Efficient Networks Router Family Technical Reference Guide Part No.
Efficient Networks®
Software License and Limited Warranty
Copyright 2002, Efficient Networks, Inc. All rights reserved. Printed in the U.S.A. Efficient Networks and SpeedStream are registered trademarks, and the Efficient Networks logo is a trademark of Efficient Networks, Inc. All other names may be trademarks, service marks or registered trademarks held by their respective companies. This document is for information purposes only; Efficient Networks is not responsible for errors or omissions herein.
B. After receiving an RMA, the end user shall ship the product or defective component, including power supplies and cable, where applicable, freight or postage prepaid and insured, to EFFICIENT at 4849 Alpha Road, Dallas, Texas 75244, U.S.A.
Efficient Networks® Router family Technical Reference Guide
Table of Contents
1 Introduction
How This Manual is Organized
Document Conventions
2 Product Overview

PPP Link Protocol (over ATM or Frame Relay)
RFC 1483/RFC 1490 Link Protocols
MAC Encapsulated Routing
Configuring Your Computer

BootP Service
BootP Concepts
BootP Service by the DHCP Server
Relaying BootP Requests

Client-Server Security
Radius Client Configuration Procedures
Radius Server Configuration
Controlling Remote Management

Main Mode and Aggressive Mode
Additional IKE Settings
Security Associations (SAs)
IKE Commands

Sample VRRP Configuration
L2TP Tunneling - Virtual Dial-Up
Advantages of Tunneling
L2TP Concepts

Accessibility
User Interaction
Router Information Page
Easy Setup

Secure Shell (SSH) Configuration List Page
Secure Shell Configuration page
Firewall Scripts
QoS
CHAPTER 1 INTRODUCTION
This manual contains information on the advanced functions, features, and management of your router. This manual is intended for small and home office users, remote office users, and other networking professionals who are installing and maintaining bridged and routed networks.
Document Conventions
Table 1-1 explains the standard conventions used throughout this document.
Table 1-1: Document Conventions
Convention | Description | Example
Boldface | Buttons, check-boxes, or other items that represent selection made from screens or menus. | Click Apply to affect the changes
Italics | Keywords, new words, documentation titles, listed parameters, and other terms of special interest. | ...saves the dhcp.
Table 1-2: Common Abbreviations
BER Basic Encoding Rules or Bit Error Rate
B-HLI Broadband High Layer Information
B-ICI Broadband Intercarrier Interface
B-ISSI Broadband Inter-Switching System Interface
B-LLI Broadband Low Layer Information
BOM Beginning of Message
BUS Broadcast Unknown Server
CBR Constant Bit Rate
CDV Cell Delay Variation
CLI Command Line Interface
CLP Cell Loss Priority
CMISE Comm
LOP Loss of Pointer (UNI Fault Management)
LOS Loss of Signal (UNI Fault Management)
MAC Media Access Control
NG-IAD Next Generation - Integrated Access Device
NIU Network Interface Unit
OAM Operations and Management
OCD Out-of-Cell Delineation
PCM Pulse Code Modulation
PCR Peak Cell Rate
POST Power-On Self Test
POTS Plain Old Telephone System
PTI Payload Ty
VPCI Virtual Path Connection Identifier
VPI Virtual Path Identifier
WMI Web Management Interface
CHAPTER 2 PRODUCT OVERVIEW
This chapter provides background information applicable to the Efficient Networks Router Family.
WAN Interfaces
Routers are available whose WAN interfaces conform to various DSL standards. The WAN interface of the router is displayed on the Web Management Router Information Page or via the command line interface each time the router reboots, as in the following SHDSL example:
Efficient 5950 G.SHDSL [ATM] Router (120-5950-001) v6.0.
IDSL
IDSL (ISDN DSL): A hybrid of ISDN and DSL; it’s an always-on alternative to dial-up ISDN. Does not support voice connections on the same line.
• Speed - 144 Kbps
• Max. Distance From CO - 35,000 ft. (6.6 miles)*
• Key Applications - As an alternate solution: it has a longer range than other DSLs, and is more affordable than dial-up ISDN.
Virtual Connections
The router’s wide area network (WAN) interface uses Asynchronous Transfer Mode (ATM) virtual connections (VCs) to transport data. The system provides unlimited VC support.
ATM
Asynchronous Transfer Mode (ATM) is a networking technology that provides support for a wide variety of services and applications.
Routing offers advantages over bridging because:
• It limits broadcasts to the local LAN segment.
• It limits the protocols that are routed beyond the LAN segment.
• Routed protocols allow networks to grow as large as needed.
• Filters and firewalls can provide screens for improved security and managed traffic flow.
Bridging has these capabilities:
• Allows protocols that cannot be routed (such as NETBIOS) to be forwarded.
• Allows optimizing internetwork capacity by localizing traffic on LAN segments.
• Extends the physical reach of networks beyond the limits of each LAN segment.
• Bridge filtering may increase network security.
Our bridging support includes the IEEE 802.
When to Use Routing or Bridging or Both
The following charts describe the operational characteristics of the router when you enable routing, bridging, or both routing and bridging.
Table 2-2: Routing vs.
Routing and Bridging Controls
The router can be configured to perform general routing and bridging while allowing you to set specific controls.
• One remote router can be designated as the outbound default bridging destination. All outbound bridging traffic with an unknown destination is sent to the default bridging destination.
• Bridging can be enabled or disabled for specific remote routers.
The router supports the following WAN encapsulations:
• PPP (VC multiplexing)
• PPP (LLC multiplexing)
• PPPoE (PPP over Ethernet)
• RFC 1483 (for ATM)
• RFC 1483 with MAC encapsulated routing (for ATM)
• FRF8 (for ATM)
• RFC 1490 (for Frame Relay)
• RFC 1490 with MAC encapsulated routing (for Frame Relay)
The packet formats for these encapsulation methods are given in “Encapsulation Options” on page
RFC 1974 PPP Stac LZS Compression Protocol
RFC 1990 Multi-Link Protocol (MLP)
RFC 1994 User Authentication PAP / CHAP
RFC 2104 HMAC: Keyed-Hashing for Message Authentication
RFC 2131 Dynamic Host Configuration Protocol (DHCP)
RFC 2132 DHCP Client
RFC 2364 PPP over AAL5
RFC 2401 Security Architecture for the Internet Protocol
RFC 2402 IP Authentication Header
RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
RFC 2404 Th
Encapsulation Options
This section describes the packet format for each encapsulation option supported by the router.
NOTE: The same encapsulation method must be used by both ends of the connection (the router and the DSLAM).
PPP
This protocol uses VC multiplexing, as defined in RFC 2364; it dedicates a virtual circuit to PPP traffic only.
RFC 1483 or RFC 1490
Bridging
User data packets are prepended by the sequence 0xAAAA0300 0x80C20007 0x0000 followed by the Ethernet frame containing the packet. 802.1D Spanning Tree packets are prepended with the header 0xAAAA0300 0x80C2000E.
Routing
IP packets are prepended with the header 0xAAAA0300 0x00000800. IPX packets are prepended with the header 0xAAAA0300 0x00008137.
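The four headers listed above can be told apart by their first eight bytes, which is what a capture-analysis script needs in order to flag traffic whose encapsulation does not match what a virtual circuit is configured for. The following is an added example, not code from the manual or from Efficient Networks; the function names, the per-VC allow-list and the sample PDUs are assumptions constructed for illustration.

```python
import struct

LLC_UI = bytes.fromhex("aaaa03")        # LLC header: DSAP 0xAA, SSAP 0xAA, control 0x03
OUI_BRIDGED = bytes.fromhex("0080c2")   # OUI that precedes the bridged PIDs
OUI_ROUTED = bytes.fromhex("000000")    # OUI 0: the PID field is an EtherType

BRIDGED_PIDS = {0x0007: "bridged-ethernet", 0x000E: "bridged-bpdu"}
ROUTED_PIDS = {0x0800: "routed-ip", 0x8137: "routed-ipx"}
ETH_HDR_LEN = 14


class EncapError(ValueError):
    """Raised when a PDU matches none of the headers listed in the manual."""


def classify(pdu: bytes):
    """Return (kind, payload) for one LLC-encapsulated PDU."""
    if len(pdu) < 8:
        raise EncapError("shorter than the 8-byte LLC/SNAP header")
    if pdu[:3] != LLC_UI:
        raise EncapError("no 0xAAAA03 LLC header")
    oui = pdu[3:6]
    (pid,) = struct.unpack("!H", pdu[6:8])
    body = pdu[8:]
    if oui == OUI_BRIDGED and pid in BRIDGED_PIDS:
        kind = BRIDGED_PIDS[pid]
        if kind == "bridged-ethernet":
            # The manual's sequence ends in 0x0000 before the Ethernet frame.
            if body[:2] != b"\x00\x00":
                raise EncapError("missing 0x0000 pad before the Ethernet frame")
            body = body[2:]
            if len(body) < ETH_HDR_LEN:
                raise EncapError("truncated Ethernet frame")
        return kind, body
    if oui == OUI_ROUTED and pid in ROUTED_PIDS:
        return ROUTED_PIDS[pid], body
    raise EncapError(f"unknown OUI/PID {oui.hex()}/{pid:04x}")


def ethernet_summary(frame: bytes):
    """Pull the addresses and EtherType out of a bridged Ethernet frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}


def audit(pdus, allowed):
    """List (index, kind, reason) for PDUs that are malformed or not allowed.

    `allowed` is the set of kinds expected on the VC (an assumed policy input).
    """
    findings = []
    for i, pdu in enumerate(pdus):
        try:
            kind, _ = classify(pdu)
        except EncapError as exc:
            findings.append((i, "malformed", str(exc)))
            continue
        if kind not in allowed:
            findings.append((i, kind, "encapsulation not expected on this VC"))
    return findings


# Constructed sample PDUs (not captured traffic).
SAMPLE_PDUS = [
    bytes.fromhex("aaaa030000000800") + bytes.fromhex("45000014") + bytes(16),
    bytes.fromhex("aaaa030080c200070000")
    + bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28),
    bytes.fromhex("aaaa030080c2000e") + bytes(35),
    bytes.fromhex("aaaa030000008137") + bytes(30),
    bytes.fromhex("aaaa030080c20007") + bytes.fromhex("ffff"),  # pad missing
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PDUS, allowed={"routed-ip"}):
        print(finding)
```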
CHAPTER 3 INSTALLATION AND SETUP
This chapter describes the steps necessary to plan and deploy your router with basic operation.
Remote Routers
Throughout this document, many references are made to "local routers" and "remote routers." A local router is the router you are configuring, and a remote router is any other router that connects to the local router. For additional information on Remote Routers, see “Controlling Remote Management” on page 5-15.
Local router. Router that you are configuring. Also referred to as target router.
Remote routers.
Protocols to be Used
The information needed to configure the router depends on the link protocol and network protocols that are to be used. The link protocol and network protocols used are generally determined by your Network Service Provider. This section is organized into sub-sections that apply to specific protocols.
• For Remote Routers: Although the system names and authentication passwords for the remote routers are defined by the service provider, you must have this information because the local router uses it to authenticate the remote router. The name and password are used in both PAP and CHAP authentication. To see how this information is used, see “PAP/CHAP Security Authentication” on page 5-20.
NOTE: An Ethernet route is usually defined when there are multiple routers on the Ethernet that cannot exchange routing information. This feature is only used in special circumstances.
• For the WAN interface: The following information is defined by your network service provider.
IPX Routing Network Protocol
System Names and Authentication Passwords for the Local Router and All Remote Routers
• For the Local Router: You define a system name and authentication password for the local router. Remote routers check the system name and authentication password to authenticate the local router.
You need the following information (most likely from your network administrator) for IPX routing.
Internal Network Number
It is a logical network number that identifies an individual Novell server. It specifies a route to the services (i.e., file services, print services) that Novell offers. It must be a unique number.
Bridging Network Protocol
To configure bridging as the network protocol and PPP as the link protocol, you need the following information:
System Names and Authentication Passwords for the Local Router and All Remote Routers
• For the Local Router: You define a system name and authentication password for the local router.
DNS Internet Account Information (optional)
The Domain Name Service (DNS) maps host names to IP addresses. DNS is performed by Domain Name Servers. The router can get DNS information automatically. Or, you can choose to configure DNS manually.
IP Routing Entries
• For the Ethernet interface:
Ethernet IP Address (Local LAN)
An Ethernet LAN IP address and subnet mask are required for the router’s local Ethernet LAN connection. This information is defined by the user or your network administrator.
TCP/IP Ethernet Routes
You normally do not need to define an Ethernet IP route.
DLCI number (for RFC 1490)
The DLCI (Data Link Connection Identifier) number applies to Frame Relay routers only. Get your DLCI from your service provider.
IPX routing entries
IPX routes define the paths to specific destinations. Routers need them so servers and clients can exchange packets. A path to a file server is based on the Internal Network Number of the server.
Bridging Network Protocol
To configure bridging as the network protocol and RFC 1483 or RFC 1490 as the link protocol, you need the following information:
VPI and VCI numbers (for RFC 1483)
The VPI and VCI numbers apply to ATM routers only. Your router may have been preconfigured with VPI/VCI numbers. If not, get these numbers from your Network Service Provider.
If you are connecting to multiple remote sites, get additional VPI and VCI numbers from your Network Service Provider. These numbers identify the remote destination and must, therefore, be unique for each remote.
DLCI number (for RFC 1490MER)
The DLCI number applies to Frame Relay routers only.
If NAT is not enabled, you may need to specify a source WAN IP address for the WAN connection to the remote router.
TCP/IP Remote Routes
If you are using RFC 1483MER or RFC 1490MER, the IP route includes an IP address, subnet mask, metric (a number representing the perceived cost in reaching the remote network or station), and a gateway.
Microsoft Windows
Windows 98
Step 1 On your desktop, right-click on the Network Neighborhood icon.
Step 2 The Network dialog should appear. Under the Configuration tab, from the network components installed, select TCP/IP.
Step 3 Click Properties to display TCP/IP properties.
Step 4 In the TCP/IP Properties dialog, select the IP Address tab.
Step 6 Click OK.
Step 7 Click OK buttons to close each dialog.
NOTE: You may need to restart your PC for these changes to take effect.
Windows NT 4
Step 1 On your desktop, right-click on the Network Neighborhood icon.
Step 2 The Network dialog should appear. Under the Protocols tab, from the network protocols installed, select TCP/IP Protocol.
Step 3 Click Properties to display TCP/IP properties.
Step 4 In the Microsoft TCP/IP Properties dialog, select the IP Address tab.
Step 6 Click OK.
Step 7 Click OK buttons to close each dialog.
NOTE: You may need to restart your PC for these changes to take effect.
Windows 2000
Step 1 On your desktop, right-click on the My Network Places icon.
Step 2 The Network and Dial-up Connections window should appear. Right-click on the Local Area Connection icon.
Step 3 From the menu, select Properties.
Step 4 The Local Area Connection Properties dialog should appear. From the list of components, select Internet Protocol (TCP/IP).
Step 5 Click Properties.
Step 6 The Internet Protocol (TCP/IP) Properties dialog should appear. Select Obtain an IP address automatically and Obtain DNS server address automatically.
Step 7 Click OK.
Step 8 Click OK buttons to close each dialog.
NOTE: You may need to restart your PC for these changes to take effect.
Windows ME
Step 1 On your desktop, right-click on the Network Places icon (shown below).
Step 2 From the displayed menu, select Properties.
Step 3 The Network dialog should appear. Under the Configuration tab, from the network components installed, select the TCP/IP Protocol associated with your network card (see the example below).
Step 4 Click Properties to display TCP/IP properties.
Step 6 Under the IP Address tab, click to select the option to Obtain an IP address automatically.
Step 7 Click OK.
Step 8 Click OK buttons to close each dialog.
NOTE: You may need to restart your PC for these changes to take effect.
Windows XP
Step 1 On your desktop, click on the My Network Places icon (shown below).
Step 2 The My Network Places screen should appear. Under the Network Tasks menu, select View Network Connections.
Step 3 The Network Connections screen should appear. Click the Local Area Connection icon.
Step 4 The Local Area Connection Properties dialog should appear. From the list of items, select Internet Protocol (TCP/IP).
Step 5 Click Properties.
Step 6 Click OK buttons to close each dialog.
NOTE: You may need to restart your PC for these changes to take effect.
Apple Macintosh
To configure TCP/IP and DHCP on your Macintosh, please select your version of the Mac OS from the following list:
• Mac OS 9.x
• Mac OS X
Mac OS 9.x
Step 1 Under the Apple menu, select Control Panels and then TCP/IP.
Step 2 The TCP/IP control panel should appear. From the Configure pull-down menu, select: Using DHCP Server.
Step 3 Complete the fields shown with any information supplied by your service provider.
Step 4 Click on the upper left square in the menu bar to close the TCP/IP control panel.
Mac OS X
Step 1 Under the Apple menu, select System Preferences.
Step 2 The System Preferences window should appear. Click to select the Network icon.
Step 3 The Network window should appear. Select the TCP/IP tab.
Step 4 From the Configure pull-down menu, select Using DHCP.
Step 5 Enter any information supplied by your service provider.
Step 6 Click Save button to save and exit the Network window.
Linux
Step 1 From a terminal window, run linuxconfig.
Step 2 The Config dialog should appear. Enter any information specified by your service provider in the fields under the appropriate Adapter tab.
Step 3 When settings are completed, click Accept.
Step 4 To update the system status, ensure that the "Activate the changes" button is highlighted, then click Act/Changes.
Installation
Verify the Package Contents
Your package should contain the items listed below. If you determine anything to be damaged or missing, please contact the dealer from whom the equipment was purchased.
Step 5 Connect the AC power adapter to the Router, then to the AC power outlet.
Establishing a Connection
To start the configuration, communication must be established with the router. The system can be accessed in the following ways:
• Ethernet connection - via an Ethernet port on the rear of the router.
• Serial - local via the MGMT Console serial port on the rear of the router.
Step 2 Restart the PC and power on the router.
Step 3 Open a terminal window or start a terminal session on the PC.
Step 4 The router displays the login prompt. Log in with the username superuser.
Username:
Step 5 The router displays the password prompt; enter the login password (default password is admin.
Terminal Sessions
The router supports both local access and remote access.
Step 4 In the Com 1 (or 2) Properties page, enter the following port settings and click OK:
Bits per second: 9600 (a)
Data bits: 8
Parity: None
Stop bits: 1
Flow control: Hardware
(a) To use a baud rate other than 9600, see “Option 7: Set Console Baud Rate” on page 4-39.
Terminal Session for Macintosh or UNIX
To open a terminal window emulation in a Macintosh or UNIX environment, a VT100 terminal emulation program is required.
Step 1 Start your VT100 terminal emulator.
Telnet Session for Remote Access
From the local area network you can use Telnet to log in using the Ethernet IP address.
NOTE: Remote access to the router configuration can be disabled or restricted. For further information, see “Controlling Remote Management” on page 5-15.
Step 1 Make sure that your PC and router addresses are in the same subnetwork. For example, the router address could be 192.168.254.
Configuring the Router
Having planned your configuration and acquired the necessary information as described in Planning the Configuration, you are ready to configure your router. If you will be configuring the system through the Web Management Interface, please refer to the User Reference Guide located on this CD. The content to follow details the configuration via the command line interface.
Configuration Tables
The following tables provide step-by-step instructions for enabling standard configurations of the following network protocol/link protocol combinations via the command line interface. For instructions on protocol/link configuration via the Web Management Interface, see “Easy Setup” on page 8-4.
Configuring PPP with IP Routing
This table outlines configuration commands for the PPP link protocol with the IP Routing network protocol.
Table 3-2: PPP with IP Routing (Cont.)
Table 3-3: PPP with IPX Routing (Cont.)
Configuring PPP with Bridging
This table outlines configuration commands for the PPP link protocol with the Bridging network protocol.
Table 3-4: PPP with Bridging (Cont.)
Steps | Settings | Commands
If NAT is not enabled: | You may need to enter a Source WAN Port Address | remote setsrcipaddr
IP and IPX Routing | TCP/IP Routing: Must be disabled | eth ip disable
 | IPX Routing: Must be disabled | eth ipx disable
Store | | save
Reboot | | reboot
a Enter this information if you are using PPP in an ATM environment.
Table 3-5: RFC 1483 / RFC 1490 with IP Routing (Cont.)
Configuring RFC 1483 / RFC 1490 with IPX Routing
This table outlines configuration commands for the RFC 1483 and RFC 1490 link protocols with the IPX Routing network protocol.
Table 3-6: RFC 1483 / RFC 1490 with IPX Routing (Cont.)
Steps | Settings | Commands
 | IPX Routing: Must be enabled | eth ipx enable
Store | | save
Reboot | | reboot
a Enter this information if you are using RFC 1483 in an ATM environment.
b Enter this information if you are using RFC 1490 in a Frame Relay environment.
Table 3-7: RFC 1483 / RFC 1490 with Bridging (Cont.)
Steps | Settings | Commands
 | IPX Routing: Must be disabled | eth ipx disable
Store | | save
Reboot | | reboot
a Enter this information if you are using RFC 1483 in an ATM environment.
b Enter this information if you are using RFC 1490 in a Frame Relay environment.
Table 3-8: RFC 1483MER / RFC 1490MER with IP Routing (Cont.)
Test IP Routing to a Remote Destination
• Using the TCP/IP ping command, contact a remote router from a local LAN-connected PC. When you enter the ping command, the router will connect to the remote router using the DSL line.
• If remote or local WAN IP addresses are required, verify that they are valid.
If you cannot access the remote server:
• Check that the local Ethernet LAN IPX network number is correct.
• Verify that the WAN link network number is the same as the remote WAN link network number.
• Check cable connections and pinouts.
• Verify that the IPX routes and IPX SAPs you have specified are correct.
CHAPTER 4 SYSTEM MANAGEMENT
This chapter provides information on a variety of system features and procedures. These features include:
• DHCP (Dynamic Host Configuration Protocol)
• BootP Service
• Network Address Translation (NAT)
• Key Enabled Features
• Spanning Tree
• Boot Code Options
• Software Kernel Upgrades
• Quality of Service (QOS)
• Misc.
DHCP (Dynamic Host Configuration Protocol)
The router supports DHCP and can act as the DHCP server. (The router’s DHCP server disables itself if it locates other active DHCP servers on the network or if a DHCP server on the WAN has been explicitly specified.
NOTE: For information on configuring the PC for DHCP, see “Configuring Your Computer” on page 3-14.
DHCP Client Requests
Before becoming active, the router’s DHCP server attempts to locate other active DHCP servers on the network, such as Windows NT servers. If one is detected, the router’s DHCP server disables itself. When the WAN link activates and the source IP address or mask is undefined (i.e. 0.0.0.
Manipulating Subnetworks and Explicit Client Leases
Enabling/Disabling a Subnetwork or a Client Lease
To enable/disable a subnetwork or a client lease, use the commands:
-> dhcp enable all |
-> dhcp disable all|
Examples
To enable the subnetwork 192.168.254.0 if that subnetwork exists, enter:
-> dhcp enable 192.168.254.0
To enable the client lease 192.168.254.
Example 1: The following command creates a subnetwork 192.168.254.0 with a subnet mask of 255.255.255.0:
-> dhcp add 192.168.254.0 255.255.255.0
Example 2: The following command deletes the subnetwork 192.168.254.0 and deletes all client leases associated with that subnetwork:
-> dhcp del 192.168.254.0
Adding Explicit or Dynamic Client Leases
Client leases may either be created dynamically or explicitly.
Dynamic Client Leases
Dynamic client leases are created from the pool of IP addresses associated with that subnetwork. To set or change the pool, use:
-> dhcp set addresses
To clear the values from the pool, use:
-> dhcp clear addresses
NOTE: Any client leases that currently exist will not be affected.
Commands
The following commands are used by network administrators to control lease time.
To release the client lease so it becomes available for other assignments, enter:
-> dhcp clear expire
Setting Option Values
Administrators can set values for global options, for options specific to a subnetwork, or for options specific to a client lease.
NOTE: See RFC 2131/2132 for the description of various options.
The DHCP server returns values for options explicitly requested in the client request.
-> dhcp clear valueoption
Example: To set the global value for the domain name server option, enter:
-> dhcp set valueoption domainnameserver 192.168.254.2 192.168.254.
-> dhcp list definedoptions
This command lists all available options starting with the string “name”.
-> dhcp list definedoptions
To list the lease time, enter:
-> dhcp list lease
Example: This command lists the subnet 192.168.254.0 including any options set specifically for that subnet:
-> dhcp list 192.168.254.0
Managing BootP
Administrators can enable and disable BootP and specify the BootP server.
Specify the Boot (TFTP) Server
The following commands let the administrator specify the TFTP server (boot server) and boot file name. The administrator should first configure the IP address of the TFTP server and file name (kernel) from which to boot.
Configuring BootP/DHCP Relays
BootP/DHCP relays are used by system administrators when the DHCP configuration parameters are acquired from a BootP/DHCP server other than the router’s DHCP server. This function allows configuration information to be centrally controlled. Enabling a BootP/DHCP relay disables DHCP on the router because, by definition, only one policy mechanism can be supported.
To list the definition for all options that are well-known AND have a name starting with “h”, type:
-> dhcp list definedoptions h
Example: To define a new option with a code of 128, a minimum number of IP addresses of 1, a maximum number of IP addresses of 4, of type “IP address”, enter:
-> dhcp add 128 1 4 ipaddress
This information implies that:
• Some DHCP client will know about the option with code 128.
Clearing All DHCP Information
If necessary, you can clear all DHCP information from memory, including all leases and all global DHCP information. To do so, enter this command:
-> dhcp clear all records
At this point, the DHCP information is cleared from memory, but the DHCP.DAT file remains unchanged. To clear the information from the DHCP.
BootP Service
This section first discusses what BootP is and then describes the BootP service available from the router.
BootP Concepts
BootP refers to the Bootstrap Protocol. In general, BootP requests have these purposes:
• To obtain an IP address to use.
• To obtain a TFTP server address and file information to continue the booting up process.
Relaying BootP Requests
The DHCP relay list is an optional list of IP addresses of servers on the network. You create the list manually; addresses are not automatically added or removed. You add addresses to the list using the dhcp addrelay command and remove addresses from the list using the dhcp delrelay command.
Network Address Translation (NAT)
Network Address Translation (NAT) allows devices on the LAN to use private IP addresses that aren’t recognized on the Internet. The router supports the following NAT techniques:
Masquerading: One NAT IP address is assigned to many PC IP addresses.
Classic NAT: One NAT IP address is assigned to one PC IP address.
Selective NAT:
Masquerading
With masquerading, multiple local (PC) IP addresses are mapped to a single global IP address. Many local (PC) IP addresses are therefore hidden behind a single global IP address. The advantage of this type of NAT is that users only need one global IP address, but the entire local LAN can still access the Internet. This NAT technique requires not only remapping IP addresses but also TCP and UDP ports.
NOTE: ww.xx.yy.zz is the IP address that the user on the local LAN assigns.
Server Configuration
This section is intended for users and network administrators who wish to allow WAN access to a Web server, FTP server, SMTP server, etc., on their local LAN, while using NAT. NAT needs a way to identify which local PC [local IP address(es)] should receive these server requests.
-> remote addserver 192.168.1.2 tcp ftp router1
When the local router receives a request from router1 to communicate with the local Telnet server, the local router sends the request to 192.168.1.3. If router1 asks to talk to the local FTP server, the local router sends the request to 192.168.1.2.
Example 2
Assume that the local LAN network is 192.168.1.0 255.255.255.0.
The second command gets an error due to port overlap. If the second server entry was allowed and the remote end sends a server request to port 9000, the router wouldn’t know whether to send the request to 192.168.1.10 or 192.168.1.11.
Not enough memory was available to create an entry.
This condition should not ordinarily occur because the amount of memory needed for a server entry is less than 30 bytes.
Server Request Hierarchy
As shown earlier, multiple system addserver, remote addserver, and eth ip addserver commands can designate different servers for different protocols, ports, and interfaces. When handling a request from a remote router (to which the local router has NAT enabled), the local router searches the server list for the appropriate server.
Classic NAT
With classic NAT, one PC IP address is translated to one NAT IP address. This NAT technique is primarily used to make certain hosts on a private LAN globally visible and give them the ability to remap these IP addresses as well.
IP Address Range
The range of local LAN IP addresses to be remapped is defined by to inclusive. These addresses are mapped one-to-one to the public addresses. The range of public IP addresses is defined by only. The rest of the range is computed automatically (from to + number of addresses remapped - 1) inclusive.
Range Overlap Rules
• The per-interface commands, remote addhostmapping and eth ip addhostmapping, have these range overlap rules:
  Private IP address ranges cannot overlap for an interface.
  Public IP address ranges cannot overlap for an interface.
• The global command, system addhostmapping, has these range overlap rules:
  Private IP address ranges cannot overlap for a system.
system selnat addpolicy trans
and one that will, based on the destination address, allow the private address to remain visible. These commands are:
system selnat addpolicy notrans
When policies are created, they are sorted and assigned a policy number on the basis of the subnet mask.
Viewing Policies
The policy listing is sorted by policy number, showing more specific policies first followed by the more general policies. To list the Selective NAT policies, use the following command:
system selnat list
The following response would be displayed from the example policies added previously:
-> system selnat list
Remote address
1. 10.2.2.2/255.255.255.255
2. 12.16.32.0/255.255.255.0
3. 0.0.0.0/0.0.0.
-> system addserver tcp t120
All IP addresses on the LAN can continue to connect to addresses outside the LAN, but only the specified IP address can receive the specified TCP connections from the outside.
Scenario 2: Interface-Specific Server Connection
Scenario 2 is the same as scenario 1, except that you want to limit the connections from outside to a specific interface.
Key Enabled Features
The router has several optional features that can be enabled by purchasing Feature Activation keys. Depending on the router configuration when ordered, the Feature Activation keys may have been installed during the router manufacturing process or may need to be installed in the field. These optional features are:
• 3DES Encryption
• DES Encryption
• Internal V.
NOTE: Feature keys are generated for a particular device by serial number, feature name, and expiration date, and when added, are stored in the system’s memory in an encrypted format; for security purposes, this renders the key information ambiguous and not recoverable.
NOTE: The following commands (key add, update, unrevoke, and delete) require a save command to make the changes persistent across a reboot.
Key Rules
The following rules apply when adding or deleting feature keys.
Listing the Installed Feature Keys
To determine which software options are available for your router, refer to the “Key Enabled Feature List Page” on page 8-27 or use the following command.
-> key list
A typical response is shown below.
Feature Status
The current feature status is specified by a 1 in one of the following columns:
• En - indicates the feature is currently enabled.
• Rv - indicates the feature has been revoked.
• Ex - indicates the feature key has expired.
If all columns contain a 0 and the feature key has been added, the feature is currently disabled.
Spanning Tree
The Spanning Tree algorithm allows a bridge to dynamically discover the subnet topology and create a loop free path. When Spanning Tree is enabled, the bridge will transmit configuration Bridge Protocol Data Units (PDUs) to other bridges and from the information received, determine a "root" bridge and a "destination" bridge.
It does the following major tasks:
• Reads flash memory and does a CRC check and magic number before proceeding
• Performs a power on self test (POST)
• Initializes interface controllers, RAM, and LEDs
• Detects interface types (WAN, console, Ethernet)
• Detects optional VPN hardware (Rapid Secure DES)
• Reports to the console: CRC check, flash memory and RAM sizes, DSL type, and POST results
• Checks whe
Manual Boot Mode
When the router is shipped, it is set for automatic boot from flash memory. To change these boot defaults, you must enter manual boot mode. In manual boot mode, you can:
• change the boot options to allow for network booting.
• change the order of boot procedures.
• perform a manual boot.
Option 2: Boot from Flash Memory
Select option 2. Boot from Flash memory to perform a manual boot from flash memory. If the boot is unsuccessful, the router returns to manual boot mode. (When you first receive the router, it defaults to booting from flash during power-up or automatic reboot.
1. Configure boot order, currently "flash, then network"
2. Set permanent IP address, currently not defined
3. Set permanent TFTP boot server, currently not defined
4. Set permanent IP gateway (boot only), currently not defined
(Option 5 for model 5950 only)
5. Set file name to boot from (FLASH and TFTP), currently "kernel.
3. Select option 4 to Boot through the IP gateway. In this procedure, the router on the local LAN can boot from a boot server that is not connected directly. Instead, the path to the boot server can include other networks (including the WAN, if adequate routers exist). The gateway must be located on the local LAN and be reachable by the local router.
4.
[1] DRAM test
[2] Parity test
[3] POST firmware CRC test
[4] Real-Time Clock chip test
[5] Timers and Interrupts test
[6] Multi-port UART (internal loopback) test
[7] Multi-port HDLC (internal loopback) test
[8] SCC2 External Loopback test
[9] SCC3 External Loopback test
[a] SCC4 External Loopback test
[b] Ethernet Transceiver (internal loopback) test
[-] Deselect all tests
[+] Select all tests
[.
The error patterns are listed in the following table. (Any other pattern of flashing LEDs indicates an internal error. Should this occur, return the router to the factory for repair or replacement.
Routers with Six LEDs
If your router has six LEDs, the pattern of the four LEDs labeled TEST, LINK, WAN, and LANT may indicate a fatal error. The error patterns are listed in the following table. (Any other pattern of flashing LEDs indicates an internal error. Should this occur, return the router to the factory for repair or replacement.
Software Kernel Upgrades
You can upgrade the software kernel by downloading a new version from the LAN or from the WAN.
What is the Software Kernel?
The software kernel is the router operating system; it handles task management, memory management, events coordination, and configuration control.
CAUTION: Warning: Before performing this procedure, make sure that you can successfully boot from the network using the manual boot procedure option 3 or 4. Refer to the section “Option 3: Boot from Network” on page 4-37.
Step 1 Copy the router software file KERNEL.F2K (or KERNEL.FPL for an IDSL router) to a directory where it can be accessed by a TFTP server.
Step 7 When you are satisfied that the new kernel is performing as expected, copy the kernel into flash memory in the router by typing the two following commands:
-> copy tftp@xxx.xxx.xxx.xxx:sfilename kernel.f2k
-> sync
where xxx.xxx.xxx.xxx is the TFTP server IP address, SFILENAME is the server filename of the kernel, and KERNEL.F2K is the name of the file loaded from flash memory by the boot procedure.
-> copy tftp@xxx.xxx.xxx.xxx:sfilename kernel.f2k
-> sync
where xxx.xxx.xxx.xxx is the TFTP server IP address, sfilename is the server filename of the kernel, and KERNEL.F2K is the name of the file. If you do not specify the server address, a permanent or more recent override TFTP server address will be used, if you have previously defined one.
Differentiated Services Framework (DiffServ) is a facility to prioritize the requirements of each Class of Service (CoS) according to policies and apply policies to network traffic. DiffServ is suited to Metropolitan Area Networks or private networks where control over the infrastructure is guaranteed, and differentiated services can be deployed end-to-end.
QoS Deployment Example
To understand how priority and weight can be used to decide service levels for your applications, consider the following example: A company decides to use QoS between a branch office and headquarters.
bandwidth beyond the 50% minimum will be occupied by these high priority applications in the absence of other traffic. Conversely, when no IP telephony or videoconferencing sessions are occurring, their 50% reserved bandwidth is available for use by other applications, as queued according to their respective priorities. Concurrently, FTP traffic will queue as medium priority for processing by the router.
Policies
QoS policies are created to specify how data is queued and processed according to its Diffserv priority. This section provides an overview of how to manage QoS policies.
Creating Policies
When creating a policy, two options are available from the command line.
qos set -sa 192.168.1.5 192.168.1.12 mypolicy
Dest IP - Specifies the destination IP address or range of IP addresses or disables destination address checking. The command line usage for entering this parameter is:
-da off | [:]
Protocol - Specifies the protocol by protocol number or explicitly TCP or UDP or disables protocol checking.
-du
Repetition - Specifies the policy as a one-time, repeating, or always-on policy.
Deleting Policies
Policies can be deleted by using the following commands:
NOTE: A QoS policy status must be disabled before it can be modified or deleted.
-> qos del
Deletes a single QoS policy as specified.
-> qos del all
Deletes all QoS policies.
Misc. Administrative Functions
The following procedures are miscellaneous functions that facilitate administration of the router.
Setting the System Time and Date
Automatic SNTP requests are generated if the system needs to get the time. You can specify an SNTP server using the sntp server command and a UTC offset with the sntp offset command.
CHAPTER 5
SYSTEM SECURITY
This chapter discusses security features of your Efficient Networks router. A variety of standard features as well as key enabled features provide the following categories of security:
• Local Security
• Network Security
• Data Security
Local security entails limiting and controlling access to the router through any of the user interfaces (serial, WAN and LAN).
User Authentication
User authentication is a feature that provides local protection against unauthorized configuration and operation of the router. User accounts are established and are then authenticated via a three-tiered scheme:
• User verification - Verifies the validity of the user account by username and password. If the user exists, the account status (enabled/disabled) is verified.
There are two methods for creating a user account via the command line interface:
• Creating an account with a Username and Password, then adding specific Management Classes and Access Privileges.
• Creating an account with a Username and Password and assigning privileges through built-in Templates.
Username and Password
A username and password is the minimum requirement for adding a user account.
Access to system operation can be further administered by granting read or write privileges to a user. These privileges are summarized in Table 5-2.
Table 5-2: Read / Write Privileges
Interface | Read-Only(a) | Write / Both
Command Line | Allowed execution of commands that generate a response only (e.g. list commands). All write commands are disabled. |
Table 5-3: User Templates (Cont.
a. The Voice Manager template option is not available on non-voice products.
Initial (Default) Setting
When the router is shipped from the factory with a default configuration, a single Super User account exists with the following username and password:
Username: superuser
Password: admin
CAUTION: After the initial login, you will be required to change the factory default password.
-> user set lookup radius
Subsequent user lookup commands do not edit the existing configuration but overwrite the values; if two methods are desired, they must both be specified.
Managing User Accounts
The following section provides an overview of commands that facilitate the management of existing user accounts through the command line interface. For information on managing user accounts through the Web management interface, see “User Management” on page 8-17.
-> user set password myname newsecret
Enable / Disable an account
The following commands enable or disable an existing user account. The following characteristics apply when enabling or disabling an account:
• Enabling an account activates the assigned account privileges.
• Disabling an account de-activates an account, but does not modify any account privileges.
Changing account access
The Access Privileges for an account can be added or deleted with the following commands:
-> user add access lan myname
-> user delete access console myname
Adding a read only class account
In the following example, a user account is created with read-only privilege for the management class operations defined in the Network template; the user is enabled and can access the router.
Once the RADIUS server receives the request, it validates the RADIUS client that sent the request. A request from a client for which the RADIUS server does not have a shared secret is discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request.
Server Information Configuration
For the RADIUS client and server to transact, the RADIUS client must know the location and sequence of the RADIUS server(s). The location is defined by IP address (in dotted-decimal notation) and port value. When configuring the RADIUS server address:
• On the command line the primary server is specified as ’1’ and the secondary server is specified as ’2’.
Radius Server Configuration
While vendor specific RADIUS servers may vary in their operation and configuration, the following information will be required for transacting with the router’s RADIUS client. For information on adding user accounts and specific privileges, see the RADIUS Server vendor documentation.
Table 5-4: RADIUS Server Attribute Value List
Privilege | Hex value | Comment
Serial-Console Port | 0x00010000 | Serial-Console Port Access
LAN Port | 0x00020000 | LAN Port Access
WAN Port | 0x00040000 | WAN Port Access
Account Enabled | 0x80000000 | Account Enabled
Controlling Remote Management
Several methods are available for controlling remote management of the system. These methods include:
• Disabling Remote Management by disabling port access for the specified service.
• Validating Clients based on the remote IP address.
• Restricting Remote Access by re-defining conventional (or default) port numbers to alternate port numbers.
-> system snmpport default2
-> snmp snmpport default2
-> system httpport default
-> system syslogport default
Validating Clients
The following commands are used to validate clients for Telnet, SNMP, HTTP, or Syslog. They define a range of IP addresses that are allowed to access the router via that interface. Only the IP addresses in the range specified for the interface can access the router via that interface.
Restricting Remote Access
To allow remote management while making it more difficult for non-authorized persons to access the router, you may redefine the ports to a less well-known value.
Disabling WAN Management
You can allow management of the router on the local LAN, but not over the WAN. If the router has been configured to use Network Address Translation (NAT), you can define two servers that do not exist on the LAN side to handle WAN SNMP and Telnet requests, and thus WAN management of the router cannot occur. The following example shows how this is done. It assumes there is no computer at 192.168.
The following command is used to enable and disable secure mode. When secure mode is enabled, management access of the system is allowed only through secure channels for untrusted interfaces.
system securemode set
NOTE: When secure mode is enabled, all current non-secure connections via an untrusted interface will be terminated immediately with the exception of inbound file transfers.
PAP/CHAP Security Authentication
The router supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol) under PPP. Security authentication may not be required due to the nature of the connection in a DSL environment (traffic occurs on a dedicated line/virtual circuit). However, authentication may be specifically required by the remote end, the ISP, or the NSP.
[Figure: CHAP exchange between the routers New York and Chicago. Labels: System Name=Chicago, System Password=abc; System Name=New York, System Password=xyz; Remote Router Database: Remote=Chicago, Password=abc; Remote Router Database: Remote=New York, Password=xyz.
1 Challenge: New York & encrypted number.
2 Hashes random number and secret “abc”; Chicago & encrypted secret; performs same hash with number and secret “abc” and compares results.
3 Accepted/Rejected.]
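The CHAP exchange described above, as an added Python example that is not code from this guide or from the router. It assumes the RFC 1994 hash, MD5(identifier || secret || challenge); the guide itself only says the number and secret are hashed, and the class and function names are illustrative.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The challenging side (New York in the figure)."""

    def __init__(self, system_name: str, remote_db: Dict[str, bytes]) -> None:
        self.system_name = system_name
        self.remote_db = remote_db            # remote router name -> shared secret
        self._next_id = 0
        self._pending: Dict[str, Tuple[int, bytes]] = {}

    def challenge(self, remote_name: str) -> Tuple[int, bytes, str]:
        """Step 1: send our name with a fresh random number."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)
        self._pending[remote_name] = (identifier, value)
        return identifier, value, self.system_name

    def verify(self, remote_name: str, identifier: int, response: bytes) -> bool:
        """Step 3: repeat the hash with the stored secret and compare."""
        pending = self._pending.pop(remote_name, None)   # each challenge is single-use
        secret = self.remote_db.get(remote_name)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


class Peer:
    """The challenged side (Chicago in the figure)."""

    def __init__(self, system_name: str, system_password: bytes) -> None:
        self.system_name = system_name
        self.system_password = system_password

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, int, bytes]:
        """Step 2: hash the random number with our secret; the secret never crosses the link."""
        digest = chap_response(identifier, self.system_password, challenge)
        return self.system_name, identifier, digest


def run_exchange(auth: Authenticator, peer: Peer) -> bool:
    identifier, value, _ = auth.challenge(peer.system_name)
    name, identifier, digest = peer.respond(identifier, value)
    return auth.verify(name, identifier, digest)


if __name__ == "__main__":
    new_york = Authenticator("New York", {"Chicago": b"abc"})
    print("correct secret:", run_exchange(new_york, Peer("Chicago", b"abc")))
    print("wrong secret:  ", run_exchange(new_york, Peer("Chicago", b"wrong")))
```

Because every challenge is random and consumed on first use, a response recorded from one exchange does not verify against a later challenge.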
PAP Authentication
For PAP, when a PAP login request is received from the remote end, the router checks the remote router PAP security using the remote router database. If the remote router is not in the remote router database or the remote router password is invalid, the call is disconnected. If the remote router and password are valid, the local router acknowledges the PAP login request.
Authentication Levels
The router also uses security levels, as follows:
• Remote authentication protocol — Each remote router entered in the remote router database has a minimum security level that must be negotiated before the remote router gains access to the local router.
[Figure 5-3: IP Filtering Process. Flowchart labels: Packet arrives at interface; Packet destined for router acting as host; Input filters; Packet destined for another interface; Network Address Translation; Transmit filters; Receive filters; Network Address Translation; Output filters; Packet sent out interface.]
Receive Filters
The router next compares the packet to the list of receive filters for this interface.
Output Filters
Finally, the router compares the packet to the list of output filters for this interface. The first filter that matches the packet determines whether the packet is accepted, dropped, or rejected. If no filter matches the packet, the packet is accepted. The packet, if accepted, is then sent out the interface.
Filter Examples
Example 1: Input Filters Vs. Receive Filters
The following commands add a filter to the beginning of the Input Filters list.
-> remote ipfilter insert input drop -p tcp -dp 23 internet
When used, the input filter matches any packet for remote interface internet that has protocol TCP and destination port 23.
-> remote ipfilter append input accept -p tcp -dp 23 -da 10.0.1.1 internet
-> remote ipfilter append input drop -p tcp -dp 23 internet
The filter order is important; packets are compared to filters in the order that the filters appear in the filter list. Any Telnet packet that doesn’t match the first filter is dropped by the second filter.
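The first-match rule described above, worked through with the two Telnet filters: an added Python model, not router firmware or code from this guide. It parses only the insert/append verbs and the -p, -sp, -dp and -da options that appear on this page; treating append as add-to-end and -da as a single address are assumptions, and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    dst_addr: str


@dataclass(frozen=True)
class Filter:
    action: str                                   # accept, drop or reject
    proto: Optional[str] = None                   # -p
    src_ports: Optional[Tuple[int, int]] = None   # -sp low[:high]
    dst_ports: Optional[Tuple[int, int]] = None   # -dp low[:high]
    dst_addr: Optional[str] = None                # -da (single address assumed)

    def matches(self, pkt: Packet) -> bool:
        # A field that was not given on the command line matches anything.
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_ports and not self.src_ports[0] <= pkt.src_port <= self.src_ports[1]:
            return False
        if self.dst_ports and not self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]:
            return False
        return self.dst_addr is None or pkt.dst_addr == self.dst_addr


def parse_ports(text: str) -> Tuple[int, int]:
    low, _, high = text.partition(":")
    return int(low), int(high or low)


class FilterTable:
    """Filter lists keyed by (interface, list name), e.g. ("internet", "input")."""

    def __init__(self) -> None:
        self.lists: Dict[Tuple[str, str], List[Filter]] = {}

    def apply(self, command: str) -> None:
        words = command.split()
        if len(words) < 6 or words[:2] != ["remote", "ipfilter"]:
            raise ValueError("unsupported command: " + command)
        verb, list_name, action, interface = words[2], words[3], words[4], words[-1]
        options = words[5:-1]
        if action not in ("accept", "drop", "reject") or len(options) % 2:
            raise ValueError("cannot parse: " + command)
        fields = {}
        for flag, value in zip(options[0::2], options[1::2]):
            if flag == "-p":
                fields["proto"] = value.lower()
            elif flag == "-sp":
                fields["src_ports"] = parse_ports(value)
            elif flag == "-dp":
                fields["dst_ports"] = parse_ports(value)
            elif flag == "-da":
                fields["dst_addr"] = value
            else:
                raise ValueError("option not modelled: " + flag)
        chain = self.lists.setdefault((interface, list_name), [])
        if verb == "insert":        # the guide: adds to the beginning of the list
            chain.insert(0, Filter(action, **fields))
        elif verb == "append":      # assumed: adds to the end of the list
            chain.append(Filter(action, **fields))
        else:
            raise ValueError("verb not modelled: " + verb)

    def decide(self, interface: str, list_name: str, pkt: Packet) -> str:
        for flt in self.lists.get((interface, list_name), []):
            if flt.matches(pkt):
                return flt.action   # first matching filter decides
        return "accept"             # no filter matched: the packet is accepted


def build(commands: Iterable[str]) -> FilterTable:
    table = FilterTable()
    for command in commands:
        table.apply(command)
    return table


PAGE_ORDER = [
    "remote ipfilter append input accept -p tcp -dp 23 -da 10.0.1.1 internet",
    "remote ipfilter append input drop -p tcp -dp 23 internet",
]
# Constructed packets: Telnet to the permitted host, Telnet elsewhere, and HTTP.
TELNET_TO_HOST = Packet("tcp", 40000, 23, "10.0.1.1")
TELNET_OTHER = Packet("tcp", 40000, 23, "10.0.1.2")
WEB = Packet("tcp", 40000, 80, "10.0.1.2")

if __name__ == "__main__":
    for label, commands in (("page order", PAGE_ORDER), ("reversed", PAGE_ORDER[::-1])):
        table = build(commands)
        print(label, [table.decide("internet", "input", p)
                      for p in (TELNET_TO_HOST, TELNET_OTHER, WEB)])
```

With the two filters reversed, the broader drop filter matches first and Telnet to 10.0.1.1 is dropped as well; the HTTP packet is accepted in both orders because no filter matches it.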
eth ip filter flush input
eth ip filter flush output
eth ip filter flush transmit
eth ip filter flush receive
# HTTP from LAN to WAN will be accepted
remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert output accept -p tcp -dp 80 internet
# DNS from LAN to WAN will be accepted
remote ipfilter insert input accept -p udp -sp 53 internet
remote ipfilter insert output accept -p udp -dp 53
Example 4: Medium Security Firewall
The following lists the filters installed when you request medium security via the Web management interface.
# E-mail - SMTP and POP3 requests from LAN to WAN accepted
remote ipfilter insert input accept -p tcp -sp 25 internet
remote ipfilter insert output accept -p tcp -dp 25 internet
remote ipfilter insert input accept -p tcp -sp 110 internet
remote ipfilter insert output accept -p tcp -dp 110 internet
# Drop all packets
remote ipfilter append input drop internet
remote ipfilter append output drop internet
# Watch the resu
# SSL accepted
remote ipfilter insert input accept -p tcp -sp 443 internet
remote ipfilter insert output accept -p tcp -dp 443 internet
# HTTP from LAN to WAN will be accepted
remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert output accept -p tcp -dp 80 internet
# FTP from LAN to WAN will be accepted
remote ipfilter insert input accept -p tcp -sp 20:21 internet
remote ipfilter insert outp
# NNTP tcp
remote ipfilter insert output accept -p tcp -sp 1024:65535 -dp 119 internet
# IMAP2 tcp/udp
remote ipfilter insert output accept -p tcp -sp 1024:65535 -dp 143 internet
# certain other non-privileged ports to non-privileged ports
remote ipfilter insert output accept -p tcp -sp 1024:65535 -dp 1024:65535 internet
# Allow NTP, who, Kali, CuSeeMe out to the WAN
# NTP
remote ipfilter insert transmit accept -p udp -
# Turn on ip filter watch for debugging
remote ipfilter watch on internet
save
Stateful Firewall
The Built-in Firewall Filters consist of a set of rules that are examined each time a packet is transmitted to or received from the public network. The firewall examines the packet’s header information and matches it against a set of defined rules. If it finds a match, the corresponding action is performed. If not, the packet is accepted.
command - This parameter defines the list to which the firewall rule will be assigned. The valid options are: allow | deny
For example:
-> firewall allow -a ftp -sa 192.168.1.34 -d out
protocol | application - The following parameters specify the protocol (-p) or application (-a) characteristics that a packet must have in order to match the firewall rule.
Application
-a imap | telnet | bootp | nntp | rpc | tftp | smtp | dns | ftp | rexec | rsh | rlogin | syslog | winframe | rdp | http | https | ntp | smb | ras | realaudio | netmeeting | aolim | quicktime | cuseeme | netshow | pptp | nfs | nis | traceroute | sqlnet | ipsec
Packets must match the assigned application characteristics.
-> firewall allow -a ftp -sa 192.168.1.
message logging - Specify one of these options to determine when watch messages are displayed for this firewall rule. The messages are sent to the console serial port and a Syslog server, if configured. There are two options: -q | -v
Quiet - If -q (quiet) is specified, no messages are displayed for this firewall rule, even if the rule causes a packet to be dropped. This is the default setting for firewall allow rules.
• The rules are evaluated in this order: deny rules first, then allow rules. Thus, in this example, when the firewall evaluates the deny rules for an FTP packet going from 192.168.1.20, it finds a matching deny rule and the packet is dropped. For packets from any other address in the subnet, the deny rules do not match, so the allow rules are evaluated next.
Rule Modification
To modify a previously entered rule, the following command structure is used.
-> firewall modify
When modifying the rule, it is not necessary to enter the parameters that will not be modified. The firewall rule number can be viewed by using the firewall list command. For example, to change the source port of the following rule (#16):
16.
Port Information - When port information is entered, the source port value is preceded with -sp and the destination port with -dp. The parameters are:
-sp | [:]
Modifies the source port, specified port range, or ICMP type.
-dp | [:]
Modifies the destination port, specified port range, or ICMP type.
Message Logging - Modifies the message logging function. -q | -v
Quiet - If -q (quiet) is specified, no messages are displayed for this firewall rule, even if the rule causes a packet to be dropped. This is the default setting for firewall allow rules.
Verbose - If -v (verbose) is specified, a message is displayed every time this firewall rule matches a packet, regardless of the rule action.
The information displayed includes:
• Time and Date
• Protocol
• Source IP address
• Source Port Number / ICMP Type
• Destination IP address
• Destination Port Number / ICMP Code
• Reason for drop
Message Logging
The message logging function configured in the creation of firewall rules can be enabled or disabled on the “Stateful Firewall Configuration Page” on page 8-60 of the WMI or by entering the follow
The firewall shall, by default, drop any packet that is not explicitly accepted by the firewall rules, and allow only the services that are explicitly enabled by the security policy. In addition, the firewall will log all the DoS attacks it detects. The following sections provide an overview of this protection.
UDP Flood Attack
Similar to ICMP flood, the User Datagram Protocol (UDP) Flood denial of service attack preys on the chargen service of one router and the echo service of another.
Finger Bomb
In this attack, an intruder can disrupt services by causing excessive processing on the target system. In order to run this attack, the hacker could execute the command:
finger rob@example.com@example.com@example.com……
This causes excessive CPU time by forcing the target server to recursively execute the finger until it reaches the end of the list.
Encryption
Encryption is a key-enabled feature. The following section applies only to routers with the encryption option enabled. For more information, see “Key Enabled Features” on page 4-29. To read about IPSec encryption, see IPSec (Internet Protocol Security).
Sample Configuration
Suppose that the routers SOHO (the local router) and HQ (the remote router) described in Chapter 3, Installation and Setup are to be configured to use PPP DES encryption.
Observe the following guidelines:
• Specify DESE_1_KEY if the same key is to be used in both directions. Specify DESE_2_KEY if the keys are to be different. Using the same keys in both directions can significantly reduce the time needed to compute the DES keys from the Diffie-Hellman exchange.
• The optional file name on the command is the name of the file containing the Diffie-Hellman values.
File Format for the Diffie-Hellman Number File
The default values used to generate keys are listed at the end of this section. If you want to use values other than the defaults, you can create your own Diffie-Hellman number file. The file should follow these rules:
• The file should be 192 bytes, in binary format, consisting of two 96-byte numbers, with the most significant byte in the first position.
IPSec (Internet Protocol Security)
IPSec security is a key-enabled software option for your router. The following section applies only to routers with the encryption option enabled (see “Key Enabled Features” on page 4-29). Use the key list command to check that IPSec is available on your router.
NOTE: Almost all IPSec capabilities can be selected using the graphic interface.
The router supports both IPSec encapsulation methods. It can serve as the endpoint of a tunnel mode connection or as the endpoint of a transport mode connection. Also, while operating in tunnel mode, the router does allow transport mode traffic to flow through it. Tunnel mode is the default encapsulation mode for the router. It is used when the IPSec packet comes from either another device or from the encrypting device.
If ESP encryption is selected, ESP automatically encrypts the data portion (payload) of each packet using the chosen encryption method, DES (56-bit keys) or 3DES (168-bit keys).
CAUTION: Restrictions may exist on the export of the DES and 3DES encryption options outside the United States or Canada.
[Figure 5-5: ESP and AH Security. ESP Protocol fields: New IP Header; ESP Header; Original IP Header; Rest of original IP packet (headers and data); ESP Trailer; ESP Authentication; spans marked Encrypted and Authenticated. AH Protocol fields: New IP Header; AH Header; Original IP Header; Rest of original IP packet (headers and data); span marked Authenticated.]
Because VPN users are likely to be using a variety of protocols, a common set of security attributes mus
Main Mode and Aggressive Mode
The router supports two Phase 1 IKE modes: main mode and aggressive mode. These modes apply only to the Phase 1 negotiations, not to the ensuing data transmission. Main mode is used when both source and destination IP addresses are known. In main mode, only two options require definition initially—the remote peer IP address and the shared secret.
Additional IKE Settings
In addition to the peer identification and shared secret described earlier, IKE requires that the router be configured with the following information:
• Session authentication
• Phase 1 IKE message authentication
• Phase 1 IKE message encryption
• One of the following for each IKE proposal:
– IPSec AH packet authentication
– IPSec ESP data authentication
– IPSec ESP data encryption
–
The session initiator creates a cookie and sends it to the responder, with a zero placeholder in the responder cookie area. The responder then creates a cookie and fills in the zeros. All packets will contain these two cookies until the Phase 1 SA expires.
IKE Peer commands next establish the identity of local and remote peers.
The following commands define the peer connection.
-> ike peers set mode
Sets the peer connection to either main or aggressive mode. Main mode is used when the IP addresses of both ends are known. Aggressive mode is used when the address of one end can change, as with a typical modem or DSL connection.
IKE Proposal Commands
The IKE proposal commands define the proposals exchanged during the Phase 1 SA.
-> ike proposals add
Defines the name of a new IKE proposal.
-> ike proposals delete
Deletes an existing IKE proposal.
-> ike proposals list
Lists the IKE proposals.
The following commands specify the contents of the proposals exchanged.
-> ike ipsec proposals add
Defines the name of a new IKE IPSec proposal.
-> ike ipsec proposals delete
Deletes an existing IKE IPSec proposal.
-> ike ipsec proposals list
Lists the IKE IPSec proposals.
The following proposals set commands specify the contents of the proposals exchanged.
-> ike ipsec proposals set espauth
Determines whether ESP message authentication is requested and, if it is requested, the hash algorithm used.
• MD5 - Use ESP encapsulation and authenticate using hash algorithm Message Digest 5.
• SHA1 - Use ESP encapsulation and authenticate using hash algorithm Secure Hash Algorithm-1.
IKE IPSec Policy Commands
The IKE IPSec policy commands specify the filtering parameters for the IPSec SA.
-> ike ipsec policies add
Defines the name of a new IPSec policy.
-> ike ipsec policies delete
Deletes an existing IPSec policy.
-> ike ipsec policies list
Lists the IPSec policies.
Requires that the data come from the specified source IP address and mask.
-> ike ipsec policies set dest
Requires that the data be intended for the specified destination IP address and mask.
-> ike ipsec policies set translate on | off
Determines whether the router applies NAT (network address translation) before the packets are encrypted by IPSec.
Main Mode Example
The following example lists two setup files that configure two routers for an IKE main mode connection. The two routers are referred to as the home office router and the branch office router.
192.168.16.X 192.168.19.X 192.168.17.200 Home Office Private Network Home Office Router 192.168.18.
# Describe the branch office IKE phase 1 connection
# DES encryption
# MD5 authentication
# Diffie-Hellman group 2 key exchange
# 24-hour timeout
# Unlimited data
ike proposals add branch_proposal
ike proposals set encryption des branch_proposal
ike proposals set message_auth md5 branch_proposal
ike proposals set dh_group 2 branch_proposal
ike proposals set lifetime 86400 branch_proposal
# Describe the des
# Branch office example using IKE
# Home router private network addresses are 192.168.16.X
# Home router public address is 192.168.17.200
# Branch router private network addresses are 192.168.19.X
# Branch router public address is 192.168.18.201
# Describe the home office peer
# IKE main mode is used because the home office has a fixed IP address
# (192.168.17.200).
ike ipsec policies ike ipsec policies home_policy ike ipsec policies home_policy ike ipsec policies ike ipsec policies add home_policy set source 192.168.19.0 255.255.255.0 set dest 192.168.16.0 255.255.255.
# Describe the branch office peer
# IKE aggressive mode is required because the branch office does not have a fixed IP address.
# The shared secret is “ThisIsASecret12345;)”
ike ike ike ike ike ike ike ike peers peers peers peers peers peers peers peers add set set set set set set set branch_peer mode aggressive branch_peer address 0.0.0.
IPSec Commands
The following commands allow you to define an IPSec connection without IKE.
NOTE: If you define a tunnel using IPSec commands, the keys will remain static. This could pose a security risk and is not recommended. Use of IKE for key management is recommended.
-> ipsec flush
Clears all IPSec definitions.
-> ipsec add
Defines an SA name.
-> ipsec delete
Deletes an existing SA name.
-> ipsec set authentication
Selects authentication using either SHA-1 (Secure Hashing Algorithm 1) or MD5 (Message Digest 5).
-> ipsec set enckey
Specifies the encryption key (in hexadecimal, 64 bits for DES or 192 bits for 3DES).
-> ipsec set authkey
Specifies the authentication key (hexadecimal).
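Because keys entered with ipsec set enckey stay static, a mistake in the key value persists for the life of the tunnel. The following added example (not from the manual or the router firmware) checks a hexadecimal key offline against the lengths stated above and against two standard properties of DES that this page does not describe: the four DES weak keys, and 3DES keys whose 64-bit parts repeat. The function names and sample keys are constructed for the illustration, and ignoring the parity bit of each byte when comparing keys is an assumption about how the 64 and 192 supplied bits relate to the 56-bit and 168-bit figures quoted earlier.

```python
KEY_BITS = {"des": 64, "3des": 192}  # lengths stated for ipsec set enckey

# The four DES weak keys (standard DES knowledge, not taken from this page).
DES_WEAK_KEYS = (
    "0101010101010101",
    "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1",
    "1f1f1f1f0e0e0e0e",
)


def strip_parity(block):
    """Clear the low bit of each byte so only the 56 key bits are compared."""
    return bytes(b & 0xFE for b in block)


WEAK = {strip_parity(bytes.fromhex(k)) for k in DES_WEAK_KEYS}


def check_enckey(cipher, hex_key):
    """Return a list of problems found in a manual key; empty if none."""
    cipher = cipher.lower()
    if cipher not in KEY_BITS:
        raise ValueError(f"unknown cipher: {cipher}")
    try:
        key = bytes.fromhex(hex_key)
    except ValueError:
        return ["not valid hexadecimal"]
    if len(key) * 8 != KEY_BITS[cipher]:
        return [f"{cipher} needs {KEY_BITS[cipher]} bits, got {len(key) * 8}"]

    problems = []
    parts = [strip_parity(key[i:i + 8]) for i in range(0, len(key), 8)]
    for number, part in enumerate(parts, 1):
        if part in WEAK:
            problems.append(f"part {number} is a DES weak key")
    if cipher == "3des":
        k1, k2, k3 = parts
        if k1 == k2 or k2 == k3:
            # Encrypt-decrypt-encrypt with two equal adjacent parts cancels
            # out, leaving a single DES operation.
            problems.append("adjacent parts equal: reduces to single DES")
        elif k1 == k3:
            problems.append("first and third parts equal: two-key 3DES")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, not values from any real configuration.
    samples = [
        ("des", "0123456789abcdef"),
        ("des", "0101010101010101"),
        ("3des", "0123456789abcdef" * 3),
        ("3des", "0123456789abcdef23456789abcdef01456789abcdef0123"),
        ("3des", "0123456789abcdef"),
    ]
    for cipher, key in samples:
        print(cipher, key, check_enckey(cipher, key) or "ok")
```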
SSH
Secure Shell (SSH) is a key-enabled feature that allows secure network services over an insecure network such as the public Internet. The objective of SSH is to make a secure functional equivalent for telnet.
Another perspective of the SSH protocol illustrates that it consists of three major components:
• Transport Layer Protocol - The transport layer protocol provides server authentication, confidentiality, and integrity. The transport layer is typically run over a TCP/IP connection, but may also be used on top of any other reliable data stream. This phase is also known as the Protocol Identification phase.
[Figure 5-12: Session Presentation Phase. Labels: Client; Requests (commands); Server.]
Once the secure session has been established, the user (on the client end) must still provide a username and password for further authentication. If the user has the proper privileges, access to the authorized management facilities is granted.
SSH Sessions
For SSH to be operational, the following must be performed:
• Add the enabling feature key
• Generate or install a public/private key pair
Assuming these steps have been performed, secure connections to the system are available. When SSH is enabled (default mode), it listens on port 22 for a client to initiate a secure session.
• Key pairs can also be generated offline with SSH Corporation's Key Generation software (only) and then installed onto the system.
Blowfish
Blowfish is a block cipher that encrypts data in 8-byte blocks. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a variable-length key of at most 56 bytes (448 bits) into several subkey arrays totaling 4168 bytes. The resulting key supported is 128 bits.
Configure Bridge Filtering
Bridge filtering allows you to control the packets transferred across the router. This feature can be used to enhance security or improve performance. The filtering is based on matched patterns within the packet at a specified offset. Two filtering modes are available:
• “Deny” mode will discard any packet matched to the “deny” filters in the filter database and let all other packets pass.
Efficient Networks® Router family Command Line Interface Guide
CHAPTER 6 CONNECTION MANAGEMENT
IP Subnets
You may configure the router to provide access to multiple IP subnets on the Ethernet network. (This feature does not apply to IPX or bridged traffic.) Each IP subnet is referenced as a logical (or virtual) Ethernet interface. You may define multiple logical interfaces for each physical Ethernet interface (that is, port) in the router.
NOTE: When you stop or restart an interface, interface changes are discarded if they have not been saved.
Interface Routing and Filtering
After the eth add and eth ip addr commands define the Ethernet logical interface, other eth commands can reference it, including:
-> eth ip addroute
Adds an Ethernet IP route that uses the logical Ethernet interface. The route is added to the default routing table.
The address ranges assigned to the virtual routing tables may not overlap. All source IP addresses not assigned to a virtual routing table are routed using the default routing table. You can add routes to the default routing table using the eth ip addroute and remote addiproute commands.
Procedures
Unlike changes to the default routing table, changes to IP virtual routing tables take effect immediately.
RIP Controls
The Routing Information Protocol (RIP) control options allow you to decide what routing information you want to receive and what routing information you choose to share on the network. For a remote interface, the default is to not send or receive IP RIP packets. If you choose to use this default, you must use the remote addiproute command to configure static routes for this WAN link.
The available RIP options on these commands are:
rxrip - Receive IP RIP packets
txrip - Send IP RIP packets
rxrip1 - Receive and process RIP-1 packets only
txrip1 - Send RIP-1 packets only
rxrip2 - Receive and process RIP-2 packets only
txrip2 - Send RIP-2 packets only
rxdef - Receive the default route
txdef - Advertise this router as the default router
avdfr
Advertising the Local Site
The default is to keep t
ARP
ARP is a low-level protocol within TCP/IP that "maps" IP addresses to hardware MAC addresses. ARP works by broadcasting an ARP request with the IP address out onto the network. The node with that IP address responds to the request with the MAC address of its Ethernet adapter. (The MAC address is hard-coded on the Ethernet adapter).
Dial Backup
The Dial Backup capability provides a backup asynchronous modem connection to the Internet when the default DSL link goes down. If your router model is equipped with an internal modem and the feature key is present, the backup connection uses the internal modem; otherwise the backup connection uses an external modem. The modem connection is provided through the MGMT (console) port.
To set a restriction for an IPSec tunnel, use the ike ipsec policies set interface command. The interface that you specify on the command is the remote interface that the tunnel is to be restricted to. To restrict the tunnel to the backup interface, specify the remote name that you created for the dialup parameters as described in “Specifying the Dialup Parameters” on page 6-9.
Optionally, Dial Backup can actively test the status of the DSL link by pinging IP addresses. For this option, you must specify at least one IP address; default values are provided for:
• Ping interval, number of samples, and minimum success rate
Step 4 Specify the modem parameters (if the default values are not appropriate).
# Specify the primary phone number to be used when dialing out. This
# phone number begins with 9 (to get an outside line), a comma (for
# a 2-second pause), and finally the seven-digit local number.
remote setphone async 1 9,5554218 backup
# Specify the bit rate for the preceding phone number.
# The bit rate can be 38400, 57600, 115200, or 230400.
Setting DSL Link Conditions
After you define the backup connection parameters in a remote profile, the following information is included when you enter the command system list:
-> system list
Backup............................... yes
Retry Interval In Minutes.......... 30
Stability Interval In Minutes......
The default retry period is 30 minutes. To change the retry period, enter this command:
-> system backup retry
Addresses to Ping
Dial Backup can also actively determine whether the DSL link is up by pinging IP addresses. It does so only if you provide it with one or more IP addresses. You could choose to ping addresses that are vital to your application.
To clear the ping list of all addresses, enter:
-> system backup delete all all
NOTE: If you clear the ping list of all addresses, pinging is not used to determine if the DSL link is down. Instead, the state of the DSL physical layer is the only criterion used to determine failure and restoration.
During the ping test, every address in a group contributes to the current success rate of the group; as soon as the current success rate falls below the minimum success rate, the group has failed.
Dial Setting
The string for the dial setting can be either ATDT for tone dialing or ATDP for pulse dialing. The default is tone dialing. To select pulse dialing, use this command:
-> system modem dial atdp
Disabling and Re-Enabling Dial Backup
Note: Because Dial Backup uses the console port, you must use the Web GUI interface or a Telnet session to disable Dial Backup.
VRRP Backup
When a router is defined as a static default gateway and no other dynamic routing protocol or router discovery protocol is used (such as RIP), the gateway becomes a critical link in the network. If that router fails, that critical link would be broken. It, therefore, may be appropriate to set up other routers as backups that can serve as the static default gateway if necessary.
IP Address
Every logical interface is assigned its own IP address, or range of addresses, that is unique on the LAN. The VRRP interface must be assigned the IP address that serves as the default static gateway for other devices on the LAN. For example, assume that the gateway IP address is 192.168.100.254. If the default logical interface (0:0) is to be the VRRP interface, it is assigned the gateway address.
A VRID has these characteristics:
• Integer from 1 through 255; thus, a LAN can have up to 255 VRIDs.
• Unique on the LAN, but can be reused on other LANs.
• The same VRID must be defined in all routers that make up the Virtual Router, that is, the original router and all routers that are to serve as its backups.
Defining VRRP Attributes
Each time you define a VRID in a router, you must define an attribute record for it in that router. The following sections describe how to define the record and set the attributes.
NOTE: The VRRP attribute commands do not require a restart or reboot to take effect. However, you do need to save your changes if they are to persist after a restart or reboot.
Time Interval Attribute (default, 1 second)
The time interval value specifies how often VRRP advertisement packets are sent. It also determines how quickly a backup router can recognize that another VRRP router is down. If the backup does not receive a VRRP packet from another VRRP router during the master down interval, the backup assumes the other router is down.
NOTE: Our implementation does not validate the IP addresses in the advertisement packet or authenticate using an authentication header.
Disabling or Deleting VRRP
To disable a Virtual Router in a router, you delete its VRID in that router. To do so, use the command:
-> eth vrrp delete []
This command deletes the VRRP attribute record defined for that VRID. It also disassociates the VRRP IP and MAC addresses from the logical interface.
Sample VRRP Configuration
The sample configuration shown here is for two routers, one master and one backup. It is assumed that either router can route Internet traffic for the Ethernet LAN containing devices that use a static default gateway address 192.168.100.254.
LAN with Static Gateway 192.168.100.254 VRRP Routers Mgmt. Addr. 192.168.254.253 Gateway Addr. 192.168.100.254 Master Router Internet Mgmt.
eth ip vrid 7
#
# A VRRP attribute record is defined for VRID 7.
eth vrrp add 7
#
# This router is the master router so it is given priority 255.
eth vrrp set priority 255 7
#
# This is a simple password to authenticate VRRP packets.
eth vrrp set password abcdefgh 7
#
# Use the default time interval (1 second) and preemption option (preempt).
#
# Save the changes and then reboot.
# In this example, the VRRP interface is the default logical interface 0:0,
# (The VRRP interfaces for the master and backup routers may have different numbers.)
#
# The VRRP IP address must be the same as that of the master router.
eth ip addr 192.168.100.254 255.255.255.0
#
# The VRRP interface must be assigned the same VRID as in the master router.
L2TP Tunneling - Virtual Dial-Up
This section has four parts:
• The Introduction provides a general overview of L2TP tunneling.
• The L2TP Concepts section explains LNS, L2TP client, LAC, dial user, tunnels, and sessions.
• Configuration describes preliminary configuration steps and verification steps and lists commands associated with the configuration of L2TP and PPP sessions.
L2TP Concepts

This section defines the major L2TP concepts and illustrates them with L2TP client examples. It also describes the creation and destruction of tunnels and sessions.

Definitions

An L2TP tunnel is created between an L2TP client and an L2TP network server (LNS). The client and server control the tunnel using the L2TP protocol.
[Figure 6-1: L2TP Example. Labels: Remote User; Company; Logical Link; PPP session running over the tunnel; L2TP Client: Dial User+LAC (ISDN router); PC; TUNNEL; LNS Router; Company LAN/server; Physical Link; INTERNET; IP traffic to the Internet; PPP session; ISDN line; DSL/ATM traffic.]

Tunnels

• Tunnels are virtual paths that exist between an L2TP client and an L2TP server.
A tunnel session automatically times out after the data session stops. When instructed to destroy a session, the L2TP client closes any PPP session associated with that session. The L2TP client may also send control messages to the LNS indicating that the L2TP client wishes to end the PPP session. When the LNS wants to hang up the call, it sends control messages destroying the session.
Step 2 Try to establish IP connectivity (using the ping or tracert commands).
a. “Pinging” from the L2TP client or LNS to the opposite tunnel endpoint should succeed (this tests the tunnel path).
b. “Pinging” from a tunnel endpoint IP address to an IP address within the tunnel will probably fail due to the existence of the IP firewall.
NOTE: Verify that the IP address of the other end of the tunnel is correctly routed. It should not be routed through the tunnel itself, but over a physical link.

You may also specify the source IP address for the tunnel as an address other than the WAN interface IP address, such as the Ethernet IP address.
Assumptions

In this example, the following information is assumed:
• The server side (the company) has an LNS router connected to the Internet.
• The client side has an existing route to the Internet with the remote “Internet” (refer to the following Note, if you need sample configuration commands).
• IP routing is enabled (refer to the following Note, if you need sample configuration commands).
3. Shared_Secret
4. 10.0.0.1

L2TP tunnel configuration commands. These commands would be used to set up the L2TP tunnel information for our example:

l2tp add Work_Router
l2tp set ourtunnel Home_Router Work_Router
l2tp set chapsecret Shared_Secret Work_Router
l2tp set address 10.0.0.1 Work_Router

PPP remote configuration

PPP remote-specific questions:
1.
4. Does the remote router dynamically assign an IP address for this PPP session?
– If yes:
  - Use IP address translation (NAT)
– If no and the home router is to behave as a LAN at home:
  - Which IP address and network mask does the home router use for its LAN at home? Use the eth ip addr command to set the LAN at home. Do not enable IP address translation (NAT) for the remote (company) router.
Complete LNS and L2TP Client Configuration Example

The following information and illustration (Figure 6-2) provide a configuration example of an LNS and L2TP Client.

Assumptions

IP Addresses

The LNS server’s LAN IP address is 192.168.100.1 (LNSserver) with a mask of 255.255.255.0. The LNS has a WAN IP address of 192.168.110.1, which is used as the tunnel endpoint. The LNS connects to the remote internet.
[Figure: LNS and L2TP client configuration example. Labels: Remote User; Company; PPP session running over the tunnel; L2TP Client: PC, soho router (ISDN), lacclient (see Note 1); lnsserver (see Note 3); LNS: LNSserver router; TUNNEL; tunnelAtHome (see Note 2); (DSL); 192.168.100.1; tunnelAtWork (see Note 2); Router on the LAN side: 192.168.101.1; CO; LAN 192.168.110.1; LAN: 192.168.100.0; IP traffic to the Internet; LAN: 192.168.101.]
Set up ISDN parameters:

isdn set switch ni1
isdn set dn 5551000 5553000
isdn set spids 0555100001 0555300001

Define DHCP settings for DNS servers, domain, wins server:

dhcp set value DOMAINNAMESERVER 192.168.100.68
dhcp set value DOMAINNAME efficient.com
dhcp set value WINSSERVER 192.168.100.
eth ip enable
eth ip addr 172.16.0.1 255.255.255.0
eth ip opt rxdef off
eth ip addroute 192.168.101.1 255.255.255.0 172.16.0.254 1

Create a DHCP pool of addresses:

dhcp add 172.16.0.0 255.255.255.0
dhcp del 192.168.254.0
dhcp set addr 172.16.0.2 172.16.0.
Set up ISDN parameters:

isdn set switch ni1
isdn set dn 5552000 5554000
isdn set spids 0555200001 0555400001

Define a remote (soho):

remote add soho
remote setauthen chap soho
remote setpassw sohopasswd soho
remote setphone isdn 1 5551000 soho
remote setphone isdn 2 5553000 soho
remote addiproute 192.168.101.0 255.255.255.
save
reboot
remote add internet
remote setphone isdn 1 5552000 internet
remote setphone isdn 2 5554000 internet
remote setauthen chap internet
remote setpasswd internet internet
remote addiproute 0.0.0.0 0.0.0.0 1 internet
remote setsrcipaddr 192.168.110.1 255.255.255.255 internet
remote addiproute 192.168.101.1 255.255.255.
PPPoE (PPP over Ethernet)

PPPoE is a method of delivering PPP sessions over an Ethernet LAN connected to a DSL line, as defined in the document RFC 2516. It was designed to maintain the established PPP interface for the end user and the service provider, while improving service through use of a DSL line.
In addition, if the remote entry should be used only for PPPoE traffic, define it as “PPPoE only” using this command:

-> remote setbroptions only on

For a Dual-Ethernet router, an Ethernet interface can be designated as “PPPoE only” using this command:

-> remote setbroptions pppoe only on

PPPoE Client

PPPoE configuration requires creation of a new remote router entry to serve as the
If your service provider charges by the hour, you may want a PPPoE session to time out after a period of no traffic. However, if you do use a timeout, bringing up a PPPoE session takes 2-3 seconds longer.
#
# Enable bridging through the remote.
remote enabridge PPPoEbridge
#
# Turn off the Spanning Tree Protocol.
remote setbroptions stp off PPPoEbridge
#
# Allow only PPPoE traffic through this remote.
# ----------------------------------------------
# Save the configuration changes and then reboot.
save
reboot

Managing PPPoE Sessions

Each PPPoE session is listed with the other interfaces in the output from an ifs command. In the following example, the PPPoE session is shown as the last line of the output.

-> ifs
Interface Connection Speed In % Out % Protocol State
ETHERNET/0 10.0.
Flags ............... 1

To close a PPPoE session before it terminates, use the pppoe close command. The session is specified by its number. (Use the PPPoE/n number from the ifs output or the PPPoE/Ifs number from the pppoe list output.
Transport (Layer-2) VPNs

Virtual Circuits

A Layer-2 VPN is typically an ATM or Frame Relay (FR) link over a high-speed DSL, T1, or a T3 line. With both of these protocols (ATM and Frame Relay), a dedicated line can actually be connected to multiple sites simultaneously by means of PVCs (Permanent Virtual Circuits).
Network (Layer-3) VPNs

Tunneling

Tunneling has been in existence for many years and recently has become the answer to cutting long distance WAN access costs. This is what most of us think of as "VPN". Tunneling uses some Layer-1 and Layer-2 technology already in place. It also uses a public (or private) IP network to connect multiple sites together.
Technology Standards

IPSec

This protocol encrypts each IP packet that is destined for a tunnel and puts new header information on it to transport it to its destination. The new header information is what creates the "tunnel" effect. This protocol can create a tunnel and encrypt data, but only IP packets can be encrypted and transported. No other protocols are transported through the tunnel.
Tunnel Server

Function

The L2TP tunnel server receives tunnel "calls" and controls the tunnel once it is created. It is responsible for multiple tunnels simultaneously. The server can run as a service on a network server or as a stand-alone device on the network.

Location

The L2TP tunnel server is usually located at the edge of a LAN where it connects to the WAN.
Location

This software is installed on the workstation for the purpose of creating a tunnel to a LAN.

Service Provider-based VPNs

Tunneling from a POP or access concentrator

VPN services can be provided to users by creating and terminating the tunnels at the Internet Service Provider (ISP) Point of Presence (POP) on the Internet.
Workstation Client to LAN Server

Tunneling from a Workstation to a Server on the Enterprise LAN

This is a common approach to VPN. The workstations at the remote offices or homes have special software installed that allows them to connect to the tunnel server on the Corporate LAN. The connection is transparent to the Internet and each workstation is authenticated and managed independently on its own tunnel.
Types of VPNs used

Both ATM PVCs and tunneling VPNs can be practical for LAN-to-LAN connections. If all of the LANs are local and the connections don’t need to vary, then ATM might be the best solution. If even one location is far away from the others or if many different connection possibilities must be present, then tunneling makes more sense.
DES Encryption with Dynamic Key Exchange: When running an encrypted tunnel, the encryption keys are dynamically exchanged to make it almost impossible to expose the data.

Each tunnel is a virtual interface: All elements of NAT, DHCP, Firewall, routing, bandwidth thresholds, inactivity time-outs, etc. can be configured on a per-tunnel basis, and are independent "virtual" interfaces.
Step 1: Configure Both Routers for Internet Connectivity

This configuration example assumes the routers are already configured to connect to the Internet. The configuration uses PPP for the link protocol and has IP routing only.

Branch Office Configuration:

This router has an IP address of 10.0.0.1 on the LAN and 200.10.10.5 on the WAN. NAT is on and it tunnels to another network (10.2.0.0).
NOTE: You cannot ping the tunnel endpoint, only the LAN behind it.

The eth ip addr 10.2.0.1 255.255.255.0 command sets the Ethernet address of the corporate router. You may not need to change this setting unless both LAN subnets of the VPN are identical. Each LAN of a VPN solution must be a unique subnet.
Set LAC and/or LNS. In this case, both will allow this router to establish and receive a tunnel.

l2tp set type all tunnelb

Add the remote profile for the IP network on the other end of the tunnel. This name must match the name in the command "l2tp set oursysname " on the Corporate router.

remote add corp

Define the authentication password expected for this PPP link.
Define the name of our tunnel for authentication purposes. This tunnel device sends the name "tunnelb" when challenged to identify itself by the tunnel peer. Branch Office asks "Who are you?" and Corporate says "I am tunnelb" and Branch Office authenticates. This setting must match the name in the command "l2tp add " on the Branch Office router.
Add an IP route to the LAN on the other end of the tunnel PPP link. A route must be added for each subnet that exists on the Branch Office LAN.

remote addiproute 10.0.0.0 255.255.255.0 1 cust
save
reboot

Step 3: Configure Encryption and Key Exchange

Branch Office Configuration:

Enable encryption on the PPP link that goes through the tunnel.
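The tunnel steps above depend on names and secrets agreeing across the two routers: the name one side announces must match the peer's "l2tp add" entry, and each "remote add" name must match the peer's "l2tp set oursysname". As an added example (not part of the original guide), the Python checker below compares two saved command scripts for those mismatches. The sample scripts are constructed; the argument order "l2tp set <parameter> <value> <TunnelName>" follows the commands shown in this chapter and is assumed to hold for oursysname as well.

```python
# Constructed sample scripts; names other than tunnelb and corp, the secret,
# and the 203.0.113.10 address are placeholders, not values from the guide.
BRANCH = """\
# Branch Office router
l2tp add tunnelb
l2tp set type all tunnelb
l2tp set address 203.0.113.10 tunnelb
l2tp set chapsecret ExampleSecret tunnelb
l2tp set ourtunnel tunnela tunnelb
l2tp set oursysname branch tunnelb
remote add corp
"""

CORP = """\
# Corporate router
l2tp add tunnela
l2tp set type all tunnela
l2tp set address 200.10.10.5 tunnela
l2tp set chapsecret ExampleSecret tunnela
l2tp set ourtunnel tunnelb tunnela
l2tp set oursysname corp tunnela
remote add branch
"""


def parse_config(text):
    """Collect L2TP tunnel entries and remote names from a command script."""
    cfg = {"tunnels": {}, "remotes": set()}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if tok[:2] == ["l2tp", "add"] and len(tok) == 3:
            cfg["tunnels"].setdefault(tok[2], {})
        elif tok[:2] == ["l2tp", "set"] and len(tok) == 5:
            param, value, tunnel = tok[2:]
            cfg["tunnels"].setdefault(tunnel, {})[param] = value
        elif tok[:2] == ["remote", "add"] and len(tok) == 3:
            cfg["remotes"].add(tok[2])
    return cfg


def one_way(local, peer, lname, pname):
    """Check the names that `local` announces against what `peer` expects."""
    findings = []
    for entry, params in sorted(local["tunnels"].items()):
        our = params.get("ourtunnel")
        if our is None:
            findings.append(("NO_OURTUNNEL",
                             f"{lname}: tunnel '{entry}' has no ourtunnel name"))
        elif our not in peer["tunnels"]:
            findings.append(("TUNNEL_NAME",
                             f"{lname} announces tunnel name '{our}' but "
                             f"{pname} has no 'l2tp add {our}'"))
        sysname = params.get("oursysname")
        if sysname and sysname not in peer["remotes"]:
            findings.append(("PPP_NAME",
                             f"{lname} announces PPP name '{sysname}' but "
                             f"{pname} has no 'remote add {sysname}'"))
    return findings


def check_pair(a_text, b_text, a_name="branch", b_name="corporate"):
    """Return a list of (code, message) findings; empty when the pair agrees."""
    a, b = parse_config(a_text), parse_config(b_text)
    findings = one_way(a, b, a_name, b_name) + one_way(b, a, b_name, a_name)
    for entry, params in sorted(a["tunnels"].items()):
        peer_entry = b["tunnels"].get(params.get("ourtunnel"))
        if peer_entry is None:
            continue                             # already reported above
        sa, sb = params.get("chapsecret"), peer_entry.get("chapsecret")
        # Findings never echo the secret values themselves.
        if sa is None or sb is None:
            findings.append(("NO_SECRET",
                             f"tunnel '{entry}': chapsecret missing on one side"))
        elif sa != sb:
            findings.append(("SECRET_MISMATCH",
                             f"tunnel '{entry}': chapsecret differs between "
                             f"{a_name} and {b_name}"))
    return findings


if __name__ == "__main__":
    for code, message in check_pair(BRANCH, CORP) or [("OK", "pair is consistent")]:
        print(code, message)
```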
VPN with IP Filtering and MS Networking

When setting up Secure VPN and Firewall functions, the configuration of routers is not complete until each user can log onto the corporate domain controller for access to all resources on the LAN. UDP relay and WINS server commands will allow MS networking to function through a VPN tunnel.

The following items must be configured:
1.
Efficient Networks® Router family Technical Reference Guide
Chapter 7: Monitoring System Performance

CHAPTER 7
MONITORING SYSTEM PERFORMANCE

This chapter discusses the tools available to monitor and troubleshoot the router’s operation as well as survey network functions.

Syslog Client

The router can act as a Syslog client, automatically sending system event messages to one or more Unix Syslog servers.
SNMP

The Simple Network Management Protocol (SNMP) is a member of the TCP/IP protocol suite designed to provide network management interoperability among different vendors’ management applications and equipment. SNMP provides for the exchange of messages between a management client and a management agent.
Table 7-1: Supported MIBs

Group: ICMP Group, TCP Group, UDP Group, SNMP Group
Definition: These groups provide connection, status, and statistical information for each of the protocols of the system.

Group: ATM Group
Definition: This group provides information for ATM Physical Layer.

Group: Bridge MIB
Definition: State and statistical information within the bridging system.

Group: Enterprise MIB
Definition: Router-specific objects for configuration purposes.
Configuring SNMP

The router provides SNMP agent support for accepting SNMP requests for status, statistics, and configuration information as read-only operations. Remote configuration (write operations) by an SNMP manager is allowed after authentication. The SNMP configuration parameters are described in the following paragraphs.
Sets the SNMP password.

-> snmp addtrapdest
-> snmp deltrapdest

Commands to create or delete trap manager entries.

-> snmp settrapenable on | off

Enables and disables trap message transmission.

-> snmp addsnmpfilter [] | lan
-> snmp delsnmpfilter [] | lan

Commands to create or delete the client range for SNMP access.
Troubleshooting

Software problems usually occur when the router’s software configuration contains incomplete or incorrect information. This section discusses:
• Diagnostic tools that are available to help identify and solve problems that may occur with your router.
Table 7-2: LED State Sequence

State 1 (Power ON). Normal Sequence: PWR - green, TEST - amber, LINK or WAN - off. Duration: 5 Sec.
State 2. Normal Sequence: All lights flash. Duration: 1 Sec.
State 3. Normal Sequence: PWR - green, TEST - green. Duration: 5 Sec.

PWR - green
A hardware problem has been detected. Contact Technical Support.
1. Check that the DIP switches are all up.
2. Check that the correct software was loaded.
History Log

The History Log utility is a troubleshooting tool which displays the router’s activity. It can be accessed from a terminal emulation session or from Telnet. To see message explanations, refer to the System Messages section.

Accessing History Log through Telnet

Step 1 Click Connect and then Remote System.
Step 2 Enter the router’s IP address.
Step 3 Click Connect.
If the terminal window display has a problem:
• Ensure your console is plugged in and turned on.
• Verify that you are on the right communications port (Com1, Com2).
• Check the configuration parameters for speed, parity, etc.

Make sure the console is not in an XOFF state. Try entering a “ctrl q”. Verify that the RS232 device attached to the console is configured as a DTE.
Connection Problems

If you cannot connect your PC to the target router for configuration:
• For a LAN connection, verify that the router’s IP address matches the IP address previously stored into the router’s configuration.
Remote Network Access Problems

Bridging

• Make sure to reboot if you have made any bridging destination or control changes.
• All IP addresses must be in the same IP subnetwork (IP is being bridged).
• Check that a bridging default destination has been configured and is enabled.
• Be sure to reboot if the bridging destination or status has been changed.
TCP/IP Routing

• Check that Ethernet LAN TCP/IP Routing has been enabled (eth list command).
• The IP addresses of the local and remote networks belong to different IP subnetworks.
• Make sure that there is an existing route to the remote network.
• Make sure that there is a route back from the remote network.
• There must be a source WAN IP address defined if you are using NAT.
IPX Routing

• Check that IPX routing has been enabled and that the remote end is enabled for IPX routing.
• Validate that the IPX WAN network number matches the remote router’s WAN network number.
• Check that IPX SAPs correctly identify the servers and applications on the remote network and have valid network numbers, node numbers, etc.
• Check that every SAP has a router to its internal network.
Telnet Access Problems

• Ensure that the router has a valid IP address.
• Check that the Ethernet cable is plugged in.

Software Download Problems

• Ensure that a TFTP server is properly set up to locate the router software.
• Verify that the router is loading from the network and not from FLASH memory.
If you hear clicking during heavy data downloads, check that the DSLAM supports quality of service (QoS) and that the ATM switch has the voice PVC provisioned for vRT and the data at a lower priority. You may also be able to reduce or eliminate clicking by adjusting the jitter buffer (see “Adjusting the Jitter Buffer” on page 10-4).
remote setauthen chap lacclient
remote addiproute 192.168.101.0 255.255.255.0 1 lacclient
# Define a tunnel named tunnelAtHome.
Efficient Networks® Router family Technical Reference Guide
Chapter 8: WEB Management Interface

CHAPTER 8
WEB MANAGEMENT INTERFACE

The Efficient Networks router family provides two user interface methods: a Web Management Interface (WMI) that is web-browser (HTTP) based and a console-type Command Line Interface (CLI). This section provides an overview of how to use the browser-based interface.
Object: Radio Button
Description: Radio buttons are used to select a single parameter from a list of parameters when only one may be selected. When a radio button is selected, it will usually deselect the previous selection.

Object: Checkbox
Description: Check boxes are used to select or de-select a single item. The item is usually from a set of parameters where more than one selection is allowed.
Router Information Page

The primary page in the Web User Interface is the Router Information page. This screen displays basic router information and router configuration settings. It also provides links to other router setup and control forms.
Easy Setup

The Easy Setup screens are designed to provide an easy step-by-step configuration of the Wide Area Network (WAN) and Local Area Network (LAN). The information required for completing these forms is obtained from your service provider. A broader overview of the configuration parameters can be found in Chapter 3, Installation and Setup. Specific instruction for your router may vary.
On the Protocol Selection page, begin the Easy Setup procedure by performing the following:

NOTE: The Easy Setup procedure can be exited at any time during the configuration by clicking Cancel. If the procedure is cancelled, no changes will be made and the WMI will return to the Router Information Page.

Step 1 Enter the ATM Permanent Virtual Circuit (PVC) information: VPI / VCI.
Point-to-Point Protocol over ATM

Selection of Point-to-Point Protocol over ATM will display the following PPP Configuration page. To continue the Easy Setup procedure with PPP over ATM, continue with the following steps:

Step 1 Enter the PPP User Name and Password in the fields provided.

A PPP Username and password are required for authentication when the connection is being established.
Step 3 If IP Routing enabled is selected, click to select the following options:
– NAT Enabled - Network Address Translation (NAT) allows multiple workstations on your LAN to share a single, public IP address. All outgoing traffic appears to originate from the router’s IP address.
– Block Net BIOS Traffic - NetBIOS is a PC networking protocol that can keep network connections open inadvertently.
Step 2 Enter the PPPoE Service Name in the field provided.

PPPoE requires the domain name of your network service provider. Use * as a default (for all services). Enter the domain name of your network service provider in the Service Name field.

Step 3 Enter the timeout interval (measured in seconds) into the PPPoE Timer field.

PPPoE Timer will set a timeout interval for periods of inactivity.
A PPP Username and password are required for authentication when the connection is being established.

Step 2 Enter the PPPoE Service Name in the field provided.

PPPoE requires the domain name of your network service provider. Use * as a default (for all services). Enter the domain name of your network service provider in the Service Name field.
RFC 1483 Networking

Selection of RFC 1483 will display the following RFC 1483 Networking configuration page. To continue the Easy Setup procedure with RFC 1483, continue with the following steps:

Step 1 Click to select one of the following.
• Bridging enabled
• IP routing enabled

If bridging is selected, all traffic to remote computers that is not routed will be bridged. Next, continue to Step 2.
Selecting this option allows only PPPoE traffic to be bridged; all other traffic will be dropped.

Step 3 Obtain an IP address, select from the two bulleted options below:
• IP configuration automatically from a DHCP server on the WAN Using DHCP.
(1) Click the radio button to select this option.
• Configure IP Routing manually.
RFC 1483 MAC Encapsulated Routing

Selection of RFC 1483 MAC Encapsulated Routing (MER) will display the following RFC 1483 MER Networking configuration page. To continue the Easy Setup procedure with RFC 1483 MER, continue with the following steps:

Step 1 Click to select one of the following.
Step 2 Optional, click to select Only bridge PPPoE traffic. Proceed to Step 4.

Selecting this option allows only PPPoE traffic to be bridged; all other traffic will be dropped.

Step 3 Obtain an IP address, select from the bulleted options below:
• Obtain configuration automatically from WAN using DHCP
(1) Click the radio button to select this option.
• Configure IP routing manually.
Dynamic Host Configuration Protocol

The next step in Easy Setup is configuration of DHCP. DHCP dynamically assigns IP configuration information to PCs on the LAN, thus avoiding the need to set IP configurations for each PC manually. For more information on DHCP, see “DHCP (Dynamic Host Configuration Protocol)” on page 4-2. This configuration form also provides for configuration of DNS (Domain Name Service).
Selection of manual DNS configuration requires a minimum of one DNS Server Address and a Domain Name. This information should be provided by the Service Provider. Enter the DNS information as described below:
a. Enter the Domain Name in the field provided. This sets the router’s DNS domain name.
b. Enter the IP address of the Primary DNS Server in the field provided.
Local Area Network Configuration

The final screen in Easy Setup is for Local Area Network (LAN) configuration. To continue the Easy Setup procedure by configuring the LAN IP address, continue with the following steps:

Step 1 Enter the IP Address in the field provided.

The IP address is the network address of your router. This address must be globally unique, unless NAT has been enabled.
User Management

The User Management forms allow the management of user accounts.

User Management Navigation

From the Main Menu, select:
> User Management
> User Lookup Configuration
> Secure Mode Configuration

User Management Main Page

The User Management Main page displays a listing of the current user accounts as well as providing the ability to manage user accounts.
Adding A User Account

To add a user account, perform the following procedure. For additional information on user account configuration, see “User Authentication” on page 5-2.

Step 1 From the User Management Main page, click New User.

The Add/Modify User page is displayed.

Step 2 Enter the User Name in the field provided.

Step 3 Enter the user password information
a.
Privileges can be configured in a number of ways.
• From the buttons across the top of the configuration form, click to select a User Template. To facilitate configuration, pre-configured templates have been built that contain pre-set privileges based on common user roles. Once a template has been selected, user privileges can still be modified manually.
The Add/Modify User page is displayed. Edit the current user account information as required.

CAUTION: Changing the password or privileges of an existing user account may terminate a user’s current activity.

NOTE: The User Name cannot be modified for an existing account.

Step 3 Edit the user password information
a. Enter the new Password in the field provided.
b.
Privileges can be configured in a number of ways.
• From the buttons across the top of the configuration form, click to select a User Template. To facilitate configuration, pre-configured templates have been built that contain pre-set privileges based on common user roles. Once a template has been selected, user privileges can still be modified manually.
User Lookup Configuration

The User Lookup Configuration page allows the administrator to define the search order (primary and secondary) for user login requests. The User Lookup Configuration page is shown below. The selection options are as follows:
• Local - Local will query the local user database, held in flash memory.
Secure Mode Configuration

Secure Mode is a feature that can restrict system access to the use of only secure channels. Secure mode can be employed for the WAN interface, LAN interface or both. When secure mode is enabled, an interface can be designated as trusted, indicating that unsecure connections are allowed via the specified interface.
Change Password

The Change Password form allows the current user to change their password.

Change Password Navigation
From the Main Menu, select: > Change password

To change a password, perform the following:
Step 1 Enter the new password in the field provided.
Step 2 Re-enter the new password in the field provided.
Step 3 Click Apply to save the password change.
Access Control Form

The Access Control form is used to configure access restrictions for users attempting administrative control of the system; serial console access is restricted here since physical limitations can restrict access. Each remote access method can be set to one of three levels of accessibility as shown in the Access Control page below:
• Enabled, no restrictions.
Examples

The following examples illustrate the three levels of restricting access. The examples apply to Telnet, Web, SNMP and Syslog Server management access.
• This example places no restrictions on the selected management method.
• This example would limit Telnet access to LAN-side hosts only.
• This example would limit Telnet access to LAN-side hosts only.
Key Enabled Feature List Page

The Key Enabled Feature List page provides a listing of the key-enabled features available on your router, the feature’s key status as well as the key-string. A typical Key Enabled Feature List page is shown below.
Add Feature Page

The Add Feature page is the form used to add the key strings enabling system features. A feature activation key is a 76-character string, unique to a particular router by serial number. The Key Add page is shown below.

To add a feature key, perform the following:
Step 1 Copy and paste, or manually enter the Key string in the space provided.
Delete Feature Page

The Delete Feature page is used to delete an active key from the system. When a key is deleted, all feature configuration information is cleared and access is removed. Features with a key state of Manufacturing or Legacy cannot be deleted. If desired, the feature can be added again re-using the original activation key; this will not change the expiration date.
Update Feature Page

Some feature keys are generated with an expiration date. If continued use of the feature is desired, an update key will be necessary to extend the key expiration date. The Update Feature page is used to replace an existing Activation key with a new Activation key. The Feature Update page is shown below.
Feature Enabled/Disable Page

When a feature has been key-enabled, it may be disabled pending additional configuration or as operational requirements dictate. The Key Enable / Disable page is used to change the state of an enabled or disabled feature; this page is shown below.
Revoke Feature Page

If a feature is no longer necessary or desired, or if you have been directed to do so, you can render the feature non-functional through the Revoke Feature page (shown below).

To revoke a feature key, perform the following:
Step 1 From the pull-down menu, select the Feature to revoke.
Step 2 Click Apply.
Step 3 Verify the feature key has been revoked:
  a. Click the Key Management Main Page link.
  b.
Unrevoke Feature Page

The Unrevoke Feature page is used to nullify a revocation key and re-enable the feature activation key.

To unrevoke a revoked feature key, perform the following:
Step 1 Copy and paste, or manually enter the Key string in the space provided.
Step 2 Click Apply to enter the string.
Step 3 Verify the feature key has been unrevoked:
  a. Click the Key Management Main Page link.
  b.
Router Clock Page

This function enables you to set the date and time on your router.

Router Clock Navigation
From the Main Menu, select: > Router Clock

The current date and time from your PC are displayed in the field labeled Current Date and Time. To synchronize the date and time on your router with the current date and time displayed, click on the Synchronize Router Clock button.
DHCP Configuration

DHCP is a TCP/IP service protocol that provides dynamic leasing of IP addresses and other configuration information to client hosts on the network. The router can perform as a DHCP server with central management of your IP address pool for simple and safe TCP/IP configuration and IP address conservation. For additional information, see “DHCP” on page 4-2.
To re-configure the current DHCP values, perform the following step(s):
Step 1 As required, change the current DHCP Server Status:
  a. From the New Setting pull-down menu, select the desired LAN DHCP Server Status mode.
  b. Click Apply.
Step 2 As required, enter the IP Address Pool information:
  a. Enter the First IP Address of the IP address pool range in the field provided.
  b.
NOTE: The last IP address must be greater than or equal to the first IP address. Neither the first IP address nor the last IP address can be a subnet address or a broadcast address.
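The two pool rules in the NOTE above can be checked before the values are entered in the form. The following is an added example, not code from the router or from Efficient Networks; the LAN subnet argument, the reserved-address check and the sample addresses are assumptions of the example.

```python
"""Added example: check a DHCP pool against the two rules in the NOTE."""
import ipaddress


def validate_dhcp_pool(first, last, lan_network, reserved=()):
    """Return a list of problem strings; an empty list means the pool is acceptable.

    lan_network (CIDR) and reserved (addresses that must stay out of the pool,
    such as the router's own LAN address) are assumptions of this example; the
    page only states the ordering rule and the subnet/broadcast rule.
    """
    try:
        net = ipaddress.IPv4Network(lan_network, strict=True)
        first_ip = ipaddress.IPv4Address(first)
        last_ip = ipaddress.IPv4Address(last)
        reserved_ips = [ipaddress.IPv4Address(r) for r in reserved]
    except ValueError as exc:
        return [f"unparseable input: {exc}"]

    problems = []
    # Rule 1 from the page: last must be greater than or equal to first.
    if last_ip < first_ip:
        problems.append("last address is lower than first address")

    # Rule 2 from the page: neither end may be a subnet or broadcast address.
    for label, ip in (("first", first_ip), ("last", last_ip)):
        if ip not in net:
            # Assumption: the pool is expected to sit inside the LAN subnet.
            problems.append(f"{label} address {ip} is outside {net}")
        elif ip == net.network_address:
            problems.append(f"{label} address {ip} is the subnet address")
        elif ip == net.broadcast_address:
            problems.append(f"{label} address {ip} is the broadcast address")

    # Beyond the page: a pool that spans a reserved address leases it to clients.
    if last_ip >= first_ip:
        for ip in reserved_ips:
            if first_ip <= ip <= last_ip:
                problems.append(f"pool contains reserved address {ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    for args in (("192.168.254.2", "192.168.254.20", "192.168.254.0/24"),
                 ("192.168.254.0", "192.168.254.255", "192.168.254.0/24"),
                 ("10.0.0.64", "10.0.0.100", "10.0.0.64/26")):
        print(args, "->", validate_dhcp_pool(*args) or "OK")
```

The /26 case shows why the subnet mask matters: 10.0.0.64 looks like an ordinary host address but is the subnet address of 10.0.0.64/26.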
NAT

Network Address Translation (NAT) is a feature that can provide a level of security by hiding the private IP addresses of your LAN behind the single public IP address of your router. All connections must come through your router and be translated by NAT.
Inbound NAT Setting

This section of the form is divided into two parts.
• The left side contains fields for WAN settings
• The right side contains fields for local machine settings

A section labeled "router" divides these two parts. This layout is a simple diagram of how NAT works between the WAN and the local machine to translate network addresses.
Advanced Setup

The Advanced Setup fields provide the option of assigning specific network protocols to specific ports on the WAN side of NAT, while mapping the WAN settings to an IP address and port number of a local machine.

To use the advanced setup, perform the following:
Step 1 From the pull-down menu, select the Protocol.
Step 2 Define the port (range).
  a.
SNMP

Simple Network Management Protocol (SNMP) is a protocol that provides for the exchange of messages between a management client and a management agent. The messages contain requests to get and set variables that exist in network nodes, thus allowing a management client to obtain statistics, set configuration parameters, and monitor events.
To configure SNMP, perform the following:
Step 1 Enter the Community String in the field provided.
Step 2 Define the SNMP Port Number; click to select one of the following:
• Default - Returns the SNMP port to the default value (161) and re-enables SNMP after it is disabled.
• Disable - Disables the SNMP port by setting the port to 0.
SNMP IP Filter Page

The SNMP IP Filter page is used to manage SNMP IP filtering. Activating an IP Filter range will limit SNMP requests to only those that originate from the designated addresses or LAN. The current IP filter ranges are displayed in the IP Address form.

To add a new filter, perform the following:
Step 1 Enter the filter information:
  a. Click to select LAN, and / or
  b.
To delete a filter, perform the following:
Step 1 Locate the filter to delete in the IP Address form.
Step 2 Click the corresponding Delete. The page will refresh and the current filters will be displayed in the IP Address form.
Task Complete

SNMP Password Page

The SNMP Password page is used to change the SNMP password. The password is used to authenticate an SNMP Manager.
SSH

Secure Shell (SSH) allows secure network services over an insecure network such as the public Internet. The objective of SSH is to make a secure functional equivalent for telnet. Telnet connections and commands are vulnerable to a variety of different kinds of attacks, allowing unauthorized system access, and even allowing interception and logging of traffic to and from the system including passwords.
Secure Shell Configuration page

The SSH Configuration page (shown below) allows the user to modify the current SSH settings. The following parameters are used for the configuration of SSH.

Status - Enables and disables the SSH feature.
Encryption - Provides for the selection of encryption options supported for SSH communication. The selected method is configured locally on the router (or server).
SSH Configuration

To change the current SSH settings, perform the following:

NOTE: Prior to enabling SSH, a private/public key pair should be loaded on the router.

Step 1 If no key pair exists on the router, perform one of the following. If a key pair is loaded, proceed to Step 2.
• Key Generation
• Key Upload
Step 2 From the SSH Configuration List page, click the Configure SSH link.
SSH Keys

Diffie-Hellman is the key exchange system used for authentication in the establishment and maintenance of SSH connections. The key exchange requires a Public key and a Private key that can be generated by the router. For additional information on SSH authentication, see “Key Exchange” on page 5-72.
Key Upload

To load the key pair, perform the following:
Step 1 From the SSH Configuration List page, click the Load Keys link.
Step 2 Click to select the type of key file to be loaded (Public Key or Private Key).
Step 3 Select the key file.
  a. Click Browse.
  b. Navigate to the location of the key file.
  c. Click to select the file.
  d. Click Open or other similar function to confirm the file selection.
Firewall Scripts

Your router can secure your network and data communications with built-in firewall capabilities. A firewall is any combination of hardware and software that secures a network and traffic to prevent interception or intrusion. For additional information on IP filtering and firewalls, see “IP Filtering” on page 5-23.
CAUTION: All network security efforts, including firewall configurations, should be performed by an experienced and qualified network security technician, who is familiar with the unique architecture and requirements of your network. Efficient Networks cannot be liable for security violations due to inadequate or incorrect firewall configurations.
QoS

QoS is a key enabled feature and will not be displayed on the Main menu if the feature has not been key-enabled. For additional information, see “Key Enabled Features” on page 4-29.
To change the current settings, perform the following as required:
Step 1 Click to select a QoS Status.
Step 2 Click to select a DiffServ Status.
Step 3 Enter a new value for the desired Threshold Setting in the field provided.
Step 4 Click Apply.
QoS Policy Configuration page

The QoS Policy Configuration page (shown below) provides a menu that allows the user to:
• Create new QoS policies
• View or modify existing QoS policies
• Delete existing QoS policies
• Move QoS policies
• Refresh the QoS policies lists
QoS Policy Parameters

The following parameters are used in the creation or modification of QoS policies.

Policy Name - Defines the specific policy.
Status - Enables and disables the QoS policy.
Source IP - Specifies the source IP address or range of IP addresses. Do Not care will disable source address checking.
Dest IP - Specifies the destination IP address or range of IP addresses.
The following configuration form will be displayed:
Step 3 Select a delete option.
  a. Click to select all policies from the IP policy list or
  b. Click to select policy, then enter the policy name in the field provided.
  Note: Current policy names can be viewed using the IP Policy List pull-down menu.
Step 4 Click Apply to save the changes.
Step 3 In the field provided, specify the Policy name to be moved.
Step 4 Specify the new policy location.
  a. Click to select to the end - this will move the specified policy to the end of the policy list, or
  b. Click to select before policy, then enter the policy name in the field provided. The policy will be moved to the location immediately preceding the specified policy.
QoS Policy Creation

To create a new QoS policy, perform the following.
Step 1 From the QoS Configuration page, click the link to open the QoS Policy Configuration page.
Step 2 Click Create. The following QoS Configuration form will be displayed.
Step 3 Configure the parameters as required. For specific information on parameters, refer back to “QoS Policy Parameters” on page 8-55.
Step 4 Click Save.
QoS Policy Modification

To modify (or view) an existing QoS policy, perform the following.
Step 1 From the QoS Configuration page, click the link to open the QoS Policy Configuration page.
Step 2 Click Modify/Display. The following QoS Policy Configuration form will be displayed.
  a. To exit this form without saving changes, click Cancel.
Step 3 Modify the parameters as required.
Stateful Firewall

An IP filtering firewall examines the packet’s header information and matches it against a set of defined rules. If it finds a match, the corresponding action is performed. If not, the packet is accepted. The stateful firewall differs from the IP Filtering Firewall in that it gathers and maintains state information about each session.
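The difference described above can be seen by running the same packets through a header-only filter that accepts anything unmatched and through a table that records sessions. This is an added example, not the router's implementation; first-match rule order, dropping inbound packets that belong to no session, and all addresses and ports are assumptions of the example.

```python
"""Added example: default-accept header filter beside a minimal session table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = WAN to LAN, "out" = LAN to WAN
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str     # "accept" or "drop"
    direction: str
    proto: str
    dst_net: str    # CIDR the destination address must fall in
    dport: int


def ip_filter(rules, pkt):
    """Header-only filter: a matching rule decides, anything unmatched is accepted."""
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:  # assumption: rules are checked in order, first match wins
        if (rule.direction == pkt.direction and rule.proto == pkt.proto
                and rule.dport == pkt.dport
                and dst in ipaddress.ip_network(rule.dst_net)):
            return rule.action
    return "accept"  # the default the page describes for the IP filtering firewall


class SessionTable:
    """Keeps per-session state so an inbound packet can be tied to a LAN request."""

    def __init__(self):
        self._sessions = set()

    def check(self, pkt):
        if pkt.direction == "out":
            # Remember the tuple a legitimate reply will carry.
            self._sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "accept"
        reply_key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # Assumption of this example: inbound traffic with no session is dropped.
        return "accept" if reply_key in self._sessions else "drop"


# Constructed sample traffic (private and documentation ranges, no NAT modelled).
RULES = [Rule("drop", "in", "tcp", "192.168.254.0/24", 23)]
TELNET_IN = Packet("in", "tcp", "203.0.113.5", 40000, "192.168.254.10", 23)
UNSOLICITED = Packet("in", "tcp", "203.0.113.5", 40001, "192.168.254.10", 8080)
WEB_OUT = Packet("out", "tcp", "192.168.254.10", 51000, "203.0.113.5", 443)
WEB_REPLY = Packet("in", "tcp", "203.0.113.5", 443, "192.168.254.10", 51000)


def compare():
    """Return {packet name: (ip_filter verdict, session-table verdict)}."""
    table = SessionTable()
    verdicts = {}
    for name, pkt in (("web_out", WEB_OUT), ("web_reply", WEB_REPLY),
                      ("telnet_in", TELNET_IN), ("unsolicited", UNSOLICITED)):
        verdicts[name] = (ip_filter(RULES, pkt), table.check(pkt))
    return verdicts


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:12} filter={stateless:6} stateful={stateful}")
```

The unsolicited packet to port 8080 is the case to watch: no rule names it, so the header filter accepts it, while the session table has no matching outbound request.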
To change the current settings, perform the following as required:
Step 1 Click to select the new Firewall Status.
Step 2 Click to select the new Watch Setting.
Step 3 Enter a new value for the desired Threshold Setting in the field provided.
Step 4 Click Apply.
Dropped Packet Page

The Dropped Packet page allows the user to view the last few dropped packets. The user can view up to 200 dropped packets. The Dropped Packet List area is shown below.

NOTE: For Netscape 4 users, you may have to wait for a very long time to get the list displayed. Please select a smaller value.
Firewall Rule Configuration page

The Firewall Rule Configuration page (shown below) provides a menu that allows the user to:
• Create new firewall rules
• View or modify existing rules
• Delete existing rules
• Refresh the Allow and Deny Rule lists

Firewall Rule Parameters

The following parameters are used in the creation or modification of Stateful Firewall Rules.
Address - These parameters define the source and destination IP address boundaries that will be applied to the firewall rules.
Source/Destination IP address - The packet must have a source (or destination) IP address within the specified address range. If only one address is specified, the packet must have that source (or destination) IP address.
To delete a single rule or range of rules:
  a. Click to select rule number from... to...
  NOTE: When entering a range of rules to be deleted, the rule range specified is inclusive of the first and last rules.
  b. In the first field, enter the rule (or first rule of the range of rules) to delete. If deleting only a single rule, proceed to Step d.
  c.
Firewall Rule Creation

To create a new stateful firewall rule, perform the following.
Step 1 Click to select the list to which the rule will be added:
• Allow Rules List
• Deny Rules List
Step 2 Click Create. The following Firewall Rule Configuration form will be displayed.
Step 3 Configure the parameters as required.
Firewall Rule Modification

To modify (or view) an existing stateful firewall rule, perform the following.
Step 1 From the appropriate pull-down menu, select the rule to be modified.
Step 2 Click Modify/Display. The following Firewall Rule Configuration form will be displayed.
  a. To exit this form without saving changes, click Cancel.
Step 3 Modify the parameters as required.
Dial Backup

Dial Backup, when enabled, provides a backup connection to the Internet through an external V.90 or ISDN modem. If your router is equipped with an internal modem and the Feature Key is present, the backup connection uses the internal modem; otherwise the backup connection uses an external modem connected to the console port of the router.
Step 7 Enter the Reset DSL Timer value in the field provided. This timer specifies how often to check to see if the DSL link has been restored.
Step 8 In the field provided, enter the Backup Failover Timeout value. This parameter defines a time period which guards against too frequent switching back and forth between the DSL link and the backup port. The default Failover period is three minutes.
Step 3 Click the Home link to return to the Router Information Page.
Step 4 Click Reboot Router to reboot and enable the changes.
Command Line Interface

The Command Line Interface page allows the user to enter any CLI command over the web interface. For complete command line syntax, refer to the Command Line Interface Guide. The Command Line Interface functional area of the WMI is shown below.

To execute a CLI command, perform the following:
Step 1 In the field provided, enter the CLI command.
Step 2 Click Execute.
Web Management Interface Privileges

The following table indicates the access privileges required for viewing or executing functions and features via the WMI.

Table 8-1: WMI Access Privilege

WMI Page                          Read-Only             Read/Write
index.html (default page)         Any - Read            NA
bronly.html                       Data or Wan - Read    Data or Wan - Write
dhcp.html                         Security - Read       Security - Write
filter.
WMI Page                          Read-Only             Read/Write
tools/dhcp.html                   Data - Read           Data - Write
tools/diag.html *                 None                  None
tools/syslog.html                 Inventory - Read      Inventory - Write
tools/setupDBUP.html              Data - Read           Data - Write
tools/configDBUP.html             Data - Read           Data - Write
lib/index.html                    Any - Read            NA
lib/basic.html                    Debug - Read          Debug - Write
lib/js_lib.
WMI Page                          Read-Only             Read/Write
tools/loopGround.html             Voice - Read          Voice - Write
tools/stdSignal.html              Voice - Read          Voice - Write
tools/features.html               Any - Read            Any - Write
firewall/index.html               Security - Read       Security - Write
firewall/stateful_firewall.html   Security - Read       Security - Write
firewall/ stateful_firewall_rule.