ADMINISTRATION GUIDE Cisco RV320/RV325 Gigabit Dual WAN VPN Router
First Published: August 2014. Last Updated: March 2015.
Contents

Chapter 1: Getting Started 7
  Using the Getting Started Window 7
  Features of the User Interface 8
Chapter 2: Wizard 11
  Basic Setup 11
  Access Rule Setup 11
Chapter 3: System Summary 13
  System Information 13
  Configuration (Wizard) 14
  Port Activity 14
  IPv4 and IPv6 15
  Security Status 16
  VPN Setting Status 16
  SSL VPN Status 17
  Log Setting Status 17
Chapter 4: Setup 19
  Setup Network 19
  IP Mode 19
  WAN1 or WAN2 Port Settings 20
  USB1 or USB2 Port Settings 29
  3G/4G Conn
  Adding or Editing a Service Name 39
  Setting Up One-to-One NAT 39
  MAC Address Cloning 40
  Assigning Dynamic DNS to a WAN Interface 41
  Advanced Routing 42
  Configuring Dynamic Routing 42
  Configuring Static Routing 43
  Inbound Load Balance 44
  USB Device Update 45
Chapter 5: DHCP 47
  DHCP Setup 48
  Viewing the DHCP Status 50
  Option 82 51
  IP and MAC Binding 52
  DNS Local Database 53
  Router Advertisement (IPv6) 54
Chapter 6: System Management 57
  Dual WAN Connections 57
  Bandw
  Backup and Restore 68
Chapter 7: Port Management 71
  Port Setup 71
  Port Status 72
  Traffic Statistics 73
  VLAN Membership 73
  Map DSCP to queue 74
  Map CoS to DSCP 74
  802.
  Advanced Setting 105
Chapter 10: Certificate Management 107
  My Certificate 107
  Trusted SSL Certificate 109
  Trusted IPsec Certificate 109
  Certificate Generator 110
  CSR Authorization 111
Chapter 11: Log 113
  System Log 113
  System Statistics 116
  Processes 116
Chapter 12: User Management 117
Chapter 13: Web Filtering 119
  Cisco Small Business Web Filtering Service Supplemental End User License Agreement 120

Cisco RV320/RV325 Administration Guide 6
1 Getting Started

Thank you for choosing a Cisco RV320. This chapter includes information to help you get started using your device.

Using the Getting Started Window

The default settings are sufficient for many small businesses. Network demands or your Internet Service Provider (ISP) might require modification of the settings. To use the web interface, you need a PC with Internet Explorer (version 6 or higher), Firefox, or Safari (for Mac).
STEP 7 To configure other settings, use the links in the navigation tree.

Troubleshooting Tips

If you have trouble connecting to the Internet or the web-based interface:
• Verify that your web browser is not set to Work Offline.
• Check the local area network connection settings for your Ethernet adapter. The PC should obtain an IP address through DHCP. Alternatively, the PC can have a static IP address in the 192.168.1.
Features of the User Interface

Help
To view information about the selected configuration page, click Help near the top right corner of the web interface. If your web browser displays a warning message about the pop-up window, allow the blocked content.

Logout
To exit the web interface, click Logout near the top right corner of the web interface. The Login page appears.
2 Wizard

From the Wizard page, you can launch the Basic Setup wizard that guides you through the process of initial configuration of the device. The Access Rule wizard guides you through the process of configuring the security policy for the network. To open this page, select Wizard in the navigation tree.

Basic Setup

Use the Basic Setup Wizard to change the number of WAN ports or to configure the Internet connection. Click Launch Now to run the Basic Setup Wizard.
3 System Summary

The System Summary displays information about the current status of the device: connections, settings, and logs.

System Information

System information descriptions:
• Serial Number—Serial number of the device.
• Firmware version—Version number of the installed firmware.
• PID VID—Version number of the hardware.
• MD5 Checksum—A value used for file validation.
• LAN IPv4/Subnet Mask—IPv4 management IP address and subnet mask of the device.
Configuration (Wizard)

To access the Internet connection setup wizard and be prompted through the process, click Setup Wizard to launch the Wizard.

Port Activity

Port Activity identifies the port interfaces and indicates the status of each port:
• Port ID—Port label.
• Interface—Type of interface: LAN, WAN, or DMZ. Multiple WAN interfaces are indicated by a number, such as WAN1 or WAN2.
• VLAN—VLAN ID of this port. There are two predefined VLANs: 25 and 100. VLAN 25 can be used for guest VLAN access and VLAN 100 can be used for Voice traffic. By default, VLAN 25 and VLAN 100 are not enabled.
• Receive Packet Count—Number of packets received on this port.
• Receive Packet Byte Count—Number of bytes received on this port.
• Transmit Packet Count—Number of packets transmitted by this port.
Security Status

This section displays the status of the security features:
• SPI (Stateful Packet Inspection)—Status of the firewall: On (green) or Off (red). Stateful packet inspection tracks the state of network connections, such as TCP streams and UDP communication, traveling across the firewall. The firewall distinguishes legitimate packets for different types of connections. Only packets matching a known active connection are allowed past the firewall; other packets are rejected.
• PPTP Tunnel(s) Used—Point-to-Point Tunneling Protocol (PPTP) tunnels in use. PPTP is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a Generic Routing Encapsulation (GRE) tunnel to encapsulate PPP packets.
• PPTP Tunnel(s) Available—PPTP tunnels available.
4 Setup

Use the Setup > Network page to set up your LAN, WAN (Internet), DMZ, and so forth.

Setup Network

To open the Network page, click Setup > Network. Some ISPs require that you assign a hostname and domain name to identify your device. Default values are provided, but they can be changed as needed:
• Host Name—Keep the default setting or enter a hostname specified by your ISP.
• Domain Name—Keep the default setting or enter a domain name specified by your ISP.
Adding or Editing an IPv4 Network

By default, one IPv4 LAN subnetwork is configured: 192.168.1.1. One subnetwork is usually sufficient for most small businesses. The firewall denies access if a LAN device source IP address is on a subnetwork that is not specifically allowed. You can allow traffic from other subnetworks and use this device as an edge router that provides Internet connectivity to a network.

STEP 1 Click the IPv4 tab to display the Multiple Subnet table.
To configure WAN Connection Settings, select a WAN interface and click Edit. WAN Connection Settings appears. Select the WAN Connection Type from the menu and modify the related parameters as described in these sections:

Obtain an IP Automatically

Choose this option if your ISP dynamically assigns an IP address to the device. (Most cable modem subscribers use this connection type.) The ISP assigns the device IP address for this port, including the DNS server IP addresses.
- Configure to RA and DHCPv6 automatically—Provides Stateless and Stateful IPv6 addresses for LAN-side PCs.

Static IP

Choose this option if your ISP assigned a permanent IP address to your account. Enter the settings provided by your ISP:
• Specify WAN IP Address—IP address that your ISP assigned to your account.
• Subnet Mask (IPv4)—Subnetwork mask.
• Default Gateway Address—IP address of the default gateway.
To specify a DNS server, enter the IP address of DNS Server 1.
PPPoE

Choose this option if your ISP uses PPPoE (Point-to-Point Protocol over Ethernet) to establish Internet connections (typical for DSL lines). Then enter the settings provided by your ISP:
• Username and Password—Username and password for your ISP account. The maximum number of characters for each entry is 255.
• Service Name—A set of services provided by the ISP, identified by the service name.
• Connection Timers—The connection is disconnected after a period of inactivity.
To configure the IPv6 parameters, check Enable. The DHCPv6 client process and requests for prefix delegation through the selected interface are enabled. Use this option when your ISP is capable of sending LAN prefixes by using DHCPv6. If your ISP does not support this option, manually configure a LAN prefix:

NOTE When DHCP-PD is enabled, manual LAN IPv6 addressing is disabled. When DHCP-PD is disabled, manual LAN IPv6 addressing is enabled.
- Connect on Demand—When this feature is enabled, the device automatically establishes your connection. If you enabled this feature, enter the Max Idle Time, the number of minutes that the connection can be inactive before the connection is terminated. The default maximum idle time is 5 minutes.
- Keep Alive—Ensures that your router is always connected to the Internet.
To specify a DNS server, enter the IP address of DNS Server 1. Optionally, you can enter a second DNS server. The first available DNS server is used.

To set the maximum transmission unit (MTU) size automatically, select Auto. Otherwise, to set the MTU size manually, select Manual and enter the MTU size. (The MTU is the size in bytes of the largest protocol data unit that the layer can pass.
• LAN IPv6 Address—Global IPv6 prefix that was assigned by your ISP for your LAN devices, if applicable. (Check with your ISP for more information.)
• Prefix Length—IPv6 prefix length. The IPv6 network (subnet) is identified by the initial bits of the address, called the prefix. All hosts in the network have the identical initial bits in their IPv6 address. Enter the number of common initial bits in the network addresses. The default prefix length is 64.
- Without any action—Does not provide Stateless or Stateful IPv6 addresses for LAN-side PCs.
- Configure to RA automatically—Provides Stateless IPv6 addresses for LAN-side PCs.
- Configure to DHCPv6 automatically—Provides Stateful IPv6 addresses for LAN-side PCs.
- Configure to RA and DHCPv6 automatically—Provides Stateless and Stateful IPv6 addresses for LAN-side PCs.
- Configure to RA automatically—Provides Stateless IPv6 addresses for LAN-side PCs.
- Configure to DHCPv6 automatically—Provides Stateful IPv6 addresses for LAN-side PCs.
- Configure to RA and DHCPv6 automatically—Provides Stateless and Stateful IPv6 addresses for LAN-side PCs.

USB1 or USB2 Port Settings

USB port configuration manages the connection between this device and the USB dongle. It also manages WAN port failover (redundancy).
Setting Failover and Recovery

While both an Ethernet and a mobile network link might be available, only one connection at a time can be used to establish a WAN link. Whenever one WAN connection fails, the device attempts to bring up another connection on another interface. This feature is called Failover. When the primary WAN connection is restored, the device reverts to that path and drops the backup connection. This feature is called Recovery.
- Extra Charge—Cost in dollars if a given period of time is exceeded.
- Stop connection...—Check to enable dropping the connection when the time exceeds the given time.
The window appears:
• Previous Cumulative Time—Amount of time the 3G/4G connection has been up since being reset.
• Current Cumulative Time—Amount of time that has elapsed since the device brought up a 3G/4G connection.
• Charge—Estimated cost of the connection since the counters were reset.
DMZ Enable

A DMZ is a subnetwork that is open to the public but behind the firewall. A DMZ allows you to redirect packets coming into your WAN port to a specific IP address in your LAN. You can configure firewall rules to allow access to specific services and ports in the DMZ from either the LAN or the WAN. In the event of an attack on any of the DMZ nodes, the LAN is not necessarily vulnerable.
CAUTION The password cannot be recovered if it is lost or forgotten. If the password is lost or forgotten, the device must be reset to the factory default settings, removing all configuration changes. If you are accessing the device remotely and reset the device to factory defaults, you cannot log into the device until you have established a local, wired link on the same subnetwork.

After changing the username or password, you are logged out.
Minimum number of character classes
Enter the number of classes that the password must include. By default, the password must contain characters from at least three of these classes:
• Uppercase letters
• Lowercase letters
• Numbers
• Special characters available on a standard keyboard

The new password must be different than the current one
Check Enable if the new password must be different from the current password.
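The two password rules above (a minimum number of character classes and a new password that differs from the current one) can be checked before a password is submitted. The following Python is an added example, not code from the guide or from the device firmware; the four character classes follow the list above, the default of three classes is the guide's default, and the minimum length parameter and the use of string.punctuation as the "special characters on a standard keyboard" are assumptions of this example.

```python
import string

# The four character classes the complexity rule counts.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation)   # assumption: keyboard special characters


def count_classes(password: str) -> int:
    """Return how many of the four character classes appear in the password."""
    chars = set(password)
    return sum(1 for cls in (UPPER, LOWER, DIGITS, SPECIAL) if chars & cls)


def check_password(new: str, current: str, min_length: int = 8,
                   min_classes: int = 3, must_differ: bool = True) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.

    min_length is an assumed parameter (the guide excerpt above does not state one);
    min_classes=3 and must_differ=True mirror the defaults described above.
    """
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = count_classes(new)
    if classes < min_classes:
        problems.append(f"uses {classes} character classes, need {min_classes}")
    if must_differ and new == current:
        problems.append("same as the current password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Abc12345", "abcdefgh", "Abc1234"):
        print(candidate, "->", check_password(candidate, "Abc12345") or "accepted")
```

The check is applied to the candidate password before it is sent to the device, so a rejected password never appears in a request; the same function can be reused to audit stored administrator passwords if they are available in plaintext during a password rotation.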
• Daylight Savings Time—Enable or disable the adjustment for daylight savings time. Enter the start date in the From fields and enter the stop date in the To fields.
• Set Date and Time—Auto enables the NTP server. If you chose Auto, enter the fully qualified NTP Server name or IP address. Manual enables setting the date and time locally, and uses the device clock to maintain the time. If you chose Manual, enter the Date and Time.
To add or edit a service in the table:
STEP 1 To add a service, click Add in the Port Range Forwarding table. To edit a service, select the row and click Edit. The fields are open for modification.
STEP 2 Configure the following:
• Select a Service from the drop-down menu. (If a service is not listed, you can modify the list by following the instructions in the Adding or Editing a Service Name section.)
• Enter the IP Address of the server.
• Select the Interface.
STEP 4 Click Save.

Configuring Port Triggering

Port triggering allows the device to monitor outgoing data for specific port numbers. The IP address of the client that sent the matching data is remembered by the device. When the requested data returns through the device, the data is transmitted to the proper client by using IP addressing and port mapping rules. Some Internet applications or games use atypical ports to communicate between the server and the LAN host.
Port Address Translation

Port Address Translation (PAT) is an extension of Network Address Translation (NAT) that permits multiple devices on a LAN to be mapped to a single public IP address to conserve IP addresses. PAT is similar to port forwarding except that an incoming packet with a given destination port (the external port) is translated to a packet with a different destination port (an internal port). The Internet Service Provider (ISP) assigns a single IP address to the edge device.
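The translation step described above (one public address, external port rewritten to a private address and internal port, and the reverse rewrite for the reply) is shown here as an added Python example. It is not code from the guide or the router; the public and private addresses and the 8443-to-443 mapping are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple; enough to show the address/port rewrite."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatTable:
    """Static PAT: (proto, external port) on the single public address -> (private IP, private port)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.inbound = {}   # (proto, external_port) -> (private_ip, private_port)

    def add(self, proto: str, external_port: int, private_ip: str, private_port: int) -> None:
        key = (proto, external_port)
        if key in self.inbound:
            # Two rules on the same external port would be ambiguous; refuse it.
            raise ValueError(f"{proto}/{external_port} is already mapped")
        self.inbound[key] = (private_ip, private_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving on the WAN; None means no rule matched (drop)."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the LAN host's reply so it leaves from the public address and external port."""
        for (proto, ext_port), (ip, port) in self.inbound.items():
            if proto == pkt.proto and (ip, port) == (pkt.src_ip, pkt.src_port):
                return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, proto)
        return None


def demo_table() -> PatTable:
    """Constructed sample: public 203.0.113.10, external tcp/8443 -> 192.168.1.20:443."""
    table = PatTable("203.0.113.10")
    table.add("tcp", 8443, "192.168.1.20", 443)
    return table


if __name__ == "__main__":
    t = demo_table()
    inbound = Packet("198.51.100.7", 51000, "203.0.113.10", 8443)
    print("inbound  ->", t.translate_inbound(inbound))
    print("unmapped ->", t.translate_inbound(Packet("198.51.100.7", 51001, "203.0.113.10", 22)))
    reply = Packet("192.168.1.20", 443, "198.51.100.7", 51000)
    print("outbound ->", t.translate_outbound(reply))
```

Only ports that have an explicit entry are reachable from the WAN; everything else returns None and is dropped, which is the property that lets a single public address front several internal services without exposing them all.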
Adding or Editing a Service Name

To add or edit an entry on the Service list:
STEP 1 Click Service Management. If the web browser displays a warning about the pop-up window, allow the blocked content.
STEP 2 To add a service, click Add in the Service Management table. To edit a service, select the row and click Edit. The fields are open for modification. If the web browser displays a warning about the pop-up window, allow the blocked content.
To enable this feature, check Enable. To add an entry to the list, click Add and enter the following information:
• Private Range Begin—Starting IP address of the internal IP address range that you want to map to the public range. Do not include the router management IP address in this range.
• Public Range Begin—Starting IP address of the public IP address range provided by the ISP. Do not include the router WAN IP address in this range.
Assigning Dynamic DNS to a WAN Interface

Dynamic Domain Name System (DDNS) service assigns a fixed domain name to a dynamic WAN IP address, so you can host your own web, FTP, or other type of TCP/IP server on your LAN. Select this feature to configure the WAN interfaces with your DDNS information. Before configuring Dynamic DNS on the router, we recommend that you visit www.dyndns.org and register a domain name. (The service is provided by DynDNS.org.)
Advanced Routing

This feature enables dynamic routing and adds static routes to the routing table for IPv4 and IPv6. To view the routing table, click View Routing Table. Click Refresh to update the data. Click Close to close the pop-up window.

Configuring Dynamic Routing

Dynamic routing constructs routing tables automatically, based on information carried by routing protocols, allowing the network to act nearly autonomously in avoiding network failures and blockages.
(VLSM). RIPv1 also lacks support for router authentication, making it vulnerable to attacks. RIPv2 carries a subnet mask and supports password authentication.
• Transmit RIP versions—Select the RIP protocol for transmitting network data: None, RIPv1, RIPv2 - Broadcast, or RIPv2 - Multicast. RIPv2 - Broadcast (recommended) broadcasts data in the entire subnet. RIPv2 - Multicast sends data to multicast addresses.
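The difference the text draws between RIPv1 (no authentication) and RIPv2 (authentication carried in the first route entry) is visible in the packet header, so a monitoring host can classify the RIP updates it sees on a segment and flag unauthenticated ones. The Python below is an added example, not code from the guide or the router; it builds constructed RIP payloads using the on-the-wire layout from RFC 1058 and RFC 2453 (command, version, then 20-byte entries, with an authentication entry using address family 0xFFFF) and classifies them. The sample prefixes and password are constructed.

```python
import socket
import struct

RIP_RESPONSE = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF            # RFC 2453: authentication entry marker
AUTH_SIMPLE_PASSWORD = 2     # cleartext password
AUTH_MD5 = 3                 # RFC 2082 keyed MD5


def build_rip_entry(prefix: str, metric: int, mask: str = "0.0.0.0",
                    nexthop: str = "0.0.0.0", tag: int = 0) -> bytes:
    """One 20-byte route entry; for RIPv1 the tag, mask and next hop must be zero."""
    return struct.pack("!HH4s4s4sI", AFI_IP, tag, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(nexthop), metric)


def build_rip(version: int, entries: list, password: bytes = None) -> bytes:
    """RIP response payload; a password adds a RIPv2 simple-password authentication entry first."""
    header = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    auth = b""
    if password is not None:
        auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, password)
    return header + auth + b"".join(entries)


def classify_rip(payload: bytes) -> str:
    """Describe the version and authentication of a RIP UDP payload (port 520)."""
    if len(payload) < 4:
        raise ValueError("payload too short for a RIP header")
    version = payload[1]
    if version == 1:
        return "RIPv1: no authentication supported"
    if version != 2:
        return f"unknown RIP version {version}"
    if len(payload) < 24:
        return "RIPv2: no entries"
    # Authentication, when present, is always the first entry.
    afi, auth_type = struct.unpack("!HH", payload[4:8])
    if afi != AFI_AUTH:
        return "RIPv2: unauthenticated"
    if auth_type == AUTH_SIMPLE_PASSWORD:
        return "RIPv2: simple password authentication"
    if auth_type == AUTH_MD5:
        return "RIPv2: MD5 authentication"
    return f"RIPv2: authentication type {auth_type}"


def audit_updates(payloads: list) -> list:
    """Return the classifications that a defender would want to review (v1 or unauthenticated v2)."""
    flagged = []
    for p in payloads:
        label = classify_rip(p)
        if label.startswith("RIPv1") or label == "RIPv2: unauthenticated":
            flagged.append(label)
    return flagged


if __name__ == "__main__":
    # Constructed sample updates, not a real capture.
    route = build_rip_entry("10.0.0.0", 1, mask="255.0.0.0")
    samples = [build_rip(1, [build_rip_entry("10.0.0.0", 1)]),
               build_rip(2, [route]),
               build_rip(2, [route], b"s3cret")]
    for s in samples:
        print(classify_rip(s))
    print("flagged:", audit_updates(samples))
```

On the router side, the practical mitigation is the one the text implies: transmit and receive RIPv2 with authentication configured, and treat RIPv1 updates on a segment as something to investigate rather than accept.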
To delete an entry from the list, click the entry that you want to delete, and then click Delete. To view current data, click View Routing Table. The Routing Table Entry List appears. You can click Refresh to update the data, or click Close to close the pop-up window.

Inbound Load Balance

Inbound load balancing distributes inbound traffic equally to every WAN port to make the best use of bandwidth. It also helps prevent unequal traffic distribution and congestion.
STEP 6 Click SPF Settings to add SPF text. SPF (Sender Policy Framework) is an email validation system that prevents email spam by detecting email spoofing (a common vulnerability) through verification of sender IP addresses. (Configuring this field is not required. More information can be found at http://www.openspf.org/Tools#wizard?mydomain=&x=35&y=6.)
STEP 7 Enter the Mail Server parameters:
• Host Name—Name (without the domain name) of the mail host.
• Weight—Order of the mail hosts.
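To make concrete what the SPF text entered in STEP 6 does, the following Python is an added example (not code from the guide or the router) that evaluates an SPF record against a sender IP address the way a receiving mail server does. It handles the ip4, ip6 and all mechanisms offline per RFC 7208 and reports permerror for mechanisms that would need DNS lookups (include, a, mx, ptr, exists, redirect); the record text and addresses are constructed samples.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip under record.

    Only ip4/ip6/all are evaluated (no network access); any mechanism that
    needs DNS is reported as 'permerror' so the caller knows the verdict is
    incomplete rather than silently wrong.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifier: redirect= or exp=
            if term.lower().startswith("redirect="):
                return "permerror"         # would need a DNS lookup
            continue                       # exp= only affects the explanation text
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                 # include/a/mx/ptr/exists need DNS
    return "neutral"                       # RFC 7208: no match, no 'all'


if __name__ == "__main__":
    # Constructed record for a domain whose mail leaves from two addresses.
    record = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.5 -all"
    for sender in ("192.0.2.77", "198.51.100.5", "203.0.113.9"):
        print(sender, "->", evaluate_spf(record, sender))
```

A record ending in -all is what turns SPF into a spoofing control: mail claiming the domain but arriving from an address outside the listed ranges gets fail rather than neutral, and the receiver can reject or quarantine it.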
5 DHCP

Dynamic Host Configuration Protocol (DHCP) is a network protocol that is used to configure network devices to communicate on an IP network. A DHCP client uses the DHCP protocol to acquire configuration information, such as an IP address, a default route, and one or more DNS server addresses from a DHCP server. The DHCP client then uses this information to configure its host. Once the configuration process is complete, the host is able to communicate on the Internet.
DHCP Setup

DHCP Setup configures DHCP for IPv4 or IPv6. It also allows some devices to download their configuration from a TFTP server. When a device starts, if it does not have both the IP address and the TFTP server IP address preconfigured, it sends a request with Options 66, 67, and 150 to the DHCP server to obtain this information. DHCP Option 150 is Cisco proprietary. The IEEE standard that is similar to this requirement is Option 66.
• Client Lease Time—Amount of time in minutes that a network user is allowed to connect to the router with the current IP address. Valid values are 5 to 43200 minutes. The default is 1440 minutes (equal to 24 hours).
• Range Start and Range End—Starting and ending IP addresses that create a range of IP addresses that can be assigned dynamically. The range can be up to the maximum number of IP addresses that the server can assign without overlapping features such as PPTP and SSL VPN.
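The constraints listed above (lease time between 5 and 43200 minutes, a range inside the LAN subnet that does not overlap pools used by other features such as PPTP and SSL VPN) are easy to get wrong when several pools are edited independently. The following Python is an added example, not code from the guide or the router, that validates a proposed pool against those constraints; the subnet, addresses and the PPTP pool are constructed sample values, and the rule that the pool must not contain the router's own LAN address is an assumption of this example.

```python
import ipaddress

LEASE_MIN, LEASE_MAX = 5, 43200   # minutes, as stated in the guide


def _overlaps(a_start, a_end, b_start, b_end) -> bool:
    """True when two inclusive address ranges share at least one address."""
    return max(a_start, b_start) <= min(a_end, b_end)


def validate_dhcp_pool(lan_cidr: str, router_ip: str, range_start: str, range_end: str,
                       lease_minutes: int, reserved_pools: dict = None) -> list:
    """Return a list of problems with the proposed pool; an empty list means it is consistent.

    reserved_pools maps a feature name (e.g. "PPTP clients") to its (start, end) addresses.
    """
    problems = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)
    router = ipaddress.ip_address(router_ip)

    if start > end:
        problems.append("range start is after range end")
    if start not in lan or end not in lan:
        problems.append(f"range is not inside LAN subnet {lan}")
    if start <= router <= end:
        problems.append("range includes the router management address")   # assumption
    if not LEASE_MIN <= lease_minutes <= LEASE_MAX:
        problems.append(f"lease time {lease_minutes} outside {LEASE_MIN}-{LEASE_MAX} minutes")
    for name, (r_start, r_end) in (reserved_pools or {}).items():
        r_start, r_end = ipaddress.ip_address(r_start), ipaddress.ip_address(r_end)
        if _overlaps(start, end, r_start, r_end):
            problems.append(f"range overlaps {name} pool {r_start}-{r_end}")
    return problems


if __name__ == "__main__":
    # Constructed sample: default LAN, a 50-address pool, PPTP clients at .200-.204.
    reserved = {"PPTP clients": ("192.168.1.200", "192.168.1.204")}
    print(validate_dhcp_pool("192.168.1.0/24", "192.168.1.1",
                             "192.168.1.100", "192.168.1.149", 1440, reserved) or "pool OK")
    print(validate_dhcp_pool("192.168.1.0/24", "192.168.1.1",
                             "192.168.1.100", "192.168.1.210", 3, reserved))
```

Running the check before saving catches the silent failure mode the guide warns about: two features handing out the same addresses, which surfaces later as intermittent connectivity rather than as an error at configuration time.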
• DHCP Relay—Passes DHCP requests and replies from another DHCP server through the device.
• Client Lease Time—Amount of time that a network user is allowed to connect to the router with the current IP address. Enter the amount of time in minutes. Valid values are 5 to 43200 minutes. The default is 1440 minutes (equal to 24 hours).
• DNS Server 1 and DNS Server 2—(Optional) IP address of a DNS server.
• Total—Total number of dynamic IP addresses managed by the DHCP server.
The Client Table shows the DHCP client information:
• Client Host Name—Name assigned to a client host.
• IP Address—Dynamic IP address assigned to a client.
• MAC Address (IPv4 only)—MAC address of a client.
• Client Lease Time—Amount of time that a network user can remain connected to the router with a dynamic IP address.
To release an IPv4 client IP address, select the Client Host Name and click Delete.
IP and MAC Binding

When the device is configured as a DHCP server or for DHCP relay, you can bind static IP addresses to up to 100 network devices, such as a web server or an FTP server. Typically the MAC address of a device physically appears on a label on the bottom panel or back panel of the device. To open this page, select DHCP > IP & MAC Binding in the navigation tree.
Edit or Delete Bound Entries

To edit the settings, select an entry in the list and click Edit. The information appears in the text fields. Make the changes, and click Save. To delete an entry from the list, select the entry to delete, and click Delete. To select a block of entries, click the first entry, hold down the Shift key, and click the final entry in the block. To select individual entries, press the Ctrl key while clicking each entry.
To change the TCP/IP connection settings, for example, on a PC running Windows, go to the Local Area Connection Properties > Internet Protocol > TCP/IP Properties window. Choose Use the following DNS server address, and enter the LAN IP address of the router as the Preferred DNS Server. For more information, refer to the documentation for the client that you are configuring.
enter the Advertisement Interval, the interval at which Router Advertisement messages are sent. Enter any value between 10 and 1800 seconds. The default is 30 seconds.
• Unicast only—Send Router Advertisement messages only to well-known IPv6 addresses.
RA Flags—Determines whether or not hosts can use DHCPv6 to obtain IP addresses and related information.
6 System Management

System Management configures advanced settings, such as diagnostic tools, and performs tasks such as firmware upgrades, backups, and device reboots.

Dual WAN Connections

Use this feature to configure the settings for your Internet connections if you are using more than one WAN interface. To configure the WAN ports, select System Management > Dual WAN in the navigation tree.
• Downstream—Maximum downstream bandwidth provided by your ISP. The default is 10000 kbs.

Network Service Detection

Optionally, check the box to allow the device to detect network connectivity by pinging specified devices, and enter the settings as described here:
• Retry count—Number of times to ping a device. The range is 1 to 99999 and the default is 3.
• Retry timeout—Number of seconds to wait between pings.
To enable the protocol binding, check the box to enable this rule, or uncheck the box to disable it. To edit the settings, select an entry in the list. The information appears in the text fields. Make the changes, and click Save. To delete an entry from the list, select the entry to delete, and click Delete. To select a block of entries, click the first entry, hold down the Shift key, and click the final entry in the block.
To open bandwidth management, select System Management > Bandwidth Management in the navigation tree.

Maximum Bandwidth Provided by ISP

Enter the maximum bandwidth settings as specified by your ISP:
• Upstream—Maximum upstream bandwidth provided by your ISP.
• Downstream—Maximum downstream bandwidth provided by your ISP.
• Direction—Select Upstream for outbound traffic. Select Downstream for inbound traffic.
• Priority—Choose the priority for this service: High or Low. The default priority level is Medium, which is implied and not shown in the web interface.
Check the box to enable this service. To edit the settings, select an entry in the list and click Edit. The information appears in the text fields. Make the changes, and click Save.
• Trap Community Name—Password sent with each trap to the SNMP manager. The string can be up to 64 alphanumeric characters. The default is public.
• Enable SNMPv1/v2c—Enables SNMP v1/v2c.
- Get Community Name—Community string for authenticating SNMP GET commands. You can enter a name up to 64 alphanumeric characters in length. The default is public.
- Set Community Name—Community string for authenticating SNMP SET commands.
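Because the Get, Set and Trap community names all default to public, and SNMPv1/v2c sends them in cleartext, an exported configuration is worth auditing before the device is exposed to a management network. The Python below is an added example, not code from the guide or the router: it reviews a dictionary of SNMP settings (a constructed representation, not the device's own file format) and reports the findings a reviewer would want to see. Treating "private" as a default string and 12 characters as a minimum community length are assumptions of this example; the SNMPv3 user fields mirror the Authentication Method and Privacy Method described in the next section.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # "public" per the guide; "private" assumed
MIN_COMMUNITY_LEN = 12                        # assumption for this audit


def audit_snmp(cfg: dict) -> list:
    """Return a list of findings for an SNMP configuration; empty means nothing to report.

    Expected keys (constructed layout): snmp_enabled, v1v2c_enabled, get_community,
    set_community, trap_community, v3_users (list of {name, auth, priv}).
    """
    findings = []
    if not cfg.get("snmp_enabled"):
        return findings   # SNMP off: nothing listens, nothing to audit

    if cfg.get("v1v2c_enabled"):
        findings.append("SNMPv1/v2c enabled: community strings travel in cleartext")
        for field in ("get_community", "set_community"):
            value = cfg.get(field, "")
            if value.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"{field} uses a default string '{value}'")
            elif len(value) < MIN_COMMUNITY_LEN:
                findings.append(f"{field} is short ({len(value)} characters)")

    if cfg.get("trap_community", "").lower() in DEFAULT_COMMUNITIES:
        findings.append("trap community uses a default string")

    for user in cfg.get("v3_users", []):
        auth = (user.get("auth") or "none").lower()
        priv = (user.get("priv") or "none").lower()
        if auth == "none" or priv == "none":
            findings.append(f"SNMPv3 user {user.get('name', '?')} lacks authentication or privacy")
    return findings


# Constructed sample configuration (not exported from a device).
SAMPLE_CONFIG = {
    "snmp_enabled": True,
    "v1v2c_enabled": True,
    "get_community": "public",
    "set_community": "r7Tq2mZ9pL4w",
    "trap_community": "public",
    "v3_users": [{"name": "monitor", "auth": "SHA", "priv": "none"}],
}

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("-", finding)
```

The expected end state after remediation is SNMPv1/v2c disabled, non-default trap community, and SNMPv3 users with both an authentication and a privacy method, for which the function returns an empty list.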
STEP 5 Click Save.

To add or edit a user:
STEP 1 Click Add, or select a user and click Edit in the User Table.
STEP 2 Enter the User Name.
STEP 3 Select the Group from the drop-down menu.
STEP 4 Select the Authentication Method and enter the Authentication Password.
STEP 5 Select the Privacy Method and enter the Privacy Password.
STEP 6 Click Save.
LLDP Properties

Link Layer Discovery Protocol (LLDP) is a vendor-neutral protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet. LLDP information is sent by devices from each of their interfaces at a fixed interval, in the form of an Ethernet frame. Each frame contains one LLDP Data Unit (LLDPDU).
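The LLDPDU the text describes is a sequence of TLVs, each with a 7-bit type and 9-bit length, and IEEE 802.1AB requires the first three to be Chassis ID, Port ID and Time To Live, in that order, followed by an End TLV. The Python below is an added example, not code from the guide or the router: it builds a constructed LLDPDU, parses it back into TLVs, and refuses frames that lack the mandatory TLVs, which is the check a neighbor-table consumer should make before trusting an advertisement. The MAC address, port name and system name are constructed sample values.

```python
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC = 4       # chassis identified by a MAC address
PORT_SUBTYPE_IFNAME = 5       # port identified by an interface name


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes) -> list:
    """Split an LLDPDU into (type, value) tuples, stopping at the End TLV."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        header, = struct.unpack("!H", data[offset:offset + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV type {tlv_type} at offset {offset}")
        tlvs.append((tlv_type, value))
        offset += 2 + length
        if tlv_type == TLV_END:
            break
    return tlvs


def is_valid_lldpdu(data: bytes) -> bool:
    """True when the frame parses and starts with Chassis ID, Port ID, TTL as required."""
    try:
        tlvs = parse_lldpdu(data)
    except ValueError:
        return False
    return [t for t, _ in tlvs[:3]] == [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]


def summarize_neighbor(data: bytes) -> dict:
    """Return the neighbor's identity fields from a valid LLDPDU."""
    if not is_valid_lldpdu(data):
        raise ValueError("mandatory TLVs missing, out of order, or frame truncated")
    info = {}
    for tlv_type, value in parse_lldpdu(data):
        if tlv_type == TLV_CHASSIS_ID and value and value[0] == CHASSIS_SUBTYPE_MAC:
            info["chassis_mac"] = ":".join(f"{b:02x}" for b in value[1:])
        elif tlv_type == TLV_PORT_ID and value and value[0] == PORT_SUBTYPE_IFNAME:
            info["port"] = value[1:].decode("ascii", errors="replace")
        elif tlv_type == TLV_TTL and len(value) == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("ascii", errors="replace")
    return info


# Constructed sample LLDPDU (not a real capture).
SAMPLE_LLDPDU = (
    build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("001122334455"))
    + build_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"ge-0/0/1")
    + build_tlv(TLV_TTL, struct.pack("!H", 120))
    + build_tlv(TLV_SYSTEM_NAME, b"edge-sw1")
    + build_tlv(TLV_END, b"")
)

if __name__ == "__main__":
    print(summarize_neighbor(SAMPLE_LLDPDU))
```

Since LLDP is unauthenticated, the parsed fields describe what a neighbor claims, not what it is; the value of parsing them is in detecting unexpected neighbors or changed identities on a port, which is why the mandatory-TLV check matters before the data is recorded.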
Using Diagnostics

The Diagnostic page accesses two built-in tools, DNS Name Lookup and Ping. If you suspect a problem with connectivity, you can use these tools to investigate the cause. To open this page, select System Management > Diagnostic. To use DNS to learn an IP address, choose DNS Lookup, enter the Lookup Domain Name, such as www.cisco.com, and click Go. The IP address is displayed.
Firmware Upgrade

This feature downloads the firmware for your device from a PC or a USB flash drive and installs it. The window displays the Firmware Version currently running on the device.

NOTE If you choose an earlier version of the firmware, the device might reset to factory default values. We recommend that you back up your configuration by using the Backup and Restore procedure before updating the firmware. Upgrading the firmware might take several minutes.
Alternatively, you can choose a language in the following ways:
• On the Login page, choose a language from the Language drop-down list.
• On all configuration pages, choose a language from the drop-down list at the top right-hand corner.
For firmware versions 1.0.2.03 or earlier, use the Language Setup page to choose a new language by uploading a language pack to your device.
STEP 1 Navigate to System Management > Language Setup.
Backup and Restore

Configuration files can be imported, exported, and copied. The router has two managed configuration files, startup and mirror. The device loads the startup file from memory when it boots up into the running configuration and copies the startup file to the mirror file. Thus, the mirror file contains the last known valid configuration. If the startup configuration file is corrupted or fails for any reason, the mirror configuration file is used.
STEP 3 Click Save and choose a file location. Optionally, enter a filename and click Save.

TIP The default filenames are Startup.config and Mirror.config. The .config extension is required. For easier identification, it might be helpful to enter a filename that includes the current date and time.

Copying the Mirror File to the Startup File

You can manually copy the device startup configuration file to the mirror configuration file.
7 Port Management

Use Port Management to configure port settings and view the status of the port. You can enable port mirroring, disable a port, or set the priority, speed, duplex mode, and auto-negotiation. You also can enable port-based VLANs to control traffic between devices on your network.

Port Setup

You can set port mirroring and manage ports, including priority and mode. Port mirroring sends a copy of network packets seen on one port to a network monitoring connection on another port.
Enter the following settings:
• Disable—Check this box to disable a port. By default, all ports are enabled.
• EEE—Check this box to enable Energy-Efficient Ethernet, which reduces the consumption of power during periods of low data activity.
• Priority—For each port, select the appropriate priority level, High or Normal. This ensures Quality of Service (QoS) by prioritizing the traffic for devices on particular ports.
Traffic Statistics

To open this page, select Port Management > Traffic Statistics in the navigation tree. For the selected port, the Statistics table displays the following:
• Port ID—Location of the port.
• Link Status—Status of the connection.
• Rx Packets—Number of packets received on the port.
• Rx Bytes—Number of bytes received on the port.
• Tx Packets—Number of packets sent on the port.
• Tx Bytes—Number of bytes sent on the port.
Map DSCP to queue

This option groups traffic by classes of service (CoS), ensuring bandwidth and higher priority for the specified services. All traffic that is not added to the IP Group uses Intelligent Balancer mode. To open this page, select Port Management > QoS:CoS/DSCP Setting in the navigation tree. To configure the service queues, select the Queue priority (4 is the highest and 1 is the lowest) from the drop-down menu.
802.1X Configuration

Port-based network access control uses the physical access characteristics of IEEE 802 LAN infrastructures to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases in which authentication and authorization fail. A port in this context is a single point of attachment to the LAN infrastructure.
8 Firewall

The primary objective of a firewall is to control incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through, based on a predetermined rule set. A network firewall builds a bridge between an internal network that is assumed to be secure and trusted and another network, usually an external (inter)network such as the Internet, that is assumed to be insecure and untrusted.
• Remote Management—Allows remote management of the device when enabled. The port is 443 by default. It can be changed to any user-defined port. The string will be https://:
• Multicast Pass Through—Allows multicast messages to pass through the device.
• HTTPS—Hypertext Transfer Protocol Secure is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet.
UDP timeout—Input the timeout value of UDP sessions. The default UDP timeout is 30 seconds.

Access Rules

Access rules limit access to the subnetwork by allowing or denying access by specific services or devices identified by their IP address. To open this page, select Firewall > Access Rules in the navigation tree. To add or edit a service, click Service Management. This feature is described in Adding or Editing a Service Name.
STEP 11 Click Save.

Adding an Access Rule to the IPv6 Access Rule Table

To add (or edit) an IPv6 access rule:
STEP 1 Click the IPv6 tab.
STEP 2 Click Add (or select the row and click Edit).
STEP 3 Select the Action, Allow or Deny, for this rule from the drop-down menu.
STEP 4 Select the Service from the drop-down menu.
STEP 5 Select the Log from the drop-down menu.
STEP 6 Select the Source Interface from the drop-down menu.
VPN

A VPN is a connection between two endpoints in different networks that allows private data to be sent securely over a shared or public network, such as the Internet. This tunnel establishes a private network that can send data securely by using industry-standard encryption and authentication techniques to secure the data sent.

Summary

This feature displays general information about the VPN tunnel settings. The device supports up to 100 tunnels.
• Domain Name 1 through 4—If this router has a static IP address and a registered domain name, such as MyServer.MyDomain.com, enter the Domain Name to use for authentication. A domain name can be used only for one tunnel connection.

The VPN Tunnel Status displays the number of Tunnels Used, Tunnels Available, Tunnels Enabled, and Tunnels Defined.
• Remote Client—IP address and subnet mask of the Remote Client.
• Details—IP address of the Remote Gateway.
• Tunnel Test—Status of the VPN tunnel.

Gateway to Gateway

In a site-to-site or gateway-to-gateway VPN, the local router at one office connects to a remote router through a VPN tunnel. Client devices can access network resources as if they were all at the same site. This model can be used for multiple users at a remote office.
• Enable—Check this box to enable the VPN tunnel, or uncheck it to disable the tunnel. By default, the tunnel is enabled.

Local Group Setup

Enter the settings for the Local Group Setup for this router. (Mirror these settings when configuring the VPN tunnel on the other router.)

NOTE All the options are documented, but only those options that relate to the selected parameter display.
If both routers have dynamic IP addresses (as with PPPoE connections), do not choose Dynamic IP + Email Addr. for both gateways. For the remote gateway, choose IP Address and IP Address by DNS Resolved.

Keying Mode = IKE with Certificate

• Local Security Gateway Type—LAN resources that can use this tunnel. The only option is IP + Certificate.
• IP Address—Displays the WAN IP address of the device.
VPN router, choose IP Address, and enter the address. If you do not know the IP address of the remote VPN router, select IP by DNS Resolved, and enter the domain name of the router. Cisco routers can get the IP address of the remote VPN device by DNS Resolved.
- IP + E-mail Address (USER FQDN) Authentication—This router has a static IP address and you want to use an E-mail address for authentication.
IPSec Setup

For encryption to be successful, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. Enter exactly the same settings on both routers. Enter the settings for Phase 1 and Phase 2. Phase 1 establishes the preshared keys to create a secure authenticated communication channel. In Phase 2, the IKE peers use the secure channel to negotiate Security Associations on behalf of other services such as IPsec.
• Preshared Key—Preshared key to use to authenticate the remote IKE peer. You can enter up to 30 keyboard characters or hexadecimal values, such as My_@123 or 4d795f40313233 (' ' " \ are not supported). Both ends of the VPN tunnel must use the same Preshared Key. It is strongly recommended that you change the Preshared Key periodically to maximize VPN security.
• Minimum Preshared Key Complexity—Check the Enable box to enable the Preshared Key Strength Meter.
• AH Hash Algorithm—Authentication Header (AH) protocol describes the packet format and default standards for packet structure. When AH is the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet. Check the box to use this feature and select an authentication method: MD5 or SHA1. MD5 produces a 128-bit digest to authenticate packet data. SHA1 produces a 160-bit digest to authenticate packet data.
- Remote Backup IP Address—Alternative IP address for the remote peer, or reenter the WAN IP address that was already set for the remote gateway.
- Local Interface—WAN interface to use to reestablish the connection.
- VPN Tunnel Backup Idle Time—When the router boots up and the primary tunnel is not connected within the specified period, the backup tunnel is used. The default idle time is 30 seconds.
• Group VPN—Creates a tunnel for a group of users, eliminating the need to configure individual users. All of the remote users can use the same Preshared Key to connect to the device, up to the maximum number of supported tunnels. The router supports up to two VPN groups. The group number is automatically generated.
• Easy VPN—Allows remote users to connect to this device by using the Cisco VPN Client (also known as Cisco Easy VPN Client) utility (available on https://software.cisco.
• IKE with Certificate—Use a certificate to authenticate a remote IKE peer.

Enable—Check to enable this VPN.

Configuring Easy VPN

Enter the following information:
• Name—Name to describe the tunnel. For a single user, you can enter the username or location. This description is for your reference and does not have to match the name used at the other end of the tunnel.
• Extended Authentication—Uses an IPsec host username and password to authenticate the VPN clients, or it uses the user database found in User Management. To use the IPsec Host, click the radio button and enter the User Name and Password. To use the Edge Device, click the radio button and select the database from the drop-down menu. To add or edit the database, click Add/Edit to display the User Management window.
hostname. Enter an Email Address to use for authentication. If both routers have dynamic IP addresses (as with PPPoE connections), do not choose Dynamic IP + Email Address for both gateways. For the remote gateway, choose IP Address and IP Address by DNS Resolved.
• Local Security Group Type—Specify the LAN resources that can access this tunnel.
- IP Address—Choose this option to allow only one LAN device to access the VPN tunnel. Then enter the IP address of the computer.
If you know the IP address of the remote VPN client, choose IP Address, and then enter the address. If you do not know the IP address of the remote VPN client, select IP by DNS Resolved, and then enter the real domain name of the client on the Internet. The router will get the IP address of the remote VPN client by DNS Resolved, and the IP address of the remote VPN client will be displayed in the VPN Status section of the Summary page.
IPSec Setup

For encryption to be successful, the two ends of a VPN tunnel must agree on the methods of encryption, decryption, and authentication. Enter exactly the same settings on both routers. Enter the settings for Phase 1 and Phase 2. Phase 1 establishes the preshared keys to create a secure authenticated communication channel. In Phase 2, the IKE peers use the secure channel to negotiate Security Associations for other services such as IPsec.
• Preshared Key—Preshared key to use to authenticate the remote IKE peer. You can enter up to 30 keyboard characters or hexadecimal values, such as My_@123 or 4d795f40313233. Both ends of the VPN tunnel must use the same Preshared Key. We recommend that you change the Preshared Key periodically to maximize VPN security.
• Preshared Key Strength Meter—When you enable Minimum Preshared Key Complexity, this meter indicates the preshared key strength.
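The Preshared Key bullets in both the Gateway to Gateway and the Client to Gateway sections state the same rules: at most 30 keyboard characters, or the same key written as hexadecimal (the guide's own pair is My_@123 and 4d795f40313233), with a few characters unsupported. The Python below is an added example, not Cisco code, that checks a candidate key against those rules before it is typed into both peers. It reads the guide's unsupported-character note as space, single quote, double quote and backslash (an assumption), and its strength score is a stand-in for the router's undocumented Preshared Key Strength Meter (also an assumption).

```python
"""Pre-shared key checks for the RV320/RV325 rules quoted above.

Added example, not Cisco code. The 30-character limit and the hex form
(My_@123 == 4d795f40313233) come from the guide. The forbidden set
(space, ', ", \\) is our reading of the guide's note, and the strength
score is an assumption standing in for the router's own meter.
"""
import math
import string
from typing import List, Optional

MAX_LEN = 30                                   # guide: up to 30 keyboard characters
FORBIDDEN = set(" '\"\\")                      # assumption: the characters the guide lists as unsupported
KEYBOARD = set(string.printable) - set("\t\n\r\x0b\x0c")   # printable ASCII = "keyboard characters"


def validate_psk(psk: str) -> List[str]:
    """Return the rule violations for a key in keyboard (text) form; [] means acceptable."""
    problems: List[str] = []
    if not psk:
        problems.append("key is empty")
    if len(psk) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(c for c in set(psk) if c in FORBIDDEN)
    if bad:
        problems.append("contains unsupported characters: " + " ".join(repr(c) for c in bad))
    if any(c not in KEYBOARD for c in psk):
        problems.append("contains non-keyboard (non-printable-ASCII) characters")
    return problems


def hex_to_text(hex_psk: str) -> Optional[str]:
    """Decode the hexadecimal form of a key into its text form.

    Returns None unless the string is non-empty, even-length hex that
    decodes to ASCII. The guide gives 4d795f40313233 as the hex form of
    My_@123, so the two forms can be compared before configuring each peer.
    """
    if not hex_psk or len(hex_psk) % 2 or any(c not in string.hexdigits for c in hex_psk):
        return None
    try:
        return bytes.fromhex(hex_psk).decode("ascii")
    except UnicodeDecodeError:
        return None


def entropy_bits(psk: str) -> float:
    """Crude strength estimate (assumption, not the router's meter).

    len(key) * log2(pool), where the pool is the union of the character
    classes the key actually uses. Forbidden characters are reported by
    validate_psk, not here.
    """
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return round(len(psk) * math.log2(pool), 1) if pool else 0.0


def check_both_forms(text_psk: str, hex_psk: str) -> bool:
    """True when the hex form decodes to exactly the text form and the text form passes the rules."""
    return hex_to_text(hex_psk) == text_psk and not validate_psk(text_psk)


if __name__ == "__main__":
    for key in ("My_@123", "a" * 31, 'pass word"'):
        print(f"{key!r}: {validate_psk(key) or 'ok'}  ~{entropy_bits(key)} bits")
    print("hex form matches:", check_both_forms("My_@123", "4d795f40313233"))
```

Run the checks on the text form you intend to use, and if one side will be configured with the hex form, confirm with check_both_forms that it decodes to the same key; a mismatch here is a far cheaper finding than an IKE Phase 1 that never completes.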
• AH Hash Algorithm—Authentication Header (AH) protocol describes the packet format and default standards for packet structure. When AH is the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet. Check the box to use this feature and select an authentication method: MD5 or SHA1. MD5 produces a 128-bit digest to authenticate packet data. SHA1 produces a 160-bit digest to authenticate packet data.
VPN Passthrough

VPN Passthrough allows VPN clients to pass through this router and connect to a VPN endpoint and is enabled by default. To open this page, select VPN > VPN Passthrough in the navigation tree. To enable VPN Passthrough, check Enable for the allowed protocols:
• IPSec Passthrough—Internet Protocol Security (IPsec) is a suite of protocols used to implement secure exchange of packets at the IP layer.
SSL VPN

An SSL VPN (Secure Sockets Layer virtual private network) allows users to establish a secure, remote-access VPN tunnel to this device by using a web browser. Users do not need a software or hardware client preinstalled on their computers. SSL VPN provides secure, easy access to a broad range of web resources and web-enabled applications from almost any computer on the Internet. They include:
• Internal websites
• Web-enabled applications
• NT/Active Directory file shares (i.e.
STEP 4 Click the Virtual Passage page. Choose Connect using Virtual Passage. A warning message window pops up. Click the Install button (install Xtunnel_WOW64.cab) to establish a tunnel.
STEP 5 After the Virtual Passage window finishes loading, the tunnel is connected. The PC gets the protected subnet IP from the RV320/RV325 and can access the LAN resources.

Status

Provides the status of the SSL VPN tunnels. A user can be logged out from this window.
• Resource—System resources the group is allowed to access. Click Details to display.
• Status—Group status.

Delete a Group

To delete a group, click the name of the group that you want to remove in the SSL Status table and click Delete. If users belong to only one group, when an administrator deletes the group, the corresponding users are deleted automatically.
• My Desktop—Enables RDP5 and VNC. Remote Desktop Protocol Client Enhancements (RDP5) ActiveX bookmarks now support advanced Windows options for resource mapping, with options to redirect drives, redirect printers, redirect ports, and redirect smart cards. Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the remote frame buffer (RFB) protocol to remotely control another computer.
Resource name / Group name: All Users, Supervisor, Mobile User, Branch Staff
- ERP: all four groups
- Remote Desktop RDP5: two of the groups
- VNC: one of the groups
- My Network Place: two of the groups
- Virtual Passage: two of the groups

Resource Management

SSL VPN supports common Microsoft terminal services including Word, Excel, PowerPoint, Access, Outlook, Internet Explorer, FrontPage, and ERP.
Advanced Setting

Advanced SSL VPN settings limit the range of IP addresses that can access services, change the service port, or modify the banners. To open this page, select SSL VPN > Advanced Setting in the navigation tree. To modify advanced settings, enter the following parameters:
• Client Address Range Starts—Starting IP address of the allowed range.
• Client Address Range Ends—Ending IP address of the allowed range.
• Service Port—Port number for SSL VPN.
Certificate Management

A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.
Exporting or Displaying a Certificate or Private Key

The client certificate enables the client to connect to the VPN. To export or display a certificate or private key:
STEP 1 Click the related icon: Export Certificate for Client, Export Certificate for Administrator, or Export Private Key. The File Download window appears.
• Export Certificate for Client—Client certificate that enables the client to connect to the VPN.
Trusted SSL Certificate

Secure Sockets Layer (SSL) is the standard security technology for creating an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remains private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.
To export or display a certificate, click the Export Certificate icon. A pop-up window displays where you can Open the certificate for inspection or Save the certificate to a PC. To import a 3rd-party certificate, click Add and import the certificate:
STEP 1 Select the CA Certificate.
STEP 2 Select Import from PC or Import from USB Device.
STEP 3 Browse in the Certificate (3rd-party or Self-signed).
STEP 4 Click Save.
• Key Encryption Length—Length of the key.
• Valid Duration—Number of days the certificate is valid.
STEP 2 Click Save. The My Certificate window appears.

CSR Authorization

CSR (Certificate Signing Request) is a digital identity certificate generated by a certificate generator. It is not a complete certificate until it is signed by a certificate authority (CA).
Log

Logs document the status of the system, either by using traps or periodically.

System Log

Configure Short Message Service (SMS) logs and alerts. To open this page, select Log > System Log in the navigation tree.

Configuring the System Log Send SMS

To configure the link for the log, complete the following:
STEP 1 Click Enable.
STEP 2 Select USB1 or USB2 to send the log out the USB ports.
STEP 3 Check Dial Number1 and/or Dial Number2 and enter the phone number to call.
Configure email Notification

To configure E-mail notification, check Enable and complete the following:
• Mail Server—Name or IP address of the mail server.
• Authentication—Mail server login authentication type.
- None—Without any authentication.
- Login Plain—Authentication in plaintext format.
- TLS—Authentication protocol of the secure connection (for example, Gmail uses the TLS authentication option on port 587).
Configure the Logs

To trigger log entries, select the events:
• Syn Flooding—TCP connection requests are being received faster than the device can process them.
• IP Spoofing—IP packets with apparently forged source IP addresses, sent with the purpose of concealing the identity of the sender or impersonating another computing system.
• Unauthorized Login Attempt—Rejected attempt to log on to the network.
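Enabling these three events only helps if someone reads the result. The Python below is an added example, not Cisco code, that triages a System Log export: it keeps the lines carrying one of the three events named above, counts them, and flags source addresses that produce a burst of Unauthorized Login Attempt entries. The line layout ("<Mon DD HH:MM:SS> <host> <event>: <details>"), the src= field, the sample lines and the burst threshold are all constructed assumptions; the guide does not show the device's export format, so adjust LINE_RE and SRC_RE to the real one.

```python
"""Triage of System Log events exported from an RV320/RV325.

Added example, not Cisco code. The three event names are the ones the
Configure the Logs page lets you enable. The line layout and every
sample line are constructed assumptions (not captured from a device),
as are the burst threshold and window.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta
from typing import Dict, List

EVENTS = ("Syn Flooding", "IP Spoofing", "Unauthorized Login Attempt")

# Assumed line shape; the event field must be one of EVENTS.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r"): (?P<msg>.*)$"
)
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log (assumption), not captured from a real device.
SAMPLE_LOG = """\
Mar 01 10:00:01 rv320 Unauthorized Login Attempt: user=admin src=203.0.113.7 via=https
Mar 01 10:00:04 rv320 Unauthorized Login Attempt: user=admin src=203.0.113.7 via=https
Mar 01 10:00:09 rv320 Unauthorized Login Attempt: user=root src=203.0.113.7 via=https
Mar 01 10:00:15 rv320 Unauthorized Login Attempt: user=cisco src=203.0.113.7 via=https
Mar 01 10:00:20 rv320 Unauthorized Login Attempt: user=admin src=203.0.113.7 via=https
Mar 01 10:02:30 rv320 Syn Flooding: src=198.51.100.22 dst=192.0.2.10 port=443
Mar 01 10:05:00 rv320 IP Spoofing: src=192.168.1.50 arrived on WAN1
Mar 01 10:30:00 rv320 Unauthorized Login Attempt: user=admin src=203.0.113.9 via=https
Mar 01 10:30:05 rv320 Some Other Event: not one of the three events, skipped
"""


def parse_log(text: str, year: int = 2015) -> List[Dict]:
    """Parse the lines that carry one of the three events; other lines are skipped.

    Syslog-style timestamps carry no year, so the caller supplies one.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = SRC_RE.search(m["msg"])
        records.append({
            "ts": ts,
            "host": m["host"],
            "event": m["event"],
            "src": src.group(1) if src else None,
            "msg": m["msg"],
        })
    return records


def count_events(records: List[Dict]) -> Counter:
    """How often each enabled event fired; a quick check that logging is actually on."""
    return Counter(r["event"] for r in records)


def repeated_login_failures(records: List[Dict], threshold: int = 5,
                            window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Source addresses with >= threshold rejected logins inside any sliding window.

    Threshold and window are illustrative defaults, not values from the guide.
    """
    per_src: Dict[str, List[datetime]] = {}
    for r in records:
        if r["event"] == "Unauthorized Login Attempt" and r["src"]:
            per_src.setdefault(r["src"], []).append(r["ts"])
    flagged = []
    for src, times in per_src.items():
        recent: deque = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:     # drop entries that fell out of the window
                recent.popleft()
            if len(recent) >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_events(recs))
    print("repeated login failures from:", repeated_login_failures(recs))
```

A flagged address is a reason to review Remote Management exposure (the HTTPS port from the Firewall chapter) and the accounts being tried, not proof of compromise; the Syn Flooding and IP Spoofing counters are kept separate so a burst of one is not hidden inside the total.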
Additional Information (Log Buttons)

If the web browser displays a warning about the pop-up window, allow the blocked content. Click Refresh to update the data. Click the following buttons to view additional information:
• View System Log—View the System Log. To specify a log, select the filter from the drop-down menu. Log entries include the date and time of the event, the event type, and a message.
User Management

User management controls domain and user access, primarily used for PPTP, Cisco VPN Client (also known as EasyVPN), and SSL VPN. To open this page, select User Management in the navigation tree.

To add (or modify) a domain:
STEP 1 Click Add (or select an entry and click Edit).
STEP 2 Choose the Authentication Type and enter the required information:
• Local Data Base—Authenticates to a local database.
- Domain—Domain name users select to log into the SSL VPN portal.
- Domain—Domain name users select to log into the SSL VPN portal.
- LDAP Server Address—IPv4 address of the LDAP server.
- LDAP Base DN—Search base for LDAP queries. An example of a search base string is CN=Users,DC=yourdomain,DC=com.
STEP 3 Click OK.

To add (or modify) a user, click Add (or select an entry and click Edit) and enter the following information:
• Username—Name the user enters to log into the SSL VPN portal.
• Password—Password used for authentication.
Web Filtering

Web filtering can protect against access to inappropriate websites, based on the following mechanism. This feature is only available on the RV320-WB and RV325-WB models.
STEP 1 If the incoming URL is in the Exclusion List and its Web Reputation index value is not lower than 40, the URL is safe and allowed. Conversely, if its index value is lower than 40, the URL is blocked.
STEP 2 If the incoming URL is not in the Exclusion List, check if it is in the Black List. If it is in the Black List, the URL is blocked.
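The ordering matters: the Exclusion List is consulted first, and an excluded site with a Web Reputation index below 40 is still blocked, so exclusion is not a bypass. The Python below is an added example, not Cisco code, that applies STEP 1 and STEP 2 in that order to a URL. The list contents, the reputation scores, the hostname-based matching (an entry matches the host or any subdomain of it) and the fail-closed handling of an excluded host with no score are constructed assumptions; steps after STEP 2 are not shown on this page, so URLs they would decide come back as "continue".

```python
"""Web Filtering decision order as described in STEP 1 and STEP 2 above.

Added example, not Cisco code. The Exclusion List / Web Reputation
(threshold 40) / Black List ordering is from the guide; everything in
the sample lists and the matching rules is a constructed assumption.
"""
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

REPUTATION_THRESHOLD = 40   # guide: an index "not lower than 40" counts as safe

# Constructed sample lists and scores (assumptions).
EXCLUSION_LIST = ["partner.example.com", "example.net"]
BLACK_LIST = ["bad.example.org"]
REPUTATION = {"partner.example.com": 85, "www.example.net": 12}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare hostnames are accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def in_list(host: str, entries: Iterable[str]) -> bool:
    """Assumption: an entry matches the host itself or any subdomain of it."""
    return any(host == e or host.endswith("." + e) for e in entries)


def evaluate(url: str,
             exclusion: Iterable[str] = EXCLUSION_LIST,
             blacklist: Iterable[str] = BLACK_LIST,
             reputation: Dict[str, int] = REPUTATION) -> Tuple[str, str]:
    """Return (verdict, reason) after applying STEP 1 and STEP 2.

    verdict is "allow", "block" or "continue" (undecided by these two steps).
    """
    host = host_of(url)
    if not host:
        return "block", "unparseable URL"              # assumption: fail closed
    if in_list(host, exclusion):                       # STEP 1
        score: Optional[int] = reputation.get(host)
        if score is not None and score >= REPUTATION_THRESHOLD:
            return "allow", f"exclusion list, reputation {score} >= {REPUTATION_THRESHOLD}"
        return "block", f"exclusion list, reputation {score} below {REPUTATION_THRESHOLD}"
    if in_list(host, blacklist):                       # STEP 2
        return "block", "black list"
    return "continue", "not decided by STEP 1 or STEP 2"


if __name__ == "__main__":
    for u in ("https://partner.example.com/login", "http://www.example.net/x",
              "https://bad.example.org/", "https://news.example.com/"):
        print(u, "->", evaluate(u))
```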
• Click Add and input the value of the fields.
- Name: The name of the schedule.
- Description: Describe the schedule.
- Check the dates of implementing the schedule.
- Start: The start time of the schedule.
- End: The end time of the schedule.
- Active: Check to activate the schedule.
- Click Save to save the configuration.
Cisco Small Business Web Filtering Service Supplemental End User License Agreement

1.1 These Terms describe the terms and conditions of your use of the Service.
1.2 Service Changes. Cisco reserves the right, at its sole discretion and from time to time, to modify the Service, or parts thereof, including, but not limited to, terminating the availability of a given feature or functionality. Some material Service changes may include a requirement that End User agree to the changed Terms.
4.2 License. Subject to the terms and conditions of these Terms, Cisco grants to End User a limited, non-exclusive, non-transferable license to use the Service on the Cisco device.

5. DATA USAGE AND PROTECTION
5.1 Collection.
TO THE GREATEST EXTENT ALLOWED BY APPLICABLE LAW. END USER’S SOLE AND EXCLUSIVE REMEDY FOR BREACH OF WARRANTY SHALL BE, AT CISCO’S OPTION, RE-PERFORMANCE OF THE SERVICE; OR TERMINATION OF THE SERVICE. IN NO EVENT DOES CISCO OR SERVICE PROVIDER WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, SECURE OR ERROR FREE.
7.3 Force Majeure. Cisco shall not be liable for any delay or failure in performance whatsoever resulting from acts beyond its reasonable control.
Where to Go From Here

Support
• Cisco Support Community: www.cisco.com/go/smallbizsupport
• Online Technical Support and Documentation (Login Required): www.cisco.com/support
• Phone Support Contacts: www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
• Software Downloads (Login Required): Go to tools.cisco.com/support/downloads, and enter the model number in the Software Search box.
• Cisco Open Source Requests: www.cisco.