Technical data
Table Of Contents
- Preface
- Introduction
- Chapter 1. Advanced Topics
- Chapter 2. Planning For Router Configuration
- Important Terminology
- Collect your Configuration Information
- PPP Link Protocol (over ATM or Frame Relay)
- IP Routing Network Protocol
- IPX Routing Network Protocol
- Bridging Network Protocol
- RFC 1483 / RFC 1490 Link Protocols
- IP Routing Network Protocol
- IPX Routing Network Protocol
- Bridging Network Protocol
- MAC Encapsulated Routing: RFC 1483MER / RFC 1490MER Link Protocols
- IP Routing Network Protocol
- FRF8 Link Protocol
- IP Routing Network Protocol
- Dual Ethernet Router Configuration
- General Information
- Configuring the Dual Ethernet Router as a Bridge
- Configuring the Dual Ethernet Router for IP Routing
- Chapter 3. Configuring Router Software
- Configuration Tables
- Configuring PPP with IP Routing
- Configuring PPP with IPX Routing
- Configuring PPP with Bridging
- Configuring RFC 1483 / RFC 1490 with IP Routing
- Configuring RFC 1483 / RFC 1490 with IPX Routing
- Configuring RFC 1483 / RFC 1490 with Bridging
- Configuring MAC Encapsulated Routing: RFC 1483MER / RFC 1490MER with IP Routing
- Configuring FRF8 with IP Routing
- Configuring Mixed Network Protocols
- Configuring a Dual Ethernet Router for IP Routing
- Verify the Router Configuration
- Sample Configurations
- Sample Configuration 1 — PPP with IP and IPX
- Scenario
- Sample Configuration 1 — Diagram for Target Router (SOHO)
- Sample Configuration 1 — Tables For Target Router (SOHO)
- Sample Configuration 1 - Check the Configuration with the “list” Commands
- Information About Names And Passwords
- Sample Configuration 2 — RFC 1483 with IP and Bridging
- Scenario
- Sample Configuration 2 — Diagram for Target Router SOHO
- Sample Configuration 2 — Tables For Target Router (SOHO)
- Sample Configuration 2 - Check the Configuration with the “list” Commands
- Sample Configuration 3 — Configuring a Dual Ethernet Router for IP Routing
- Scenario
- Configuration Tables
- Chapter 4. Configuring Special Features
- Bridging Filtering and IP Firewall
- IP (RIP) Protocol Controls
- DHCP (Dynamic Host Configuration Protocol)
- General Information
- Manipulating Subnetworks and Explicit Client Leases
- Enabling/disabling a subnetwork or a client lease
- Adding subnetworks and client leases
- Setting the lease time
- Manually changing client leases
- Setting Option Values
- Concepts
- Commands for global option values
- Commands for specific option values for a subnetwork
- Commands for specific option values for a client lease
- Commands for listing and checking option values
- BootP
- About BootP and DHCP
- Enable/Disable BootP
- Use BootP to specify the boot server
- Defining Option Types
- Concepts
- Commands
- Configuring BootP/DHCP Relays
- Other Information
- NAT (Network Address Translation)
- Management Security
- Software Options Keys
- Encryption
- IP Filtering
- L2TP Tunneling - Virtual Dial-Up
- Introduction
- L2TP Concepts
- LNS, L2TP Client, LAC, and Dial User
- L2TP Client Example
- LNS and L2TP Client Relationship
- Tunnels
- Sessions
- Configuration
- Preliminary Steps to Configure a Tunnel
- Verification Steps
- Configuration Commands
- PPP Session Configuration
- Sample Configurations
- Simple L2TP Client Configuration Example
- Complete LNS and L2TP Client Configuration Example
- Configuration Process
- Chapter 5. Command Line Interface Reference
- Command Line Interface Conventions
- System Level Commands
- Router Configuration Commands
- Target Router System Configuration Commands (SYSTEM)
- Target Router Ethernet LAN Bridging and Routing (ETH)
- Remote Router Access Configuration (REMOTE)
- Asymmetric Digital Subscriber Line Commands (ADSL)
- Asynchronous Transfer Mode Commands (ATM)
- Dual Ethernet Router Commands (ETH)
- General information
- High-Speed Digital Subscriber Line Commands (HDSL)
- General information about HDSL
- ISDN Digital Subscriber Line (IDSL)
- General information about IDSL
- Symmetric Digital Subscriber Line Commands (SDSL)
- General information about SDSL
- Dynamic Host Configuration Protocol Commands (DHCP)
- L2TP — Virtual Dial-Up Configuration (L2TP)
- Bridging Filtering Commands (FILTER BR)
- Save Configuration Commands (SAVE)
- Erase Configuration Commands (ERASE)
- File System Commands
- Chapter 6. Managing the Router
- Simple Network Management Protocol (SNMP)
- TELNET Remote Access
- Client TFTP Facility
- TFTP Server
- BootP Server
- Boot Code
- Manual Boot Menu
- Access Manual Boot Mode
- Option 1: Retry Start-up
- Option 2: Boot from FLASH Memory
- Option 3: Boot from Network
- Option 4: Boot from Specific File
- Option 5: Configure Boot System
- Option 6: Set Time and Date
- Option 7: Set Console Baud Rate
- Option 8: Start Extended Diagnostics
- Identifying Fatal Boot Failures
- Software Kernel Upgrades
- Backup and Restore Configuration Files
- FLASH Memory Recovery Procedures
- Recovering Passwords and IP Addresses
- Batch File Command Execution
- Chapter 7. Troubleshooting
- Appendix A. Network Information Worksheets
- Configuring PPP with IP Routing
- Configuring PPP with IPX Routing
- Configuring PPP with Bridging
- Configuring RFC 1483 / RFC 1490 with IP Routing
- Configuring RFC 1483 / RFC 1490 with IPX Routing
- Configuring RFC 1483 / RFC 1490 with Bridging
- Configuring RFC 1483MER / RFC 1490MER with IP Routing
- Configuring FRF8 with IP Routing
- Configuring a Dual Ethernet Router for IP Routing
- Appendix B. Configuring IPX Routing
- Index
20
Security Configuration Settings
The router has one default system password used to access any remote router. This “system authentication
password” is utilized by remote sites to authenticate the local site. The router also allows you to assign a unique
“system override password” used only when connecting to a specific remote router for authentication by that
remote site. Each remote router entered in the remote router database has a password used when the remote site
attempts to gain access to the local router. This “remote authentication password” is utilized by the router to
authenticate the remote site.
Each remote router entered in the remote router database also has a minimum security level, known as the “remote
authentication protocol”, that must be negotiated before the remote router gains access to the local router. In
addition, a system-wide control, “system authentication protocol”, is available for overriding the minimum
security level in the entire remote router database.
Authentication Process
The authentication process occurs regardless of whether a remote router connects to the local router or vice versa,
and even if the remote end does not request authentication. It is a bi-directional process
, where each end can
authenticate the other using the protocol of its choice (provided the other end supports it).
During link negotiation (LCP), each side of the link negotiates what protocol is to be used for authentication
during the connection. If both the system and the remote router have PAP authentication, then PAP authentication
is negotiated.
Otherwise, the router
always
requests CHAP authentication first; if refused, PAP will be negotiated. If the remote
end does not accept either PAP or CHAP, the link is dropped; i.e., the router does not communicate without a
minimum security level. On the other hand, the router will accept any authentication scheme required by the
remote node, including no authentication at all.
During the authentication phase, each side of the link can request authentication using the method they negotiated
during LCP.
For CHAP, the router issues a CHAP challenge request to the remote side. The challenge includes the system
name and random number. The remote end, using a hash algorithm associated with CHAP, transforms the name
and number into a response value. When the remote end returns the challenge response, the router can validate the
response challenge value using the entry in the remote router database. If the response is invalid, the call is
disconnected. If the other end negotiated CHAP, the remote end can, similarly, request authentication from the
local router. The router uses its system name and password to respond to CHAP challenge.
For PAP, when a PAP login request is received from the remote end, the router checks the remote router PAP
security using the remote router database. If the remote router is not in the remote router database or the remote
router password is invalid, the call is disconnected. If the remote router and password are valid, the local router
acknowledges the PAP login request.
If PAP was negotiated by the remote end for the remote-side authentication, the router will issue PAP login
requests
only
if it knows the identity of the remote end. The identity is known if the call was initiated from the
router or the remote end returned a successful CHAP challenge response. For security reasons, the router will
never
identify itself using PAP without first knowing the identity of the remote router.
If PAP was negotiated by the remote end for the local side of the authentication process and the minimum security
level is CHAP, as configured in the remote router database, the link is dropped for a security violation.