information element in the Setup messages when placing
voice calls.

By default, the HLC information element is carried in Setup messages when ISDN places voice calls.

Carry Low Layer Compatibility Information

Enable: Configure ISDN to carry the LLC information element in Setup messages when placing voice
calls.

Disable: Disable ISDN from carrying the LLC information element in the Setup messages when placing
voice calls.

By default, the LLC information element is carried in Setup messages when ISDN places voice calls.

Ignore the Sending-Complete Information Element in Setup Messages

Enable for outgoing direction: Configure the ISDN protocol to send Setup messages without the
Sending-Complete Information Element when placing a call.

Enable for incoming direction: Configure the ISDN protocol to ignore the Sending-Complete
Information Element in Setup messages when receiving a call.

Enable for bidirectional directions: Configure the ISDN protocol to ignore the Sending-Complete
Information Element in Setup messages when receiving a call, and to send Setup messages without the
Sending-Complete Information Element when placing a call.

Disable (default): Configure the ISDN not to ignore the Sending-Complete Information Element in
Setup messages. When data is exchanged between the device and an ISDN switch, for an incoming call,
the device checks the received Setup messages for the Sending-Complete Information Element to
determine whether or not the number is received completely. If a Setup message does contain the
Sending-Complete Information Element, the number is not received completely; for outgoing calls, a
Setup message containing the Sending-Complete Information Element indicates that the number is sent
completely.

Q.921 Permanent Link

Configure the Q.921 permanent link function.

Enable: The BRI interface sets up a data link connection automatically and maintains the connection
even when no calls are received from the network layer. If the two-tei mode is also enabled on the
interface, two such connections will be present.

Disable: Disable the Q.921 permanent link function on the BRI interface.

This parameter is available only when the User Side Mode radio button in the ISDN Working Mode area
is selected.

ISDN two-tei

Enable: Each call on the BRI interface uses a different TEI.

Disable: All calls on all the B channels on the BRI interface use one TEI value.

ISDN Link Mode

Point-to-Multipoint: A BRI interface operating on the network side can have multiple end devices
attached to it.

Point-to-Point: Configure the BRI interface to operate in point-to-point mode.

BSV Permanent Active State at the Physical Layer

Enable: Specify an ISDN BRI interface to be in the permanent active state at the physical layer.

Disable: The BRI interfaces operating on the network side are not in the permanent active state at
the physical layer.

This parameter is available only when the Network Side Mode radio button in the ISDN Working Mode
area is selected.

BSV Remote Powering

Enable: Enable remote powering on an ISDN BRI interface.

Disable: Disable remote powering on an ISDN BRI interface.

This parameter is available only when the Network Side Mode radio button in the ISDN Working Mode
area is selected.

ISDN Sliding Window Size

Set the sliding window size on an ISDN BRI interface.

ISDN T302 Timer Duration

Configure the duration of the ISDN protocol Layer 3 timer T302.

ISDN Call Reference Length

Set length of the call reference used when a call is placed on an ISDN interface.
The call reference is equal to the sequence number that the protocol assigns to each call. It is one
or two bytes in length and can be used cyclically.
When the device receives a call from a remote device, it can automatically identify the length of
the call reference. However, some devices on the network do not have this capability. In the event
that the device is required to place calls to such a device connected to it, you must configure the
device to use the same call reference length configured on the connected device.

Status

Enable: Enable the BSV interface.

Disable: Disable the BSV interface.

Displaying ISDN link state


Select Voice Management > Digital Link Management from the navigation tree, and then click the name
of the target digital link (taking a VE1 digital link as an example) to enter the page displaying the link
state as shown in Figure 641.
Figure 641 Displaying ISDN link state

E1 and T1 voice configuration example


Configuring E1 voice DSS1 signaling
Network requirements
As shown in Figure 642, telephones in City A and City B communicate with each other through Router
A and Router B over an IP network.

Router A is connected to a PBX through an E1 voice subscriber line, and to the telephone at
0101003 through an FXS voice subscriber line.

Router B is connected only to a PBX through an E1 voice subscriber line.

The two routers communicate with their respective PBX by exchanging DSS1 user signaling through an
ISDN interface. The one-stage dialing mode is configured on the two routers.
Figure 642 Network diagram for using DSS1 signaling on E1 interfaces
Router A: Eth2/1 1.1.1.1/24 toward the WAN; FXS line 3/0 to telephone 010-1003; line 1/1:15 (E1) to
a PBX serving 010-1001 and 010-1002.
Router B: Eth2/1 2.2.2.2/24 toward the WAN; line 1/1:15 (E1) to a PBX serving 0755-2001 and
0755-2002.

Configuration procedure
1. Configure Router A.

# Configure an ISDN PRI group.


Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of E1 1/1 to enter the E1 parameters configuration page.
Figure 643 E1 parameters configuration page

Select the PRI Trunk Signaling radio button. For other options, use the default settings.

Click Apply.

# Configure local numbers and call routes.

Configure a local number in the local number configuration page: The number ID is 1003, the
number is 0101003, and the bound line is 3/0.

Configure a call route in the call route configuration page: The call route ID is 1001, the destination
number is 0101001, and the trunk route line is 1/1:15. In addition, select the Send All Digits of a
Called Number radio button in the Called Number Sending Mode area when you configure the
advanced settings of this call route.

Configure a call route in the call route configuration page: The call route ID is 1002, the destination
number is 0101002, and the trunk route line is 1/1:15. In addition, select the Send All Digits of a
Called Number radio button in the Called Number Sending Mode area when you configure the
advanced settings of this call route.

Configure a call route in the call route configuration page: The call route ID is 0755, the destination
number is 0755...., the call route type is SIP, the SIP routing type is IP routing, and the
destination address is 2.2.2.2.

2. Configure Router B.

# Configure an ISDN PRI group.


Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of E1 1/1 to enter the E1 parameters configuration page.
Figure 644 E1 parameters configuration page

Select the PRI Trunk Signaling radio button. For other options, use the default settings.

Click Apply.

# Configure call routes.

Configure a call route in the call route configuration page: The call route ID is 2001, the destination
number is 07552001, and the trunk route line is 1/1:15. In addition, select the Send All Digits of a
Called Number radio button in the Called Number Sending Mode area when you configure the
advanced settings of this call route.

Configure a call route in the call route configuration page: The call route ID is 2002, the destination
number is 07552002, and the trunk route line is 1/1:15. In addition, select the Send All Digits of a
Called Number radio button in the Called Number Sending Mode area when you configure the
advanced settings of this call route.

Configure a call route in the call route configuration page: The call route ID is 010, the destination
number is 010...., the call route type is SIP, the SIP routing mode is IP routing, and the destination
address is 1.1.1.1.

Configuration verification

Telephones in City A and City B can communicate with each other.

Select Voice Management > Statistics > Call Statistics from the navigation tree to enter the Active
Call Summary page, and you can view the statistics of active calls.

Select Voice Management > Digital Link Management from the navigation tree, and then click the
name of the target digital link line 1/1:15 to enter the page displaying the link state.


Line management
Line management overview
FXS voice subscriber line
A foreign exchange station (FXS) interface uses a standard RJ-11 connector and a telephone cable to
directly connect with an ordinary telephone or a fax machine. An FXS interface accomplishes signaling
exchange based on the level changes on the Tip/Ring line and provides ring, voltage, and dial tone.

FXO voice subscriber line


A foreign exchange office (FXO) interface uses an RJ-11 connector and a telephone cable to connect local
calls to a public switched telephone network (PSTN) or PBX. Like an FXS interface, an FXO interface
accomplishes signaling exchange based on the level changes on the Tip/Ring line. An FXO interface
can be connected only to an FXS interface.

E&M subscriber line


E&M introduction
An ear & mouth or receive & transmit (E&M) interface uses an RJ-48 telephone cable to connect a PBX. The
PBX sends signals on the M (M represents mouth) line and receives signals on the E (E represents ear) line.
The voice router receives M signals from the PBX and sends E signals to the PBX. An E&M interface can
only be connected to another E&M interface.
When E&M is applied in voice communication, two or four voice wires can be used. Besides, there are
two or four signaling wires. Therefore, 4-wire analog E&M actually has six wires at least. The 2-wire
mode provides full duplex voice transmission and voice is transmitted in two directions on the two wires.
The 4-wire mode is equivalent to the simplex mode and every two wires are responsible for the voice
transmission in one direction.

E&M start mode


An E&M interface supports E&M signaling and divides each voice connection into trunk circuit side and
signaling unit side (similar to DCE and DTE).
An E&M interface provides on-hook/off-hook signals and minimizes the interference. Because an E&M
interface does not provide any dial tone, one of the following three signaling technologies is used to start
dialing:

Immediate start: In this mode, the caller picks up the phone, and some time later, the dialed number
is sent to the called side. During this period, whether the called side has been ready for receiving
the called number is not checked. After the called information is received, the callee can pick up the
phone to answer the call.

Figure 645 Immediate start mode


Delay start. In this mode, the caller first picks up the phone to seize the trunk line, and the called side
(such as the peer PBX) also enters the off-hook state in response to the off-hook action of the caller.
The called side (PBX) will be in the off-hook state until it is ready for receiving the address
information. After it is ready, it will enter the on-hook state and this interval is the so-called dial
delay. The calling side sends the address information, and the called side (PBX) connects the call to
the callee. Thus, the two parties can begin the communication.

Figure 646 Delay start mode

Wink start. In this mode, the caller first picks up the phone to seize the trunk line, and the called side
(such as the peer PBX) is in the on-hook state until receiving a connection signal from the calling side.
Then, the called side will send a wink signal to make an acknowledgement and enter the ready
state. Upon receiving the wink signal, the calling side begins to send the address information and
the called side connects the call to the callee. Thus, the two parties can begin the communication.

Figure 647 Wink start mode

One-to-one binding between FXS and FXO voice subscriber lines

The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines enhances the
reliability of voice solutions. For industry-specific users, highly reliable communication over FXS voice
subscriber lines is required. That is, dedicated FXO voice subscriber lines can be used for communication
over PSTN when the IP network is unavailable. The one-to-one binding between FXS voice subscriber
lines and FXO voice subscriber lines can meet this requirement.
The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines provides the
following functions:

Dedicated FXO voice subscriber lines: The dedicated FXO voice subscriber lines can be used only
for the bound FXS voice subscriber lines and PSTN-originated calls received over dedicated FXO
voice subscriber lines are directly connected to the bound FXS voice subscriber lines.

Consistent state between bound FXS and FXO voice subscriber lines: The on-hook/off-hook state of
the bound FXS and FXO voice subscriber lines is consistent. If an FXO subscriber line receives a
PSTN-originated call when the corresponding FXS voice subscriber line goes off-hook, the calling
party will hear busy tones.

Echo adjustment function


Echo occurs when a user hears his own voice in the telephone receiver while he is talking. This is because
analog signals leak into the receiving path of the user. The echo adjustment function provided by the VoIP
gateway can cancel echoes to some extent.
You can cancel echoes in three ways: adjust echo duration, adjust echo cancellation parameters, and
enable the nonlinearity function of echo cancellation.

Adjusting echo duration


Table 258 Adjust echo duration
Symptom: A user hears his own voice in conversation.

Reason: The echo duration is so long that the convergence time of echo cancellation on the network
becomes longer.
Adjustment method: Shorten echo duration

Reason: The echo duration is so short that long-duration echoes are not completely cancelled.
Adjustment method: Prolong echo duration

Adjusting echo cancellation parameters


Table 259 Adjust echo cancellation parameters
Symptom: A user hears his own voice or loud background noises from the peer when speaking.
Parameters adjusted: Speed up the convergence of comfortable noise amplitudes
Effect: Too fast convergence may make noises uncomfortable.

Symptom: There are loud environment noises.
Parameters adjusted: Increase the maximum amplitude of comfortable noises.
Effect: Too large amplitude may make noises uncomfortable.

Symptom: A user hears his voice when speaking.
Parameters adjusted: Enlarge the control factor of mixed proportion of noises.
Effect: Too high a control factor leads to audio discontinuity.

Symptom: There are echoes when both parties speak at the same time.
Parameters adjusted: Enlarge the judgment threshold for bidirectional conversation.
Effect: Too high a judgment threshold slows down the convergence of the filter factor.

Enabling the nonlinear function of echo cancellation


The nonlinear function of echo cancellation, also known as residual echo suppression, means the
removal of residual echoes after echo cancellation when the user at the local end does not speak.

Line management configuration


Select Voice Management > Line Management from the navigation tree to enter the line list page, as
shown in Figure 648.
Figure 648 Line list page

Configuring an FXS voice subscriber line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the
FXS line to be configured to enter the FXS line configuration page, as shown in Figure 649.

Figure 649 FXS line configuration page

Table 260 Configuration items


Item

Description

Basic Configurations

Description

Description of the FXS line

Max Interval for Dialing the Next Digit

Maximum interval for the user to dial the next digit
This timer will restart each time the user dials a digit and will work in this way until all the
digits of the number are dialed. If the timer expires before the dialing is completed, the user will
be prompted to hook up and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit

Maximum interval in seconds between off-hook and dialing the first digit
Upon the expiration of the timer, the user will be prompted to hook up and the call is terminated.

Max Duration of Playing Ringback Tones

Maximum duration in seconds of playing ringback tones.

Status

Enable
Disable

Advanced Settings

Dial Delay Time

Dial delay in seconds

Lower Limit for Hookflash Detection
Upper Limit for Hookflash Detection

The time range for the duration of an on-hook condition that will be detected as a hookflash. That
is, an on-hook condition that lasts for a period within the hookflash duration range (namely, the
period is longer than the lower limit and shorter than the upper limit) is considered a hookflash.

Input Gain on the Voice Interface

When the voice signals on the line attenuate to a relatively great extent, increase the voice input
gain value.

Output Gain on the Voice Interface

When a relatively small voice signal power is needed on the output line, increase the voice output
gain value.

IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If
necessary, do it with the guidance of technical personnel.

Electrical Impedance

Each country corresponds to an impedance value. Thus, you can specify an impedance value by
specifying a country. By default, the electrical impedance on the FXO or FXS voice subscriber line
is the impedance value corresponding to China.

Packet Loss Compensation Mode

You can specify either of the following packet loss compensation algorithms:

Specific algorithm of the device

Universal frame erasure algorithm

Comfortable Noise Function

You can use this function to generate some comfortable background noise to replace the toneless
intervals during a conversation. If no comfortable noise is generated, the toneless intervals will
make both parties in conversation feel uncomfortable.

Enable
Disable
By default, the comfortable noise function is enabled.

Echo Cancellation Function

Enable
Disable

Echo Duration

After enabling this function, you can set the echo duration, that is, the time that elapses from
when a user speaks to when he hears the echo.

Nonlinear Function of Echo Cancellation

Enable
Disable

DTMF Detection Sensitivity Level

Set the DTMF detection sensitivity level.

Low: In this mode, the reliability is high, but DTMF tones may fail to be detected.

Medium: In this mode, the reliability is medium. If you select this option, you can specify the
Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher
the probability of false detection. Support for this option varies with installed cards.

High: In this mode, the reliability is low and detection errors may occur.

Configuring an FXO voice subscriber line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the
FXO line to be configured to enter the FXO line configuration page, as shown in Figure 650.
Figure 650 FXO line configuration page

Table 261 Configuration items


Item

Description

Basic Configurations
Description

Description of the FXO line

Max Interval for Dialing the Next Digit

Maximum interval for the user to dial the next digit
This timer will restart each time the user dials a digit and will work in this way until all the
digits of the number are dialed. If the timer expires before the dialing is completed, the user will
be prompted to hook up and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit

Maximum interval in seconds between off-hook and dialing the first digit
Upon the expiration of the timer, the user will be prompted to hook up and the call is terminated.

Max Duration of Playing Ringback Tones

Maximum duration in seconds of playing ringback tones.

Status

Enable
Disable

Advanced Settings

Off-hook Mode

Delay off-hook: In this mode, you need to configure a dedicated line number, which the system uses
to connect the call to the callee automatically. The communication can be performed over the FXO
subscriber line only after the callee picks up the telephone.

Immediate off-hook: In this mode, when a call arrives, the FXO interface goes off-hook immediately
and then the caller performs the second stage dialing.

Binding FXS Line

Bind an FXS voice subscriber line to the FXO voice subscriber line. This drop-down list is available
only when you select the Delay Off-hook radio button in the Off-hook Mode area.
To keep the consistent off-hook/on-hook state between the bound FXS and FXO lines, the specified FXS
line must be the one to which the dedicated line number points. In addition, only the bound FXS line
is allowed to originate calls to the FXO line by restricting incoming calls.

Ring Mode

Delay Ring
Immediate Ring
You can select the Delay Ring option to quicken ringing synchronization between the FXO voice
subscriber line and its bound FXS voice subscriber line. However, for the telephone supporting
calling identification display, the calling number will be displayed after the second ringing tone.

Duration before a Forced On-hook

In some countries, PBXs do not play busy tones, or the busy tones played by them only last for a
short period of time. When noise is present on a transmission link, the configuration of silence
threshold and silence duration for automatic on-hook cannot solve the problem that the resource of
the FXO interface cannot be released. In this case, you can specify the duration before a forced
on-hook to solve the problem.
No duration is configured by default.
IMPORTANT:
Once the duration before a forced on-hook is configured, the call will be automatically
disconnected when the duration expires, even if the call is currently going on.

Dial Delay Time

Configure the dial delay time.
By default, the dial delay is 1 second.

VAD Threshold

Set the silence threshold.
If the amplitude of voice signals from the switch is smaller than this value, the system regards the
voice signals as silence. Normally, the signal amplitude on the links without traffic is in the
range of 2 to 5.
By default, the silence threshold is 20.

On-hook Duration for VAD

Set the silence duration for automatic on-hook.
Upon expiration of this duration, the system performs on-hook automatically.
By default, the silence duration for automatic on-hook is 7,200 seconds (namely, 2 hours).

Note on VAD Threshold and On-hook Duration for VAD:
Silence detection-based automatic on-hook prevents the case that the resource of the FXO interface
cannot be released owing to busy tone detection failure when the busy tone parameters provided by
the connected PBX are special. When the signal values of two successive sampling points are less
than the silence detection threshold, the system considers that the line goes into the silent state.
If the line stays in the silent state longer than the silence duration for automatic on-hook, the
system will automatically disconnect the call.

Interval between On-hook and Off-hook

Configure the interval between on-hook and off-hook.
By default, the interval between on-hook and off-hook is 500 milliseconds.
In the delay off-hook mode, the on-hook/off-hook state of FXS and FXO lines is consistent. When an
FXS line goes off-hook, the FXO line to which the FXS line is bound goes off-hook, too. When the FXS
line in the off-hook state needs to connect the FXO line to originate a call over PSTN, the FXO line
must first perform an on-hook operation, and then perform an off-hook operation to send the called
number. This task is to set the interval between the on-hook and off-hook operations.

Input Gain on the Voice Interface

When the voice signals on the line attenuate to a relatively great extent, increase the input gain
value.

Output gain on the Voice Interface

When a relatively small voice signal power is needed on the output line, increase the voice output
gain value.

IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If
necessary, do it with the guidance of technical personnel.

Time for CID Check

Configure the time for CID check.

Number of Rings after CID Check to Off-hook

Set the number of rings after CID check to off-hook. The greater the value, the later the FXO line
goes off-hook.

Note on Time for CID Check and Number of Rings after CID Check to Off-hook:
By default, CID check is performed between the first and the second rings, and the FXO line goes
off-hook as soon as the check completes.

Electrical Impedance

Each country corresponds to an impedance value. Thus, you can specify an impedance value by
specifying a country. By default, the electrical impedance on the FXO or FXS voice subscriber line
is the impedance value corresponding to China.

Packet Loss Compensation Mode

You can specify either of the following packet loss compensation algorithms:

Specific algorithm of the device

Universal frame erasure algorithm

Comfortable Noise Function

You can use this function to generate some comfortable background noise to replace the toneless
intervals during a conversation. If no comfortable noise is generated, the toneless intervals will
make both parties in conversation feel uncomfortable.

Enable
Disable
By default, the comfortable noise function is enabled.

Busy Tone Sending

Enable
Disable

Duration of Busy Tone

With the busy-tone sending function enabled, you can set the duration of busy tones.

Echo Cancellation Function

Enable
Disable

Echo Duration

After enabling this function, you can set the echo duration, that is, the time that elapses from
when a user speaks to when he hears the echo.

Nonlinear Function of Echo Cancellation

Enable
Disable

DTMF Detection Sensitivity Level

Set the DTMF detection sensitivity level.

Low: In this mode, the reliability is high, but DTMF tones may fail to be detected.

Medium: In this mode, the reliability is medium. If you select this option, you can specify the
Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher
the probability of false detection. Support for this option varies with installed cards.

High: In this mode, the reliability is low and detection errors may occur.
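
The FXO release rules in Table 261 (VAD Threshold, On-hook Duration for VAD, Duration before a Forced On-hook) can be modelled to see why a noisy link keeps an FXO port seized and what the forced on-hook timer costs. This is an added Python example, not H3C code: the function and class names, the one-sample-per-second period, the choice to count silence from the first of the two quiet samples, and the amplitude traces are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class FxoReleasePolicy:
    """Hypothetical container for the three settings described in Table 261."""
    vad_threshold: int = 20                  # page default silence threshold
    silence_onhook_s: float = 7200.0         # page default: 7,200 seconds
    forced_onhook_s: Optional[float] = None  # page default: no duration configured


def release_decision(samples: Iterable[int], policy: FxoReleasePolicy,
                     sample_period_s: float = 1.0
                     ) -> Tuple[Optional[str], Optional[float]]:
    """Return (reason, time_s) for the first automatic on-hook, or (None, None).

    reason is "silence" (silence-detection on-hook) or "forced" (forced on-hook).
    Assumptions: samples are amplitude values in the same unit as the threshold,
    and one sample at or above the threshold ends the silent state.
    """
    silent_since: Optional[float] = None
    prev_quiet = False
    prev_t = 0.0
    for i, amplitude in enumerate(samples):
        t = i * sample_period_s

        # Forced on-hook fires on elapsed call time alone, even mid-conversation.
        if policy.forced_onhook_s is not None and t >= policy.forced_onhook_s:
            return "forced", t

        quiet = amplitude < policy.vad_threshold
        if not quiet:
            silent_since = None            # line left the silent state
        elif prev_quiet and silent_since is None:
            silent_since = prev_t          # two successive quiet samples seen

        # The line must stay silent LONGER than the configured duration.
        if silent_since is not None and t - silent_since > policy.silence_onhook_s:
            return "silence", t

        prev_quiet, prev_t = quiet, t
    return None, None


# Constructed traces (one amplitude value per second, not captured data).
# 10 s of speech, then an idle line at the 2-5 level the table calls normal.
CLEAN_TRACE = [60] * 10 + [2, 3, 5, 4] * 5
# 10 s of speech, then the far end hangs up but link noise sits above 20.
NOISY_TRACE = [60] * 10 + [25] * 30
# A conversation that is still going on after 40 s.
ACTIVE_TRACE = [60] * 40

# Short durations so the traces stay small; the page default is 7,200 s.
SILENCE_ONLY = FxoReleasePolicy(silence_onhook_s=5)
WITH_FORCED = FxoReleasePolicy(silence_onhook_s=5, forced_onhook_s=30)
RAISED_THRESHOLD = FxoReleasePolicy(vad_threshold=30, silence_onhook_s=5)


if __name__ == "__main__":
    cases = [
        ("clean link, silence only", CLEAN_TRACE, SILENCE_ONLY),
        ("noisy link, silence only", NOISY_TRACE, SILENCE_ONLY),
        ("noisy link, forced on-hook", NOISY_TRACE, WITH_FORCED),
        ("noisy link, threshold raised", NOISY_TRACE, RAISED_THRESHOLD),
        ("active call, forced on-hook", ACTIVE_TRACE, WITH_FORCED),
    ]
    for label, trace, policy in cases:
        print(f"{label:32s} -> {release_decision(trace, policy)}")
```

On the noisy trace the silence rule never fires, so the port stays seized until the trace ends; the forced timer frees it, but the same timer also cuts the active call.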

Configuring an E&M subscriber line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the
E&M line to be configured to enter the E&M line configuration page, as shown in Figure 651.

Figure 651 E&M line configuration page

Table 262 Configuration items


Item

Description

Basic Configurations
Description

Description of the E&M line


Cable Type

Select the E&M interface cable type: 4-wire or 2-wire.
By default, the cable type is 4-wire.
When configuring the cable type, make sure that the cable type is the same as that of the peer
device; otherwise, only unidirectional voice service is available.
The configuration will be applied to all E&M interfaces of the card.

Signal Type

Types 1, 2, 3, and 5 are the four signal types (that is, types I, II, III, and V) of the analog E&M
subscriber line.
When configuring the signal type, make sure that the signal type is the same as that of the peer
device.
The configuration will be applied to all analog E&M lines in the corresponding slot.

Max Interval for Dialing the Next Digit

Maximum interval for the user to dial the next digit
This timer will restart each time the user dials a digit and will work in this way until all the
digits of the number are dialed. If the timer expires before the dialing is completed, the user will
be prompted to hook up and the call is terminated.

Max Duration the System Waits for the First Digit

Maximum duration for the system to wait for the first digit of a number

Max Duration of Playing Ringback Tones

Maximum duration in seconds of playing ringback tones.

Status

Enable
Disable

Advanced Settings

Start Mode: Immediate Start

Delay Time before the Calling Party Sends DTMF Signals in Immediate Start Mode

Delay time before the calling party sends DTMF signals in the immediate start mode

Start Mode: Delay Start

Delay Signal Duration in Delay Start Mode

Delay signal duration in the delay start mode

Delay Time before the Called Party Sends a Delay Signal in Delay Start Mode

Delay time from when the called party detects a seizure signal to when it sends a delay signal in
the delay start mode

Start Mode: Wink Start

Delay Time before the Called Party Sends a Wink Signal in Wink Start Mode

Delay time from when the called party receives a seizure signal to when it sends a wink signal in
the wink start mode

Duration of a Wink Signal Send by the Called Party in Wink Start Mode

Time duration the called party sends wink signals in the wink start mode

680

Item

Description
Max Time the
Calling Party
Waits for a Wink
Signal in Wink
Start Mode

Input Gain on the Voice Interface

Output Gain on the Voice Interface

SLIC Chip Output Gain

The maximum amount of time the calling party waits for a wink
signal after sending a seizure signal in the wink start mode

When the voice signals on the


line attenuate to a relatively
great extent, increase the voice
input gain value.
When a relatively small voice
signal power is needed on the
output line, increase the voice
output gain value.

IMPORTANT:
Gain adjustment may lead to a
call failure. H3C recommends
that you do not adjust the gain. If
necessary, do it with the
guidance of technical personnel.

Configure the output gain of the SLIC chip. The bottom layer tunes
the signal gain through the SLIC chip.
By default, the output gain of the SLIC chip is 0.8 dB.

Comfortable Noise Function

You can use this function to generate some comfortable background


noise to replace the toneless intervals during a conversation. If no
comfortable noise is generated, the toneless intervals will make both
parties in conversation feel uncomfortable.

Enable
Disable
By default, the comfortable noise function is enabled.

Echo Cancellation Function

Enable
Disable

Echo Duration

After enabling this function, you can set the echo duration, that is, the
time that elapses from when a user speaks to when he hears the
echo.

Nonlinear Function of Echo


Cancellation

Enable
Disable

Configuring an ISDN line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the ISDN line to be configured to enter the ISDN line configuration page, as shown in Figure 652.
NOTE:
ISDN lines include BSV interfaces (for information about the BSV interface, see the chapter "Data link management") and ISDN lines generated by binding timeslots of digital E1 interfaces or T1 interfaces into PRI sets. For the latter, before configuring the ISDN line, you need to perform the following configuration: select Voice Management > Line Management from the navigation tree, click the icon of the line to be configured to enter the corresponding parameters configuration page, and in the Working Mode area, select the PRI Trunk Signaling radio button to create the ISDN line.


Figure 652 ISDN line configuration page

Table 263 Configuration items

| Item | Description |
| --- | --- |
| Description | Description of the ISDN line |
| Comfortable Noise Function | You can use this function to generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable. Enable / Disable. By default, the comfortable noise function is enabled. |
| Echo Cancellation Function | Enable / Disable |
| Echo Duration | After enabling this function, you can set the echo duration, that is, the time that elapses from when a user speaks to when he hears the echo. |
| Nonlinear Function of Echo Cancellation | Enable / Disable |
| Input Gain on the Voice Interface | When the voice signals on the line attenuate to a relatively great extent, increase the input gain value. IMPORTANT: Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel. |
| Output Gain on the Voice Interface | When a relatively small voice signal power is needed on the output line, increase the voice output gain value. IMPORTANT: Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel. |
| Companding Law | Configure a companding law used for quantizing signals. A-law, used in China, Europe, Africa, and South America. μ-law, used in USA. IMPORTANT: A BRI interface does not support this configuration item. |
| DTMF Detection Sensitivity Level | Set the DTMF detection sensitivity level. Low: In this mode, the reliability is high, but DTMF tones may fail to be detected. High: In this mode, the reliability is low and detection errors may occur. |
| Status | Enable / Disable |

Configuring a paging line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the paging line to be configured to enter the audio interface configuration page, as shown in Figure 653.
Figure 653 Configure SIC-audio page interface

Table 264 Configuration items

| Item | Description |
| --- | --- |
| Line Description | Description of the paging line |
| Voice Interface Output Gain | When a relatively small voice signal power is needed on the output line, increase the voice output gain value. IMPORTANT: Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel. |
| Silent Mode | Enable / Disable. By default, the silent mode is disabled. IMPORTANT: If the silent mode is enabled on an audio interface, the interface cannot transmit data. |
| Voice Output Gain | Set the value of the audio input gain, in the range of -24.0 to 12.0 with a step of 1. When a relatively small voice signal power is needed on the output line, increase the voice output gain value. IMPORTANT: Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel. |

Configuring an MoH line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the paging line to be configured to enter the music on hold (MoH) interface configuration page, as shown in Figure 654.
Figure 654 Configure SIC-audio MoH interface

Table 265 Configuration items

| Item | Description |
| --- | --- |
| Line Description | Description of the MoH line |
| Voice Interface Output Gain | When a relatively small voice signal power is needed on the output line, increase the voice output gain value. IMPORTANT: Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel. |
| Silent Mode | Enable / Disable. By default, the silent mode is disabled. IMPORTANT: If the silent mode is enabled on an audio interface, the interface cannot transmit data. |
| Voice Output Gain | Set the value of the audio input gain, in the range of -19.5 to 41.5 with a step of 2. When a relatively small voice signal power is needed on the output line, increase the voice output gain value. IMPORTANT: Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel. |

Line management configuration examples


Configuring an FXO voice subscriber line
Network requirements
As shown in Figure 655, the FXO voice subscriber line connected to Router B works in the private-line
auto ring-down (PLAR) mode, and the default remote phone number is 010-1001.
Dialing the number 0755-2003 on phone 0755-2001 connects to Router B. Since Router B works in the
private-line mode (that is, the hotline mode), it requests connection to the preset remote number 010-1001
at Router A.

Figure 655 Network diagram for FXO

Configuration procedure
1. Configure Router A

# Create a call route and local number.

Configure a call route in the call route configuration page: The call route ID is 10000, the
destination number is 0755...., and the destination address is 2.2.2.2.

Create a local number in the local number configuration page: The number ID is 1001, the number
is 0101001, and the bound line is 1/0.

2. Configure Router B

# Create call routes.

Create a call route in the call route configuration page: The call route ID is 10000, the destination
number is 010.., and the destination address is 1.1.1.1.

Create a call route in the call route configuration page: The call route ID is 10001, the destination
number is 07552001, the call route type is Trunk, and the trunk route line is 1/0. In addition, select
the Send All Digits of a Called Number radio button in the Called Number Sending Mode area
when you configure the advanced settings of this call route.

# Configure the hotline number


Select Voice Management > Call Route from the navigation tree, and then click the icon of call route 10001 to enter the call services configuration page.

Figure 656 Hotline number configuration page

Type 0101001 in the Hotline Numbers text box.

Click Apply.

Configuration verification
If you dial the number 0755-2003 on phone 0755-2001, a connection is established to number 010-1001
at Router A.

Configuring one-to-one binding between FXS and FXO


Network requirements

Router A and Router B are connected over an IP network and a PSTN. Telephone A attached to
Router A can make calls to Telephone B attached to Router B over the IP network or the PSTN.

Usually, Telephone A makes calls to Telephone B over the IP network. In the case that the IP network
is unavailable, Router A sends calls from Telephone A through the bound FXO interface to
Telephone B over PSTN.

Figure 657 Network diagram for one-to-one binding between FXS and FXO


Configuration considerations

Configure one-to-one binding between FXS and FXO voice subscriber lines.

When the IP network is available, the VoIP entity is preferably used to make calls over the IP
network.

When the IP network is unavailable, the POTS entity is used to make calls through the bound FXO
voice subscriber line over the PSTN.

Configuration procedure
NOTE:
Router A and Router B are routable to each other.
The configuration of interface IP addresses is omitted.
1. Configure Router A

# Configure a local number and two call routes.

Configure a call route in the call route configuration page: The call route ID is 10000, the
destination number is 210., and the destination address is 192.168.0.76.

Configure a local number in the local number configuration page: The number ID is 0101001, the
number is 0101001, and the bound line is 3/0.

Configure the backup call route 10001 for the FXO line in the call route configuration page: The
destination address is .T, call route type is Trunk, and the trunk route line is 4/0. In addition, select
the Send All Digits of a Called Number radio button in the Called Number Sending Mode area
when you configure the advanced settings of this call route.

# Configure call authority control.


Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click
Add to enter the permitted call number group configuration page.


Figure 658 Permitted call number group configuration page

Type 1 in the Group ID text box.

Type 0101001 in the Numbers in the Group text box and click Add.

Click Apply.

Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click
Not Bound to enter the call route binding page of permitted call number group 1.
Figure 659 Call route binding page

Select the Permit the calls from the number group radio button.

Select call route 10001.

Click Apply.

# Configure the hotline number.


Select Voice Management > Call Route from the navigation tree, and then click the icon of call route 10001 to enter the call services configuration page.

Figure 660 Hotline number configuration page

Type 0101001 in the Hotline Numbers text box.

Click Apply.

# Configure the delay off-hook binding for the FXO line.


Select Voice Management > Line Management from the navigation tree, and then click the icon of FXO line 4/0 to enter the FXO line configuration page.
Figure 661 FXO line delay off-hook binding configuration page

Select the Delay Off-hook radio button.

Select subscriber-line 3/0 from the Binding FXS Line drop-down list.

Click Apply.

# Configure the system to first select VoIP entity.

Select Voice Management > Dial Plan > Number Match from the navigation tree to enter the number match configuration page.
Figure 662 Entity type selection sequence configuration page

Select Enable in the Select Based on Voice Entity Type area.

Configure the order of the voice entities in the Selection Sequence box: the first is VoIP, the second
is POTS, the third is VoFR, and the last is IVR.

Click Apply.

2. Configure Router B

# Configure a local number and two call routes.

Configure a call route in the call route configuration page: The call route ID is 10000, the
destination number is 010., and the destination address is 192.168.0.71.

Configure a local number in the local number configuration page: The number ID is 2101002, the
number is 2101002, and the bound line is 3/0.

Configure the backup call route 10001 for the FXO line in the call route configuration page: The
destination address is .T, call route type is Trunk, and the trunk route line is 4/0. In addition, select
the Send All Digits of a Called Number radio button in the Called Number Sending Mode area
when you configure the advanced settings of this call route.

# Configure call authority control.


Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click
Add to enter the permitted call number group configuration page.


Figure 663 Permitted call number group configuration page

Type 1 in the Group ID text box.

Type 2101002 in the Numbers in the Group text box and click Add.

Click Apply.

Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click
Not Bound to enter the call route binding page of permitted call number group 1.
Figure 664 Call route binding page

Select the Permit the calls from the number group radio button.

Select call route 10001.

Click Apply.

# Configure the hotline number.


Select Voice Management > Call Route from the navigation tree, and then click the icon of call route 10001 to enter the call services configuration page.

Figure 665 Hotline number configuration page

Type 2101002 in the Hotline Numbers text box.

Click Apply.

# Configure the delay off-hook binding for the FXO line.


Select Voice Management > Line Management from the navigation tree, and then click the icon of the FXO line 4/0 to enter the FXO line configuration page.

Figure 666 FXO line delay off-hook binding configuration page

Select the Delay Off-hook radio button.

Select subscriber-line 3/0 from the Binding FXS Line drop-down list.

Click Apply.

# Configure the system to first select VoIP entity.


Select Voice Management > Dial Plan > Number Match from the navigation tree to enter the number
match configuration page.

Figure 667 Entity type selection sequence configuration page

Select Enable in the Select Based on Voice Entity Type area.

Configure the order of the voice entities in the Selection Sequence box: the first is VoIP, the second
is POTS, the third is VoFR, and the last is IVR.

Click Apply.

Configuration verification
In the case that the IP network is unavailable, calls can be made over PSTN.


SIP local survival


Introduction
IP phones have been deployed throughout the headquarters and branches of many enterprises and
organizations. Typically, a voice server is deployed at the headquarters to control calls originated by IP
phones at branches.
The local survival feature enables the voice router at a branch to automatically detect the reachability of
the headquarters voice server, and process calls originated by attached IP phones when the headquarters
voice server is unreachable. The headquarters voice server will take over call services from the branch
voice router when the failure is removed.
Figure 668 shows a typical network diagram for the local survival feature.
Figure 668 Network diagram for the local survival feature

The following describes the local survival feature in detail:


1. When the WAN link from a branch to the headquarters is normal, all IP phones at the branch are
registered with the headquarters voice server and the headquarters voice server processes calls
originated by branch IP phones.

2. When the WAN link to the headquarters or the primary server fails:

   - The branch voice router can accept registrations from its attached IP phones.

   - The branch voice router ensures the normal call services between its IP phones, between its IP
     phones and FXS interfaces, and between its FXS interfaces.

   - IP phone users at the branch can place or receive PSTN calls through FXS interfaces on the voice
     router.

3. When the WAN link or the primary server recovers, the branch voice router rejects registrations
from IP phones and the headquarters voice server takes over call processing.

Configuring SIP local survival


Service configuration
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to enter
the page as shown in Figure 669.
Figure 669 Configure service

Table 266 Configuration items

| Item | Description |
| --- | --- |
| Server Running State | Enable: Enables the local SIP server. Disable: Disables the local SIP server. By default, the local SIP server is disabled. |
| IP Address Bound to the Server | Type the IP address of the local server, which can be a local interface's IP address, or a loopback address such as 127.0.0.1. The IP address of a local interface is recommended because a loopback address cannot accept registrations from remote users. When the local SIP server is enabled, the IP address of the local server must be provided. |
| Port Bound to the Server | Type the port number of the local SIP server |
| Registration Aging Time of the Client | Type the maximum registration interval of clients |
| Server Operation Mode | Alone: The local SIP server in alone mode acts as a small voice server. Alive: The local SIP server in alive mode supports the local survival feature. That is, when the communication with the remote server fails, the local SIP server accepts registrations and calls; when the communication resumes, the remote server accepts registrations and calls again and the local SIP server rejects registrations and calls. In the alive mode, Options messages will periodically be sent to the remote server. By default, the local SIP server operates in alone mode. |
| Remote Server IP address | Type the IP address of the remote SIP server. When the alive mode is selected, the IP address of the remote SIP server must be provided. |
| Remote Server Port | Type the port number of the remote SIP server |
| Interval for Sending Probe Packets | Interval for sending Options messages to the remote SIP server. |

User management
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click
Add to enter the page as shown in Figure 670.
Figure 670 Configure user

Table 267 Configuration items

| Item | Description |
| --- | --- |
| User ID | Type the ID of a user to be registered |
| Telephone Number | Type the telephone number of the user |
| Authentication Username | Type the name of the user for authentication |
| Authentication Password | Type the password of the user for authentication |
| Registration Aging Time | Type the maximum registration interval of the user. By default, the maximum registration interval of clients set in Service configuration is used. |

Trusted nodes
Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to enter the
page as shown in Figure 671.
Figure 671 Configure a trusted node

Table 268 Configuration items

| Item | Description |
| --- | --- |
| IP address | Type the IP address of the trusted node. |
| Port | Type the port number of the trusted node |

Remarks for both items:

By default, no trusted node is configured.
A trusted node can directly originate calls without being authenticated by the local SIP server. You do not need to configure user information for the number of the trusted node.
Up to eight trusted nodes can be configured. Whether a trusted node is reachable is determined by its IP address rather than its port number.

Call-out route
The local SIP server uses a static routing table to forward outgoing calls. If the called number of a call
matches a static route, the local SIP server forwards the call to the specified destination. The called
number does not need to register on the local SIP server. For example, as an external number, 5552000
does not need to register on the local SIP server. Configure a static route entry with the area prefix of 333
and called number of 5552000 on the local SIP server. Upon receiving a call from local number 1000
to external number 5552000, the local SIP server adds the area prefix 333 to the calling number, and
forwards the call to the destination specified in the static route entry.
Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click Add
to enter the page as shown in Figure 672.


Figure 672 Configure a call-out route

Table 269 Configuration items

| Item | Description |
| --- | --- |
| ID | Type the ID of the call-out route. |
| Destination Number Prefix, Number length | Type the destination number prefix and length. Suppose the destination number prefix is 4100, and the number length is 6. This configuration matches destination numbers that are 6-digit long and start with 4100. A dot can be used after a number to represent a character. Currently, this configuration does not support other characters. |
| Destination IP address, Port Number | Type the destination IP address and port number. |
| Area Prefix | Type the area prefix added before the calling numbers of outgoing calls. |

Area prefix
When the local SIP server is connected to the extranet, external users can originate calls to internal users
registered with the local SIP server. For calls from external users to internal users, the local SIP server
removes the configured area prefix from each called number to convert it to an internal short number.
For example, if an external user dials number 01050009999, the local SIP server checks whether any
area prefix matches the called number. If the area prefix 0105000 is available, the local SIP server
removes the prefix 0105000 from the called number and sends the call to 9999.
Select Voice Management > SIP Local Survival > Area Prefix from the navigation tree to enter the page
as shown in Figure 673.
Figure 673 Configure a call-in number prefix

Input the call-in number prefix, and click Add a Prefix.



Up to eight call-in number prefixes can be configured. The local SIP server adopts longest match to deal
with a called number.
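
The following added example (not H3C code) models the number handling described under "Call-out route" and "Area prefix" above: route matching by prefix and length, prefixing the calling number on outgoing calls, and longest-match prefix removal on incoming calls. The 192.0.2.x destinations, port 5060, the length 7 for 5552000, the dotted route, first-match route selection, and treating a dot as one digit are assumptions.

```python
"""Added illustration (not H3C code) of local SIP server number handling."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

MAX_AREA_PREFIXES = 8  # the page allows up to eight call-in number prefixes


def compile_prefix(pattern: str) -> "re.Pattern[str]":
    """Turn a destination number prefix into a regex anchored at the start.

    The page allows digits followed by dots, each dot standing for one
    character. Assumption: that character is a single digit 0-9.
    """
    if not re.fullmatch(r"[0-9]+\.*", pattern):
        raise ValueError(f"unsupported pattern {pattern!r}: digits, then dots only")
    return re.compile("".join("[0-9]" if ch == "." else ch for ch in pattern))


@dataclass(frozen=True)
class CallOutRoute:
    route_id: int
    dest_prefix: str    # "Destination Number Prefix"
    number_length: int  # "Number length": total digits in the called number
    dest_ip: str        # "Destination IP address"
    dest_port: int      # "Port Number"
    area_prefix: str    # "Area Prefix", added before the calling number

    def matches(self, called: str) -> bool:
        return (
            re.fullmatch(r"[0-9]+", called) is not None
            and len(called) == self.number_length
            and compile_prefix(self.dest_prefix).match(called) is not None
        )


def route_outgoing(
    routes: Sequence[CallOutRoute], calling: str, called: str
) -> Optional[Tuple[str, str, str, int]]:
    """Return (calling number sent, called number, destination IP, port), or None.

    Assumption: the first matching route in configuration order is used.
    """
    for route in routes:
        if route.matches(called):
            return (route.area_prefix + calling, called, route.dest_ip, route.dest_port)
    return None


def strip_area_prefix(prefixes: Sequence[str], called: str) -> str:
    """Convert an externally dialled number to an internal short number.

    Longest match, as the page states. Assumption: a prefix that would
    leave an empty number is not treated as a match.
    """
    if len(prefixes) > MAX_AREA_PREFIXES:
        raise ValueError("at most eight call-in number prefixes can be configured")
    hits = [p for p in prefixes if called.startswith(p) and len(called) > len(p)]
    return called[len(max(hits, key=len)):] if hits else called


def shadowed_prefixes(prefixes: Sequence[str]) -> List[Tuple[str, str]]:
    """List (shorter, longer) pairs where longest match decides the outcome."""
    return sorted(
        (s, l) for s in prefixes for l in prefixes if s != l and l.startswith(s)
    )


# Constructed sample configuration. Route 1 and the prefix 0105000 follow the
# page's examples; everything else is made up for the demonstration.
ROUTES = [
    CallOutRoute(1, "5552000", 7, "192.0.2.10", 5060, "333"),
    CallOutRoute(2, "4100", 6, "192.0.2.20", 5060, ""),
    CallOutRoute(3, "60..", 4, "192.0.2.30", 5060, ""),
]
AREA_PREFIXES = ["010", "0105000"]

if __name__ == "__main__":
    # Outgoing: local 1000 calls external 5552000; the caller is sent as 3331000.
    print(route_outgoing(ROUTES, "1000", "5552000"))
    # The length field matters: 410012 matches route 2, 4100123 matches nothing.
    print(route_outgoing(ROUTES, "1000", "410012"))
    print(route_outgoing(ROUTES, "1000", "4100123"))
    # Incoming: both prefixes match, the longer one wins and 9999 is rung.
    print(strip_area_prefix(AREA_PREFIXES, "01050009999"))
    # Overlapping prefixes an administrator may want to review.
    print(shadowed_prefixes(AREA_PREFIXES))
```

With only the shorter prefix 010 configured, the same incoming number would be converted to 50009999 instead of 9999, which is why overlapping prefixes are worth reviewing.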

Call authority control


Configure a call rule set
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and
click Add to enter the page as shown in Figure 674.
Figure 674 Configure a call rule set

Table 270 Configuration items

| Item | Description |
| --- | --- |
| Rule Set ID | Type the ID of the call rule set |
| Rule | |
| Rule ID | Type the rule ID |
| Call Direction | Outgoing: Applies the rule to outgoing calls. Incoming: Applies the rule to incoming calls. |
| Call Authority | Permit: Permits the matching calls. Deny: Denies the matching calls. |
| Number Pattern | Type the number match pattern. A dot can be used after a number to represent a character. Currently, this configuration does not support other characters. |

Apply the call rule set


Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and
click the icon of the call rule set to enter the page as shown in Figure 675.

Figure 675 Apply the call rule set

Table 271 Configuration items

| Item | Description |
| --- | --- |
| Rule Set ID | Displays the call rule set ID |
| Applied Globally | Enable: Applies the call rule set to all registered users. Disable: Specifies that the call rule set does not apply to any registered users. |
| Register users bound to the rule set | In the Available register users text box, select registered users and click << to add them to Register users bound to the rule set. In the Register users bound to the rule set text box, select registered users and click >> to unbind them. Users in the Available register users text box are added in User management. |

SIP local survival configuration examples


Configuring local SIP server to operate in alone mode
Network requirements
Configure the local SIP server on Router C to operate in alone mode so that the phones register with the
local SIP server and they can make and receive calls through the local SIP server.


Figure 676 Network diagram for the local SIP server in alone mode

Configuration procedure
1. Configure Router C

# Configure the router to operate in the alone mode.


Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to enter
the following page.
Figure 677 Configure alone mode

Select Enable for Server Running State.

Type 2.1.1.2 in IP Address Bound to the Server.

Select Alone for Server Operation Mode.

Click Apply.

# Configure user 1000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click
Add to enter the following page.


Figure 678 Configure a user

Type 1000 for User ID.

Type 1000 for Telephone Number.

Type 1000 for Authentication Username.

Type 1000 for Authentication Password.

Click Apply.

# Configure user 5000 in a similar way.

2. Configure Router A

Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the user name is 1000, and the password is 1000.

Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5000, the routing type is SIP, and the SIP routing method is proxy server.

Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

3. Configure Router B

Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the user name is 5000, and the password is 5000.

Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the SIP routing method is proxy server.

Configure SIP registration in the connection properties configuration page: Enable registration, and
configure the main registrar's IP address as 2.1.1.2.

Verify the configuration

Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that numbers 1000 and 5000 have been registered with the local SIP
server on Router C.

Phones 1000 and 5000 can call each other through the local SIP server.


Configuring local SIP server to operate in alive mode


Network requirements
Router A and Router B carry out call services through the remote voice server VCX. Configure the local
SIP server on Router A to operate in alive mode, so that calls can be originated or received through
Router A when the VCX fails. When the VCX recovers, it will take over call services again.
Figure 679 Network diagram for the local SIP server in alive mode

Configuration procedure
1. Configure Router A

# Configure the IP address of Ethernet 1/1 as 1.1.1.2, and the IP address of the sub interface as 2.1.1.2.
(Omitted)

# Configure the local SIP server to operate in alive mode.


Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to enter
the following page.
Figure 680 Configure alive mode

Select Enable for Server Running State.



Type 2.1.1.2 in IP Address Bound to the Server.

Select Alive for Server Operation Mode.

Type 3.1.1.1 for Remote Server IP Address.

Click Apply.

# Configure user 1000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click
Add to enter the following page.
Figure 681 Configure a user

Type 1000 for User ID.

Type 1000 for Telephone Number.

Click Apply.

# Configure user 5000 in a similar way.

2. Configure Router A

Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, and the bound line is line2/0.

Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5000, the routing type is SIP, and the SIP routing method is proxy server.

Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 3.1.1.2, and the backup registrar's IP address as
2.1.1.2.

3. Configure Router B

Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, and the bound line is line2/0.

Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the SIP routing method is proxy server.

Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 3.1.1.2, and the backup registrar's IP address as
2.1.1.2.

Verify the configuration

When the VCX fails, the local SIP server on Router A starts to accept registrations from phones,
which then can call each other through Router A. Select Voice Management > States and Statistics
> Local Survival Service States from the navigation tree. You can find that numbers 1000 and 5000
have been registered with the local SIP server on Router A.

When the VCX recovers, Router A disables the local SIP server, and the phones register with the
VCX again.

Configuring call authority control


Network requirements
The numbers for Department A in a company are in the range of 1000 to 1999, while those for
Department B are in the range of 5000 to 5999. The following restrictions need to be implemented:

Phones in Department A and Department B cannot originate external calls.

Phone 5000 is not allowed to call phone 1000.

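Figure 682 Network diagram for call authority control (diagram not reproduced: phones 1000 and 1111 attach to Router A, phones 5000 and 5555 attach to Router B, and Router C hosts the local SIP server. Interface labels in the diagram: Eth1/1 1.1.1.1/24, Eth1/1 1.1.1.2/24, Eth1/2 2.1.1.2/24, Eth1/1 2.1.1.1/24.)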

Configuration procedure
1. Configure the local SIP server on Router C

# Configure the local SIP server to operate in alone mode.


Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to enter
the following page.


Figure 683 Configure alone mode

Select Enable for Server Running State.

Type 2.1.1.2 in IP Address Bound to the Server.

Select Alone for Server Operation Mode.

Click Apply.

# Configure user 1000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click
Add to enter the following page.
Figure 684 Configure a user

Type 1000 for User ID.

Type 1000 for Telephone Number.

Type 1000 for Authentication Username.

Type 1000 for Authentication Password.

Click Apply.

# Configure users with phone numbers 1111, 5000, and 5555 in a similar way.

# Configure call rule set 0.


Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and
click Add to enter the following page.
Figure 685 Configure call rule set 0

Type 0 for Rule Set ID.

Add three rules as shown in Figure 685.

Click Apply.

# Apply call rule set 0.


Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and
click the
icon of call rule set 0 to enter the following page.

Figure 686 Apply call rule set 0

Select Enable for Applied Globally.

Click Apply.

# Configure call rule set 2.


Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and
click Add to enter the following page.
Figure 687 Configure call rule set 2

Type 2 for Rule Set ID.

Add a rule as shown in Figure 687.

Click Apply.

# Apply call rule set 2.


Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and
click the
icon of call rule set 2 to enter the following page.
Figure 688 Apply call rule set 2

Click 5000 in Available register users, and then click << to add it to Register users bound to the
rule set.

Click Apply.

2. Configure Router A

Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the user name is 1000, and the password is 1000.

Configure a local number in the local number configuration page: The ID is 1111, the number is 1111,
the bound line is line2/1, the user name is 1111, and the password is 1111.

Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5, the routing type is SIP, and the SIP routing method is proxy server.

Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

3. Configure Router B

Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the user name is 5000, and the password is 5000.

Configure a local number in the local number configuration page: The ID is 5555, the number is
5555, the bound line is line2/1, the user name is 5555, and the password is 5555.

Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1, the routing type is SIP, and the SIP routing method is proxy server.

Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

Verify the configuration

Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that numbers 1000, 1111, 5000, and 5555 have been registered with
the local SIP server on Router C.

The four phones cannot call external numbers, and phone 5000 cannot call phone 1000.

Configuring an area prefix


Network requirements
The internal numbers of a company are four digits long and the area prefix is 8899. An external user
needs to dial the area prefix 8899 before an internal number. The local SIP server on Router C removes
the area prefix from the dialed number and calls the four-digit internal number. The external phone
attached to Router A is not registered with Router C; the internal phone attached to Router B is registered
with Router C.
Figure 689 Network diagram for area prefix configuration

Configuration procedure
1. Configure the local SIP server on Router C

# Configure the local SIP server to operate in alone mode.


Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to enter
the following page.

Figure 690 Configure alone mode

Select Enable for Server Running State.

Type 2.1.1.2 in IP Address Bound to the Server.

Select Alone for Server Operation Mode.

Click Apply.

# Configure Router A as a trusted node.


Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to enter the
following page.
Figure 691 Configure a trusted node

Type 1.1.1.1 for IP Address.

Click Apply.

# Configure area prefix 8899.


Select Voice Management > SIP Local Survival > Area Prefix from the navigation tree to enter the
following page.

Figure 692 Configure an area prefix

Type 8899 for Area Prefix.

Click Add a Prefix.

Click Apply.

# Configure user 5000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click
Add to enter the following page.
Figure 693 Configure user 5000

Type 5000 for User ID.

Type 5000 for Telephone Number.

Type 5000 for Authentication Username.

Type 5000 for Authentication Password.

Click Apply.

2. Configure Router A

Configure a local number in the local number configuration page: The ID is 55661000, the number
is 55661000, and the bound line is line2/0.

Configure a call route to Router B in the call route configuration page: The ID is 88995000, the
destination number is 88995000, the routing type is SIP, and the destination address is 2.1.1.2.

3. Configure Router B

Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the user name is 5000, and the password is 5000.

Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

Verify the configuration

Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that number 5000 has been registered with the local SIP server on
Router C.

Place a call from phone 55661000 to phone 88995000. The local SIP server on Router C removes
the area prefix 8899 from the called number, and alerts internal phone 5000. Pick up phone 5000.
The call is established.

Configuring a call-out route


Network requirements
The internal numbers of a company are four digits long and the area prefix is 8899. External phone
55665000 attached to Router B is not registered with the local SIP server on Router C; internal phone
1000 attached to Router A is already registered with Router C. When a user in the company dials the
external number, the local SIP server will route the call according to the configured call-out route and add
area prefix 8899 to the calling number.
Figure 694 Network diagram for call route configuration

Configuration procedure
1. Configure the local SIP server on Router C

# Configure the local SIP server to operate in alone mode.


Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
Figure 695 Configure alone mode

Select Enable for Server Running State.


Type 2.1.1.2 in IP Address Bound to the Server.

Select Alone for Server Operation Mode.

Click Apply.

# Configure a call-out route.


Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click Add
to enter the following page.
Figure 696 Configure a call-out route

Type 0 for ID.

Type 55665000 for Destination Number Prefix, and 8 for Number Length.

Type 2.1.1.1 for Destination IP Address.

Type 8899 for Area Prefix.

Click Apply.

# Configure user 1000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click
Add to enter the following page.
Figure 697 Configure user 1000

Type 1000 for User ID.

Type 1000 for Telephone Number.

Type 1000 for Authentication Username.


Type 1000 for Authentication Password.

Click Apply.

2. Configure Router A

Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the user name is 1000, and the password is 1000.

Configure a call route to Router B in the call route configuration page: The ID is 55665000, the
destination number is 55665000, the routing type is SIP, and the routing method is proxy server.

3. Configure Router B

Configure a local number in the local number configuration page: The ID is 55665000, the number
is 55665000, and the bound line is line2/0.

Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the routing method is proxy server.

Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

Verify the configuration

Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that number 1000 has been registered with the local SIP server on
Router C.

Place a call from phone 1000 to phone 55665000. The local SIP server on Router C adds prefix
8899 before the calling number, and sends the call to phone 55665000. Pick up phone
55665000. The call is established.

IVR
Overview
Interactive voice response (IVR) is extensively used in voice communications. You can use the IVR system
to customize interactive operations and humanize other services. If a subscriber dials an IVR access
number, the IVR system plays the prerecorded voice prompts to direct the subscriber on how to proceed,
for example, dial a number.

Advantages
A conventional interactive voice system uses fixed audio files and operations. IVR enables you to
customize your own interactive system by adding, modifying, and removing audio files. IVR has the
following advantages.

Customizable voice prompts


Voice prompts can be saved as audio files on voice devices, and played to subscribers. You can record
personalized voice prompts, convert the format of the audio files by using the converter provided by H3C,
and then upload the converted files to the voice devices. The adding, modifying and removing
operations in the IVR system are simple and easy to use, and the configurations take effect instantly.

Various codecs
The IVR system supports four codecs for voice prompts: G.711alaw, G.711ulaw, G.723r53, and G.729r8.
The converter provided by H3C can transcode among these four codecs. Each kind of codec has its
advantages and disadvantages: G.711alaw and G.711ulaw provide high quality of voice, while
requiring greater memory space; G.723r53 and G.729r8 provide relatively low quality of voice, while
requiring less memory space.

Flexible node configuration


To simplify configuration, the IVR system uses nodes as basic units for configuration. You can define three
types of nodes: call node, jump node, and service node. Each node type has a single function, and you
can combine them to realize complex functions.

call node: Executes a secondary call.

jump node: Jumps to another node according to the input of the subscriber.

service node: Executes various operations, such as executing an immediate secondary call, auto
jumping, terminating a call, and playing an audio file.

Customizable process
You can customize the interactive process easily. For example, configure custom IVR access numbers,
voice prompts, and combinations of keys and voice prompts.

Successive jumping
The IVR process can realize successive jumping at most eight times from node to node.

Error processing methods


The IVR system provides three error processing methods: terminate the call, jump to a specified node, and
return to the previous node. You can select an error processing method for a call node, a jump node, or
globally to handle errors.

Timeout processing methods


The IVR system provides three timeout processing methods: terminate the call, jump to a specified node,
and return to the previous node. You can select a timeout processing method for a call node, a jump node,
or globally to handle the keypress timeout event.

Various types of secondary calls


The IVR system supports immediate secondary call, normal secondary call, and extension secondary
call:

A subscriber makes an immediate secondary call without the need of dialing the number of the
called party. Immediate secondary calls are executed by service nodes.

A subscriber makes a normal secondary call by dialing the number of the called party. Normal
secondary calls are executed by call nodes. You can configure a node to match the length of a
number, the terminator, or the number.

A subscriber makes an extension secondary call by dialing the extension number of the called
party. Extension secondary calls are executed by call nodes.

Configuring IVR
Uploading media resource files
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
enter the following page.
Figure 698 Media file list

You can click

to save the media resource file to a specified directory.

Click Add. The following page appears.


Figure 699 Configure media resource

Table 272 Configuration items

Item | Description
Media Resource ID | Set a media resource ID.
Rename Media Resource | Type a name for the media resource file.
Upload Media Resource | Upload media resource files for g729r8, g711alaw, g711ulaw, and g723r53.

Importing a media resource through an MOH audio input port


Select Voice Management > IVR Services > Media Resources Management from the navigation tree, and
click the Audio Card List tab.
Figure 700 Audio card list

Click

of a media resource to enter the following page.

Figure 701 Modify a media resource

Table 273 Configuration items

Item | Description
Media resource ID | Set a media resource ID.

Configuring the global key policy


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and click the
Global Key Policy tab.
Figure 702 Global key policy

Table 274 Configuration items

Item | Description
Input Error Processing Method |
Max Count of Input Errors | Type the maximum number of input errors.
Play Voice Prompts for Input Errors | Enable / Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Voice Prompts Play Count | Set the number of voice prompts.
Input Timeout Processing Method |
Max Count of Input Timeouts | Set the maximum number of input timeouts.
Timeout Time | Set the timeout time.
Play Voice Prompts for Input Timeout | Enable / Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Voice Prompts Play Count | Set the number of voice prompts.

Configuring IVR nodes


You can configure three types of IVR nodes: call node, jump node, and service node.
Avoid the following misconfigurations:

No operation is configured for a node.

Several nodes form a loop. The subscriber has no other options except jumping around these
nodes.

The IVR process jumps from node to node more than eight times.
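
The three misconfigurations above can be checked on paper before a node plan is entered in the Web interface. The following is an added example, not H3C code: the plan format, the finding names, and the treatment of terminate and secondary-call operations as the ways out of a menu are assumptions, and the jump limit is counted along the longest loop-free chain from the entry node.

```python
MAX_JUMPS = 8                       # successive-jump limit stated in this guide
ENDING_OPS = {"terminate", "call"}  # assumed: these take the subscriber out of the menu


def jump_targets(ops):
    """Node IDs named by ("jump", target) operations."""
    return [op[1] for op in ops if op[0] == "jump"]


def lint_ivr(nodes, entry):
    """Check a node plan; `entry` is the node bound to the access number.

    nodes maps node ID -> list of operation tuples such as ("play", "welcome"),
    ("jump", 20), ("call",) or ("terminate",). Returns a list of
    (finding, detail) tuples; an empty list means nothing was found.
    """
    if entry not in nodes:
        raise ValueError(f"entry node {entry!r} is not defined")
    findings = []

    # Jumps that point at a node ID nobody defined.
    for nid, ops in nodes.items():
        for target in jump_targets(ops):
            if target not in nodes:
                findings.append(("undefined-target", (nid, target)))
    edges = {nid: [t for t in jump_targets(ops) if t in nodes]
             for nid, ops in nodes.items()}

    # Misconfiguration 1: a node with no operation at all.
    for nid, ops in nodes.items():
        if not ops:
            findings.append(("no-operation", nid))

    # Nodes a caller can actually reach from the entry node.
    reachable, stack = set(), [entry]
    while stack:
        nid = stack.pop()
        if nid not in reachable:
            reachable.add(nid)
            stack.extend(edges[nid])

    # Misconfiguration 2: a loop with no way out. A node can leave the menu
    # if it ends the walk itself or can jump to a node that can leave.
    can_leave = {nid for nid, ops in nodes.items()
                 if not edges[nid] or any(op[0] in ENDING_OPS for op in ops)}
    grew = True
    while grew:
        grew = False
        for nid in nodes:
            if nid not in can_leave and any(t in can_leave for t in edges[nid]):
                can_leave.add(nid)
                grew = True
    trapped = tuple(sorted(reachable - can_leave))
    if trapped:
        findings.append(("closed-loop", trapped))

    # Misconfiguration 3: more than eight node-to-node jumps in one chain.
    def longest_chain(nid, seen):
        best = [nid]
        for target in edges[nid]:
            if target not in seen:
                chain = [nid] + longest_chain(target, seen | {target})
                if len(chain) > len(best):
                    best = chain
        return best

    chain = longest_chain(entry, {entry})
    if len(chain) - 1 > MAX_JUMPS:
        findings.append(("too-many-jumps", tuple(chain)))
    return findings


# Constructed plans for illustration, not taken from any device.
LOOPING_PLAN = {
    10: [("play", "welcome"), ("jump", 20), ("jump", 30)],  # entry menu
    20: [("jump", 21)],
    21: [("jump", 20)],                                     # 20 and 21 only jump to each other
    30: [],                                                 # nothing configured
    40: [("play", "bye"), ("terminate",)],
}
DEEP_PLAN = {n: [("jump", n + 1)] for n in range(1, 10)}   # 1 -> 2 -> ... -> 10
DEEP_PLAN[10] = [("play", "bye"), ("terminate",)]

if __name__ == "__main__":
    for name, plan, entry in (("looping", LOOPING_PLAN, 10), ("deep", DEEP_PLAN, 1)):
        print(name, lint_ivr(plan, entry))
```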

Configuring a call node


Use call nodes to configure the secondary call function. You can configure two kinds of dial plans for a
call node: normal secondary call and extension secondary call. If you configure both dial plans for a call
node, the extension secondary call plan takes precedence over the normal secondary call plan.
To handle input errors and input timeouts, you need to configure error processing and timeout processing
methods for a node. If you do not configure the methods, global processing methods apply.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Call
Node List tab, and click Add to enter the following page.

Figure 703 Configure a call node

Table 275 Configuration items

Item | Description
Node ID | Type a node ID.
Description | Type a description for the node.
Play Voice Prompts | Enable / Disable. Disabled by default. The following options are available for playing voice prompts: Mandatory play: Only after the voice prompts end can the subscriber press keys effectively. Voice prompts: Select a voice prompt file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management. Play count: Number of play times. By default, mandatory play is disabled, and the play count is 1.
Input Method |
Input Error Processing Method | Terminate the call / Jump to a specified node / Return to the previous node. By default, the node uses the input error processing method configured in the global key policy.
Specify A Node | Specify the node to which the subscriber is directed when the number of input errors reaches the maximum.
Max Count of Input Errors | Maximum number of input errors.
Play Voice Prompts for Input Errors | Enable / Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management.
Play Count | Number of play times.
Input Timeout Processing Method | Terminate the call / Jump to a specified node / Return to the previous node. By default, the node uses the input timeout processing method configured in the global key policy.
Specify A Node | Specify the node to which the subscriber is directed when the number of input timeouts reaches the maximum.
Max Count of Input Timeouts | Maximum number of input timeouts.
Timeout Time | Timeout time.
Play Voice Prompts for Input Timeout | Enable / Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Play Count | Number of play times.
Secondary-Call |
Number Match Mode | Match the terminator of the numbers / Match the length of the numbers / Match the local number and route. At least one of the number match mode and the extension secondary call must be configured.
Length of Numbers | Type the number length.
Terminator | Type the terminator.
Extension Secondary-Call |
Extension Number, Corresponding Number | Associate the extension number with the corresponding number. You can click Add a Rule to configure a rule for executing the secondary call. By default, no extension secondary call is configured.

Configure a jump node


You can configure the following functions for a jump node: playing audio files, jumping to another node,
and terminating a call, and configure error processing and timeout processing methods for the jump
node. If you do not configure these methods, the jump node uses the global methods.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Jump
Node List tab, and click Add to enter the following page.

Figure 704 Configure a jump node

Table 276 Configuration items

Item | Description
Node ID | Type a node ID.
Description | Type a description for the node.
Key mapping | Map actions with keys. Actions include: Terminate the call / Jump to a specified node (if this option is selected, you need to select the target node from the Specify a node dropdown list) / Return to the previous node. No key mapping is configured by default.

See Table 275 for description about other items.

Configure a service node


The functions of a service node include playing audio files, jumping to another node, executing
immediate secondary call, and terminating a call.
You can configure at most three functions for a service node. If an executed function is to jump to another
node or to terminate a call, the remaining functions will not be executed.
Because a service node has no need to wait for subscriber input, the error processing and timeout
processing methods are unavailable for a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Service
Node List tab, and click Add to enter the following page.
Figure 705 Configure a service node

Table 277 Configuration items

Item | Description
Node ID | Type a node ID.
Description | Type a description for the node.
Operation Configuration | Terminate the call. Jump to a specified node: if this operation is selected, you must select a node from the Specify A Node dropdown list. Return to the previous node. Play voice prompts: if this operation is selected, you must select a voice prompt file from the Voice Prompt File dropdown list. Immediate secondary-call: if this operation is selected, you must type the secondary call number in the Secondary-call Number text box.
Execution Order | Select the execution order.

Configuring access number management


Configuring an access number
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click Add to enter the following page.
Figure 706 Configure an access number

Table 278 Configuration items

Item | Description
Number ID | Type a number ID (30000 to 39999).
Number | Type the access number.
Bind to Menu | Bind a node in the dropdown list to the access number. You can configure the nodes in Voice Management > IVR Services > Advanced Settings.
Description | Type a description for the access number.
Register Function | Enable / Disable. The following registration parameters are configurable when Enable is selected.
Register Username | Type the user name for registration.
Register Password | Type the password for registration.
Cnonce Name | Type the cnonce name for handshake authentication.
Realm Name | Type the realm name for handshake authentication. IMPORTANT: The realm name must be consistent with that configured on the server. Otherwise, authentication will fail. If no realm name is configured, the device trusts the realm name from the server.
Status | Enable: Enables the access number. Disable: Disables the access number.
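
The Realm Name note follows from how digest authentication works: the realm is hashed together with the user name and password, so a response computed for one realm does not verify under another. The sketch below is an added example, not H3C code; it uses the RFC 2617 MD5 digest calculation that SIP registration relies on, and the challenge, the account values, and the way an unset Realm Name is modelled are constructed assumptions.

```python
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_challenge(header):
    """Return the parameters of a 'Digest ...' challenge as a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=""):
    """RFC 2617 request-digest with algorithm MD5."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # the realm is bound in here
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def _qop(challenge):
    offered = [q.strip() for q in challenge.get("qop", "").split(",")]
    return "auth" if "auth" in offered else None


def answer_challenge(header, username, password, uri, cnonce,
                     configured_realm=None, method="REGISTER"):
    """Client side; returns (realm used, response).

    Assumed model of the Realm Name field: when it is set, the client always
    hashes with that realm; when it is unset, it adopts the challenger's realm.
    """
    challenge = parse_challenge(header)
    realm = challenge["realm"] if configured_realm is None else configured_realm
    response = digest_response(username, realm, password, method, uri,
                               challenge["nonce"], _qop(challenge), cnonce=cnonce)
    return realm, response


def server_accepts(header, username, password, uri, cnonce, response,
                   method="REGISTER"):
    """Registrar side: recompute with the realm it put in its own challenge."""
    challenge = parse_challenge(header)
    expected = digest_response(username, challenge["realm"], password, method,
                               uri, challenge["nonce"], _qop(challenge),
                               cnonce=cnonce)
    return hmac.compare_digest(expected, response)


# Constructed values for illustration only.
CHALLENGE = 'Digest realm="voice.example", nonce="8f2a51c09e7b4d16", qop="auth", algorithm=MD5'
USER, PASSWORD = "ivr300", "constructed-secret"
URI, CNONCE = "sip:registrar.example", "c0ffee01"

if __name__ == "__main__":
    for configured in ("voice.example", "pbx.example", None):
        realm, resp = answer_challenge(CHALLENGE, USER, PASSWORD, URI, CNONCE,
                                       configured_realm=configured)
        ok = server_accepts(CHALLENGE, USER, PASSWORD, URI, CNONCE, resp)
        print(f"configured={configured!r:16} realm used={realm:14} accepted={ok}")
```

With Realm Name set, the client in this model never produces a password-derived response for any realm other than the expected one; left unset, it answers for whatever realm the challenge names.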

Configuring advanced settings for the access number


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click the
icon of the configured access number to enter the following page.
Figure 707 Configure advanced settings

For information about advanced settings, see the chapter Advanced settings.

IVR configuration examples


Configure a secondary call on a call node (match the terminator of numbers)
Network requirements
As shown in Figure 708, configure an IVR access number and call node functions on Router B to meet the
following requirements.

After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav.

The subscriber dials 50# at Telephone A to originate a secondary call and then Telephone B1 rings.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.

If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 708 Network diagram for secondary call configuration (terminator match)

Configuration procedure
1. Configure Router A

# Configure a local number and call route.

Configure a local number in the local number configuration page: The number ID is 100; the
number is 100; the bound line is line 1/0.

Configure a route to Router B in the call route configuration page: The route ID is 300; the
destination number is 300; the SIP routing method is IP routing; the destination IP address is 1.1.1.2;
the DTMF transmission mode is out-of-band.

2. Configure Router B

# Configure local numbers in the local number configuration page.

Local number 500: The number ID is 500; the number is 500; the bound line is line 1/0.

Local number 50: The number ID is 50; the number is 50; the bound line is line 1/1.

# Upload g729r8 media resource files.


Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
enter the following page.
Figure 709 Upload a media resource file

Type 10001 for Media Resource ID.

Type welcome for Rename Media Resource.

Click the Browse button of g729r8 codec to select the target file.

Click Apply.

Use the same method to upload other g729r8 media resource files timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:

If no number is dialed at Telephone A within the timeout time, Router B plays audio file timeout.wav;
if the number of timeouts reaches four, Router B terminates the call.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav; if the number of input errors reaches three, Router B terminates the call.

Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and select the
Global Key Policy tab.

Figure 710 Configure the global key policy

Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts
dropdown list.

Type 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice
Prompts for Input Timeout; select timeout from the Voice Prompts dropdown list.

Click Apply.

# Configure the call node to achieve the following purpose:

The subscriber dials the number 300 at Telephone A, and hears the voice prompts of audio file
welcome.wav. After that, the subscriber dials 50# at Telephone A, and Telephone B1 rings.

Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to enter the following page.

Figure 711 Configure a call node

Type 10 for Node ID.

Type play-welcome for Description.

Select Enable for Play Voice Prompts; select welcome from the Voice Prompts dropdown list.

Select Match the terminator of the numbers from the Number Match Mode dropdown list; type #
for Terminator.

Click Apply.

# Configure the access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click Add to enter the following page.

Figure 712 Configure an access number

Type 30000 for Number ID.

Type 300 for Number.

Select play-welcome from the Bind to Menu dropdown list.

Click Apply.

Verification
Dial the number 300 at Telephone A, and the call node plays audio file welcome.wav. Then, dial 50# at
Telephone A, and Telephone B1 rings.

Configure a secondary call on a call node (match the number length)
Network requirements
As shown in Figure 713, configure an IVR access number and call node functions on Router B to meet the
following requirements.

After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Configure the number match length as 3, that is, when the subscriber dials 500
that matches number length 3, Telephone B2 rings.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.

If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 713 Network diagram for secondary call configuration (number length match)

Configuration procedure
1. Configure Router A

See 1.

2. Configure Router B

# Configure the call node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to enter the following page.

Figure 714 Configure the call node

Type 10 for Node ID.

Type play-welcome for Description.

Select Enable for Play Voice Prompts; select welcome from the Voice Prompts dropdown list.

Select Match the length of the numbers from the Number Match Mode dropdown list; type 3 for
Length of Numbers.

Click Apply.

For other settings, see 2.

Verification
Dial 300 at Telephone A, and Router B plays the audio file welcome.wav. Then dial 500, and Telephone
B2 rings.

Configure a secondary call on a call node (match a number)


Network requirements
As shown in Figure 715, configure an IVR access number and call node functions on Router B to meet the
following requirements.

After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Configure number match so that when the subscriber dials 50, Telephone B1
rings.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.

If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 715 Network diagram for secondary call configuration (match the number)

Configuration procedure
1. Configure Router A

See 1.

2. Configure Router B

# Configure a call node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to enter the following page.

Figure 716 Configure a call node

Type 10 for Node ID.

Type play-welcome for Description.

Select Enable for Play Voice Prompts; select welcome from the Voice Prompts dropdown list.

Select Match the local number and route from the Number Match Mode dropdown list.

Click Apply.

For other settings, see 2.

Verification
Dial 300 at Telephone A, and Router B plays the audio file welcome.wav. Then dial 50, and Telephone
B1 rings.

Configure an extension secondary call on a call node


Network requirements
As shown in Figure 717, configure an IVR access number and call node functions on Router B to meet the
following requirements.

After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Then the subscriber dials 0, and Router B makes an extension secondary call so
that Telephone B rings.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.

If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 717 Network diagram for extension secondary call configuration

Configuration procedure
1. Configure Router A

See 1.

2. Configure Router B

# Configure a call node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to enter the following page.

Figure 718 Configure a call node

Type 10 for Node ID.

Type play-welcome for Description.

Select Enable for Play Voice Prompts; select welcome from the Voice Prompts dropdown list.

Select 0 for Extension Number.

Select 500 for Corresponding Number.


Click Apply.

For other settings, see 2.

Verification
Dial 300 at Telephone A, and Router B plays the audio file welcome.wav. Then dial 0, and Telephone
B rings.

Configure a jump node


Network requirements
As shown in Figure 719, configure an IVR access number and jump node functions on Router B to meet
the following requirements.

After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Then if the subscriber dials #, Router B terminates the call.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.

If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 719 Network diagram for jump node configuration

Configuration procedure
1. Configure Router A

See 1.

2. Configure Router B

# Configure a jump node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Jump Node tab, and click Add to enter the following page.

Figure 720 Configure a jump node

Type 10 for Node ID.

Type play-welcome for Description.

Select Enable for Play Voice Prompts; select welcome from the Voice Prompts dropdown list.

Select Terminate the call for Key#.

Click Apply.

For other settings, see 2.

Verification
Dial 300 at Telephone A, and Router B plays the audio file welcome.wav. Then dial #, and the call is
terminated.

Configure an immediate secondary call on a service node


Network requirements
As shown in Figure 721, configure an IVR access number and service node functions on Router B to meet
the following requirements.

After the subscriber dials 300 (the IVR access number) from Telephone A, Telephone B rings.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.

If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 721 Network diagram for service node configuration

Configuration procedure
1. Configure Router A

See 1.

2. Configure Router B

# Configure a service node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Service Node tab, and click Add to enter the following page.


Figure 722 Configure a service node

Type 10 for Node ID.

Type play-welcome for Description.

Add two operations as shown in Figure 722.

Click Apply.

# Configure an access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click Add to enter the following page.


Figure 723 Configure an access number

Type 30000 for Number ID.

Type 300 for Number.

Select call500 from the Bind to Menu dropdown list.

Click Apply.

For other settings, see 2.

Verification
Dial 300 at Telephone A. Telephone B rings.

Configure a secondary call on a service node


Network requirements
As shown in Figure 724, configure an IVR access number and service node functions on Router B to meet
the following requirements.

After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file bye.wav, and then terminates the call.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.

If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 724 Network diagram for service node configuration


Configuration procedure
1. Configure Router A

See 1.

2. Configure Router B

# Configure a service node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Service Node tab, and click Add to enter the following page.

Figure 725 Configure a service node

Type 10 for Node ID.

Type reject-call for Description.

Add two operations as shown in Figure 725.

Click Apply.

# Configure an access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click Add to enter the following page.


Figure 726 Configure an access number

Type 30000 for Number ID.

Type 300 for Number.

Select reject-call from the Bind to Menu dropdown list.

Click Apply.

For other settings, see 2.

Verification
Dial number 300 at Telephone A. Router B plays the audio file bye.wav, and then terminates the call.

Configure a call node, jump node, and service node


Network requirements
As shown in Figure 727, configure an IVR access number and configure a call node, jump node, and
service node on Router B to meet the following requirements:
After the subscriber dials 300 at Telephone A, Router B plays the audio file welcome.wav. Then,

If the subscriber presses the * key at Telephone A, the call jumps to the service node and the
subscriber hears voice prompts of the audio file bye.wav. After that, the service node releases the
call;

If the subscriber presses the # key at Telephone A, the call jumps to the call node and the subscriber
hears the voice prompts of the audio file call.wav. After that, if the subscriber dials 1, Telephone B
rings.


Figure 727 Network diagram for call, jump and service nodes configuration

Configuration procedure
1. Configure Router A

See 1.

2. Configure Router B

# Configure a local number in the local number configuration page.


The number ID is 500; the number is 500; the bound line is line 1/0.
# Upload a g729r8 media resource file.
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
enter the following page.
Figure 728 Upload a g729r8 media resource file

Type 10001 for Media Resource ID.

Type welcome for Rename Media Resource.

Click the Browse button of g729r8 codec to select the target file.

Click Apply.

Use the same method to upload other g729r8 media resource files timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:

If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav; if the number of timeouts reaches four, Router B terminates the call.

If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav; if the number of input errors reaches three, Router B terminates the call.

Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and select the
Global Key Policy tab.
Figure 729 Configure the global key policy

Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts
dropdown list.

Type 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice
Prompts for Input Timeout; select timeout from the Voice Prompts dropdown list.

Click Apply.

# Configure a call node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to enter the following page.

Figure 730 Configure a call node

Type 10 for Node ID.

Type play-call for Description.

Select Enable for Play Voice Prompts; select Enable for Mandatory Play; select call from the Voice
Prompts dropdown list.

Type 1 for Extension Number; type 500 for Corresponding Number; click Add a Rule.

Click Apply.

# Configure a service node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Service Node tab, and click Add to enter the following page.
Figure 731 Configure a service node

Type 20 for Node ID.

Type reject-call for Description.

Add two operations as shown in Figure 731.

Click Apply.

# Configure a jump node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Jump Node tab, and click Add to enter the following page.

Figure 732 Configure a jump node

Type 10 for Node ID.

Type play-welcome for Description.



Select Enable for both Play Voice Prompts and Mandatory Play.

Select welcome from the Voice Prompts dropdown list.

Select Jump to a specified node from the Key* dropdown list, and reject-all from its Specify a node
dropdown list.

Select Jump to a specified node from the Key# dropdown list, and play-all from its Specify a node
dropdown list.

Click Apply.

# Configure an access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click Add to enter the following page.
Figure 733 Configure an access number

Type 300 for Number ID.

Type 300 for Number.

Select play-welcome from the Bind to Menu dropdown list.

Click Apply.

Verification
Dial 300 at Telephone A. Router B plays the audio file welcome.wav. Then,

If you press the * key at Telephone A, the call jumps to service node 20 and you hear voice prompts
of the audio file bye.wav. After that, the service node releases the call;

If you press the # key at Telephone A, the call jumps to call node 10 and you hear the voice
prompts of the audio file call.wav. After that, if you dial 1, Telephone B rings.
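
The call flow configured in this example can be modelled as a node graph and walked with a sequence of key presses, which also makes it possible to check that every jump target names a configured node before the access number is bound. This is an added example, not part of the H3C guide or the router software. Node names follow the Description fields (play-welcome, play-call, reject-call); the two service-node operations (play bye, then terminate), per-call error and timeout counters, and single-key extensions are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    kind: str                                        # "jump", "call" or "service"
    prompt: str = ""                                 # media resource played on entry
    keys: dict = field(default_factory=dict)         # jump node: key -> action tuple
    extensions: dict = field(default_factory=dict)   # call node: extension -> local number
    operations: list = field(default_factory=list)   # service node: ordered action tuples


@dataclass
class KeyPolicy:
    """Global key policy values stated in the example's requirements."""
    max_errors: int = 3
    max_timeouts: int = 4
    error_prompt: str = "input_error"
    timeout_prompt: str = "timeout"


# Constructed model of the example; names are taken from the Description fields.
NODES = {
    "play-welcome": Node("jump", "welcome",
                         keys={"*": ("jump", "reject-call"), "#": ("jump", "play-call")}),
    "play-call": Node("call", "call", extensions={"1": "500"}),
    "reject-call": Node("service", operations=[("play", "bye"), ("terminate",)]),
}
ACCESS_NUMBERS = {"300": "play-welcome"}


def dangling_targets(nodes, access_numbers):
    """Return (source, target) pairs that reference a node that is not configured."""
    missing = [(number, target) for number, target in access_numbers.items()
               if target not in nodes]
    for name, node in nodes.items():
        for key, action in node.keys.items():
            if action[0] == "jump" and action[1] not in nodes:
                missing.append((name + ":" + key, action[1]))
    return missing


def simulate(dialed, inputs, nodes=None, access_numbers=None, policy=None):
    """Walk the graph. inputs is a list of keys; None (or running out) is a timeout."""
    nodes = NODES if nodes is None else nodes
    access_numbers = ACCESS_NUMBERS if access_numbers is None else access_numbers
    policy = policy or KeyPolicy()
    broken = dangling_targets(nodes, access_numbers)
    if broken:
        raise ValueError("unresolved node references: %r" % broken)
    if dialed not in access_numbers:
        return [("unknown-number", dialed)]

    events, errors, timeouts = [], 0, 0
    pending = iter(inputs)
    current = access_numbers[dialed]
    while True:
        node = nodes[current]
        if node.prompt:
            events.append(("play", node.prompt))
        if node.kind == "service":
            # A service node needs no key input: run its operations in order.
            for operation in node.operations:
                events.append(operation)
                if operation[0] == "terminate":
                    break
            return events
        while True:
            key = next(pending, None)
            if key is None:                      # nothing dialed within the timeout time
                timeouts += 1
                events.append(("play", policy.timeout_prompt))
                if timeouts >= policy.max_timeouts:
                    return events + [("terminate",)]
                continue
            if node.kind == "call" and key in node.extensions:
                return events + [("ring", node.extensions[key])]
            action = node.keys.get(key) if node.kind == "jump" else None
            if action is None:                   # wrong number dialed
                errors += 1
                events.append(("play", policy.error_prompt))
                if errors >= policy.max_errors:
                    return events + [("terminate",)]
                continue
            if action[0] == "terminate":
                return events + [("terminate",)]
            current = action[1]                  # jump to the specified node
            break
```
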

Customizing IVR services


You can customize your own IVR systems to automate services such as service query and save costs.

Create a menu
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and click Add to create a menu. The following describes settings for different types of menus, including
jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, and
secondary call.

Configure a Jump menu


Select Jump from the Menu Type dropdown list to enter the following page.
Figure 734 Configure a jump menu

Table 279 Configuration items

Item: Description

Menu Node ID: Type a menu ID.

Menu Name: Type a menu name.

Menu Type: Select Jump. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected
by default.

Input Error Processing Method: Select one of the following methods.
  Terminate the call
  Jump
  Return to the previous menu
By default, no method is set.

Specify A Menu: Specify the target menu. This setting is available when the Input Error Processing
Method is Jump to a menu.

Input Error Prompts: Select an audio file. No audio file is selected by default.

Input Timeout Processing Method: Select one of the following methods.
  Terminate the call
  Jump to a specified node
  Return to the previous node
By default, no method is set.

Specify A Menu: Specify the target menu. This setting is available when the Input Timeout Processing
Method is Jump to a Menu.

Timeout Prompts: Select an audio file. No audio file is selected by default.

Key Mapping: Map keys with operations, which include
  Terminate the call
  Jump to a menu
  Return to the previous menu
No key mapping is configured by default. Jump to submenu is available when the operation is Jump
to a menu.

Configure a Terminate the call menu


Select Terminate the call from the Menu Type dropdown list to enter the following page.


Figure 735 Configure a Terminate the call menu

Table 280 Configuration items

Item: Description

Menu Node ID: Type a menu ID.

Menu Name: Type a menu name.

Menu Type: Select Terminate the call. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected
by default.

Configure a menu of type Enter the next menu


Select Enter the next menu from the Menu Type dropdown list to enter the following page.
Figure 736 Enter the next menu

Table 281 Configuration items

Item: Description

Menu Node ID: Type a menu ID.

Menu Name: Type a menu name.

Menu Type: Select Enter the next menu. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected
by default.

Jump to the next menu: Select the target menu.

Configure a menu of type Return to the previous menu


Select Return to the previous menu from the Menu Type dropdown list to enter the following page.
Figure 737 Return to the previous menu

Table 282 Configuration items

Item: Description

Menu Node ID: Type a menu ID.

Menu Name: Type a menu name.

Menu Type: Select Return to the previous menu. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected
by default.

Configure a Dial immediately menu


Select Dial immediately from the Menu Type dropdown list to enter the following page.
Figure 738 Dial immediately menu


Table 283 Configuration items

Item: Description

Menu Node ID: Type a menu ID.

Menu Name: Type a menu name.

Menu Type: Select Dial immediately. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected
by default.

Call immediately: Type the target number.

Configure a Secondary-call menu


Select Secondary-call from the Menu Type dropdown list to enter the following page.
Figure 739 Secondary-call menu

Table 284 Configuration items

Item: Description

Menu Node ID: Type a menu ID.

Menu Name: Type a menu name.

Menu Type: Select Secondary-call. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected
by default.

Input Error Processing Method: Select one of the following methods.
  Terminate the call
  Jump to a menu
  Return to the previous menu
By default, the menu uses the input error processing method configured in the global key policy.

Specify A Menu: Specify the target menu. This setting is available when the Input Error Processing
Method is Jump to a menu.

Input Error Prompts: Select an audio file. Voice prompt files can be configured in Voice Management >
IVR Services > Media Resources Management.

Input Timeout Processing Method: Select one of the following methods.
  Terminate the call
  Jump to a menu
  Return to the previous menu
By default, the menu uses the input timeout processing method configured in the global key policy.

Specify A Menu: Specify the target menu. This setting is available when the Input Error Processing
Method is Jump to a menu.

Timeout Prompts: Select an audio file. Voice prompt files can be configured in Voice Management >
IVR Services > Media Resources Management.

Normal Secondary-Call Number Matching Policy: Select one of the following policies:
  Match the terminator of the numbers
  Match the length of the numbers
  Match the local number and route
By default, no policy is configured.

Match Number Length: Type the number length.

Match Number Terminator: Type the number terminator.

Extension Secondary-Call Number Matching Policy (Extension number, Corresponding number): Type an
extension number and the corresponding number, and click Add to associate them. By default, no
extension secondary call is configured.

Bind an access number


After configuring a menu, click Next to enter the following page.

Figure 740 Bind an access number

Select the check box of the target access number, and click Apply.

Customize IVR services


Enter the Customize IVR Services interface
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and click the icon of the target menu to enter the Customize IVR Services page.

NOTE:
To perform any operation on the previous page, you must close the Customize IVR Services page first;
otherwise, errors will occur.

Figure 741 Customize IVR services


Add a submenu
Select Add A New Node from the Jump to submenu dropdown list of Key 0. Click OK on the popup
dialog box to enter the following page.
Figure 742 Add a submenu

You can configure the type of the new menu as jump, terminate the call, enter the next menu, return to the
previous menu, dial immediately, or secondary-call. For information about the menu configuration, see
Create a menu.
NOTE:
If new settings are made on the page, click Apply to save them first before you select Add a new menu.
Otherwise, the new settings may get lost.

Delete a menu
Enter the Customize IVR Services page, click the target menu, and click Delete the menu. On the popup
page, click OK.
NOTE:
If you delete a menu that is referenced by another menu, the operation deletes the reference relation in
the menu but not the menu.
If you delete a menu that is referenced within itself, the delete operation deletes both the reference
relation and the menu.

Custom IVR service configuration examples


Network requirements
Company A needs a custom IVR system to achieve the following purposes.


1. Voice menu system of Company A

When a user dials the access number 300, the system plays the audio file Hello.wav. Then,

If the user dials 0, the system jumps to the marketing and sales department menu.

If the user dials 1, the system jumps to the telecom product sales department menu.

If the user dials 2, the system jumps to the government product sales department menu.

If the user dials #, the system terminates the call.

2. Marketing and sales department menu

This menu plays the audio file Welcome1.wav. Then,

If the user dials 0, the system dials the number 500 to call the attendant.

If the user dials 1, the system jumps to the major financial customer department menu.

If the user dials 2, the system jumps to the carrier customer department menu.

If the user dials 3, the system jumps to the SME department menu.

If the user dials *, the system returns to the previous menu.


3. Telecom product sales department menu

This menu plays the audio file Welcome2.wav. Then,

If the user dials 0, the system dials the number 500 to call the attendant.

If the user dials 1, the system plays the audio file that introduces product A.

If the user dials 2, the system plays the audio file that introduces product B.

If the user dials 3, the system plays the audio file that introduces product C.

If the user dials *, the system returns to the previous menu.


4. Government product sales department

This menu plays the audio file Welcome3.wav. Then,

If the user dials 0, the system dials the number 500 to call the attendant.

If the user dials 1, the system plays the audio file that introduces product D.

If the user dials 2, the system plays the audio file that introduces product E.

If the user dials 3, the system plays the audio file that introduces product F.

If the user dials *, the system returns to the previous menu.

Configuration procedure
1. Upload media resource files

# Upload a media resource file.


Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
enter the following page.


Figure 743 Configure media resource

Type 1000 for Media Resource ID.

Type Hello for Rename Media Resource.

Click the Browse button of g729r8 codec to select the target file.

Click Apply.

Use the same method to upload other g729r8 media resource files. You can see these uploaded files in
Voice Management > IVR Services > Media Resources Management, as shown in Figure 744.

Figure 744 Media file list

2. Configure the access number

# Configure the access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click Add to enter the following page.
Figure 745 Configure an access number

Type 30000 for Number ID.

Type 300 for Number.

Type Voice Menu Access Number for Description.

Click Apply.

# Create a menu.
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and click Add to create a menu.
Figure 746 Configure a menu

Type 1 for Menu Node ID.

Type Voice Menu System of Company A for Menu Name.

Select Jump from the Menu Type dropdown list, and Hello from the Play Voice Prompts When the
User Enters the Menu dropdown list.

Click Next.
# Bind the access number.


Figure 747 Bind the access number

Select the checkbox of the access number 30000, and click Apply.

3. Configure the voice menu system

# Enter the Customize IVR Services page.


Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree
to enter the page shown in Figure 748. Click the icon of the menu to enter the Customize IVR Services
page shown in Figure 749.

Figure 748 Menu list


Figure 749 Customize IVR services

# Add submenus for the marketing and sales department, telecom product sales department, and
government product sales department.
Select the voice menu system of Company A from the navigation tree to enter the following page.
Figure 750 Voice menu system of Company A

Select Add A New Node from the Jump to submenu dropdown list of key 0.

Click OK on the popup dialog box to enter the following page.


Figure 751 Create a submenu for the marketing and sales department

Type 2 for Menu Node ID.

Type Marketing and Sales Dept for Menu Description.

Select Jump from the Menu Type dropdown list, and welcome1 from the Play Voice Prompts When
the User Enters the Menu dropdown list.

Click Apply.
Configure submenus for the telecom product department and government product department as per
Figure 752 and Figure 753.
Figure 752 Add a submenu for the telecom product sales department

Figure 753 Add a submenu for the government product sales department

Return to the Customize IVR Service page.


Figure 754 Voice menu system of Company A

Select Terminate the call from the Operation dropdown list of key #.

Click Apply.

4. Configure the marketing and sales department submenu

Select Marketing and Sales Dept from the navigation tree.


Figure 755 Marketing and sales department submenu

Select Jump from the Operation dropdown list, and Add A New Node from the Jump to submenu
dropdown list for key 0.

Click OK on the popup dialog box to enter the following page.



Figure 756 Add a submenu

Type 8 for Menu Node ID.

Type Attendant for Menu Description.

Select Dial immediately from the Menu Type dropdown list, and type 500 for Call immediately.

Click Apply.
Use the same method to add submenus for the major financial customer department, carrier customer
department, and SMB department.
Figure 757 Marketing and sales department submenu

Select Return to the previous node from the Operation dropdown list of key *.

Click Apply.
After the configuration, the marketing and sales department submenu is as shown in Figure 757.

5. Configure the telecom product sales department submenu

Select Telecom Product Sales Dept from the navigation tree.


Figure 758 Telecom product sales department submenu

Select Jump from the Operation dropdown list, and Attendant from the Jump to submenu dropdown
list of key 0.

Select Jump from the Operation dropdown list, and Add A New Node from the Jump to submenu
dropdown list of key 1.

Click OK on the popup dialog box to enter the following page.


Figure 759 Add a submenu

Type 9 for Menu Node ID.

Type Introduction to Product A for Menu Description.

Select Return to the previous node from the Menu Type dropdown list, and ProductA from the Play
Voice Prompts When the User Enters the Menu dropdown list.

Click Apply.
Use the same method to add submenus for introductions to Products B and C. After that, return to the
Customize IVR Services page.


Figure 760 Telecom product sales department submenu

Select Return to the previous node from the Operation dropdown list of key *.

Click Apply.
After the configuration, the telecom product sales department submenu is as shown in Figure 760.

6. Configure the government product sales department submenu

Select Government Product Sales Dept from the navigation tree. Configure the submenu as shown in
Figure 761. The configuration procedure is identical to that of the telecom product sales
department submenu.


Figure 761 Government product sales department submenu

After all the configuration, the Customize IVR Services page is as shown in Figure 761.


Advanced configuration
Global configuration
Select Voice Management > Advanced Configuration > Global Configuration from the navigation tree to
enter the global configuration page, as shown in Figure 762.
Figure 762 Global configuration page

Table 285 Configuration items

Item: Description

Tone Playing Mode for Call Hold:
  Silent: The calling party does not play any tones to the called party during call hold.
  Playing music: The calling party plays the specified tones to the called party during call hold.
By default, the tone playing mode is the silent mode.

Media Resource: Select the media resource if you select the Playing Music option. You can upload
media resource files in Voice Management > IVR Services > Media Resources Management.

Call Progress Tones Country Mode: Configure the device to play the call progress tones of a specified
country or region. By default, the call progress tones of China are specified.

Backup Rule: Backup rule:
  Strict: One of the following three conditions will trigger strict call backup:
    The device does not receive any reply from the peer after sending out a call request.
    The device fails to initiate a call to the IP network side.
    The device fails to register on the voice server.
  Loose: Loose call backup is triggered if any of the above mentioned three conditions or the
  following condition happens: the device receives a reject reply (with a number from 3xx to 6xx
  except 300, 301, 302, 305, 401, 407, and 422) after sending a call request.

Call Backup Switch Time: Specifies the time duration in seconds for switching from the current VoIP
link to another VoIP link or a PSTN link (that is, the call backup switching time) in case of a
VoIP call failure.

Number of Saved Call Records: Set the maximum number of call history records that can be stored.

Related Time Parameters of DTMF:
  Duration of Sending DTMF Digits
  Interval of Sending DTMF Tones

DSCP Value in the ToS Field of the IP Packets Carrying RTP Stream: Set the DSCP value in the ToS
field in the IP packets that carry the RTP stream globally.

DSCP Value in the ToS Field of the IP Packets Carrying Voice Signaling: Set the DSCP value in the
ToS field in the IP packets that carry the voice signaling globally.
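
The Strict and Loose backup rules from Table 285, applied to SIP status lines, as an added Python example (not H3C code). The condition labels, function names and sample replies are constructed for illustration; the reason phrases in the comments are the standard SIP ones for the status codes the table excludes from loose backup.

```python
import re

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")

# Status codes the table excludes from loose backup. These are redirections
# and challenges that the SIP stack normally answers itself by retrying the
# request, so they do not by themselves mean the VoIP path has failed.
EXCLUDED_REPLIES = {
    300: "Multiple Choices",
    301: "Moved Permanently",
    302: "Moved Temporarily",
    305: "Use Proxy",
    401: "Unauthorized",
    407: "Proxy Authentication Required",
    422: "Session Interval Too Small",
}

# Labels (constructed) for the three conditions listed under Strict.
STRICT_CONDITIONS = {"no-reply", "call-init-failed", "register-failed"}


def parse_status(status_line):
    """Extract the numeric status code from a SIP response status line."""
    match = STATUS_LINE.match(status_line.strip())
    if not match:
        raise ValueError("not a SIP status line: %r" % status_line)
    return int(match.group(1))


def is_reject_reply(status):
    """True for a 3xx-6xx reply that counts as a reject under the Loose rule."""
    return 300 <= status <= 699 and status not in EXCLUDED_REPLIES


def triggers_backup(rule, condition=None, reply=None):
    """Decide whether one failed call attempt triggers call backup.

    rule      -- "strict" or "loose"
    condition -- one of STRICT_CONDITIONS, or None if a reply was received
    reply     -- SIP status line received for the call request, or None
    """
    if rule not in ("strict", "loose"):
        raise ValueError("unknown backup rule: %r" % rule)
    if condition in STRICT_CONDITIONS:
        return True                      # applies to both rules
    if rule == "loose" and reply is not None:
        return is_reject_reply(parse_status(reply))
    return False


# Constructed sample attempts: (condition, reply status line).
SAMPLE_ATTEMPTS = [
    ("no-reply", None),
    (None, "SIP/2.0 486 Busy Here"),
    (None, "SIP/2.0 407 Proxy Authentication Required"),
    (None, "SIP/2.0 302 Moved Temporarily"),
    (None, "SIP/2.0 503 Service Unavailable"),
    (None, "SIP/2.0 180 Ringing"),
]


def backup_decisions(rule, attempts=SAMPLE_ATTEMPTS):
    """Return one True/False backup decision per attempt under the given rule."""
    return [triggers_backup(rule, condition, reply) for condition, reply in attempts]
```
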

Batch configuration
Local number
Creating numbers in batch
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Create Numbers in Batch link in the Local Number area to enter the page for creating
numbers in batch, as shown in Figure 763.


Figure 763 Creating numbers in batch

Table 286 Configuration items

Item: Description

Start Number: Specify the start number, and then a series of consecutive numbers starting with the
start number will be bound to the selected voice subscriber lines. For example, if you specify
the start number as 3000 and select lines 3/0 and line 3/1, then line 3/0 is bound to
number 3000, and line 3/1 is bound to number 3001.

Register Mode: You can set the register username and password in one of the following three ways:
  Username and Password are the Same as Number
  No Username and No Password
  Username and Password are Specified Uniformly: If you select this option, you need
  to set the username and password.

Register Username: Username used for registration and authentication

Register Password: Password used for registration and authentication

FXS Lines (Selected FXS Lines, Available FXS Lines):
  Select an FXS voice subscriber line in the Available FXS Lines box, click < to add the line
  into the Selected FXS Lines box.
  Select an FXS voice subscriber line in the Selected FXS Lines box, click > to remove the
  line from the box.
  Click << to add all FXS voice subscriber lines in the Available FXS Lines box into the
  Selected FXS Lines box; click >> to remove all FXS voice subscriber lines from the
  Selected FXS Lines box.

Fax and Modem


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Fax and Modem link in the Local Number area to enter the local number fax and
modem configuration page, as shown in Figure 764.


Figure 764 Local number fax and Modem configuration page

Table 287 Configuration items

Item: Description

Fax Protocol: Configure the protocol used for fax communication with other devices.
  T.38: Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly.
  Standard T.38: Use the standard T38 protocol of H323 or SIP. The fax negotiation
  mode depends on the protocol used (H323 or SIP).
Configure the fax pass-through mode.
  G.711 A-law
  G.711 μ-law
The pass-through mode is subject to such factors as packet loss, jitter and delay, so the
clocks on both communication sides must be kept synchronized. At present, only
G.711 A-law and G.711 μ-law are supported, and the VAD function should be
disabled.

ECM Fax: As defined in ITU-T, the error correction mode (ECM) is required by the half-duplex and
half-modulation system running ITU-T V.34 protocol for fax message transmission.
Besides, the G3 fax terminals working in full duplex mode are required to support
half-duplex mode, namely, ECM.
The fax machines using ECM can correct errors, provide the automatic repeat request
(ARQ) function, and transmit fax packets in the format of HDLC frames. On the
contrary, the fax machines using non-ECM cannot correct errors and they transmit fax
packets in the format of binary strings.
  Enable: Enable ECM.
  Disable: Disable ECM.
By default, ECM is disabled.
To use ECM, fax machines on both sides and the gateway must support ECM.
You must enable ECM mode for the local numbers and call routes corresponding to the
fax sender and receiver in the ECM mode.

CNG Fax Switchover Function: The calling tone (CNG) fax switchover is used to implement the fax
mailbox service through communication with the VCX. When the local fax machine A originates a fax
call to the peer fax machine B, if B is busy or is unattended, A can send the fax call to
the fax mailbox of the VCX. With CNG fax switchover enabled, the voice gateway can
switch to the fax mode once it receives a CNG from A.
  Enable
  Disable
The function is disabled by default.

Codec Type and Switching Mode for SIP Modem Pass-through: Configure the codec type and switching
mode for SIP Modem pass-through function.
  Standard G.711 A-law: Adopt G.711 A-law as the codec type and use Re-Invite
  switching for SIP Modem pass-through.
  Standard G.711 μ-law: Adopt the G.711 μ-law codec type and Re-Invite switching
  mode.
  NTE Compatible G.711 A-law: Adopt the G.711 A-law codec type and
  NTE-compatible switching mode.
  NTE Compatible G.711 μ-law: Adopt the G.711 μ-law codec type and
  NTE-compatible switching mode.

NET Payload Type Field: Configure the value of NTE payload type for the NTE-compatible switching
mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible
G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem
Pass-through drop-down list.
By default, the value of the NTE payload type is 100.

Select the Number(s): Select the checkboxes of specific local numbers and then click the Apply to
Selected Number(s) button to apply the above fax and Modem settings to the selected local
numbers.

Call services
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Call Services link in the Local Number area to enter the local number call services
configuration page, as shown in Figure 765.


Figure 765 Call services configuration page

Table 288 Configuration items


Item

Description
Configure call forwarding:

Enable
Disable
By default, call forwarding is disabled.
Call Forwarding

After a call forwarding function is enabled, you can input the corresponding
forwarded-to number:

The Forwarded-to Number for Call Forwarding no Reply: Input the forwarded-to
number.

The Forwarded-to Number for Call Forwarding Busy: Input the forwarded-to number.
The Forwarding Unconditional: Input the forwarded-to number.
The Forwarded-to Number for Call Forwarding Unavailable: Input the forwarded-to
number.

Call Hold
Configure call hold:
- Enable
- Disable
By default, call hold is disabled.
After call hold is enabled, you can set the Max Time Length the Held Party Can Wait parameter as needed.
IMPORTANT: The Max Time Length the Held Party Can Wait is only applied to the held party of a call, that is, the receiver of call hold.

Call Transfer
Configure call transfer:
- Enable
- Disable
By default, call transfer is disabled.
Call hold must be enabled before you can configure call transfer.
After call transfer is enabled, you can set the Call Transfer Start Delay parameter as needed.

Three-Party Conference
Configure three-party conference:
- Enable
- Disable
By default, three-party conference is disabled.
The three-party conference function depends on the call hold function. Therefore, you need to enable the call hold function before configuring three-party conference.

Call Waiting
Configure call waiting:
- Enable
- Disable
By default, call waiting is disabled.
After call waiting is enabled, you can configure the following parameters as needed:
- Number of Call Waiting Tone Play Times
- Number of Tones Played at One Time
- Interval for Playing Call Waiting Tones
By default, two call waiting tones are played once, and if the value of Number of Tones in a Call Waiting Tone is greater than 1, the Interval for Playing Call Waiting Tones is 15 seconds.

Hunt Group
Configure hunt group:
- Enable
- Disable
By default, hunt group is disabled.

Feature Service
Configure Feature service:
- Enable
- Disable
By default, Feature service is disabled.

Message Waiting Indicator
Configure message waiting indicator (MWI):
- Enable
- Disable
By default, MWI is disabled.
IMPORTANT: Generally, the voice gateway sends a SUBSCRIBE to the server, and receives a NOTIFY from the server if the subscription is successful, and gets the status of the voice mailbox afterwards.

Processing Priority When the Line is Busy
Specify the processing sequence of services when the line is busy.

Select the Number(s)
Select the check boxes of desired local numbers, and then click the Apply to Selected Number(s) button to apply the above call services settings to the selected local numbers.
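
The SUBSCRIBE/NOTIFY exchange mentioned in the Message Waiting Indicator note, as an added example that is not H3C code: it checks that a NOTIFY belongs to the gateway's subscription and reads the mailbox status from its body. The event package name and body format follow RFC 3842; the addresses, tags, branch and Call-ID values are constructed.

```python
import re
from typing import Dict, Tuple

# Constructed messages: addresses, tags, branch and Call-ID values are made up.
SUBSCRIBE = (
    "SUBSCRIBE sip:2000@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-constructed-1\r\n"
    "From: <sip:2000@192.0.2.10>;tag=gw1\r\n"
    "To: <sip:2000@192.0.2.10>\r\n"
    "Call-ID: mwi-constructed-0001@192.0.2.20\r\n"
    "CSeq: 1 SUBSCRIBE\r\n"
    "Event: message-summary\r\n"
    "Accept: application/simple-message-summary\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)
MWI_BODY = (
    "Messages-Waiting: yes\r\n"
    "Message-Account: sip:2000@192.0.2.10\r\n"
    "Voice-Message: 2/8 (0/2)\r\n"
)
NOTIFY = (
    "NOTIFY sip:2000@192.0.2.20:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed-2\r\n"
    "From: <sip:2000@192.0.2.10>;tag=srv1\r\n"
    "To: <sip:2000@192.0.2.10>;tag=gw1\r\n"
    "Call-ID: mwi-constructed-0001@192.0.2.20\r\n"
    "CSeq: 1 NOTIFY\r\n"
    "Event: message-summary\r\n"
    "Subscription-State: active;expires=3600\r\n"
    "Content-Type: application/simple-message-summary\r\n"
    f"Content-Length: {len(MWI_BODY)}\r\n\r\n" + MWI_BODY
)

# "new/old" counts, optionally followed by "(urgent new/urgent old)".
COUNTS = re.compile(r"^(\d+)/(\d+)(?:\s*\((\d+)/(\d+)\))?$")


def parse_sip(message: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, lower-cased headers and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_message_summary(body: str) -> dict:
    """Parse an application/simple-message-summary body."""
    summary = {"waiting": None, "account": None, "counts": {}}
    for line in body.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed summary line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "messages-waiting":
            if value.lower() not in ("yes", "no"):
                raise ValueError("Messages-Waiting must be yes or no")
            summary["waiting"] = value.lower() == "yes"
        elif name == "message-account":
            summary["account"] = value
        elif name.endswith("-message"):
            match = COUNTS.match(value)
            if not match:
                raise ValueError(f"bad message count: {value!r}")
            new, old, u_new, u_old = (int(g) if g else 0 for g in match.groups())
            summary["counts"][name[: -len("-message")]] = {
                "new": new, "old": old, "urgent_new": u_new, "urgent_old": u_old}
    if summary["waiting"] is None:
        raise ValueError("Messages-Waiting line is missing")
    return summary


def mailbox_status(subscribe: str, notify: str) -> dict:
    """Check that the NOTIFY answers this subscription, then read the mailbox state."""
    _, sub_headers, _ = parse_sip(subscribe)
    start, headers, body = parse_sip(notify)
    if not start.startswith("NOTIFY "):
        raise ValueError("not a NOTIFY request")
    if headers.get("call-id") != sub_headers.get("call-id"):
        raise ValueError("NOTIFY belongs to a different subscription dialog")
    if headers.get("event", "").split(";")[0].strip().lower() != "message-summary":
        raise ValueError("NOTIFY is not for the message-summary event")
    state = headers.get("subscription-state", "").split(";")[0].strip().lower()
    result = {"subscribed": state == "active"}
    if body.strip():                      # a terminating NOTIFY may carry no body
        result.update(parse_message_summary(body))
    return result
```
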

Advanced settings
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Advanced Settings link in the Local Number area to enter the local number advanced
settings page, as shown in Figure 766.
Figure 766 Local number advanced settings page


Table 289 Configuration items
Item / Description

Codecs and Priorities
- Codec with the First Priority
- Codec with the Second Priority
- Codec with the Third Priority
- Codec with the Lowest Priority

DTMF Transmission Mode
Specify DTMF transmission mode:
- In-band Transmission
- Out-of-band Transmission
- RFC2833: Adopt DTMF named telephone event (NTE) transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets.

Number Sending Mode
Specify number sending mode:
- Send a Truncated Called Number
- Send All Digits of a Called Number
- Send Certain Number of Digits: Send a certain number of digits (extracted from the end of the number) of a called number. The specified value should not be greater than the total number of digits of the called number.

Number Selection Priority
Set the priority of the local number. The smaller the value, the higher the priority.

Dial Prefix
Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out.
- Enable
- Disable: Remove the configured dial prefix.
If you select to enable the function, you need to input the dial prefix.

VAD
The voice activity detection (VAD) discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can save the transmission bandwidth by 50%.
- Enable
- Disable
By default, VAD is disabled.

Select the Number(s)
Select the check boxes of desired local numbers, and then click the Apply to Selected Number(s) button to apply the above advanced settings to the selected local numbers.

Call route
Fax and Modem
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Fax and Modem link in the Call Route area to enter the call route fax and modem
configuration page, as shown in Figure 767.


Figure 767 Call route fax and Modem configuration page

Table 290 Configuration items
Item / Description

Fax Protocol
Specify the protocol used for fax communication with other devices.
- T.38: Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly.
- Standard T.38: Use the standard T38 protocol of H323 or SIP. The fax negotiation mode depends on the protocol used (H323 or SIP).
Configure the fax pass-through mode.
- G.711 A-law
- G.711 μ-law
The pass-through mode is subject to such factors as packet loss, jitter and delay, so the clocks on both communication sides must be kept synchronized. At present, only G.711 A-law and G.711 μ-law are supported, and the VAD function should be disabled.

ECM Fax
As defined in ITU-T, the error correction mode (ECM) is required by the half-duplex and half-modulation system running ITU-T V.34 protocol for fax message transmission. Besides, the G3 fax terminals working in full duplex mode are required to support half-duplex mode, namely, ECM.
The fax machines using ECM can correct errors, provide the automatic repeat request (ARQ) function, and transmit fax packets in the format of HDLC frames. In contrast, the fax machines using non-ECM cannot correct errors and they transmit fax packets in the format of binary strings.
- Enable: Enable ECM for fax.
- Disable: Disable ECM for fax.
By default, ECM fax is disabled.
ECM can work only if fax machines on both sides support ECM and the gateway is configured with ECM.
You must enable ECM mode for the local numbers and call routes corresponding to the fax sender and receiver in the ECM mode.

CNG Fax Switchover Function
The calling tone (CNG) fax switchover is used to implement the fax mailbox service through communication with the VCX. When the local fax machine A originates a fax call to the peer fax machine B, if B is busy or is unattended, A can send the fax call to the fax mailbox of the VCX. With CNG fax switchover enabled, the voice gateway can switch to the fax mode once it receives a CNG from A.
- Enable
- Disable
The function is disabled by default.

Codec Type and Switching Mode for SIP Modem Pass-through
Configure the codec type and switching mode for SIP Modem pass-through function.
- Standard G.711 A-law: Adopt the G.711 A-law codec type and Re-Invite switching mode.
- Standard G.711 μ-law: Adopt the G.711 μ-law codec type and Re-Invite switching mode.
- NTE Compatible G.711 A-law: Adopt the G.711 A-law codec type and NTE-compatible switching mode.
- NTE Compatible G.711 μ-law: Adopt the G.711 μ-law codec type and NTE-compatible switching mode.

NTE Payload Type Field
Configure the value of the NTE payload type for the NTE-compatible switching mode.
This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Pass-through drop-down list.
By default, the value of the NTE payload type is 100.

Select the Route(s)
Select the check boxes of call routes, and then click the Apply to Selected Route(s) button to apply the above fax and Modem settings to the selected call routes.

Advanced settings
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Advanced Settings link in the Call Route area to enter the call route advanced settings
page, as shown in Figure 768.
Figure 768 Call route advanced settings page


Table 291 Configuration items
Item / Description

Codecs and Priorities
- Codec with the First Priority
- Codec with the Second Priority
- Codec with the Third Priority
- Codec with the Lowest Priority

DTMF Transmission Mode
Specify DTMF transmission mode:
- In-band Transmission
- Out-of-band Transmission
- RFC2833: Adopt DTMF named telephone event (NTE) transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets.
By default, the value of the NTE payload type field is 101.

Route Selection Priority
Set the priority of the call route. The smaller the value, the higher the priority.

VAD
The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can save the transmission bandwidth by 50%.
- Enable
- Disable
By default, VAD is disabled.

Select the Route(s)
Select the check boxes of desired call routes, and then click the Apply to Selected Route(s) button to apply the above advanced settings to the selected call routes.
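
An added example (not H3C code) for the RFC2833 option in the local number and call route advanced settings: a decoder for the telephone-event payload that only accepts RTP packets whose payload type equals the configured NTE value (101 by default, as stated above). The packet stream, the SSRC and the non-matching value 96 are constructed for illustration.

```python
import struct
from typing import Iterable, Optional

DTMF_EVENTS = "0123456789*#ABCD"   # RFC 2833 event codes 0-15
DEFAULT_NTE_PT = 101               # default NTE payload type given on this page


def decode_nte(packet: bytes, nte_pt: int = DEFAULT_NTE_PT) -> Optional[dict]:
    """Decode one RTP packet as an RFC 2833 telephone-event.

    Returns None when the RTP payload type differs from nte_pt (ordinary
    media, or the two ends disagree on the NTE payload type value).
    Raises ValueError on a truncated or non-RTP packet.
    """
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    if b1 & 0x7F != nte_pt:                      # low 7 bits: payload type
        return None
    offset = 12 + 4 * (b0 & 0x0F)                # skip the CSRC list
    if b0 & 0x10:                                # header extension present
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(packet)
    if b0 & 0x20:                                # padding: last byte is its length
        pad = packet[-1]
        if pad == 0 or pad > end - offset:
            raise ValueError("invalid RTP padding")
        end -= pad
    payload = packet[offset:end]
    if len(payload) < 4:
        raise ValueError("telephone-event payload needs 4 bytes")
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {
        "seq": seq, "timestamp": timestamp, "ssrc": ssrc, "event": event,
        "digit": DTMF_EVENTS[event] if event < 16 else None,
        "end": bool(flags & 0x80),               # E bit: last packet of the event
        "volume_dbm0": -(flags & 0x3F),          # 6-bit volume, expressed in -dBm0
        "duration": duration,                    # in RTP timestamp units
    }


def collect_digits(packets: Iterable[bytes], nte_pt: int = DEFAULT_NTE_PT) -> str:
    """Return the dialed digits, one per event.

    All packets of one event share an RTP timestamp and the end packet is
    retransmitted, so events are de-duplicated on (SSRC, timestamp).
    """
    seen = set()
    digits = []
    for packet in packets:
        event = decode_nte(packet, nte_pt)
        if event is None or event["digit"] is None:
            continue
        key = (event["ssrc"], event["timestamp"])
        if key not in seen:
            seen.add(key)
            digits.append(event["digit"])
    return "".join(digits)


def build_nte(seq, timestamp, event, end, pt=DEFAULT_NTE_PT, duration=160, marker=False):
    """Build a constructed NTE packet for the sample stream below."""
    header = struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt,
                         seq, timestamp, 0x1234ABCD)
    return header + struct.pack("!BBH", event, (0x80 if end else 0) | 10, duration)


# Constructed stream: digit 5, one G.711 A-law voice packet (PT 8), then #.
SAMPLE = [
    build_nte(1, 8000, 5, False, marker=True),
    build_nte(2, 8000, 5, False, duration=320),
    build_nte(3, 8000, 5, True, duration=480),
    build_nte(4, 8000, 5, True, duration=480),   # end packet, retransmitted
    build_nte(5, 8000, 5, True, duration=480),
    struct.pack("!BBHII", 0x80, 8, 6, 8640, 0x1234ABCD) + bytes(160),
    build_nte(7, 9600, 11, False, marker=True),
    build_nte(8, 9600, 11, True, duration=320),
]

if __name__ == "__main__":
    print("expecting PT 101:", repr(collect_digits(SAMPLE)))
    print("expecting PT 96: ", repr(collect_digits(SAMPLE, nte_pt=96)))
```

With the payload type set to a value the sender does not use, the same stream yields no digits, which is how a payload type mismatch between the two ends shows up in a capture.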

Line management
FXS line configuration
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the FXS Line Configuration link in the Line Management area to enter the FXS line
configuration page, as shown in Figure 769.


Figure 769 FXS line configuration page

Table 292 Configuration items
Item / Description

Max Interval for Dialing the Next Digit
Maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit
Maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user is prompted to hang up and the call is terminated.

Dial Delay Time
Configure dial delay time.
By default, the dial delay time is 1 second.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT: Gain adjustment may lead to call failures. Adjusting the gain is not recommended. If necessary, do it with the guidance of technical personnel.

DTMF Detection Sensitivity Level
Set the DTMF detection sensitivity level.
- Low: In this mode, the reliability is high, but DTMF tones may fail to be detected.
- Medium: In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the probability of false detection. Support for this option varies with installed cards.
- High: In this mode, the reliability is low and detection errors may occur.

Select the Line(s)
Select the check boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected FXS lines.

FXO line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the FXO Line Configuration link in the Line Management area to enter the FXO line
configuration page, as shown in Figure 770.
Figure 770 FXO line configuration page

Table 293 Configuration items
Item / Description

Max Interval for Dialing the Next Digit
Maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit
Maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user is prompted to hang up and the call is terminated.

Dial Delay Time
Configure dial delay time.
By default, the dial delay time is 1 second.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT: Gain adjustment may lead to call failures. Adjusting the gain is not recommended. If necessary, do it with the guidance of technical personnel.

DTMF Detection Sensitivity Level
Set the DTMF detection sensitivity level.
- Low: In this mode, the reliability is high, but DTMF tones may fail to be detected.
- Medium: In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the probability of false detection. Support for this option varies with installed cards.
- High: In this mode, the reliability is low and detection errors may occur.

Select the Line(s)
Select the check boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected FXO lines.

E&M line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the E&M Line Configuration link in the Line Management area to enter the E&M line
configuration page, as shown in Figure 771.
Figure 771 E&M line configuration page

Table 294 Configuration items
Item / Description

Max Interval for Dialing the Next Digit
Maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up and the call is terminated.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT: Gain adjustment may lead to call failures. Adjusting the gain is not recommended. If necessary, do it with the guidance of technical personnel.

Select the Line(s)
Select the check boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected E&M lines.

ISDN line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the ISDN Line Configuration link in the Line Management area to enter the ISDN line
configuration page, as shown in Figure 772.
Figure 772 ISDN line configuration page

Table 295 Configuration items
Item / Description

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output attenuation value.

IMPORTANT: Gain adjustment may lead to call failures. Adjusting the gain is not recommended. If necessary, do it with the guidance of technical personnel.

Select the Line(s)
Select the check boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected ISDN lines.

SIP local survival services


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Create Users in Batches link in the SIP Local Survival Services area to enter the page
as shown in Figure 773.


Figure 773 Create users in batches

Table 296 Configuration items
Item / Description

Start Number
Specify the telephone number of the first user to be registered.

Register User Quantity
Number of users to be registered.

For example, if you specify the start number as 2000 and set the register user quantity to 5, the device automatically generates five registered users with telephone numbers from 2000 to 2004.

Registration Mode
Set the registration mode:
- No username and password
- Username and password are the same as the number
- Username and password are specified uniformly: If you select this option, you need to specify the authentication username and authentication password.

Authentication Username
Type the name of the user for authentication.

Authentication Password
Type the password of the user for authentication.

States and statistics


Line states
Use this page to view information about all voice subscriber lines.
Select Voice Management > States and Statistics > Line States from the navigation tree. The Line State
Information page appears.
Figure 774 Line state information page

This page supports two types of voice subscriber lines:

- Analog voice subscriber lines: FXS, FXO, paging, music on hold (MoH), and E&M.
- Digital voice subscriber lines: BSV, VE1, and VT1.

Table 297 Information items
Item / Description

Name
Voice subscriber line name

Type
Voice subscriber line type:
- BRI
- PRI
- FXS
- FXO
- EM
- PAGE
- MOH
- ISDN PRI
- ISDN BRI

Description
Voice subscriber line description

Subscriber Line Status
- Physical Down: The voice subscriber line is physically down. (Possibly because no physical link is present or the link has failed)
- UP: The voice subscriber line is administratively down.
- Shutdown: The voice subscriber line is both administratively and physically up.

Displaying detailed information about analog voice subscriber lines
For analog voice subscriber lines FXS, FXO, paging, MoH, and E&M, you can click the Details link to
view details.
Figure 775 Paging line details

Displaying detailed information about digital voice subscriber lines
For digital voice subscriber lines BSV, VE1, and VT1, you can click the Details link to view details about
the line.

Figure 776 ISDN line details

You can click a timeslot (TS) link to view the details about the TS.
Figure 777 Timeslot details

Call statistics
The following pages display call statistics.

- Active Call Summary page: Displays statistics about ongoing calls.
- History Call Summary page: Displays statistics about ended calls.

Displaying active call summary


Select Voice Management > States and Statistics > Call Statistics from the navigation tree. The Active Call
Summary page appears.
Figure 778 Active call summary page

Table 298 Information items
Field / Description

Type
Call type
At present, only Speech and Fax are supported.

Status
Call status
- Unknown: The call status is unknown.
- Connecting: A connection attempt (outgoing call) is being made.
- Connected: A connection attempt (incoming call) is being made.
- Active: The call is active.

Displaying history call summary


Select Voice Management > States and Statistics > Call Statistics from the navigation tree and click the
History Call Summary tab.
Figure 779 History call summary page


SIP UA states
The following pages show SIP UA states.

- TCP Connection Information page: Displays information about all TCP-based call connections.
- TLS Connection Information page: Displays information about all TLS-based call connections.
- Number Register Status page: Displays number register information when you use SIP servers to manage SIP calls.
- Number Subscriber Status page: Displays the subscription status information of Message Waiting Indication (MWI) when MWI is in use.

Displaying TCP connection information


Select Voice Management > States and Statistics > SIP UA States from the navigation tree. The TCP
Connection Information page appears.
Figure 780 TCP connection information

Table 299 Information items
Field / Description

Connection ID
Call connection ID, automatically generated by the system

Local Address
IP address of the calling party

Local Port
Port number of the calling party

Remote Address
IP address of the called party

Remote Port
Port number of the called party

Connection State
Connection state:
- Idle
- Connecting
- Established

Displaying TLS connection information


Select Voice Management > States and Statistics > SIP UA States from the navigation tree. The TLS
Connection Information page appears.

Figure 781 TLS connection information

For information items, see Table 299.

Displaying number register status


Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the
Number Register Status tab.
Figure 782 Number register status

Table 300 Information items
Field / Description

Number
Registered phone number

Registrar
Address of the registrar, in the format of IP address plus port number or domain name

Remaining Aging Time (Sec)
Remaining aging time of a number, that is, the remaining time before the next registration

Status
Status of the number, including:
- offline: Not registered
- online: Registered
- login: Being registered
- logout: Being deregistered
- dnsin: DNS query is being performed before registration.
- dnsout: DNS query is being performed before deregistration.

Displaying number subscription status


Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the
Number Subscription Status tab.

Figure 783 Number subscription status

Table 301 Information items
Field / Description

Number
Phone number

Subscription Server
MWI server address, in the format of IP address plus port number or domain name

Remaining Aging Time (Sec)
Remaining aging time of the subscription, that is, the remaining time before the next subscription

Status
Subscription status, including:
- offline: Not subscribed
- online: Subscribed
- login: The subscription is being proposed.
- logout: The subscription is being canceled.

Local survival service states


Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree.
The Local Survival Service States page appears.
Figure 784 Local survival service states

Table 302 Information items
Field / Description

Server Operation Mode
- Alone
- Alive

Server Status
- Enabled
- Disabled

User ID
User ID

Phone Number
Registered phone number

State
State of the registered user:
- Online: The user is online.
- Offline: The user is offline.

SIP trunk account states


Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree.
The SIP Trunk Account States page appears.
Figure 785 SIP trunk account states

Table 303 Information items
Field / Description

Aging Time
Aging time

Status
Registration status of the SIP trunk account:
- Disabled: Not in use.
- Offline: Not registered.
- Online: Registered.
- Login: Being registered.
- Logout: Being deregistered.
- Dnsin: DNS query is being performed before registration.
- Dnsout: DNS query is being performed before deregistration.

Server group information


Select Voice Management > States and Statistics > Server Group Information from the navigation tree.
The Server Group Information page appears.


Figure 786 Server group information

This page displays the configuration information of server groups. For how to configure server groups,
see the chapter SIP server group management.

IVR information
The following pages show IVR information.

- IVR Call States page: Displays information about ongoing IVR calls.
- IVR Play States page: Displays information about ongoing IVR playing.

Displaying IVR call states


Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR Call
States page appears.
Figure 787 IVR call states

Table 304 Information items
Field / Description

Corresponding Access Number
IVR access number corresponding to the called number

Current Menu Node
Current menu node ID

State
Current state:
- Idle: The node is idle.
- Playing a media file
- Waiting for input: The node is waiting for the input of the subscriber.
- Calling: The node is calling a number.

Displaying IVR play states


Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR
Play States page appears.
Figure 788 IVR play states

Table 305 Information items
Field / Description

Play Count
Play times of the media file

Play State
- Playing
- Not playing

Play Type
- PSTN: The called party is from PSTN.
- IP: IP address of the peer media.
