3Com Router User Manual
PIM-SM Configuration

Table 588 Enable/Disable PIM-SM Protocol
  Operation                  Command
  Enable PIM-SM protocol     pim sm
  Disable PIM-SM protocol    undo pim sm

By default, PIM-SM is disabled on an interface. PIM-SM runs only on the interfaces where it is enabled, and an interface can run only one multicast routing protocol at a time.

Configuring the Candidate BSR

A PIM-SM domain must have exactly one bootstrap router (BSR) for its PIM-SM routers to operate normally. The BSR collects the candidate RP information and distributes it throughout the domain. Several candidate bootstrap routers (C-BSRs) elect one publicly acknowledged BSR through the bootstrap messages they exchange. Until the BSR is known, each C-BSR regards itself as the BSR and periodically sends bootstrap messages into the PIM-SM domain; they are sent to the all-PIM-routers multicast group 224.0.0.13 and carry the sender's BSR address and priority. The elected BSR then manages the RPs: it collects the RP information and distributes it to the whole network, and every router learns the RP set from the BSR.

Make the following configuration in the PIM view.

Table 589 Configure Candidate BSR
  Operation                                        Command
  Configure an interface to be candidate BSR       c-bsr interface-type interface-number hash-mask-length [ priority ]
  Disable an interface from being candidate BSR    undo c-bsr

By default, no interface is configured as a candidate BSR. Use the pim command in system view to enter PIM view.

Configuring the Candidate RP

In PIM-SM the shared tree, also called the RP tree (RPT), along which multicast data is first forwarded, has the rendezvous point (RP) as its root and the group members as its leaves. The RP set is determined through the BSR: after the BSR is elected, every candidate RP (C-RP) periodically unicasts a C-RP advertisement to the BSR, and the BSR selects the RPs and propagates the RP set to the whole network, so that all routers obtain the same RP information. There may be several RPs, each serving a different range of groups. When configuring a candidate RP you can specify the group range it serves: all multicast groups or only some of them.

Make the following configuration in the PIM view.

Table 590 Configure Candidate RP
CHAPTER 36: CONFIGURING PIM-SM

  Operation                                       Command
  Configure an interface to be candidate RP       c-rp interface-type interface-number [ accept-policy acl-number [ priority ] ]
  Disable an interface from being candidate RP    undo c-rp interface-type interface-number

By default, no interface is configured as a candidate RP. Use the pim command in system view to enter PIM view.

Generally only one C-BSR and one C-RP are configured in a network, and usually on the same router. A single router can have only one C-BSR: a later c-bsr command replaces the earlier one. Configure the C-RP and the C-BSR on a loopback interface of that router. A loopback interface is always UP, so this avoids the network oscillation caused by a physical interface alternating between UP and DOWN.

Configuring the PIM-SM Domain Boundary

When a network is large, it has to be divided into several multicast domains, each of which can be served by a different RP. After a PIM domain boundary is configured on an interface, BSR messages and RP messages do not cross that boundary, while the other PIM messages still pass through it. Configure the boundary on every interface that faces a network you do not administer: bootstrap messages and C-RP advertisements arriving from outside would otherwise take part in your domain's BSR election and RP set.

Make the following configuration in the interface view.

Table 591 Configure PIM-SM Domain Boundary
  Operation                     Command
  Set PIM domain boundary       pim bsr-boundary
  Delete PIM domain boundary    undo pim bsr-boundary

By default, no PIM-SM domain boundary is configured.

Configuring the Time Interval for Sending a Hello Message

Once PIM-SM is started on an interface, the interface periodically sends a hello message to all PIM routers (group address 224.0.0.13) to discover PIM neighbors; the query interval timer sets this interval. A hello message received on the interface shows that there is an adjacent PIM router, and the interface adds that router to its neighbor list. If no hello message arrives from a neighbor in the list within a certain period, the neighbor is assumed to have left the multicast network. Set the hello interval according to the bandwidth and the type of the network the interface is connected to.

Make the following configuration in the interface view.

Table 592 Configure the Time Interval of Interface Sending Hello Message
  Operation                                                                          Command
  Configure the time interval of interface sending Hello message                     pim timer hello seconds
  Restore the default value of the time interval of interface sending Hello message  undo pim timer hello
By default, the interface sends a hello message every 30 seconds.

Configuring the Threshold of the Shortest Path

A PIM-SM router first forwards multicast data along the shared tree. When the multicast data rate exceeds a configured threshold, the last-hop router of the multicast packets switches from the shared tree to the shortest path tree (SPT) rooted at the source.

Make the following configuration in the PIM view.

Table 593 Configure the Threshold of the Shortest Path Switching From the Shared Tree to Source
  Operation                                                                                Command
  Configure the threshold value of the shortest path switching from the shared tree to source   spt-switch-threshold { traffic-rate | infinity } [ accept-policy acl-number ]
  Restore the default threshold value of the shortest path switching from the shared tree to source   undo spt-switch-threshold [ accept-policy acl-number ]

By default, the threshold is zero: the last-hop router switches to the shortest path tree as soon as it receives the first multicast data packet. The keyword infinity means that the router never switches and keeps forwarding along the shared tree. Use the pim command in system view to enter PIM view.

Displaying and Debugging PIM-SM

Table 594 Display and Debug PIM-SM
  Operation                                                            Command
  Display multicast forwarding table information                       display multicast forwarding-table [ group-address ] [ source-address ]
  Display multicast core routing table                                 display multicast routing-table [ group-address ] [ source-address ]
  Display BSR information                                              display pim bsr-info
  Display PIM protocol interface information                           display pim interface [ type number ]
  Display PIM protocol multicast routing table information             display pim routing-table [ *g [ group-address ] | **rp [ rp-address ] | { group-address | source-address } ]
  Display PIM adjacent routers information                             display pim neighbor [ interface type number ]
  Display corresponding RP information of the multicast group          display pim rp-info [ group-address ]
  Turn on the switch of multicast forwarding table debugging information   debugging multicast forwarding
  Turn on the switch of PIM debugging information                      debugging pim common { all | event | packet | timer }
  Turn on the switch of PIM-SM debugging information                   debugging pim sm { all | mbr | mrt | timer | warning | { recv | send } { assert | bootstarp | crpadv | jp | reg | regstop } }
After the above configuration, execute the display commands in any view to display the PIM-SM configuration and verify the effect of the configuration. Execute the debugging commands in system view to debug PIM-SM.

PIM-SM Configuration Example

In a real network the routing equipment comes from different manufacturers and the unicast routing protocols differ. Because PIM is independent of any particular unicast protocol, the unicast protocol does not matter here; for the purpose of this example the routers are mutually reachable.

Figure 164 PIM-SM comprehensive configuration networking diagram (Host A, Router A, Router B, Router C, Router D and Host B; interfaces e0, s0, s1 and s2 as named in the configuration below)

1 Configure Router A

a Enable PIM-SM protocol
[RouterA] multicast routing-enable
[RouterA] interface ethernet 0
[RouterA-Ethernet0] pim sm
[RouterA-Ethernet0] interface serial 0
[RouterA-Serial0] pim sm
[RouterA-Serial0] interface serial 1
[RouterA-Serial1] pim sm

b Configure the threshold at which the multicast groups switch from the shared tree to the shortest path tree to be 10 kbps.
[RouterA] acl 5
[RouterA-acl-5] rule permit source 225.0.0.0 255.0.0.0
[RouterA-acl-5] pim
[RouterA-pim] spt-switch-threshold 10 accept-policy 5

2 Configure Router B

a Enable PIM-SM protocol
[RouterB] multicast routing-enable
[RouterB] interface serial 0
[RouterB-Serial0] pim sm
[RouterB] interface serial 1
[RouterB-Serial1] pim sm
[RouterB] interface serial 2
[RouterB-Serial2] pim sm

b Configure the candidate BSR (the c-bsr command is entered in PIM view)
[RouterB] pim
[RouterB-pim] c-bsr serial 0 30 2

c Configure the candidate RP (the acl command is entered in system view)
[RouterB] acl 5
[RouterB-acl-5] rule permit source 225.0.0.0 255.0.0.0
[RouterB-acl-5] pim
[RouterB-pim] c-rp serial 0 accept-policy 5

d Configure PIM domain boundary
[RouterB] interface serial 2
[RouterB-Serial2] pim bsr-boundary

Once Serial 2 has been configured as a BSR boundary, Router D no longer receives the BSR information sent by Router B and is thereby excluded from this PIM domain.

3 Configure Router C

a Enable PIM-SM protocol
[RouterC] multicast routing-enable
[RouterC] interface ethernet 0
[RouterC-Ethernet0] pim sm
[RouterC] interface serial 0
[RouterC-Serial0] pim sm
[RouterC] interface serial 1
[RouterC-Serial1] pim sm

Suppose Host A is a receiver of group 225.0.0.1 and Host B begins sending data to 225.0.0.1. Router A first receives Host B's multicast data via Router B, along the shared tree. When Host B's data rate exceeds 10 kbps, Router A joins the shortest path tree and receives the multicast data sent by Host B directly from Router C.

Troubleshooting PIM-SM

The router cannot establish the multicast routing table correctly. Follow these steps:
■ Check the RP and BSR configured for PIM-SM. First use the display pim bsr-info command to check whether there is BSR information. If there is none, check whether there is a unicast route to the BSR. Then use the display pim rp-info command to check whether the RP information is correct; if there is no RP information, check the unicast routing again.
■ Use the display pim neighbor command to check whether the neighbors have discovered each other.
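The BSR election and the group-to-RP mapping described in "Configuring the Candidate BSR" and "Configuring the Candidate RP", and exercised by Router B's c-bsr serial 0 30 2 and c-rp serial 0 accept-policy 5 in the example above, as an added example that is not code from the manual. The manual says only that the election uses the address and priority in the bootstrap messages and that c-bsr takes a hash-mask-length; the election rules and the hash function below are those of RFC 4601 (sections 4.6.2 and 4.7.2), and whether the router implements exactly these is an assumption. All addresses, the rogue C-BSR and the RP set are constructed for the example.

```python
"""BSR election and group-to-RP mapping for PIM-SM.

Added example, not code from the 3Com manual. Election rules and hash
function follow RFC 4601 (assumed to be what the router implements).
All addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

HASH_MOD = 1 << 31  # RFC 4601: hash arithmetic is modulo 2^31


def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class CandidateBSR:
    address: str            # address of the interface given to `c-bsr`
    priority: int           # `c-bsr ... [ priority ]`; higher wins
    hash_mask_length: int   # `c-bsr interface hash-mask-length`


@dataclass(frozen=True)
class CandidateRP:
    address: str            # address of the interface given to `c-rp`
    priority: int           # `c-rp ... [ priority ]`; RFC 4601: lower value preferred
    group_prefix: str       # group range served, e.g. what `accept-policy 5` permits


def elect_bsr(candidates):
    """Highest priority wins, highest address breaks ties (RFC 4601 4.6.2).

    Every C-BSR applies this to the bootstrap messages it hears, which is
    why a host that can inject bootstrap messages with a larger priority
    takes the BSR role from every router in the domain; `pim bsr-boundary`
    on outward-facing interfaces is what keeps such messages out.
    """
    return max(candidates, key=lambda c: (c.priority, ip2int(c.address)))


def rp_hash(group, hash_mask_length, rp_address):
    """RFC 4601 4.7.2:
    Value(G,M,C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31
    M keeps the top hash_mask_length bits of the group address, so every
    group in one such block hashes to the same RP (the mask length given
    to `c-bsr` is what the BSR advertises for this purpose)."""
    mask = (0xFFFFFFFF << (32 - hash_mask_length)) & 0xFFFFFFFF
    g = ip2int(group) & mask
    inner = (1103515245 * g + 12345) % HASH_MOD
    return (1103515245 * (inner ^ ip2int(rp_address)) + 12345) % HASH_MOD


def select_rp(group, rp_set, hash_mask_length):
    """Map a group to its RP from the RP set the BSR distributed: longest
    matching group prefix, then best (lowest) priority, then highest hash
    value, then highest address. Returns None if no C-RP serves the group."""
    g = ipaddress.IPv4Address(group)
    matching = [rp for rp in rp_set if g in ipaddress.IPv4Network(rp.group_prefix)]
    if not matching:
        return None
    longest = max(ipaddress.IPv4Network(rp.group_prefix).prefixlen for rp in matching)
    matching = [rp for rp in matching
                if ipaddress.IPv4Network(rp.group_prefix).prefixlen == longest]
    best = min(rp.priority for rp in matching)
    matching = [rp for rp in matching if rp.priority == best]
    return max(matching,
               key=lambda rp: (rp_hash(group, hash_mask_length, rp.address),
                               ip2int(rp.address)))


# Constructed sample. ROUTER_B_S0 stands for Router B's `c-bsr serial 0 30 2`
# and `c-rp serial 0 accept-policy 5` (ACL 5 permits 225.0.0.0/8) from the
# configuration example, with an assumed address for serial 0.
ROUTER_B_S0 = CandidateBSR("10.1.1.2", priority=2, hash_mask_length=30)
ROUTER_C_S0 = CandidateBSR("10.1.2.2", priority=1, hash_mask_length=30)
ROGUE_HOST = CandidateBSR("10.1.1.200", priority=250, hash_mask_length=30)

RP_SET = [
    CandidateRP("10.1.1.2", priority=0, group_prefix="225.0.0.0/8"),
    CandidateRP("10.1.2.2", priority=0, group_prefix="225.0.0.0/8"),
    CandidateRP("10.1.3.2", priority=0, group_prefix="225.0.1.0/24"),
]

if __name__ == "__main__":
    bsr = elect_bsr([ROUTER_B_S0, ROUTER_C_S0])
    print("BSR:", bsr.address, "priority", bsr.priority)
    print("BSR with rogue present:",
          elect_bsr([ROUTER_B_S0, ROUTER_C_S0, ROGUE_HOST]).address)
    for grp in ("225.0.0.1", "225.0.0.2", "225.0.1.9", "239.1.1.1"):
        rp = select_rp(grp, RP_SET, bsr.hash_mask_length)
        print(grp, "->", rp.address if rp else "no RP")
```

Running the block shows the legitimate election picking Router B, the rogue candidate winning as soon as it is present, groups 225.0.0.1 and 225.0.0.2 landing on the same RP because a 30-bit hash mask puts them in one block, and 239.1.1.1 having no RP because ACL 5 only admits 225.0.0.0/8.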
VIII SECURITY

Chapter 37 Configuring Terminal Access Security
Chapter 38 Configuring AAA and RADIUS Protocol
Chapter 39 Configuring Firewall
Chapter 40 Configuring IPSec
Chapter 41 Configuring IKE
37 CONFIGURING TERMINAL ACCESS SECURITY

This chapter provides an overview of the security features for terminal access to 3Com routers and covers the following topics:
■ Terminal Access Security Overview
■ Configuring Terminal Access Security
■ EXEC Configuration Example

Terminal Access Security Overview

3Com routers protect the command line interface with hierarchical (cascade) privilege levels and divide terminal access users into three types:
■ Administrators
■ Operators
■ Guests

A guest can only log on to the router to execute the interconnectivity test commands such as ping, tracert and pad. An operator can only view the running and debugging information of the router. An administrator can view all the router information and can also configure and maintain the router. Every user must authenticate with a username and password when accessing the router.

The command line interface (CLI) provides the following features for terminal users:
■ For security, the password is not echoed on the terminal screen as it is typed.
■ If an illegal user tries to break into the system by guessing passwords, access is denied automatically after three consecutive wrong passwords.

Users can also set a terminal timeout. If a terminal user makes no keyboard input within the configured time, the connection is closed automatically, so that an unattended session cannot be used for illegal access to the router.

Configuring Terminal Access Security

Terminal access security includes the tasks described in the following sections:
■ Configuring a User
■ Configuring User Login Authentication

Configuring a User

Perform the following configurations in system view.

Table 595 Configure a User
  Operation           Command
  Configure a user    local-user user-name service-type type [ password cipher password ]
  Delete a user       undo local-user user-name

By default, no user is configured.

Configuring User Login Authentication

All users who access a router through a terminal are called terminal users. 3Com routers divide terminal users into five types:
■ Asynchronous port terminal user
■ X.25 PAD calling user
■ Console port user
■ Dumb terminal user
■ Telnet terminal user

3Com routers support command line interpreters that access terminals from the following five types of interface:
■ Remote X.25 PAD
■ Asynchronous dialing port (working in interactive mode)
■ Local console port
■ Dumb terminal access mode
■ Local/remote Telnet terminal

Perform the following configurations in system view.

Table 596 Configure EXEC Login Authentication
  Operation                                                                 Command
  Configure login authentication of terminal user from asynchronous port    login async
  Cancel login authentication of terminal user from asynchronous port       undo login async
  Configure login authentication of terminal user from Console port         login con
  Cancel login authentication of terminal user from Console port            undo login con
  Configure login authentication to dumb terminal access user               login hwtty
  Cancel login authentication to dumb terminal access user                  undo login hwtty
  Configure login authentication to remote X.25 PAD calling user            login pad
  Cancel login authentication to remote X.25 PAD calling user               undo login pad
  Configure login authentication of terminal user via telnet                login telnet
  Cancel login authentication of terminal user via telnet                   undo login telnet

EXEC Configuration Example

The following examples demonstrate how to configure login authentication for:
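The local-user and login commands in Tables 595 and 596 are easy to leave half-applied (a user created without a password, or an undo login telnet that nobody remembers), so a practitioner will want to check a saved configuration rather than trust memory. The following Python script, an added example that is not code from the manual, replays the commands in the syntax the manual documents and reports the gaps: access types with no login authentication in effect and users with no password. The sample configuration, its user names and passwords, and the service-type keywords administrator, operator and guest in it are constructed for the example; this page does not give the service-type values.

```python
"""Audit a saved 3Com router configuration for terminal-access settings.

Added example, not code from the 3Com manual. Parses the documented
`local-user user-name service-type type [ password cipher password ]`
and `login async | con | hwtty | pad | telnet` commands and their `undo`
forms. The sample configuration below is constructed; its service-type
keywords are assumptions, not values taken from the manual.
"""
import re

ACCESS_TYPES = {          # keyword of `login` -> access path it protects
    "async": "asynchronous port",
    "con": "console port",
    "hwtty": "dumb terminal",
    "pad": "X.25 PAD",
    "telnet": "Telnet",
}

LOGIN_RE = re.compile(r"^(undo\s+)?login\s+(async|con|hwtty|pad|telnet)$")
USER_RE = re.compile(
    r"^(undo\s+)?local-user\s+(\S+)"
    r"(?:\s+service-type\s+(\S+))?"
    r"(?:\s+password\s+cipher\s+(\S+))?$"
)


def parse_config(text):
    """Replay the configuration line by line so that a later `undo`
    cancels an earlier command, exactly as it does on the router."""
    login = {name: False for name in ACCESS_TYPES}
    users = {}   # user name -> (service type, password configured?)
    for raw in text.splitlines():
        line = " ".join(raw.split())        # drop indentation, squeeze spaces
        m = LOGIN_RE.match(line)
        if m:
            login[m.group(2)] = m.group(1) is None
            continue
        m = USER_RE.match(line)
        if m:
            undo, name, service_type, password = m.groups()
            if undo:
                users.pop(name, None)
            elif service_type is not None:   # service-type is mandatory in the syntax
                users[name] = (service_type, password is not None)
    return login, users


def audit(text):
    """Return the list of findings; an empty list means nothing to report."""
    login, users = parse_config(text)
    findings = []
    for keyword, enabled in login.items():
        if not enabled:
            findings.append(
                f"no login authentication for {ACCESS_TYPES[keyword]} access "
                f"(no 'login {keyword}' in effect)")
    if not users:
        findings.append("no local-user configured")
    for name, (service_type, has_password) in sorted(users.items()):
        if not has_password:
            findings.append(f"user '{name}' ({service_type}) has no password configured")
    return findings


# Constructed sample configuration (not from the manual): a fully configured
# administrator, an operator created without a password, a guest that is
# removed again, and Telnet login authentication switched on and then off.
SAMPLE_CONFIG = """\
 local-user admin service-type administrator password cipher 3Vt9Ky2Zp
 local-user ops service-type operator
 local-user temp service-type guest password cipher abc123
 undo local-user temp
 login con
 login async
 login telnet
 undo login telnet
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

For the sample above the audit reports the dumb-terminal, X.25 PAD and Telnet access paths as unauthenticated (the undo login telnet wins because it comes later) and the user ops as having no password; the removed guest account produces no finding.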