SpeedStream™ Router Family Command Line Interface Guide
November 2000. Copyright Efficient Networks. Efficient Networks provides this publication "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. All rights reserved. No part of this book may be reproduced in any form or by any means without written permission from Efficient Networks. Changes are periodically made to the information in this book. They will be incorporated in subsequent editions.
What's New in This Release?
This version of the Command Line Interface (CLI) manual has been updated to document features available with this release of the kernel software. The following list directs you to the CLI documentation for these new features:
Release 5.0:
VRRP Backup - see page 107
• Implements the Virtual Router Redundancy Protocol (RFC 2338).
• Allows other routers in the LAN to serve as backups for a static default gateway.
Dial Backup - see page 103
• Uses a V.
IP Filter changes - see eth ip filter, page 237, or remote ipfilter, page 267
• The new -tcp rst parameter allows a filter to match the TCP RESET flag.
• Watch messages are also sent to Unix Syslog servers.
New IP remote LANCONFIG option - see page 278
• A PPP remote can receive IPCP information for dynamically reconfiguring the Ethernet interface.
Command to delete software options - see page 115
• The command reboot bridgeonly deletes the KEYFILE.DAT file.
About This Manual This manual contains information on the syntax and use of the Command Line Interface for the family of DSL routers. Configuration of network connections, bridging, routing, and security features are essentially the same for all DSL routers, unless otherwise noted. This manual is intended for small and home office users, remote office users, and other networking professionals who are installing and maintaining bridged and routed networks.
Typographic Conventions
The following typeface conventions are used in this guide:
Typeface / Item / Examples
Italics / Book titles, command reference parameters, cross-references, text emphasis / Refer to the Quick Start Guide.
Bold / Keywords in command reference instructions / save
Mono-spaced font / Examples / remote listIpRoute hq
Uppercase / File names / Copy file CFGMGR.
Table of Contents
What's New in This Release? ... 3
Release 5.0: ... 3
About This Manual ... 5
How This Manual is Organized ...
Configuration Tables ... 48
Configuring PPP with IP Routing ... 49
Configuring PPP with IPX Routing ... 50
Configuring PPP with Bridging ...
Dial Backup ... 103
Configuring Dial Backup ... 103
VRRP Backup ... 107
VRRP Configuration ...
BootP Concepts ... 152
BootP Service by the DHCP Server ... 152
Relaying BootP Requests ... 153
Syslog Client ...
Router Configuration Commands ... 206
SYSTEM (Target Router System Configuration Commands) ... 207
ETH (Target Router Ethernet LAN Bridging and Routing) ... 229
Remote Access Configuration ...
How to Access the Command Line
This manual describes the Command Line Interface for your router. The Command Line Interface gives you access to all capabilities of your router. Many of the router configuration capabilities are also available through an easy-to-use, graphic interface. To learn how to access the graphic interface, see the Quick Start Guide that came with the router. To use the Command Line Interface, you must first access the router command line. To do this, you:
1.
Terminal Session under Windows (HyperTerminal)
To open the HyperTerminal emulator available under the Windows operating system:
1. Click Start on your desktop and then select Programs > Accessories > Communications > Hyperterminal.
2. Double-click Hypertrm.exe.
3. In the Connection Description window, enter a name for the connection and select OK.
4. In the Phone Number window, under Connect using, select Choose Direct to Com 1 (or 2).
5.
Terminal Session for Macintosh or UNIX
To open a terminal window emulation in a Macintosh or UNIX environment, you need a VT100 terminal emulation program.
1. Start your VT100 terminal emulator.
2. Configure the emulator with the following port settings:
   Baud rate (Data rate): 9600
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: Hardware
   (To use a baud rate other than 9600, see page 157.)
Telnet Session for Remote Access
The router supports Telnet access.
4. The router displays a line identifying itself and then displays the Login: prompt.
Chapter 1. Router Concepts This chapter provides background information applicable to the router on topics useful to network administrators.
Numerous network protocols have evolved, and within each protocol are associated protocols for routing, error handling, network management, etc. The following chart displays the networking and associated protocols supported by the router.
These bridge-only units are pre-configured; no further configuration is required. The unit comes up in bridge mode automatically. Upgrading an upgradable bridge to become a router requires the addition of a software option key. The software option key turns on the IP Routing feature. To read about software option keys, see page 114.
• Routing takes precedence over bridging; i.e., when routing is active, the router uses the packet's protocol address information to route the packet. If the protocol is not supported, the router uses the MAC address information to forward the packet.
Routing and Bridging Controls
The router can be configured to perform general routing and bridging while allowing you to set specific controls.
• One remote router can be designated as the outbound default bridging destination.
• Support for these voice gateways:
  • Jetstream proprietary
  • CopperCom proprietary
  • ATM Forum Standards based (ATM Forum doc. VMOA-0145.00)
• Upstream traffic shaping (bandwidth management) of data when the telephony interface is active
• ADPCM or PCM voice encoding
• Local echo canceling (G.168)
This diagram illustrates how a Voice over DSL router connects both a phone system to the PSTN and a LAN to the Internet over the same DSL line.
Changing Your Voice Profile
If your voice gateway is an ATM standards-based gateway, the voice profile must match the configuration of the voice gateway. (You do not set a voice profile for the other supported gateways.) The voice profile determines the following attributes:
• Voice compression: ADPCM32 or PCM, or PCM only?
• Silence suppression supported: yes or no?
• Voice cell payload size: 44 bytes or 40 bytes?
You can display and change your active voice profile.
PAP/CHAP Security Authentication
The router supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol) under PPP. Security authentication may not be required due to the nature of the connection in a DSL environment (traffic occurs on a dedicated line/virtual circuit). However, authentication may be specifically required by the remote end, the ISP, or the NSP. When authentication is not required, security can be disabled with the command remote disauthen (page 266).
Authentication Process The authentication process occurs regardless of whether a remote router connects to the local router or vice versa, and even if the remote end does not request authentication. It is a bi-directional process, where each end can authenticate the other using the protocol of its choice (provided the other end supports it). During link negotiation (LCP), each side of the link negotiates which protocol to use for authentication during the connection.
router. This allows you to set a unique CHAP or PAP authentication password for authentication of the local site by the remote site only when the router connects to that remote site. A common use of the system override password is to set a password assigned to you by an Internet Service Provider (ISP). Similarly, the system name of the local router can be overridden for connecting to a specific remote with the command remote setOurSysName (page 283).
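The following added example (not from the manual) models the bi-directional PAP/CHAP exchange described above in Python: each router has its own system name and password, the passwords it expects from its remotes (remote setpasswd), and an optional per-remote override of the name and password it presents. The CHAP response is the RFC 1994 MD5 computation over identifier, secret and challenge; all names and passwords are constructed, and the Router class and its methods are illustration only.

```python
# Added example, not from the SpeedStream manual: a model of the bi-directional
# PAP/CHAP authentication the section describes.  Each router has its own
# system name and password ("system name", "system password"), the password it
# expects from each remote ("remote setpasswd"), and an optional per-remote
# override of the name/password it presents to that remote (the name part is
# "remote setOurSysName").  CHAP responses use the RFC 1994 computation
# MD5(identifier || secret || challenge).  All names/passwords are constructed.
import hashlib
import hmac
import os


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response for the MD5 algorithm."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Router:
    def __init__(self, name: str, password: str):
        self.name = name                 # system name
        self.password = password         # system password
        self.remote_passwords = {}       # remote system name -> password we expect from it
        self.overrides = {}              # remote name -> (our name, our password) for that remote

    def add_remote(self, remote_name: str, remote_password: str) -> None:
        """Model of 'remote add NAME' followed by 'remote setpasswd PASSWORD NAME'."""
        self.remote_passwords[remote_name] = remote_password

    def set_override(self, remote_name: str, our_name=None, our_password=None) -> None:
        """Model of the per-remote override of the name/password we present."""
        self.overrides[remote_name] = (our_name or self.name, our_password or self.password)

    def credentials_for(self, remote_name: str):
        """Name and password this router presents when it talks to remote_name."""
        return self.overrides.get(remote_name, (self.name, self.password))

    # ---- authenticator side: check the proof the other end sent ----
    def verify(self, proto: str, claimed_name: str, proof: bytes,
               ident: int = 0, challenge: bytes = b"") -> bool:
        expected_secret = self.remote_passwords.get(claimed_name)
        if expected_secret is None:
            return False                 # no entry for that name in the remote router database
        if proto == "PAP":
            return hmac.compare_digest(expected_secret.encode(), proof)
        if proto == "CHAP":
            return hmac.compare_digest(chap_response(ident, expected_secret, challenge), proof)
        raise ValueError(f"unsupported protocol {proto}")

    # ---- authenticatee side: produce the proof for the protocol the peer chose ----
    def prove(self, proto: str, remote_name: str, ident: int = 0, challenge: bytes = b""):
        our_name, our_password = self.credentials_for(remote_name)
        if proto == "PAP":
            return our_name, our_password.encode()      # PAP sends the password itself
        return our_name, chap_response(ident, our_password, challenge)


def authenticate_one_way(authenticator: Router, peer: Router, proto: str) -> bool:
    """authenticator checks peer with the protocol it negotiated during LCP."""
    ident = 1
    challenge = os.urandom(16) if proto == "CHAP" else b""
    name, proof = peer.prove(proto, authenticator.name, ident, challenge)
    return authenticator.verify(proto, name, proof, ident, challenge)


def authenticate_link(a: Router, b: Router, proto_a: str = "CHAP", proto_b: str = "CHAP"):
    """Both ends authenticate each other, each with its own chosen protocol.
    Returns (a accepts b, b accepts a); the link is usable only if both are True."""
    return authenticate_one_way(a, b, proto_a), authenticate_one_way(b, a, proto_b)
```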
Interoperability Between the Router and Other Equipment The router uses industry-wide standards to ensure compatibility with routers and equipment from other vendors. To interoperate, the router supports standard protocols on the physical level, data link level for frame type or encapsulation method, and network level. For two systems to communicate directly, they must use the same protocol at each level. Most protocols do not support negotiable options, except for PPP.
• RFC 1877 Automatic IP / DNS
• RFC 1962 PPP Compression Control Protocol (CCP)
• RFC 1969 DES
• RFC 1973 PPP in Frame Relay
• RFC 1974 Stac LZS compression protocol
• RFC 1990 Multi-Link Protocol (MLP)
• RFC 1994 User Authentication PAP / CHAP
• RFC 2104
• RFC 2131 Dynamic Host Configuration Protocol (DHCP)
• RFC 2132 DHCP Client
• RFC 2364 PPP over ATM
• RFC 2419 DES v2
• RFC 2401 Sec
• RFC 2402, RFC 2403, RFC 2404, RFC 2405, RFC 2406, RFC 2407, RFC 2408, RFC 2409, RFC 2410, RFC 2412, RFC 2451
0x0021  IP
0x002d  Van Jacobson compressed TCP/IP
0x002f  Van Jacobson uncompressed TCP/IP
0x8031  Bridge NCP
0x0031  Bridge Frame
The command for this encapsulation option is: remote setProtocol PPP (see page 284).
Note: With PPP over ATM, the address and control fields (i.e., FF03) are never present; this is also the case for LCP packets.
MAC Encapsulated Routing: RFC 1483MER (ATM) or RFC 1490MER (Frame Relay) MER encapsulation allows IP packets to be carried as bridged frames, but does not prevent bridged frames from being sent as well, in their normal encapsulation format: RFC 1483 (ATM) or RFC 1490 (Frame Relay). If IP routing is enabled, then IP packets are prepended with the sequence 0xAAAA0300 0x80c20007 0x0000 and sent as bridged frames. If IP routing is not enabled, then the packets appear as bridged frames.
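As an added example (not from the manual), the following Python builds the bridged-frame form of an IP packet from the prefix quoted above and recognises it on receipt. It assumes the standard RFC 1483 bridged-Ethernet layout follows the prefix (destination MAC, source MAC, EtherType); the MAC addresses and the IPv4 packet are constructed sample data.

```python
# Added example, not from the SpeedStream manual: build and recognise the
# MAC Encapsulated Routing (MER) bridged-frame format the section describes.
# The 10-byte prefix 0xAAAA0300 0x80C20007 0x0000 is quoted from the page; that
# a 14-byte Ethernet header (dst MAC, src MAC, EtherType) follows it is the
# RFC 1483 bridged-Ethernet layout and is assumed here.  MAC addresses and the
# IPv4 packet used below are constructed sample data.
import struct

MER_PREFIX = bytes.fromhex("AAAA0300" "80C20007" "0000")   # LLC/SNAP, PID 0x0007, 2-byte pad
ETHERTYPE_IPV4 = 0x0800


def mer_encapsulate(ip_packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Wrap a routed IP packet as a bridged frame, as the router does when IP
    routing is enabled on an RFC 1483MER / RFC 1490MER remote."""
    if len(src_mac) != 6 or len(dst_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return MER_PREFIX + dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def classify_frame(frame: bytes) -> dict:
    """Decide what a frame received on a MER link carries.

    'kind' is 'mer-ip' (bridged format carrying IPv4, inner addresses extracted
    so a filter can look at the routed packet rather than the outer frame),
    'bridged' (bridged format carrying something else) or 'other'."""
    if not frame.startswith(MER_PREFIX):
        return {"kind": "other"}          # not bridged format at all
    eth = frame[len(MER_PREFIX):]
    if len(eth) < 14:
        return {"kind": "other"}          # too short to hold an Ethernet header
    src_mac = eth[6:12]
    ethertype = struct.unpack("!H", eth[12:14])[0]
    payload = eth[14:]
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20 or payload[0] >> 4 != 4:
        return {"kind": "bridged", "ethertype": ethertype}
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl:
        return {"kind": "bridged", "ethertype": ethertype}   # malformed IPv4 header
    return {
        "kind": "mer-ip",
        "src_ip": ".".join(str(b) for b in payload[12:16]),
        "dst_ip": ".".join(str(b) for b in payload[16:20]),
        "src_mac": src_mac.hex(":"),
    }


def sample_ipv4_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left zero) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    return header + payload
```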
Router System and Configuration Files
The system software and configuration information for the router are contained in files in its DOS-compatible file system. It is wise to keep a backup copy of these files. For more information on the backup and restoration of configuration files, see page 162. Any file contained within the system may be retrieved or replaced using the TFTP protocol. Specifically, configuration files and the operating system upgrades can be updated.
software keys are tied to one and only one router. For more information on software option keys, see page 114.
Chapter 2. Planning for Router Configuration
This chapter describes the basic information you need before you can begin configuring your router. The basic configuration tasks can be performed using the Command Line Interface described in this manual or the graphic interface described in the Quick Start Guide that came with your router. The basic information you need is the same in either case.
The commands that define information for a remote router entry start with the word remote and end with the name of the remote entry. Most of these commands are described in the section REMOTE Commands, on page 256. Managing the Remote Entries You can control the use of a remote entry in the remote router database by enabling or disabling its use. To enable a remote, use the remote enable command (page 266). To disable a remote, use the remote disable command (page 265).
To configure a Dual-Ethernet Router, select one of these two configurations:
Configuring the Dual-Ethernet Router as a Bridge, on page 45
Configuring the Dual-Ethernet Router for IP Routing, on page 46
PPP Link Protocol (over ATM or Frame Relay) The PPP Link Protocol is an encapsulation method that can be used over ATM (for ATM routers) or over Frame Relay (for Frame-Relay routers). For PPP over Ethernet (PPPoE), see page 97. PPP over ATM and PPP over Frame Relay use different connection identifiers: ¥ VPI/VCI numbers are used for ATM. ¥ A DLCI number is used for Frame Relay.
DNS Internet Account Information (optional)
The Domain Name Service (DNS) maps host names to IP addresses. DNS is performed by Domain Name Servers. The router can get DNS information automatically. Or, you can choose to configure DNS manually.
IPX Routing Network Protocol
System Names and Authentication Passwords
For the Target Router: You define the system name and authentication password for the target router. A system name and authentication password are required because they are used by a remote router to authenticate the target router.
For the Remote Site(s): The Network Service Provider defined the system names and authentication passwords for the remote routers.
Internal Network Number It is a logical network number that identifies an individual Novell server. It is needed to specify a route to the services (i.e., file services, print services) that Novell offers. It must be a unique number. External Network (a.k.a. IPX Network Number) It refers to a physical LAN/wire network segment to which servers, routers, and PCs are connected (Ethernet cable-to-router segment). It must be a unique number.
Bridging Network Protocol
System Names and Authentication Passwords
For the Target Router: You define the system name and authentication password for the target router. A system name and authentication password are required because they are used by a remote router to authenticate the target router.
For the Remote Site(s): This information is obtained from the Network Service Provider. For each remote site, you must have the site name and its authentication password.
RFC 1483/RFC 1490 Link Protocols The Link Protocol RFC 1483 is a multiprotocol encapsulation method over ATM and is used by ATM routers. RFC 1490 is a multiprotocol encapsulation method over Frame-Relay and is used by Frame-Relay routers. RFC 1483 and RFC 1490 combined with the IP, IPX, or Bridging Network Protocols share the same configuration characteristics, except for the connection identifiers: VPI/VCI numbers are used for RFC 1483 and a DLCI number is used for RFC 1490.
TCP/IP Ethernet Routes You normally do not need to define an Ethernet IP route. An Ethernet IP route consists of an IP address, a mask, a metric, and a gateway. An Ethernet route is usually defined when there are multiple routers on the Ethernet that cannot exchange routing information. For the WAN Interface This information is obtained from the Network Administrator.
Internal Network Number This is a logical network number that identifies an individual Novell server. It is needed to specify a route to the services (i.e., file services, print services) that Novell offers. It must be a unique number. External Network (a.k.a. IPX Network Number) This number refers to a physical LAN/wire network segment to which servers, routers, and PCs are connected (Ethernet cable-to-router segment). It must be a unique number.
DNS Internet Account Information (optional)
This information is obtained from the Network Service Provider. Consult with your Network Service Provider to find out if you need to enter the following information:
• DNS server address
• DNS second server address
• DNS domain name
MAC Encapsulated Routing
MAC Encapsulated Routing (MER) allows IP packets to be carried as bridged frames (bridged format).
• DNS server address
• DNS second server address
• DNS domain name
Note: If you intend to only connect to the Internet, enter this information using the Internet Quick Start configurator.
IP Routing Entries
For the Ethernet Interface: This information is defined by the user or the Network Administrator.
Ethernet IP Address (Local LAN): An Ethernet LAN IP address and subnet mask are required for the router's local Ethernet LAN connection.
FRF8 Link Protocol
The FRF8 Link Protocol is an encapsulation method that allows an ATM router to interoperate with a Frame-Relay network. FRF8 is only used in conjunction with the IP Network Protocol. Obtain the information described below. This data will be used later to configure your router using the Command Line Interface (see Configuration Tables, on page 48).
IP Routing Network Protocol
VPI and VCI Numbers
Your router may have been preconfigured with VPI/VCI numbers.
For the ATM WAN Interface: This information is obtained from the Network Administrator or the Network Service Provider.
Source (Target/Local) WAN Port Address and Mask: You must specify a Source WAN IP address for the WAN connection to the remote router (whether or not Network Address Translation is enabled). The Source WAN address is the address of the local router on the remote network. The mask is the mask used on the remote network. Check with your system administrator for details.
Configuring the Dual-Ethernet Router for IP Routing The eth commands are used to configure the Dual-Ethernet router for IP routing. Refer to the section DualEthernet Router (ETH) Commands, on page 296, for usage and syntax information. The last argument of each ETH command determines which interface is being configured (0 for ETH/0, 1 for ETH/1). Each interface (ETH/0 and ETH/1) must be set. A minimum of one route must be defined to have a working configuration.
Chapter 3. Configuring Router Software
This chapter covers configuration tables and verifying the router configuration. It also provides sample configurations. Configuration commands are outlined for each Link Protocol/Network Protocol supported by the router. The information needed to configure the router is contingent on the chosen Link Protocol.
Configuration Tables
The following tables give you step-by-step instructions for standard configurations of the following Network Protocol/Link Protocol associations, as well as a configuration table for a Dual-Ethernet Router:
• PPP Link Protocol with IP Routing Network Protocol
• PPP Link Protocol with IPX Routing Network Protocol
• PPP Link Protocol with Bridging Network Protocol
• RFC 1483/RFC 1490 Link Protocols with IP Routing Network Protocol
• RFC 1483/RFC 1490 Link Protocols with IPX Routing
Configuring PPP with IP Routing This table outlines configuration commands for the PPP Link Protocol with the IP Routing Network Protocol.
Configuring PPP with IPX Routing This table outlines configuration commands for the PPP Link Protocol with the IPX Routing Network Protocol. Note: Appendix B provides step-by-step information on how to configure IPX routing.
Configuring PPP with Bridging This table outlines configuration commands for the PPP Link Protocol with the Bridging Network Protocol.
Configuring RFC 1483 / RFC 1490 with IP Routing This table outlines configuration commands for the RFC 1483 and the RFC 1490 Link Protocols with the IP Routing Network Protocol.
Configuring RFC 1483 / RFC 1490 with IPX Routing This table outlines configuration commands for the RFC 1483 and RFC 1490 Link Protocols with the IPX Routing Network Protocol. Note: Appendix B provides step-by-step information on how to configure IPX routing.
Configuring RFC 1483 / RFC 1490 with Bridging This table outlines configuration commands for the RFC 1483 and RFC 1490 Link Protocols with the Bridging Network Protocol.
Configuring MAC Encapsulated Routing: RFC 1483MER / RFC 1490MER with IP Routing This table outlines configuration commands for the RFC 1483MER and RFC 1490MER Link Protocols with the IP Routing Network Protocol.
Configuring FRF8 with IP Routing This table outlines configuration commands for the FRF8 Link Protocol with the IP Routing Network Protocol.
Configuring Mixed Network Protocols
Several network protocols can be configured concurrently in the same router. The possible combinations are:
• Bridging + IP routing
• Bridging + IPX routing
• Bridging + IP routing + IPX routing
• IP routing + IPX routing
General configuration rules:
• IP (and IPX) routing takes precedence over bridging.
• Each network protocol in the combination is individually configured as described in the preceding tables.
Configuring a Dual-Ethernet Router for IP Routing This table outlines commands used to configure a Dual-Ethernet router for IP routing.
Verify the Router Configuration
Test IP Routing
Test IP Routing over the Local Ethernet LAN (from PC)
• Use the TCP/IP ping command or a similar method to contact the configured target router specifying the Ethernet LAN IP address.
• If you cannot contact the router, verify that the Ethernet IP address and subnet mask are correct and check the cable connections.
• Make sure that you have saved and rebooted after setting the IP address.
• Check Network TCP/IP properties under Windows 95.
Test IPX Routing One way to test IPX routing is to check for access to servers on the remote LAN. Under Windows, use the NetWare Connections selection provided with NetWare User Tools. Under DOS, use the command pconsole or type login on the login drive (usually F:). Select the printer server and verify that the server you have defined is listed. When you attempt to access the server, the router will connect to the remote router using the DSL line.
Sample Configurations
Sample Configuration 1: PPP with IP and IPX
This configuration example comprises:
• A scenario describing the configuration
• A diagram showing the configuration of the SOHO router
• Tables containing the configuration settings for this example
• Several list command outputs that are used to check the information entered for this particular configuration
• Information about the names and passwords that are used in this configuration example (required for PPP)
Note: Appendix A
Sample Configuration 1: Diagram for Target Router (SOHO)
(Diagram not reproduced; the values it shows, in the order they appear:)
Small Home Office SOHO (Target/Local Router): IPX = 456; IP 192.168.254.254, mask 255.255.255.0
Workstation/Server: 192.168.254.3, mask 255.255.255.0
PC/Client: 192.168.254.2, mask 255.255.255.0
2 Virtual Circuits over the DSL / ATM Network: 0,39 (HQ) and 0,38 (ISP)
PPP/IP: 192.168.200.20; IPX WAN = 789
Remote Router HQ; route 0.0.0.0 255.255.255.255
ISP; IP 172.16.0.1, mask 255.255.255.0
PPP/IP and IPX; IPX NET = 123
Network Service Provider (ISP), DNS: 192.168.200.
Sample Configuration 1: Tables for Target Router (SOHO)
SOHO System Settings
Configuration Section / Item / Commands
System Settings / System Name / system name SOHO
System Settings / Message (optional) / system msg Configured_Dec_1998
Authentication Password / Authentication Password / system password SOHOpasswd
Ethernet IP Address / Ethernet IP Address and Subnet Mask (default IP address) / eth ip addr 192.168.254.254 255.255.255.
SOHO Remote Router Database Entry: HQ
Configuration Section / Item / Commands
Remote Routers (New Entry) / Remote Router's Name / remote add HQ
Link Protocol / Link Protocol / remote setProtocol PPP HQ
PVC / VPI Number/VCI Number / remote setPVC 0*39 HQ
Security / Minimum Authentication (PAP is the default) / remote setauthen PAP HQ
Security / Remote Router's Password / remote setpasswd HQpasswd HQ
Bridging / Bridging on/off (Bridging is off by default) / remote disbridge HQ
TCP/IP Route Addresses / Remote Network's IP Addresses
SOHO Remote Router Database Entry: ISP
Configuration Section / Item / Commands
Remote Routers (New Entry) / Remote Router's Name / remote add ISP
Link Protocol / Link Protocol / remote setProtocol PPP ISP
PVC / VPI Number/VCI Number
Security / Minimum Authentication (PAP is the default)
Security / Remote Router's Password
Bridging / Bridging on/off (Bridging is off by default)
TCP/IP Route Addresses / Remote Network's IP Addresses, Subnet Masks, and Metric
Network Address Translation / In Advanced: Source WAN IP Address and Subnet Mask (a)
Sample Configuration 1: Check the Configuration with the LIST Commands
Type the following commands to obtain a list of your configuration.
system list
GENERAL INFORMATION FOR
System started on....................
Authentication override..............
WAN to WAN Forwarding................
BOOTP/DHCP Server address............
Telnet Port..........................
SNMP Port............................
IPX network number................... 00000000
Total IPX remote routes.............. 0
Total IPX SAPs....................... 0
Bridging enabled..................... no
Exchange spanning tree with dest..... yes
dhcp list
bootp server ................. none
bootp file ................... n/a
DOMAINNAMESERVER (6) ......... 192.168.200.1
DOMAINNAME (15) .............. myISP.com
WINSSERVER (44) .............. 172.16.0.2
Subnet 192.168.254.0, disabled - other DHCP servers detected
When DHCP servers are active .
Information About Names and Passwords for Sample Configuration 1
In this configuration example, the PPP Link Protocol requires using system names and passwords.
System Passwords
SOHO has a system password "SOHOpasswd," which is used when SOHO communicates with HQ for authentication by that site and at any time when HQ challenges SOHO. HQ has a system password "HQpasswd," which is, likewise, used when HQ communicates with site SOHO for authentication by SOHO and at any time SOHO challenges HQ.
Sample Configuration 2: RFC 1483 with IP and Bridging
This configuration example comprises:
• A scenario describing this configuration of the router SOHO
• A diagram showing the configuration information needed for this example
• Tables containing the configuration settings for this example
• Several list command outputs that are used to check the information entered for this particular configuration
Note 1: Names and passwords are not required with the RFC 1483 Link Protocol.
Sample Configuration 2: Diagram for Target Router SOHO
(Diagram not reproduced; the values it shows, in the order they appear:)
Small Home Office SOHO (Target Router): IP 192.168.254.254, mask 255.255.255.0
Workstation/Server: 192.168.254.3, mask 255.255.255.0
PC/Client: 192.168.254.2, mask 255.255.255.0
2 Virtual Circuits over the DSL / ATM Network: 0,39 (HQ) and 0,38 (ISP)
RFC 1483 / IP: 192.168.200.20
Remote Router HQ; route 0.0.0.0 255.255.255.255; IP 172.16.0.1, mask 255.255.255.0
ISP: RFC 1483 / IP + Bridging
Network Service Provider (ISP), DNS: 192.168.200.1, DNS Domain: myISP.
Sample Configuration 2: Tables for Target Router (SOHO)
SOHO System Settings
Configuration Section / Item / Commands
System Settings / Message (optional) / system msg RFC1483_dec98
Ethernet IP Address / Ethernet IP Address and Subnet Mask (default IP address) / eth ip addr 192.168.254.254 255.255.255.0
DHCP Settings / DNS Domain Name / dhcp set valueoption domainname myISP.com
DHCP Settings / DNS Server / dhcp set valueoption domainnameserver 192.168.200.1
DHCP Settings / WINS Server address / dhcp set valueoption winsserver 172.16.0.
SOHO Remote Router Database Entry: ISP
Configuration Section / Item / Commands
Remote Routers (New Entry) / Remote Router's Name / remote add ISP
Link Protocol / Link Protocol / remote setProtocol RFC1483 ISP
PVC / VPI Number/VCI Number / remote setPVC 0*38 ISP
Bridging / Bridging On/Off (Bridging is Off by default) / remote disbridge ISP
TCP/IP Route Addresses / Remote Network's IP Addresses, Subnet Masks, and Metric / remote addiproute 0.0.0.0 255.255.255.
Sample Configuration 2: Check the Configuration with the LIST Commands
system list
GENERAL INFORMATION FOR
System message: ADSL RFC1483 sample
System started on.................... 12/1/1998 at 17:48
Authentication override.............. NONE
WAN to WAN Forwarding................ yes
BOOTP/DHCP Server address............ none
Telnet Port.......................... default (23)
SNMP Port............................ default (161)
eth list
ETHERNET INFORMATION FOR
Hardware MAC address.
Compression Negotiation.............. off
Source IP address/subnet mask........ 192.168.200.20/255.255.255.255
Remote IP address/subnet mask........ 0.0.0.0/0.0.0.0
Send IP RIP to this dest............. no
Send IP default route if known....... no
Receive IP RIP from this dest........ no
Receive IP default route by RIP...... no
Keep this IP destination private..... yes
Total IP remote routes............... 1
  0.0.0.0/255.255.255.255/1
IPX network number................... 00000000
Total IPX remote routes.....
Sample Configuration 3: Configuring a Dual-Ethernet Router for IP Routing
Scenario: The following example provides a simple sample configuration for a Dual-Ethernet router (eth_router) with IP routing enabled. The router's hub (ETH/0) belongs to the 192.168.254.0 subnet. The router's ETH/1 belongs to the 192.168.253.0 subnet. ETH/0 will route packets to ETH/1 at the address 192.168.253.254. DHCP is enabled for both subnets.
Chapter 4. Configuring Special Features
The features described in this chapter are advanced topics. They are primarily intended for experienced users and network administrators to perform network management and more complex configurations.
Multiple IP Subnets You may configure the router to provide access to multiple IP subnets on the Ethernet network. (This feature does not apply to IPX or bridged traffic.) Each IP subnet is referenced as a logical (or virtual) Ethernet interface. You may define multiple logical interfaces for each physical Ethernet interface (that is, port) in the router. Each logical interface is referenced by its port number and logical interface number (port #:logical#).
Virtual Routing Tables The virtual routing feature allows you to define multiple routing tables. This is also known as IP virtual router support. To define a new routing table, you must specify a name for the routing table and a range of IP source addresses that use that table. The router determines which routing table to use based on the source address in the packet. For example, if the router receives a packet whose source address is 192.168.254.
Bridge Filtering and IP Firewall
You can control the flow of packets across the router using bridge filtering. Bridge filtering lets you "deny" or "allow" packets to cross the network based on position and hexadecimal content within the packet. This enables you to restrict or forward messages with a specified address, protocol, or data content. Common uses are to prevent access to remote networks, control unauthorized access to the local network, and limit unnecessary traffic.
Enable/Disable Internet Firewall Filtering
The router supports IP Internet Firewall Filtering to prevent unauthorized access to your system and network resources from the Internet. This filter discards packets received from the WAN that have a source IP address recognized as a local LAN address.
Caution: This is a simple firewall check; it does not add much security. For more elaborate firewall features, see IP Filtering, page 119.
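The check described above, as an added Python example that is not the router's own code: WAN-side packets whose source address falls in a local LAN subnet are discarded, everything else passes, and nothing beyond that is checked. The Packet record and the subnets (taken from the sample configurations' Ethernet addresses) are constructed for the demonstration.

```python
# Added example, not from the SpeedStream manual: the Internet Firewall
# Filtering check in code.  A packet arriving from the WAN whose source
# address belongs to a local LAN subnet is discarded; everything else passes
# this check, which is why the manual calls it a simple one.  The LAN subnets
# are the Ethernet IP subnets of Sample Configurations 1 and 3; the Packet
# record and the packets fed in are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str        # "wan" or "lan": where the router received the packet
    src: str          # source IP address as text
    dst: str          # destination IP address as text


class InternetFirewallFilter:
    def __init__(self, lan_subnets, enabled=True):
        # One entry per logical Ethernet interface, given as the interface's
        # own address/mask (strict=False turns 192.168.254.254/24 into the subnet).
        self.lan_subnets = [ipaddress.ip_network(s, strict=False) for s in lan_subnets]
        self.enabled = enabled
        self.dropped = []     # packets discarded, kept for troubleshooting output

    def is_local_source(self, src: str) -> bool:
        """True if src is an address the router recognises as a local LAN address."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.lan_subnets)

    def accept(self, pkt: Packet) -> bool:
        """Return True if the packet passes the filter, False if it is discarded."""
        if not self.enabled or pkt.iface != "wan":
            return True       # the check applies only to packets received from the WAN
        if self.is_local_source(pkt.src):
            self.dropped.append(pkt)
            return False      # a LAN source address cannot legitimately arrive from the WAN
        return True

    def run(self, packets):
        """Apply the filter to a sequence of packets; returns (packet, accepted) pairs."""
        return [(pkt, self.accept(pkt)) for pkt in packets]
```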
IP (RIP) Protocol Controls
You can configure the router to send RIP packet information to the remote router and to receive it from the remote router. This means that the local site will "learn" all about the routes beyond the remote router and the remote router will "learn" all about the local site's routes. You may not want this to occur in some cases. For example, if you are connecting to a site outside your company, such as the Internet, you may want to keep knowledge about your local site's routes private.
DHCP (Dynamic Host Configuration Protocol)
The router supports DHCP and can act as the DHCP server. (The router's DHCP server disables itself if it locates other active DHCP servers on the network or if a DHCP server on the WAN has been explicitly specified.) This section describes how to configure DHCP using the Command Line Interface. Configuring DHCP can be a complex process; this section is therefore intended for network managers.
DHCP Administration and Configuration
The DHCP administration and configuration process is divided into the following parts:
• Manipulating subnetworks and explicit client leases
• Setting option values
• Managing BootP
• Defining option types
• Configuring BootP/DHCP relays
• Other information
Note: To save the DHCP configuration or changes to flash memory in the router, remember to use the command dhcp save.
dhcp add
To remove a subnetwork, use:
dhcp del
Note: All client leases associated with this subnetwork are automatically deleted.
Example 1: The following command creates a subnetwork 192.168.254.0 with a subnet mask of 255.255.255.0:
dhcp add 192.168.254.0 255.255.255.0
Example 2: The following command deletes the subnetwork 192.168.254.0 and deletes all client leases associated with that subnetwork:
dhcp del 192.168.254.
Caution: If is a subnet, you will delete the entire subnet.
Setting the Lease Time
• Concepts
The information given by the DHCP server (router) to your PC is leased for a specific amount of time. The client lease has already been selected. The DHCP server will select the lease time based on the option defined for the client lease as described by this algorithm:
• 1.
Warning: The client will not be aware that the administrator has changed or released a client lease!
To change the client lease expiration time to a given value:
dhcp set expire
Setting the expiration time to "default" will cause the server to compute the lease time using the algorithm as described in Setting the Lease Time, page 85.
To clear the value for a global option, use:
dhcp clear valueoption
Example: To set the global value for the domain name server option, enter:
dhcp set valueoption domainnameserver 192.168.254.2 192.168.254.3
Commands for Specific Option Values for a Subnetwork
To set the value for an option associated with a subnetwork, use:
dhcp set valueoption ...
Note: By default, the DHCP server does not satisfy BootP requests unless the administrator has explicitly enabled BootP (at the subnetwork or lease level). About BootP and DHCP BootP and DHCP provide services that are very similar. However, as an older service, BootP offers only a subset of the services provided by DHCP. The main difference between BootP and DHCP is that the client lease expiration for a BootP client is always infinite.
Example 6: To clear the subnet 192.168.254.0 server IP address and file name:
dhcp bootp tftpserver 192.168.254.0 0.0.0.0
Configuring BootP/DHCP Relays
BootP/DHCP relays are used by system administrators when the DHCP configuration parameters are acquired from a BootP/DHCP server other than the router's DHCP server. This feature allows configuration information to be centrally controlled.
Example: To define a new option with a code of 128, a minimum number of IP addresses of 1, a maximum number of IP addresses of 4, of type "IP address", type:
dhcp add 128 1 4 ipAddress
This information implies that:
• Some DHCP client will know about the option with code 128.
• Option 128 allows IP addresses.
• The server can have a minimum of 1 IP address.
• The server can have up to 4 IP addresses.
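What an option-type definition like "dhcp add 128 1 4 ipAddress" buys the server is a bound on the values it will later accept and encode. The following added Python example (not the router's implementation) keeps such definitions in a registry, refuses value lists outside the min/max count, and encodes an option in the standard DHCP wire layout of one code byte, one length byte and the value (RFC 2132). The registry mapping and the sample values are constructed; option 6 is the standard domain-name-server code, used here for the global DNS example from the previous section.

```python
"""Option-type registry and DHCP option encoding.  Added example, not the
router's own DHCP server; the registry layout is constructed, the wire format
is the standard code/length/value layout of RFC 2132."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class OptionType:
    code: int
    min_count: int
    max_count: int
    kind: str            # "ipAddress" or "string" in this example


class OptionRegistry:
    def __init__(self) -> None:
        self.types: Dict[int, OptionType] = {}

    def add(self, code: int, min_count: int, max_count: int, kind: str) -> None:
        """Mirror of 'dhcp add <code> <min> <max> <type>' (constructed mapping)."""
        if not 1 <= code <= 254:
            raise ValueError("option code must be 1..254 (0 is pad, 255 is end)")
        if min_count < 0 or max_count < min_count:
            raise ValueError("bad min/max count")
        self.types[code] = OptionType(code, min_count, max_count, kind)

    def count_ok(self, code: int, n: int) -> bool:
        t = self.types[code]
        return t.min_count <= n <= t.max_count

    def encode(self, code: int, values: List[str]) -> bytes:
        """Encode one option as code, length, value bytes."""
        t = self.types[code]
        if not self.count_ok(code, len(values)):
            raise ValueError(f"option {code} takes {t.min_count}..{t.max_count} values, got {len(values)}")
        if t.kind == "ipAddress":
            body = b"".join(ipaddress.IPv4Address(v).packed for v in values)
        elif t.kind == "string":
            body = " ".join(values).encode("ascii")
        else:
            raise ValueError(f"unsupported option type {t.kind}")
        if len(body) > 255:
            raise ValueError("option body does not fit the one-byte length field")
        return bytes([t.code, len(body)]) + body


def decode_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a sequence of encoded options; 0 is pad, 255 ends the list.
    A length byte that runs past the buffer is rejected rather than read short."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option code without length byte")
        length = blob[i + 1]
        if i + 2 + length > len(blob):
            raise ValueError(f"option {code} length {length} exceeds buffer")
        out.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def demo_registry() -> OptionRegistry:
    reg = OptionRegistry()
    reg.add(128, 1, 4, "ipAddress")   # the example from the text
    reg.add(6, 1, 8, "ipAddress")     # domain name server; max of 8 is constructed
    return reg


if __name__ == "__main__":
    reg = demo_registry()
    print(reg.encode(6, ["192.168.254.2", "192.168.254.3"]).hex())
    print(reg.encode(128, ["10.0.0.1"]).hex())
```

The length check in decode_options is the part worth copying: a client or relay that trusts the length byte without comparing it to the buffer reads past the option list.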
Network Address Translation (NAT)
The router supports both of the following NAT techniques:
Classic NAT: One NAT IP address is assigned to one PC IP address.
Masquerading: One NAT IP address is assigned to many PC IP addresses.
General NAT Rules
• IP routing must be enabled (see eth ip enable, page 237).
• NAT can be run on a per-remote-router and per-Ethernet-interface basis.
• Any number of PCs on the LAN may be going to the same or different remote routers at the same time.
To enable NAT for an Ethernet interface, use the commands:
eth ip translate on
save
The save command makes the above changes persistent across reboots; these changes turn NAT on when the specified interface is used.
• Obtain an IP Address for NAT
The IP address (the IP address "known" by the remote ISP) used for this type of NAT can be assigned in two ways.
The ISP dynamically assigns the IP address. Use the commands:
remote setSrcIpAddr 0.0.0.0 0.0.0.
Remember to type save to make the changes persistent across reboots.
Example 1: Assume that the local LAN network is 192.168.1.0 255.255.255.0. The following commands enable a Telnet server on the local LAN with the IP address 192.168.1.3, and an FTP server with the IP address 192.168.1.2.
remote addServer 192.168.1.3 tcp telnet router1
remote addServer 192.168.1.
Not enough memory was available to create an entry. This condition should not ordinarily occur because the amount of memory needed for a server entry is less than 30 bytes. Should this problem occur, it may cause many related problems or failures.
• System Commands
The following two commands are used to globally enable/disable a local IP address (on your LAN) as the server for that particular protocol and/or port.
Classic NAT
With classic NAT, one PC IP address is translated to one NAT IP address. This NAT technique is primarily used to make certain hosts on a private LAN globally visible and give them the ability to remap these IP addresses as well.
Client Configuration
Classic NAT requires that you first enable NAT Masquerading (as described in the previous section); thus, for the Classic and Masquerading forms of NAT, the clients are configured in the same way. Refer to the Client Configuration section, page 91.
• Multiple-Host Remapping Entries
Users may enter as many host remapping entries as they wish. Example:
remote addHostMapping 192.168.207.40 192.168.207.49 10.0.20.11 remote1
remote addHostMapping 192.168.207.93 192.168.207.99 10.0.20.4 remote1
remote addHostMapping 192.168.209.71 192.168.209.80 10.12.14.16 remote1
The above entries create three mappings:
192.168.207.40 through 192.168.207.49 are mapped to 10.0.20.11 through 10.0.20.20
192.168.207.93 through 192.168.207.99 are mapped to 10.0.20.
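The three entries above each map a contiguous public range onto a contiguous private range by offset. The added Python example below (not router code) expands such entries into the one-to-one table the router must hold, and adds the check a range-based configuration needs and the text does not mention: two entries must not claim the same public address or the same private host, otherwise one of the "globally visible" hosts silently receives another's traffic. The three entries are the ones from the text; the overlapping entry used to exercise the check is constructed.

```python
"""Expand 'remote addHostMapping <first> <last> <private-start> <remote>'
entries into a translation table and reject overlaps.  Added example, not
the router's NAT code."""
import ipaddress
from typing import Dict, List, Tuple

# (first public address, last public address, first private address)
Entry = Tuple[str, str, str]


def expand_mapping(first: str, last: str, private_start: str) -> Dict[str, str]:
    """Public address first+k maps to private_start+k, for k in 0..(last-first)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("last address precedes first address")
    base = int(ipaddress.IPv4Address(private_start))
    return {
        str(ipaddress.IPv4Address(lo + k)): str(ipaddress.IPv4Address(base + k))
        for k in range(hi - lo + 1)
    }


def build_table(entries: List[Entry]) -> Dict[str, str]:
    """Merge all entries; refuse a public or private address mapped twice."""
    public_to_private: Dict[str, str] = {}
    private_to_public: Dict[str, str] = {}
    for first, last, pstart in entries:
        for pub, priv in expand_mapping(first, last, pstart).items():
            if pub in public_to_private:
                raise ValueError(f"public address {pub} is mapped twice")
            if priv in private_to_public:
                raise ValueError(f"private address {priv} is mapped twice")
            public_to_private[pub] = priv
            private_to_public[priv] = pub
    return public_to_private


def has_overlap(entries: List[Entry]) -> bool:
    try:
        build_table(entries)
        return False
    except ValueError:
        return True


# The three host-mapping entries shown in the text.
PAGE_ENTRIES: List[Entry] = [
    ("192.168.207.40", "192.168.207.49", "10.0.20.11"),
    ("192.168.207.93", "192.168.207.99", "10.0.20.4"),
    ("192.168.209.71", "192.168.209.80", "10.12.14.16"),
]

if __name__ == "__main__":
    for pub, priv in sorted(build_table(PAGE_ENTRIES).items()):
        print(pub, "->", priv)
```

Every private host that appears in this table is reachable from the Internet at its public address, so each one should also be covered by the IP filters described later in this chapter rather than relying on the address translation alone.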
PPPoE (PPP over Ethernet)
PPPoE is a method of delivering PPP sessions over an Ethernet LAN connected to a DSL line, as defined in the document RFC2516. It was designed to maintain the established PPP interface for the end user and the service provider, while improving service through use of a DSL line.
• PPPoE allows the user to connect to a service provider using the same PPP interface as for a dialup connection, but the connection is through a DSL line, which provides greater speed and bandwidth.
remote setBrOptions stp off
In addition, if the remote entry should be used only for PPPoE traffic, define it as "PPPoE only" using this command:
remote setBrOptions pppoeOnly on
For a Dual-Ethernet router, an Ethernet interface can be designated as "PPPoE only" using this command:
eth br options pppoeOnly on
PPPoE Client
PPPoE configuration requires creation of a new remote router entry to serve as the PPPoE client.
To set up a timeout, set the minline value to 0 and specify the timeout period in seconds, as follows:
remote setminline 0
remote settimer
Sample PPPoE Configuration Script
The following script is an example showing commands for a PPPoE configuration. The script assumes the following:
• The VPI/VCI for the connection is 0/35.
• The domain name for the service is DialUpPPP.net.
• The CHAP user name is JaneDoe and the CHAP password is Secret.
remote setourpasswd Secret PPPoEuser
#
# Define an IP route for the remote.
remote addiproute 0.0.0.0 0.0.0.0 1 PPPoEuser
#
# Turn on Network Address Translation for the remote.
remote setiptranslate on PPPoEuser
#
# Permanently allocate a channel for the connection.
remote setminline 1 PPPoEuser
# To have PPPoE sessions timeout after 10 min. (600 sec.
Controlling Remote Management With the following security control features, the user can control remote management of the router via Telnet, HTTP, Syslog, and/or SNMP. Disabling SNMP stops the Configuration Manager from accessing the router, which in some environments is desirable. Router system event messages can be automatically sent to a Unix Syslog server. The system syslogport and system addsyslogfilter commands control the port number and valid IP addresses.
system addsnmpfilter 192.168.1.5 192.168.1.
Dial Backup The Dial Backup capability provides a backup V.90 connection to the Internet when the default DSL link goes down. The V.90 connection is provided through the console port. In this case, the console port is used as a serial port and must be connected to an external V.90 modem. Dial Backup is intended for customers with critical applications for which continuous Internet access is vital. If the DSL link for those applications goes down, the router can automatically switch their traffic to the V.
• Minimum retry period before DSL link restoration is attempted
• Specify the modem parameters.
• Specify the ISP phone number and other dialup parameters.
The router determines your gateway and/or DNS address implicitly via a means such as DHCP, static configuration, PPP negotiation, etc. If you specify more than one address to ping, you may want to assign the addresses to groups. Each group can be assigned its own ping interval, number of samples, and success rate. For example, you might want the success rate for the DNS address to be at least 95%, while a success rate of 50% would be reasonable for a heavily used website.
check whether the DSL link has been restored. This time period between checks is called the retry period (default, 30 minutes). When the retry period expires, the router determines if the DSL link has been restored. To do so, it first determines if the DSL link status signal has been up for the minimum stability period. If it has, then the router stops the data traffic going through the backup V.90 modem, and checks whether the DSL link can be used instead.
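The two decisions described above, whether the DSL link has failed and whether it may be used again, are modelled in the following added Python example (not the router's firmware). Ping groups carry their own success-rate threshold, exactly as the text suggests for a DNS address versus a busy website; restoration requires the retry period to have elapsed and the DSL status signal to have been up for the stability period before the pings are consulted again. Two details are assumptions of ours because the text does not state them: the link counts as failed when any group misses its threshold, and the stability period used here (60 seconds) is a constructed value. Times are in seconds.

```python
"""Dial-backup decision model: ping groups with per-group success-rate
thresholds, plus the retry/stability logic for going back to DSL.  Added
example, not Efficient Networks code; the 'any group fails' rule and the
60-second stability period are assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PingGroup:
    name: str
    min_success_rate: float                 # e.g. 0.95 for the DNS group
    samples: List[bool] = field(default_factory=list)   # True = reply received

    def success_rate(self) -> float:
        return sum(self.samples) / len(self.samples) if self.samples else 0.0

    def healthy(self) -> bool:
        return self.success_rate() >= self.min_success_rate


def link_usable(groups: List[PingGroup]) -> bool:
    # Assumption: every group must meet its own threshold.
    return all(g.healthy() for g in groups)


@dataclass
class BackupController:
    retry_period: int = 30 * 60     # default retry period from the text: 30 minutes
    stability_period: int = 60      # constructed value for the minimum stability period
    on_backup: bool = False
    last_retry: int = 0
    dsl_up_since: int = -1          # -1 means the DSL status signal is down

    def dsl_status(self, now: int, signal_up: bool) -> None:
        """Record how long the DSL status signal has been continuously up."""
        if signal_up:
            if self.dsl_up_since < 0:
                self.dsl_up_since = now
        else:
            self.dsl_up_since = -1

    def step(self, now: int, groups: List[PingGroup]) -> str:
        """Evaluate the ping groups at time `now`; return the link now in use."""
        if not self.on_backup:
            if not link_usable(groups):
                self.on_backup = True        # switch traffic to the V.90 modem
                self.last_retry = now
        elif now - self.last_retry >= self.retry_period:
            self.last_retry = now
            stable = self.dsl_up_since >= 0 and now - self.dsl_up_since >= self.stability_period
            # Only once the signal has been stable are the DSL pings trusted again.
            if stable and link_usable(groups):
                self.on_backup = False
        return "v90" if self.on_backup else "dsl"


if __name__ == "__main__":
    dns = PingGroup("dns", 0.95, [True] * 19 + [False])
    web = PingGroup("web", 0.50, [True, False, True, False])
    ctl = BackupController()
    print("t=0", ctl.step(0, [dns, web]))
    dns.samples = [False] * 20
    print("t=10", ctl.step(10, [dns, web]))
```

A group whose threshold is set too high for the target's real reliability will flip the router onto the modem for a full retry period at a time, so the thresholds deserve to be measured against the targets before they are configured.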
# pause), and finally the 7-digit local number.
remote setphone async 1 9,5554218 backup
# Specifies the bit rate for the preceding phone number.
# The bit rate can be 38400, 57600, 115200, or 230400.
remote setspeed 115200 async 1 backup
# Specifies the alternative phone number to be used and its bit rate.
The following illustration shows two routers connecting a LAN to the Internet. By using VRRP, the backup router can take over as the gateway if the master router fails.
[Figure: Ethernet LAN connected to the Internet through two VRRP routers, Master and Backup.]
Routers using VRRP send out advertisement packets at intervals to let the other VRRP routers on the LAN know that they are still up. The other VRRP routers realize that a router is down when no advertisement packets have been received for the minimum down interval.
For example, assume that the gateway IP address is 192.168.100.254. If the default logical interface (0:0) is to be the VRRP interface, it is assigned the gateway address. Another logical interface (0:1) is defined to be the management interface and is assigned another IP address.
eth ip addr 192.168.100.254 255.255.255.0
eth ip add 0:1
eth ip addr 192.168.254.253 255.255.255.
Adding a VRID Attribute Record
To define a record to contain the attributes for a VRID in a router, use this command:
eth vrrp add []
The port number is needed only if the router is an Ethernet hub router with two ports (port 0 and port 1).
Priority Attribute (0-255, default, 100)
The priority value determines which backup router takes over when a router fails. The original (or master) router must be assigned the highest priority (255).
Note: Our implementation does not validate the IP addresses in the advertisement packet or authenticate using an authentication header.
Preemption Option (default, preempt)
The preemption option determines what the router does when it recovers from a failure, as follows:
• If the router is the master router for the IP address (it has priority 255), it always immediately preempts the backup router and resumes its function in the network. The preemption option cannot change this.
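Since the router neither validates the addresses in an advertisement nor authenticates it, any host on the LAN segment that sends a priority-255 advertisement for the VRID is accepted as master. A compensating control is to watch the segment for advertisements that do not match the VRRP configuration. The following added Python example (not the router's code) parses VRRP version 2 advertisements in the RFC 2338 layout (version/type, VRID, priority, address count, authentication type, advertisement interval, checksum, addresses, 8 bytes of authentication data) and compares each one with the expected routers and priorities. The expected table below uses the management addresses of the sample VRRP configuration later in this chapter; the assumption that advertisements are sourced from those addresses, and the advertisement bytes themselves, are constructed.

```python
"""Passive VRRPv2 advertisement check: parse the RFC 2338 advertisement
layout and flag senders or priorities that the configuration does not allow.
Added example, not router firmware; the sample advertisements are constructed."""
import ipaddress
import struct
from typing import Dict, List, NamedTuple


class Advert(NamedTuple):
    vrid: int
    priority: int
    adver_int: int
    auth_type: int
    addresses: List[str]


def checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, addresses: List[str], adver_int: int = 1) -> bytes:
    """Constructed advertisement: version 2, type 1, no authentication."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addresses), 0, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addresses) + bytes(8)
    msg = head + body
    return msg[:6] + struct.pack("!H", checksum(msg)) + msg[8:]


def parse_advert(msg: bytes) -> Advert:
    if len(msg) < 8:
        raise ValueError("too short")
    ver_type, vrid, prio, count, auth, interval, _csum = struct.unpack("!BBBBBBH", msg[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(msg) < 8 + 4 * count + 8:
        raise ValueError("truncated address list or authentication data")
    if checksum(msg) != 0:          # a correct checksum field makes the sum verify to zero
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return Advert(vrid, prio, interval, auth, addrs)


class VrrpMonitor:
    def __init__(self, expected: Dict[int, Dict[str, int]]) -> None:
        # VRID -> {router source address: configured priority}
        self.expected = expected

    def check(self, src_ip: str, msg: bytes) -> List[str]:
        """Return findings for one advertisement seen from src_ip (empty = as configured)."""
        try:
            adv = parse_advert(msg)
        except ValueError as err:
            return [f"malformed advertisement from {src_ip}: {err}"]
        routers = self.expected.get(adv.vrid)
        if routers is None:
            return [f"advertisement for unknown VRID {adv.vrid} from {src_ip}"]
        if src_ip not in routers:
            return [f"VRID {adv.vrid}: advertisement from unexpected router {src_ip}"]
        if adv.priority != routers[src_ip]:
            return [f"VRID {adv.vrid}: {src_ip} advertised priority {adv.priority}, configured {routers[src_ip]}"]
        return []


if __name__ == "__main__":
    # Constructed: master 192.168.254.253 (priority 255), backup 192.168.254.252 (priority 100)
    mon = VrrpMonitor({1: {"192.168.254.253": 255, "192.168.254.252": 100}})
    adv = build_advert(1, 255, ["192.168.100.254"])
    for sender in ("192.168.254.253", "192.168.254.99", "192.168.254.252"):
        print(sender, mon.check(sender, adv) or "ok")
```

Feeding the check from a capture of protocol 112 traffic to 224.0.0.18 on the LAN turns the note above from an accepted weakness into something that is at least visible when it is exercised.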
Sample VRRP Configuration
The sample configuration shown here is for two routers, one master and one backup. It is assumed that either router can route Internet traffic for the Ethernet LAN containing devices that use a static default gateway address 192.168.100.254.
[Figure: LAN with static gateway 192.168.100.254 and two VRRP routers connected to the Internet. Master router: Mgmt. Addr. 192.168.254.253, Gateway Addr. 192.168.100.254. Backup router: Mgmt. Addr. 192.168.254.252, Gateway Addr. 192.168.100.]
#
# Use the default time interval (1 second) and preemption option (preempt).
#
# Save the changes and then reboot.
save
reboot
Backup Router Configuration File
These are the VRRP configuration commands for the backup router.
# These commands define a logical interface 0:1 to serve as the management interface.
# It is assigned an IP address unique on the LAN, 192.168.254.252.
eth add 0:1
eth ip addr 192.168.254.252 255.255.255.0 0:1
#
# RIP is not needed for either interface so it is turned off.
Chapter 5. Configuring Software Options
The features described in this chapter can be purchased as software option keys. To determine which software options are installed on your router, use the vers command. (If a feature has not been enabled, it is listed with a ~ prefix.
Adding a New Software Option Key A software option key is a 44-character string, unique to a particular router, that enables a single feature. After receiving a software option key, you can enter it using either the web GUI or the Command Line Interface. When using the web GUI, you select the Upgrade Features button and enter the key. When using the Command Line Interface, you enter the key using the following command: key add Note: The new feature is not activated until the router is rebooted.
Encryption
Note: Encryption is a software option. The following section applies only for routers with this option.
For routers shipped with the following encryption options, two variants of encrypted data links over PPP have been implemented:
• PPP DES (Data Encryption Standard) (RFC1969)
• Diffie-Hellman
Encryption requires PPP.
Caution: PPP DES and Diffie-Hellman encryption options may not be exported outside the United States or Canada.
Use this sample configuration with the additional encryption commands as a guideline to configure your own routers.
remote setEncryption DESE_1_KEY dh96.num SOHO
save
reboot
File Format for the Diffie-Hellman Number File
The file consists of 192 bytes, in binary format. There are two 96-byte numbers stored, with the most significant byte in the first position. For example, the number 0x12345678 would appear as 000000...0012345678. The first 96 bytes form the modulus. In the equation x' = g^x mod n, n is the modulus. According to Diffie and Hellman, the modulus should be prime, and (n-1)/2 should also be prime.
IP Filtering IP Filtering is a type of firewall used to control network traffic. The process involves filtering packets received from one interface and deciding whether to route them to another interface or to discard them. When it is filtering packets, the router examines information such as the source and destination address contained in the IP packet, the type of connection, etc.
If NAT translation is enabled for the Input interface, NAT translation is performed.
Forward Phase
At this stage, the router uses its routing table to determine to which interface or link the packet is sent. It then applies the Forward filters based on the Input interface information. Next the router applies the Forward filters based on the Output interface information.
Output Phase
If NAT translation is enabled for the Output interface, then NAT translation is performed.
action is for packets coming from the local protected network; it passes the packet to IPSec so it can be encrypted and sent to the other IPSec gateway. Although filters are the mechanism by which packets are passed to IPSec, it is recommended that you use IKE, rather than your own filters, to manage your IP Security (see IPSec (Internet Protocol Security), page 134). IP Filter Commands To define and manage IP filters on an Ethernet interface, use the command eth ip filter.
L2TP Tunneling - Virtual Dial-Up
This section has four parts:
• The Introduction provides a general overview of L2TP tunneling.
• The L2TP Concepts section explains LNS, L2TP client, LAC, dial user, tunnels, and sessions.
• Configuration describes preliminary configuration steps and verification steps and lists commands associated with the configuration of L2TP and PPP sessions.
LNS, L2TP Client, LAC, and Dial User
An L2TP tunnel is created between an L2TP client and an L2TP network server (LNS). The client and server control the tunnel using the L2TP protocol.
• L2TP Network Server (LNS): The LNS is the point where the call is actually managed and terminated (e.g., within a corporate network).
• L2TP Access Concentrator (LAC): The LAC is the physical hardware (such as a router) used for placing and receiving phone calls.
LNS and L2TP Client Relationship The LNS acts as the supervising system. The L2TP client acts both as the dial user and the LAC. One end of the tunnel terminates at the L2TP client. The other end of the tunnel terminates at the LNS. One end of the PPP session going through the tunnel terminates at the L2TP client acting as the dial user; the other end terminates at the LNS. Tunnels Tunnels are virtual paths that exist between an L2TP client and an L2TP server.
2. Decide if one side or both sides of the connection should be allowed to initiate a tunnel.
3. Create the L2TP Tunnel Entry with these characteristics:
4.
l2tp set authen on | off
Type of L2TP support for tunnel: Configure the entry to act as an L2TP client, an L2TP network server (LNS), or as both a LAC and an LNS, or the entry can be disabled.
l2tp set type all | lns | l2tpclient | disabled
Remote tunnel IP address:
l2tp set address
Note: Verify that the IP address of the other end of the tunnel is correctly routed. It should not be routed through the tunnel itself, but over a physical link.
Simple L2TP Client Configuration Example
This example shows how a telecommuter working at home (client side) can configure his/her router SOHO to tunnel to the company's LAN (server side). The information given in the Configuration Process section below provides a framework reference for this type of L2TP Client configuration.
• Assumptions
In this example, the following information is assumed:
• The server side (the company) has an LNS router connected to the Internet.
2. Work_Router
3. Shared_Secret
4. 10.0.0.1
L2TP tunnel configuration commands. These commands would be used to set up the L2TP tunnel information for our example:
l2tp add Work_Router
l2tp set ourtunnel Home_Router Work_Router
l2tp set chapsecret Shared_Secret Work_Router
l2tp set address 10.0.0.1 Work_Router
PPP remote configuration
PPP remote-specific questions:
1. What is the home router's name for PPP authentication?
2. What is the home router's secret for PPP authentication?
3.
1. ppp_soho
2. ppp_soho_secret
3. We assume that this router will authenticate the router at work with the following information:
a) the company router's name is: ppp_work
b) the company router's PPP secret is: ppp_work_secret
4. We assume that the company's router will dynamically assign an IP address to the home router.
5. 172.16.0.0/255.240.0.0
PPP remote configuration commands.
Tunnel
Only the L2TP client (soho) will initiate the tunnel and make the connection. The tunnel is routed through the remote internet which is the default route. The LNS server never calls the L2TP client (soho).
[Figure 1: Remote user side: PC, soho router, L2TP client lacclient (see Note 1), tunnelAtHome (see Note 2), ISDN. A tunnel carries the PPP session to the company side: LNS LNSserver router (DSL), lnsserver (see Note 3), tunnelAtWork (see Note 2), 192.168.100.1. Router on the LAN side: 192.168.101.]
Enable IP routing for soho:
eth ip enable
eth ip addr 192.168.101.1 255.255.255.0
Set up ISDN parameters:
isdn set switch ni1
isdn set dn 5551000 5553000
isdn set spids 0555100001 0555300001
Define DHCP settings for DNS servers, domain, wins server:
dhcp set value DOMAINNAMESERVER 192.168.100.68
dhcp set value DOMAINNAME efficient.com
dhcp set value WINSSERVER 192.168.100.
Create a DHCP pool of addresses:
dhcp add 172.16.0.0 255.255.255.0
dhcp del 192.168.254.0
dhcp set addr 172.16.0.2 172.16.0.20
Set up DSL parameters:
sd term co
sd speed 1152
Define a remote LNSserver:
remote add lnsserver
remote setauthen chap lnsserver
remote setpasswd serverpassword lnsserver
remote addiproute 192.168.110.1 255.255.255.255 1 lnsserver
remote setprotocol ppp lnsserver
remote setpvc 0*38 lnsserver
save
reboot
• Configuration commands for isp
Note: isp is an ISDN router.
save
reboot
• Configuration commands for LNSserver
Note: LNSserver is a DSL router.
Define LNSserver:
system name lnsserver
system passwd serverpassword
system msg Script_for_LNS_called_HQ
system securitytimer 60
Enable IP routing:
eth ip enable
eth ip addr 192.168.100.1 255.255.255.0
Define DHCP settings for DNS servers, domain:
dhcp set value domainname efficient.com
dhcp set value domainnameserver 192.168.100.
IPSec (Internet Protocol Security) Note: IPSec security is a software option for your router. The option becomes available after purchase and installation of the software option key (see Software Option Keys, page 114). The following section applies only to routers with this option. IPSec is an open standard that defines optional authentication and encryption methods at the IP packet level. It is a true network layer protocol that provides authentication, privacy, and data integrity.
It can also be used for L2TP over IPSec. The routers at either end of the L2TP tunnel do both the IPSec and L2TP encapsulations so the routers can use transport mode for communications.
[Figure: Tunnel mode secures packet traffic between routers (device, router, router, device). Transport mode secures data traffic between devices, or between a device and a router, end to end.]
ESP and AH Security Protocols
An IPSec connection must use either the AH or the ESP security protocol.
The following figure shows the transformed IP packet after the ESP or AH protocol has been applied in tunnel mode.
during this phase. Phase 2 IKE then exchanges proposals for IPSec security attributes, generates the encryption keys and sets up IPSec Security Associations (SAs) for moving user data.
Additional IKE Settings
In addition to the peer identification and shared secret described earlier, IKE requires that the router be configured with the following information:
• Session authentication
• Phase 1 IKE message authentication
• Phase 1 IKE message encryption
• One of the following for each IKE proposal:
  - IPSec AH packet authentication
  - IPSec ESP data authentication
  - IPSec ESP data encryption
  - IPSec ESP data authentication and data encryption
• Diffie-Hellman key generation group
• IPSe
IKE Commands
The Internet Key Exchange (IKE) process consists of two phases. In phase 1, a moderately secure connection is established between the two security endpoints. This connection is used to exchange key and connection information for the final SA, which is used to exchange user data.
You can use the following command to clear all IKE configuration information from the router.
ike flush
The other IKE commands relate to the four categories of information required to set up IKE in the router.
1.
Sets the IP address of the other endpoint. One end, the gateway, has a fixed IP address. The other end, the client, has a changing address. When configuring the client, set the peer IP address to the gateway's fixed address. When configuring the gateway for aggressive mode, set the IP address to 0.0.0.0.
ike peers set secret
Sets the shared secret for the peer. The secret must be identical for both ends. It can be up to 256 characters long; do not use spaces or non-printable characters.
ike proposals set dh_group
Proposes the Diffie-Hellman (DH) key generation group used (no group or group 1 or 2).
ike proposals set lifetime
Proposes the length of time (in seconds) before the Phase 1 SA expires; the recommended value is 86400 (24 hours). When the time limit expires, IKE renegotiates the connection.
NONE: No ESP encapsulation and no ESP message authentication. (If you select this option, the encapsulation method must be requested by a set espenc or set ahauth command.)
ike ipsec proposals set ahauth
Determines whether AH message authentication is requested and, if it is requested, the hash algorithm used.
Note: The proposal cannot request both AH encapsulation and ESP encapsulation.
MD5: Use AH encapsulation and authenticate using hash algorithm Message Digest 5.
ike ipsec policies set mode
Specifies the encapsulation mode (tunnel or transport) that may be used for the connection. The default is tunnel mode.
ike ipsec policies set proposal
Specifies an IKE IPSec proposal that may be used for the connection. (It must have been defined by IKE IPSec proposal commands.) The policy may allow more than one value for the proposal parameter.
IKE Configuration Examples This section shows two simple IKE configurations. The installation CD also contains sample configuration files. These files can be edited for your installation and copied to the router using TFTP or the Windows Quick Start application. For more information on TFTP use, see Batch File Command Execution, page 166. The first example in this section shows an IKE configuration that uses main mode for a secure connection between two routers with fixed IP addresses.
# MD5 authentication
# Diffie-Hellman group 2 key exchange
# 24-hour timeout
# Unlimited data
ike proposals add branch_proposal
ike proposals set encryption des branch_proposal
ike proposals set message_auth md5 branch_proposal
ike proposals set dh_group 2 branch_proposal
ike proposals set lifetime 86400 branch_proposal
# Describe the desired IPSec connection
# Triple-DES encryption
# SHA1 authentication
# 30-minute timeout
# Unlimited data
ike ipsec proposals add branch_ipsec_prop
ike ipsec proposals set
# Describe the home office peer
# IKE main mode is used because the home office has a fixed IP address
# (192.168.17.200). The shared secret is "ThisIsASecret12345;)"
ike peers add home_peer
ike peers set mode main home_peer
ike peers set address 192.168.17.
save
reboot
Aggressive Mode Example
This example supposes, like the preceding main mode example, that a secure connection is needed between a home office router and a branch office router. However, now the DSL connection for the branch office router does not provide a fixed IP address for the branch office router. Thus, an aggressive mode IKE configuration is required.
[Figure: 192.168.16.X Home Office Private Network; branch office (No fixed IP address), Domain: branchoffice.big.com; 192.168.17.]
ike peers set localidtype domainname home_peer
ike peers set localid branchoffice.big.com home_peer
IPSec Commands
The following commands allow you to define an IPSec connection without IKE.
Note: If you define a tunnel using IPSec commands, the keys will remain static. This could pose a security risk and is not recommended. Use of IKE for key management is recommended.
ipsec flush: Clears all IPSec definitions.
ipsec add: Defines an SA name.
ipsec del: Deletes an existing SA.
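The IKE and IPSec sections above state several constraints that are easy to violate in a hand-written configuration script: the shared secret must be printable, contain no spaces and be at most 256 characters; the recommended Phase 1 lifetime is 86400 seconds; main mode presumes a fixed peer address (the aggressive-mode gateway is the one configured with 0.0.0.0); and a static-key tunnel defined with ipsec add is discouraged. The following added Python example (not the router's own command parser) lints a script for these points, using the command forms shown in this chapter. The sample scripts are constructed; the secret is the one from the main mode example. As a present-day caveat that is not in the manual, it also flags single DES for Phase 1 encryption.

```python
"""Lint for IKE/IPSec configuration scripts in the command forms shown in
this chapter.  Added example, not the router's parser; the checks implement
the constraints stated in the text plus a present-day note on single DES."""
from typing import Dict, List

MAX_SECRET = 256
RECOMMENDED_LIFETIME = 86400


def lint_ike_script(script: str) -> List[str]:
    findings: List[str] = []
    modes: Dict[str, str] = {}        # peer -> mode
    addresses: Dict[str, str] = {}    # peer -> peer address
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment; secrets containing '#' are not handled
        if not line:
            continue
        tok = line.split()
        if tok[:3] == ["ike", "peers", "set"] and len(tok) >= 5:
            attr, peer = tok[3], tok[-1]
            if attr == "secret":
                if len(tok) != 6:    # 'ike peers set secret <secret> <peer>' is exactly six tokens
                    findings.append(f"line {lineno}: shared secret contains spaces (or the peer name is missing)")
                else:
                    secret = tok[4]
                    if len(secret) > MAX_SECRET:
                        findings.append(f"line {lineno}: shared secret is longer than {MAX_SECRET} characters")
                    if not (secret.isascii() and secret.isprintable()):
                        findings.append(f"line {lineno}: shared secret contains non-printable characters")
            elif attr == "mode" and len(tok) == 6:
                modes[peer] = tok[4]
            elif attr == "address" and len(tok) == 6:
                addresses[peer] = tok[4]
        elif tok[:3] == ["ike", "proposals", "set"] and len(tok) == 6:
            attr, value = tok[3], tok[4]
            if attr == "lifetime" and value.isdigit() and int(value) > RECOMMENDED_LIFETIME:
                findings.append(f"line {lineno}: Phase 1 lifetime {value}s exceeds the recommended {RECOMMENDED_LIFETIME}s")
            elif attr == "dh_group" and value not in ("1", "2"):
                findings.append(f"line {lineno}: dh_group {value} is not group 1 or 2; verify it is intended")
            elif attr == "encryption" and value.lower() == "des":
                findings.append(f"line {lineno}: single DES is weak by present-day standards")
        elif tok[:2] == ["ipsec", "add"]:
            findings.append(f"line {lineno}: 'ipsec add' creates a static-key SA; keys never change, so IKE is preferred")
    for peer, mode in modes.items():
        if mode == "main" and addresses.get(peer) == "0.0.0.0":
            findings.append(f"peer {peer}: main mode with peer address 0.0.0.0; main mode is for peers with a fixed address")
    return findings


# Constructed from the main mode example in the text.
GOOD_SCRIPT = """\
# Describe the IKE proposal
ike proposals add branch_proposal
ike proposals set encryption des branch_proposal
ike proposals set message_auth md5 branch_proposal
ike proposals set dh_group 2 branch_proposal
ike proposals set lifetime 86400 branch_proposal
ike peers add home_peer
ike peers set mode main home_peer
ike peers set address 192.168.17.200 home_peer
ike peers set secret ThisIsASecret12345;) home_peer
"""

# Constructed script that breaks each stated rule once.
BAD_SCRIPT = """\
ike proposals add weak_proposal
ike proposals set lifetime 864000 weak_proposal
ike peers add roaming_peer
ike peers set mode main roaming_peer
ike peers set address 0.0.0.0 roaming_peer
ike peers set secret not a secret roaming_peer
ipsec add static_sa
"""

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, lint_ike_script(script) or "no findings")
```

Running the lint against a script before it is copied to the router with TFTP (see Batch File Command Execution) catches the space-in-secret case in particular, which otherwise shows up only as a Phase 1 failure with no obvious cause.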
Specifies the identifier (SPID) for the IPSec tunnel. It must match the SPID at the other end of the tunnel, that is, the tx SPID on this end must match the rx SPID on the other end.
ipsec set service
Selects the authentication and/or encryption services used: AH authentication, ESP encryption, or both ESP encryption and ESP authentication (encryption applied first and then authentication).
Chapter 6. Managing the Router This chapter describes facilities for managing, monitoring, and securing the router.
trigger alarms on thresholds, graph or list node statistic counters, view and edit individual MIB variables, and print reports. An example of useful information that can be obtained from a remote SNMP client would be the current status of the router's WAN link and Ethernet interfaces, including protocol (PPP, CSMA-CD), line speed, maximum frame (transmission unit) size, physical address, operating status, or packet traffic rates.
Telnet Remote Access
The router supports Telnet access.
TFTPD rootdirectory
The TFTPD operational parameters are kept in file ROUTER.INI in the form:
rootdir=rootdirectory
retries=maxtries
timeout=timeout
TFTPD is automatically called by BootP and Configuration Manager.
BootP Service
This section first discusses what BootP is and then describes the BootP service available from the router.
BootP Concepts
BootP refers to the Bootstrap Protocol. In general, BootP requests have these purposes:
• To obtain an IP address to use.
Relaying BootP Requests The DHCP relay list is an optional list of IP addresses of servers on the network. You create the list manually; addresses are not automatically added or removed. You add addresses to the list using the command dhcp addrelay (page 310) and remove addresses from the list using the command dhcp delrelay (page 313).
Boot Code Maintenance Options
The router provides a number of maintenance options for booting router software.
• You can boot from the router's FLASH memory, the most common option.
• Or, you can boot across the LAN network from a TFTP server, perhaps to test a new level of router software before downloading it to FLASH memory.
• You can also boot through a gateway to a WAN.
Option 1: Retry Start-Up
If you are in Manual Boot mode, you can reboot the router in the boot procedure order by selecting option 1, "Retry start-up". The boot procedure order is either the one you have specified or the default order. The default order is to boot from FLASH memory and then from the network (if defined). If you wish to boot from the network and/or alter the boot procedure order, refer to Option 3: Boot from Network, on page 155.
The boot IP address is the router LAN IP address used during the boot procedure. This address may differ from the LAN IP address that the router is ultimately assigned. This address is different so that a system can be booted from one subnetwork and then moved to its operational network, if necessary. The boot IP address is in the form: zzz.zzz.zzz.zzz. The TFTP boot server address is specified as: xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the LAN IP address of the boot server).
When the router is configured by a PC, the GUI overwrites the time and date fields. The router time and date values are copied from the PC time and date values. Option 7: Set Console Baud Rate Select option 7 to alter the baud rate that the router uses to communicate over the Console port with a terminal-emulation program. You can override the default rate of 9600. Remember to set the identical baud rate in your terminal emulation program.
Identifying Fatal Boot Failures Fatal boot failures can be identified by the light patterns shown by the LEDs on the front panel of the router. Note: Normal LED states are described in the Hardware Specifications section of the Quick Start Guide.
Software Kernel Upgrades
You can upgrade the software kernel by downloading a new version from the LAN or from the WAN.
Booting and Upgrading from the LAN
You can download a new version of the router software kernel using a TFTP server that already exists on the LAN. The following steps demonstrate how to boot the router software from the network and copy the image from the network into the router's FLASH memory.
the return key for the load address). If all entered information is valid, the router boots from the network. An example follows:

    Enter selection: 4
    Enter my IP address: 128.1.210.65
    Enter server IP address: 128.1.210.70
    Enter load address [80100]:
    Enter file name: kernel.f2k

Alternatively, select option 5 to set permanent network boot parameters and then boot from the network using option 3.
where xxx.xxx.xxx.xxx is the TFTP server IP address, sfilename is the server filename of the kernel, and KERNEL.F2K is the name of the file. If you do not specify the server address, a permanent or more recent override TFTP server address will be used, if you have previously defined one.

Warning: After the kernel is copied, do not power down the router until you have either issued a sync command or rebooted the router. Otherwise the file is not written to FLASH memory.

4.
Backup and Restore Configuration Files

To successfully save configuration files to the server, those files must already exist and be writeable by everyone. This restriction is part of the TFTP protocol. Moreover, all the files accessed by the TFTP server must be under a single root directory. Multiple sub-directories can exist below this root directory, but they must be created manually at the server. Neither the sub-directories nor the files can be created remotely.
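The restrictions above, applied as a write-request check on the server side. This is an added example, not code from the manual or from Efficient Networks; it models a TFTP server that accepts a write only to a file that already exists under the single root directory and is writeable by everyone, and that never creates directories or files for a remote writer. The root directory and the file names are constructed for the demonstration.

```python
"""Added example (not from the manual): a TFTP write-request check that
applies the backup restrictions stated above. Assumptions: a write is allowed
only to a file that already exists under the single TFTP root and is writeable
by everyone; directories and files are never created for a remote writer."""
import os
import stat
import tempfile
from pathlib import Path


def check_tftp_write(root: str, requested: str) -> str:
    """Return 'ok' if a write request for `requested` may proceed, else a reason."""
    root_path = Path(root).resolve()
    # Resolve the request relative to the root, then confirm it stayed inside.
    target = (root_path / requested.lstrip("/")).resolve()
    if target != root_path and root_path not in target.parents:
        return "outside-root"          # "../" escaped the single root directory
    if not target.parent.is_dir():
        return "missing-directory"     # sub-directories are created only at the server
    if not target.is_file():
        return "missing-file"          # the file must already exist
    if not target.stat().st_mode & stat.S_IWOTH:
        return "not-world-writeable"   # must be writeable by everyone
    return "ok"


def demo() -> dict:
    """Build a constructed TFTP root and exercise each rule; returns the verdicts."""
    root = tempfile.mkdtemp(prefix="tftproot-")
    routers = Path(root) / "routers"   # sub-directory created manually at the server
    routers.mkdir()
    good = routers / "ROUTER1.CFG"     # constructed file name
    good.write_text("")
    os.chmod(good, 0o666)              # writeable by everyone
    ro = routers / "ROUTER2.CFG"
    ro.write_text("")
    os.chmod(ro, 0o644)                # owner-writeable only: the save would fail
    return {
        "existing": check_tftp_write(root, "routers/ROUTER1.CFG"),
        "readonly": check_tftp_write(root, "routers/ROUTER2.CFG"),
        "newfile": check_tftp_write(root, "routers/ROUTER3.CFG"),
        "newdir": check_tftp_write(root, "branch/ROUTER1.CFG"),
        "traversal": check_tftp_write(root, "../../outside.cfg"),
    }
```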
FLASH Memory Recovery Procedures

Recovering Kernels for Routers with Configuration Switches

In the unlikely event that the FLASH file system should become corrupted, attempt to recover using these steps. Perform the following procedures in the order listed:

1. Try to repair the file system by issuing the msfs command. While logged in, issue a sync command followed by an msfs command.
Recovering Kernels for Routers with a Reset Button

The reset button (if your router has one) is recessed in an unlabeled hole on the back panel of the router (to the right of the Ethernet hub connector). If your router has a reset button, you can use it to perform these functions:

• If the reset button is depressed during the power on sequence, the router attempts to download a kernel from a BootP server as described in Recovery Steps Using BootP, on page 164.
5. In the BootP Setting dialog box, click OK. Configuration Manager writes the above settings to a file called BOOTDBASE.TXT and calls the BootP server.
6. Power off the router.
7. Insert a small pen or pointed object into the small reset switch (unlabeled hole) on the back panel of the router (to the right of the Ethernet hub connector). With the object still inserted in the reset switch, power up the router. Wait until all the LED lights flash (about 10 seconds).
8.
Batch File Command Execution

This feature is used to load batch files of configuration commands into the router. This allows the user to customize and simplify installation of the router. A script file can contain commands, comments (lines introduced by the # or ; characters), and blank lines. There are two kinds of script files:

• A one-time script that is executed on startup (only once).
Chapter 7. Troubleshooting

Software problems usually occur when the router's software configuration contains incomplete or incorrect information. This chapter discusses:

• Diagnostic tools that are available to help identify and solve problems that may occur with your router
• Symptoms of software configuration problems
• Actions for you to take
• System messages

Diagnostic Tools

This section describes three diagnostic tools available to you:

• The LEDs on the front panel of your router.
Normal LED Sequence (state, length, and the problem indicated if the LED sequence stops at that stage):

State 1: Power ON. PWR - green, TEST - amber, LINK - off. Length: 5 sec.
         Problem: A hardware problem has been detected. Contact Technical Support.
State 2: All lights flash. Length: 1 sec.
         Problem: 1. Check that the DIP switches are all up. 2. Check that the correct software was loaded.
State 3: PWR - green, TEST - green, LINK - off. Length: 5 sec.
         Problem: 1.
State 4: PWR - green, TEST - green, LINK - amber. Length: 5 to 10 sec.
State 5: PWR - green, TEST - green, LINK - green. Ready.
Accessing History Log through Configuration Manager

1. Select Tools and Terminal Window (the console cable is required).
2. Log in with your administration password into the router (e.g. "admin").
3. Use the command system history to view the buffer contents.

Other Logging Commands

• If you wish to monitor your router activity at all times, use the command system log start to view a continuous log, using Telnet. (This command will not work in a Terminal Window session; it only works from Telnet.
Interpretation and Troubleshooting

To isolate a problem with the TCP/IP protocol, perform the following three tests:

1. Try to ping the IP address of your PC. If you get a response, proceed directly with step 2. If you don't get a response, check that:
   • The network adapter card is installed.
   • The TCP/IP protocol is installed.
   • The TCP/IP protocol is bound to the network adapter.
2. Try to ping the IP address of your router. If you get a response, proceed directly to step 3.
• connect to the router.
• log in.
• access the remote network.
• access the router via Telnet.
• download software.

Finally, if you have a VoDSL router, it suggests how to troubleshoot your telephony services.

Problems Connecting to the Router

If you cannot connect your PC to the target router for configuration:

• For a LAN connection, verify that the router's IP address matches the IP address previously stored into the router's configuration.
Note: If you do not reset switches 5 and 6 to the up position and then reboot, the router is placed in maintenance mode. Set switches 5 and 6 up and turn the power off and then on again.

Problems Accessing the Remote Network

Bridging

• Make sure to reboot if you have made any bridging destination or control changes.
• All IP addresses must be in the same IP subnetwork (IP is being bridged).
• Check that a bridging default destination has been configured and is enabled.
• The IP address must be within the valid range for the subnet.
• Verify that the IP and gateway addresses are correct on the PC.
• Windows 95 may remember MAC addresses: if you have changed MAC addresses, reboot the router and the PC.
• In Windows 3.1, check that the TCP driver is installed correctly. Ping (ping command) your PC's IP address from the PC. Successful "pinging" results let you know that the TCP driver is working properly.
• Make sure that the Novell server is up.

Incorrect VPI/VCI (ATM Routers)

If you are given an incorrect VCI/VPI number or none at all to use for the remote, and you need to determine what the possible value might be, use the atom findpvc command (see ATM Debug Commands, on page 181).

Problems Accessing the Router via Telnet

• Ensure that the router has a valid IP address.
• Check that the Ethernet cable is plugged in.
frame voice     Changes the voice DLCI to the specified number x.
frame stats     Shows LMI statistics. For a frame stats example, see page 204.

If the voice gateway is a Jetstream gateway, the following commands are available:

voice l2stats   Shows AAL2 statistics for control messages.
voice l2clear   Clears the AAL2 statistics to 0.

The following commands allow you to trace all signaling cells sent and received and all encoding changes for voice ports.
    Value Specified   Actual (G.711)   Actual (G.726)
    0-5               5.5 (1)          11 (1)
    6-11              11 (2)           11 (1)
    12-16             16.5 (3)         22 (2)
    17-22             22 (4)           22 (2)
    23-28             27.5 (5)         33 (3)
    29-33             33 (6)           33 (3)
    34-39             38.5 (7)         44 (4)
    40-44             44 (8)           44 (4)
    45-50             49.5 (9)         55 (5)
    51-55             55 (10)          55 (5)
    56-60             60.5 (11)        66 (6)

System Messages

System messages are displayed on the terminal and sent to a log file (if you have opened one). The messages listed in this section are time-stamped informational and error messages.
Explanation: PAP cannot be negotiated.

Can't agree with on what their IP address should be
Explanation: The IP address entry for the remote router in the remote router database does not match what the local router expects.

Can't obtain an IP address from : one is needed in single user mode
Informative message.

Can't supply an IP address to
Explanation: The remote end requests an IP address from the local end, which cannot supply it.

Cannot remove SYSTEM.
Explanation: The router does not have a system name. For PAP/CHAP negotiation, the router will use a default name and password.

Note: IPX is misconfigured for - no IPX WAN network
Explanation: IPX WAN address is wrong or missing.

Note: There is no IPX route statically defined for
Informational message.

PPP: Peer not negotiating right now
Explanation: One end of the network is not negotiating the same protocol as the other end.
Explanation: The remote destination refused to participate in the PAP/CHAP authentication process.

Startup failed
Explanation: The ATM modem could not synchronize with the remote end. Call Technical Support.

Startup failed: failure code = , Status [code]
Explanation: The ATM modem could not synchronize with the remote end. Call Technical Support.

TelnetD
Explanation: Connection accepted. A remote configuration session has been established.
Debugging Commands

The following commands may be available for debugging purposes. Please use them with caution because they are not fully supported.

General Debug Commands

ifs               Shows which interfaces are configured or active. For an example of its output, see page 190.
mlp debug [<0>]   BNCP is for bridging, ECP for encryption, and NCPSTATES for state table changes. To turn off the trace, enter the command with the optional 0 at the end.
Dumps all tables. If you capture and send this output to Technical Support, it can be useful in debugging problems. For more information, see SYSTEM SUPPORTTRACE, on page 226. The information dumped includes the history log and information about the version, memory, processes, the file system, general system information, Ethernet, DHCP, Voice, remote database, interfaces, bridging, the ARP table, IP routes, IPX routes, IPX SAPs, L2TP tunnels, and IP filters.

copy /RAW-IMAGE ttp@192.4.210.
Web GUI Debug Commands

If you point your web browser to http://192.168.254.254/tools/index.html, you can display an index to special pages in the web GUI. These pages include:

dump.html       State variable dump (for debugging purposes)
access.html     Control router administrative access.
editor.html     Edit files in the router file system.
routing.html    Edit the static routing table for an interface.
features.html   Display and modify feature list.
password.html   Change administrative password.
newpass.
BER_METER_STATUS .............. BER Meter Status

sdsl btstat *          Displays available SDSL status commands.
sdsl bts felm          Displays Far-End Signal Attenuation. It gives an estimate of the length of the loop.
                       Output example: SDSL: FELM: 63 [0x3f]
sdsl bts nmr           Displays noise margin. Large values are symptoms of a bad or excessively lengthy loop.
                       Output example: SDSL: NMR: 224 [0xe0]
sdsl states trace []   Turns on trace of line changes. To turn off the trace, append all to the command.
Shows AAL2 statistics for voice router.
voice l2stats clear   Resets values.
dsp                   Turns echo canceller on (NOEC) or off (ECON).

The following commands can be used for standalone phone verification. (This is for lab or bench verification only.)

dsp init nobort       Starts DSP for this test.
dsp cas x             Connects and rings port x.
dsp ploop x-y         Connects port x to port y.
dsp init              Reinitialize after testing.
Frame Relay Debug Commands

frame stats       Displays statistics. For more information, see FRAME STATS, on page 204.

ATM Tracing Commands

atom print        Shows count of good and bad ATM cells and frames.
atom rx           Shows AAL5 frames received.
atom promisc on   Turns on promiscuous mode (rx ATM cells no matter what VPI*VCI).
atom cellrx       Traces ATM cells received.
atom tx           Traces ATM cells sent.
atom stats        Prints the ATM statistics every n seconds. It shows good and bad cells and frames.
• Type of operating system (Windows 95, 98, NT, or Windows for Workgroups)
• Description of the problem
• List of other equipment such as personal computers, modems, etc. and third-party software you are using, including revision levels.

To determine how to contact Technical Support, see the Quick Start Guide and the Customer Release Notes that came with your router.
Chapter 8. Command Reference

This chapter lists the formats of the commands you can enter on the router command line.
? or help

Example:

    # ?
    Top-level commands:
    ?          help       filter     logout     reboot     mem
    copy       dir        rename     execute    sync       msfs
    ipifs      iproutes   ipxroutes  ipxsaps    system     eth
    erase      key        call       ping       dhcp       l2tp
    ike        atom       sdsl       voice      version    exit
    ps         delete     format     ifs        arp        bi
    save       remote     tcp        ipsec      dsp

System-Level Commands

These commands are online action and status commands.
ARP LIST

Lists Address Resolution Protocol (ARP) table entries in an IP routing environment. ARP is a tool used to find the appropriate MAC addresses of devices based on the destination IP addresses.

arp list

ipaddr          IP address associated with a MAC address for a device on the local interface in the format of 4 decimals separated by periods.
InterfaceName   MAC address on the local network
InterfaceUnit   For an Ethernet interface, this can be a 1 or 0.
bi list

Example:

    # bi list
    BRIDGE GROUP 0:
    00206F024C34: 0180C2000000: FFFFFFFFFFFF: 02206F02E70D: ETHERNET/0 00C04F2E1AEB: ETHERNET/0 0060081BD761: ETHERNET/0 P US P P FLD SD A A A 325 143 95 MC BC MC FWD FWD FWD

CALL

Dials a remote router. This command can be used to test the ISDN link or L2TP session and the configuration settings for the remote router.

call

Response:

    # Request Queued

EXIT

Has the same function as logout, but will disconnect you from a Telnet session.
Additional interfaces on other routers could include:

    Interface           In%/Out%
    FR/3       144kb    0%/0%    (HDLC/FR)   OPENED
    FR-VC/1    144kb    0%/12%   (FR)        OPENED
    DMT/0      0 b      0%/0%    (ATM)       OFF
    ATM-VC/1   0 b      0%/2%    (ATM)       OFF

    ETHERNET         LAN
    SDSL, DMT, FR    WAN physical layer
    ATM-VC, FR       WAN layer 2 virtual circuit
    BACKUP           Dial Backup modem
    ATM-VOICE        Voice over DSL
    CONSOLE          Serial port
    VOX-STRM         Streaming voice control channel to internet
    In%/Out%         Downstream and upstream percentages.
iproutes

Response:

    # iproutes
    IP route          / Mask      --> Gateway   Interface  Hops  Flags
    0.0.0.0           /ffffffff   --> 0.0.0.0
    192.84.210.0      /ffffff00   --> 0.0.0.0
    192.84.210.12     /ffffffff   --> 0.0.0.0
    192.168.254.0     /ffffff00   --> 0.0.0.0
    192.168.254.1     /ffffffff   --> HQ
    192.168.254.2     /ffffffff   --> HQ
    224.0.0.9         /ffffffff   --> 0.0.0.0
    255.255.255.255   /ffffffff   --> 0.0.0.
    Service Name   Type   Node number:Network:Skt     Hops
    SERV312_FP     4      000000000001:00001001:045   1

LOGOUT

Logs out to reinstate administrative security after you have completed changing the router's configuration.

logout

MEM

The mem command reports the amount of RAM installed in the router.

mem

Response:

    # mem
    Small buffers used.......18
    Large buffers used.......41
    Buffer descriptors used..59
    Number of waiters s/l....
Example: mlp summary

PING

This command sends an echo message, available within the TCP/IP protocol suite. The echo message is sent to a remote node and returned in order to test connectivity to the remote node. It is particularly useful for locating connection problems on a network. A status message is issued for each echo message sent. You cannot ping your own LAN address; you can ping your own WAN address.
PS Lists all of the tasks (processes) running in the system and the status of the tasks.
• Ethernet IP address
• TCP/IP routing
• Remote router default bridging destination
• TCP/IP route addresses
• SAPs and bridging
• Adding a new remote entry to the remote database.

A reboot also ensures that all file system updates are completed. There is a time lag between the entry of a save command and the safe storage of the data in FLASH memory. If the power goes off before the data is stored in memory, the data can be lost. Always reboot before powering off the router.
save eth      Saves the configuration settings for the Ethernet LAN into FLASH memory.
save filter   Saves the bridging filtering database to FLASH memory. A reboot must be executed to load the database for active use.
save sys      Saves the name, message, and authentication password system settings into FLASH memory.

ERASE

The erase command erases the entire router's configuration or parts of it from FLASH memory.
TCP STATS

Displays the TCP statistics and open connections.

tcp stats

Example: tcp stats

TRACEROUTE

Traces the route taken by packets sent from the target router to the specified IP address. A packet is sent for each hop in the route. The output lists the IP addresses of the hops that returned packets.

Note: To terminate the traceroute before it completes, press control-c.

traceroute [-c count] [-i wait] [-s size (or -l size)] [-I srceaddr]

-c count   Number of packets sent (from 1 to 255).
    18: 208.178.103.62
    19: reply from 204.71.200.68: bytes=56 (data), time=95 ms
    traceroute: packets sent 19, packets received 18

VERS

Displays the software version level, source, software options, and amount of elapsed time that the router has been running. All software options are listed. If the option has a + prefix, the option was enabled using a key. If the option has a ~ prefix, the option is disabled in this router. For more information, see Software Option Keys, on page 114.
File System Commands

The file system commands allow you to perform maintenance and recovery on the router. These commands allow you to:

• Format the file system
• List the contents of the file system
• Copy, rename, and delete files

The router file system is DOS-compatible, and the file system commands are similar to the DOS commands of the same name.

COPY

Copies a file from the source to the destination.
DELETE

Removes a file from the file system.

delete

filename   Name of the file to be deleted. The filename is in the format xxxxxxxx.xxx.

Example: delete kernel.f2k
Response: kernel.f2k deleted.

DIR

Displays the directory of the file system. The size of each file is listed in bytes.

dir

Example: dir

EXECUTE

This command loads batch files of configuration commands into the router. This allows for customization and simpler installation of the router.
indicates the file system is corrupted, you may wish to reformat the disk, reboot the router, and recopy the router software.

format disk

Example: format disk
Response:

    NEWFS: erasing disk...
    NEWFS: fs is 381k and will have 762 sectors
    NEWFS: 128 directory slots in 8 sectors
    NEWFS: 747 fat entries in 3 sectors
    NEWFS: writing boot block...done.
    NEWFS: writing fat tables...done.
    NEWFS: writing directory...done.
    Filesystem formatted!

MSFS

Checks the structure of the file system.
RENAME

Renames a file in the file system.

rename

oldName   Existing name of the file. The filename is in the format xxxxxxxx.xxx.
newName   New name of the file. The filename is in the format xxxxxxxx.xxx.

Example: rename ether.dat oldeth.dat
Response: 'ether.dat' renamed to 'oldeth.dat'

SYNC

Commits the changes made to the file system to FLASH memory.

sync

Example: sync
Response: Syncing file systems...done.

Warning: Syncing is not complete until you see the message "done".
FRAME LMI

Turns frame LMI either on or off.

frame <on | off>

Example:

    # frame on
    LMI is on

FRAME VOICE

Displays the voice DLCI for voice routers.

frame voice

Example:

    # frame voice
    Voice DLCI is 22

FRAME STATS

Displays frame relay statistics.

frame stats

Example:

    # frame stats
    FR/0 Frame Relay Statistics
    ANSI LMI:
    Protocol Errors........................
    Unknown Msg Recv.......................
    T391 Timeouts..........................
    PVC Status Changes.....................
    StatusEnq Sent................
    Data Packets Out Queued............ 0
    Data Packets Out (dropped Q Full).. 0
    Voice Cells In..................... 0
    Voice Cells In (with errors)....... 0
    Voice Cells Out.................... 0
    LMI Stats for DLCI.................
    LMI State..........................
    Status State Changes...............
    Active to Not Active Changes.......
    Not Active to Active Changes.......
    Data Packets In....................
    Data Packets Out...................
    Data Packets Out Queued............
Router Configuration Commands

Configuration commands are used to set configuration information for each functional capability of the router.
SYSTEM (Target Router System Configuration Commands)

The following commands set basic router configuration information:

• name of the router
• optional system message
• authentication password
• security authentication protocol
• management security
• system administration password
• IP address translation
• NAT configuration
• host mapping
• WAN-to-WAN forwarding
• filters

SYSTEM ?

Lists the supported keywords.
SYSTEM ADDBOOTPSERVER

Adds an address to the BootP server list. (The BootP server list is also the DHCP relay list.) While the BootP server list has at least one address, the router disables its own DHCP server and, instead, forwards all DHCP/BootP requests to all servers in the list. It forwards every reply received from any of the servers in the list to the appropriate LAN. Addresses can also be added to the list using the dhcp addrelay command (page 310).
last ip addr   Last IP address of the range. May be omitted if the range contains only one IP address.
LAN            Local Ethernet LAN.

Example: system addHTTPFilter 192.168.1.5 192.168.1.12

SYSTEM ADDIPROUTINGTABLE

Defines a new virtual routing table. Once defined, you can add routes to the table using the commands eth ip bindRoute (page 233) and remote bindIPVirtualRoute (page 260). The command specifies the name of the new routing table and the range of IP addresses that reference the table for their routing.
action        One of the following command actions:
  ipaddr      Selects the host with this IP address as server (4 decimals separated by periods).
  discard     Discards the incoming server request.
  me          Sends the incoming server request to the local router, regardless of its IP address.
protocol      Protocol used by the selected server.
  protocolid  Numeric protocol ID.
  tcp         TCP only.
  udp         UDP only.
  all         All protocols.
first port    First or only port as seen by the remote end.
The Syslog filter can comprise one or more ranges of IP addresses that DHCP may return for Syslog servers. To delete addresses from the Syslog filter, use the command system delsyslogfilter (page 220). This command does not affect the Syslog server addresses that you specify explicitly. For more information on the router as Syslog client, see page 153. Note: This command does not require a reboot and is effective immediately.
first ip addr   First IP address of the client range.
last ip addr    Last IP address of the client range. May be omitted if the range contains only one IP address.
LAN             Local Ethernet LAN.

Example: system addTelnetFilter 192.168.1.5 192.168.1.12

SYSTEM ADDUDPRELAY

This command is used to create a UDP port range for packet forwarding. You can specify a port range from 0 to 65535; however, 137 to 139 are reserved for NetBIOS ports. Overlap of UDP ports is not allowed.
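The three rules above (port bounds, the reserved NetBIOS ports, no overlap) applied before a relay range is accepted. This is an added example, not code from the manual; the first/last port argument form and the rejection of any range that touches 137-139 are assumptions, and the existing ranges are constructed.

```python
"""Added example (not from the manual): validates a UDP relay port range
against the rules stated for system addUDPRelay. Assumptions: a range is
given as a first port and an optional last port, and a range that touches
the reserved NetBIOS ports 137-139 is rejected outright."""
from typing import List, Optional, Tuple

NETBIOS_RESERVED = (137, 139)   # reserved for NetBIOS ports, per the manual
PORT_MAX = 65535                # ranges may span 0 to 65535


def ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True when inclusive ranges a and b share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def validate_udp_relay(existing: List[Tuple[int, int]],
                       first: int, last: Optional[int] = None) -> str:
    """Return 'ok', or the reason the new range would be rejected."""
    if last is None:
        last = first                     # a single port is a one-port range
    if not (0 <= first <= PORT_MAX and 0 <= last <= PORT_MAX):
        return "port-out-of-range"
    if first > last:
        return "inverted-range"
    if ranges_overlap((first, last), NETBIOS_RESERVED):
        return "netbios-reserved"
    for lo, hi in existing:              # overlap of UDP ports is not allowed
        if ranges_overlap((first, last), (lo, hi)):
            return f"overlaps-{lo}-{hi}"
    return "ok"


def add_udp_relay(existing: List[Tuple[int, int]],
                  first: int, last: Optional[int] = None) -> str:
    """Append the range to the constructed relay list only if it validates."""
    verdict = validate_udp_relay(existing, first, last)
    if verdict == "ok":
        existing.append((first, first if last is None else last))
    return verdict
```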
pap    When set to pap, negotiation will begin with PAP (instead of CHAP) for those entries that have PAP in the remote database and only when the call is initiated locally.
chap   Overrides all the remote database entries with chap; i.e., only CHAP will be performed.

Example: system authen CHAP

SYSTEM BACKUP ADD

Adds an IP address to the list of addresses to be pinged for the Dial Backup option.
ipaddr   IP address to be deleted from the list (four decimals separated by periods).
GW       Gateway address. The router determines the actual gateway address and deletes it.
DNS      Domain Name Server address. The router determines the actual DNS address and deletes it.
all      Requests deletion of all addresses in the group.
group    Optional number of a group from which the specified address or all addresses are deleted (integer, 0 thru 65535). The default is group 0.
SYSTEM BACKUP PINGINTERVAL

Changes the ping interval for a group, that is, the number of seconds between pings during a test of the addresses in the group.

Note: If you change the ping interval to 0, you disable the group of addresses.

To see the current ping intervals, use the system list command. For more information about the ping interval and Dial Backup, see Ping Interval, Number of Samples, and Success Rate, on page 105.
SYSTEM BACKUP RETRY

Changes the Dial Backup retry period. The retry period determines how often the router attempts to restore the DSL link. For more information about the Dial Backup retry period, see DSL Restoration Retry Period, on page 105. The default retry period is thirty minutes. The minimum retry period is two minutes. To see the current retry value, use the system list command.

system backup retry

minutes   Number of minutes in the retry period (integer).
percentage   Minimum success rate required during a ping test of the addresses in the group (integer, 0 thru 99). The default is 50.
group        Optional number of a group (integer, 0 thru 65535). The default is group 0.

Examples:

The following command changes the success rate to 75% for addresses in group 0.
    system backup successrate 75

The following command disables the pinging of addresses in group 1.
SYSTEM DELBOOTPSERVER

Removes an address from the BootP server list. (The BootP server list is also the DHCP relay list.) To remove all addresses from the list, use system delbootpserver all. Addresses can also be removed from the list using the dhcp delrelay command (page 313). To add an address to the list, use the dhcp addrelay command (page 310).

system delbootpServer | all

ipaddr   IP address of the server (4 decimals separated by periods).
system delHTTPFilter 192.168.1.5 192.168.1.12

SYSTEM DELIPROUTINGTABLE

Deletes a range of addresses that reference a virtual routing table or deletes the entire virtual routing table. To list the virtual routing tables, use the iproutes command (page 191). For more information, see Virtual Routing Tables, on page 78.

system delIPRoutingTable ALL | []

ALL   Deletes the virtual routing table. Both the table definition and all routes in the table are deleted.
  http               HTTP port.
  tftp               TFTP port.
  all                All ports.
last port            Optional last port in the range of ports as seen by the remote end for the server on the LAN.
first private port   If specified, this is a port remapping of the incoming request from the remote end.

Example: system delServer 192.168.1.5 tcp smtp

SYSTEM DELSNMPFILTER

Deletes the client range previously defined by the command system addsnmpfilter.

Note 1: This command does not require a reboot and is effective immediately.
SYSTEM DELSYSLOGSERVER

Removes an address from the list of Syslog servers. To see the server addresses, use the command system list. To specify a new Syslog server address, use the command system addSyslogServer (page 211).

Note: This command does not require a reboot; it takes effect immediately.

system delSyslogServer

ipaddr   IP address to be removed from the Syslog server address list.

Example: system delSyslogServer 192.168.1.
SYSTEM HISTORY

Displays the router's most recent console log.

system history

Example: system history

SYSTEM HTTPPORT

Manages HTTP port access including disabling and re-enabling HTTP port access or redefining the HTTP port for security reasons. Refer to Chapter 4. Controlling Remote Management on page 101.

Note: This command requires a save and reboot to take effect.

system httpport default | disabled |

default   Restores the port value to the default value 80 and re-enables the port.
    Syslog Port......................... default (514)
    Allowed Syslog Servers.............. all
    Default Syslog Servers.............. none
    System message:
    Security timer...................... 30 minutes
    One WAN Dial UP..................... no

SYSTEM LOG

Allows logging of the router's activity in a Telnet session.

system log start | stop | status

start    Used to monitor router activity at all times. Example: system log start
stop     Used to discontinue the logging utility at the console.
it deletes them from the address ranges for the other virtual routing tables. The command then adds the specified address range to the virtual routing table named on the command. To list the routes in the virtual routing tables, use the iproutes command (page 191) or the remote listiproutes command (page 272). For more information, see Virtual Routing Tables, on page 78.
Note: The system name is case sensitive and may be no more than 50 characters.

Example: system name Router1

SYSTEM ONEWANDIALUP

This command is useful when security concerns dictate that the router have only one connection active at a time. For example, the command can prevent connections to the Internet and to another location such as your company at the same time. The command system oneWANdialup on forces the router to have no more than one connection to a remote entry active at one time.
SYSTEM SECURITYTIMER

Automatically logs a Telnet or console user out of privileged mode when no typing has occurred for 10 minutes. This command allows the user to change the 10-minute default to a different value.

system securityTimer

minutes   Length of time in minutes. Auto logout can be disabled by setting minutes to zero.
• bi (if bridging is enabled)
• ipifs
• iproutes
• ipxroutes

system supporttrace

Example: system supporttrace

SYSTEM SYSLOGPORT

Manages Syslog port access including disabling and re-enabling the Syslog port or redefining the Syslog port for security reasons. For more information on configuring the router as a Syslog client, see page 153.

Note: This command requires a save and reboot to take effect.
Examples:
    system telnetport default
    system telnetport disabled
    system telnetport 3333

SYSTEM WAN2WANFORWARDING

Allows the user to manage WAN-to-WAN forwarding of data from one WAN link to another. For example, if an employee uses the router at home to access both a company network and the Internet at the same time, and the company does not want its information to pass to the Internet, this command is useful for disabling WAN-to-WAN forwarding.
ETH (Target Router Ethernet LAN Bridging and Routing)

The following commands allow you to configure the Ethernet interfaces in your router. You can:

• Set the Ethernet LAN IP address
• Define logical interfaces to provide service to multiple IP subnets
• Manage the contents of the default routing table and any virtual routing tables
• Enable and disable IP routing
• List the current configuration settings

Note: In general, these commands require a save and reboot before they take effect.
Note: This command requires a save and reboot before it takes effect.

eth add :

port#      Ethernet interface (0 for a single-port router; 0 or 1 for a dual-port router).
logical#   New logical interface number. It cannot be 0 because logical interface 0 always exists.

Example: eth add 0:1

ETH DELETE

Deletes a logical interface from an Ethernet port.
If the router has two physical Ethernet interfaces (an Ethernet hub router), the port number (0 or 1) must be specified. To specify a logical interface other than logical interface 0, specify both the port number and the logical interface number (:, for example, 0:1).

Example: eth ip addHostMapping 192.168.207.40 192.168.207.49 10.0.20.11 1

ETH IP ADDR

Defines the IP address and subnet mask for an Ethernet port or logical interface.
gateway     IP address (4 decimals separated by periods).
hops        Number of routers through which the packet must go to get to its destination.
interface   Ethernet interface through which the packet is sent out. This parameter may be omitted if the router has only one Ethernet interface. If the router has two physical Ethernet interfaces (an Ethernet hub router), the port number (0 or 1) must be specified.
interface   Ethernet interface. This parameter may be omitted if the router has only one Ethernet interface. If the router has two physical Ethernet interfaces (an Ethernet hub router), the port number (0 or 1) must be specified. To specify a logical interface other than logical interface 0, specify both the port number and the logical interface number (:, for example, 0:1).

Example:
    eth ip addServer 192.168.1.5 tcp smtp 1
    eth ip addServer 192.168.1.
  eth ip bindRoute 10.1.3.0 255.255.255.0 1 192.168.252.9 ROSA 0:1
  eth ip bindRoute 10.1.3.0 255.255.255.0 1 192.168.252.9 MIGUEL 0:1
  eth ip bindRoute 10.1.3.0 255.255.255.0 1 192.168.252.7 FRANCISCO
  eth ip addRoute 10.1.3.0 255.255.255.0 1 192.168.252.7

ETH IP DEFGATEWAY
Assigns an Ethernet default gateway for packets whose destination address does not have a route defined. This setting is most useful when IP routing is not enabled, in which case the system acts as an IP host (i.e.
If the router has two physical Ethernet interfaces (an Ethernet hub router), the port number (0 or 1) must be specified. To specify a logical interface other than logical interface 0, specify both the port number and the logical interface number (port#:logical#, for example, 0:1).

Example:
  eth ip delHostMapping 192.168.207.40 192.168.207.49 10.0.20.11 1

ETH IP DELROUTE
Removes a route from the default routing table that was added using the eth ip addroute command.
  me        Sends the incoming server request to the local router, regardless of its IP address.
  protocol  Protocol used by the selected server.
    protocolid  Numeric protocol ID.
    tcp         TCP only.
    udp         UDP only.
    all         All protocols.
  first port  First or only port as seen by the Ethernet interface. Port used by the selected server:
    portid      Numeric value between 0 and 65,535. A numeric value of 0 matches any port.
    ftp         FTP port.
    telnet      Telnet port.
    smtp        SMTP port.
    sntp        SNTP port.
    http        HTTP port.
    tftp        TFTP port.
    all         All ports.
ETH IP DISABLE
Disables IP routing across the Ethernet LAN. This command acts as a master switch allowing you to disable all IP routing for testing or control purposes.
Note: This command requires a save and reboot before it is effective.

  eth ip disable

Example:
  eth ip disable

ETH IP ENABLE
Enables IP routing across the Ethernet LAN. This command acts as a master switch allowing you to re-enable all IP routing.
Note: This command requires a save and reboot before it is effective.
  eth ip filter insert <type> <action> [<parameters>] [<line number>] [<interface>]

Inserts a filter in the list of filters for this interface and filter type. The filter is specified by the action and optional parameters. If no line number is specified, the filter is inserted at the beginning of the list; otherwise, it is inserted before the specified line. To see the line numbers, use the eth ip filter list command. Filters are used in the order they appear in their list.
The filter type specifies at which point the filter is compared to the IP packet (see the illustration under IP Filtering, on page 119):
  input    Filter is used when the packet enters the interface, before any IP address translation is performed.
  forward  Filter is used after any IP address translation, but before routing is performed.
  output   Filter is used after routing and IP address translation have been performed, just before the packet is sent out an interface.
  -dp <ICMP type> | <first port>[:<last port>]
      The packet must have a destination port that matches the specified ICMP type or that is within the specified port range. If only one port is specified, the packet must have that destination port. If no destination port is specified, the filter matches any destination port in the range 0:0xffff.
  -tcp syn|ack|noflag|rst
      If the IP packet is a TCP packet, the filter matches the packet only if the packet flag settings are as specified.
If -v (verbose) is specified, a message is printed every time this filter matches a packet, regardless of the filter action.

The optional interface determines which Ethernet interface the filter applies to. If the router has only one Ethernet interface, the interface may be omitted. If the router has two physical Ethernet interfaces (that is, a dual-port router), you must specify the port by its number (0 or 1).
The management IP address is separate from the IP address used for IP address translation. The IP address used for address translation is generally a public IP address valid on the Internet. It is set by the eth ip addr command (page 231).
Note: The management address is not effective until after the next save and reboot.
Note: To use the management address as the source address for a ping, you must specify it using the -I option on the ping command (page 194). For example, to use management address 192.
If the router has two physical Ethernet interfaces (an Ethernet hub router), the port number (0 or 1) must be specified. To specify a logical interface other than logical interface 0, specify both the port number and the logical interface number (port#:logical#, for example, 0:1).

Example: The following command decreases the MTU size for Ethernet interface 0:1 to 1400 bytes.
  eth ip mtu 1400 0:1

ETH IP OPTIONS
RIP is a protocol used for exchanging IP routing information among routers.
ETH IP RESTART
Stops and restarts a logical Ethernet interface. To read about logical Ethernet interfaces, see page 77. Certain configuration changes for a logical Ethernet interface become effective only after the logical interface is restarted or the router is rebooted. Remember to save the changes before the restart or reboot.
Note: Use restart instead of reboot whenever possible. A restart does not affect other interfaces, allowing their traffic to continue.
  eth ip start 0:1

ETH IP STOP
Stops a logical Ethernet interface. To read about logical Ethernet interfaces, see page 77.
Note: To keep certain configuration changes, you must enter a save command before stopping the logical interface.
The stopped interface is disabled until it is started again. To start a logical Ethernet interface, use the command eth ip start (page 244). To stop and immediately restart a logical Ethernet interface, use the command eth ip restart (page 244).
ETH IP UNBINDROUTE
Removes an Ethernet route from the named IP virtual routing table. To list the routes, use the iproutes command, page 191. To add an Ethernet route to a virtual routing table, use the eth ip bindRoute command.
Note: A route change in an IP virtual routing table takes effect immediately. However, the change is lost if it is not saved before the next reboot.

  eth ip unbindRoute []

  ipaddr  Ethernet LAN IP address (4 decimals separated by periods).
  interface  Ethernet interface. The default Ethernet interface is 0:0. To specify a logical interface other than 0:0, specify both the port number (0 or 1) and the logical interface number using the format port#:logical# (for example, 0:1).

Examples:
This command assigns VRID 7 to the logical Ethernet interface 0:1.
  eth ip vrid 7 0:1
This command clears the VRRP interface designation from interface 0:1.
  eth ip vrid 0 0:1
This command assigns VRID 1 to the default logical Ethernet interface 0:0.
  eth ipx enable [port#]

  port#  Port number of the Ethernet LAN. This number must be 0 or 1, or it may be omitted.

Example:
  eth ipx enable

ETH IPX FRAME
Sets the frame encapsulation method. The default is 802.2.

  eth ipx frame <type>

  type  802.2 (DEC standard), 802.3 (Intel standard), or dix (Xerox/Ethernet II standard).

Example:
  eth ipx frame 802.3

ETH LIST
Lists information about the Ethernet interfaces including the status of bridging and routing, IP protocol controls, and IP address and subnet mask.
  IP filters defined................... no
  IP address/subnet mask............... 192.168.0.101/255.255.255.0
  Static Ethernet routes defined....... 1
    IP address/subnet mask............. 0.0.0.0/0.0.0.0
    IP gateway/metric.................. 192.168.0.252/1
  Virtual Ethernet routes defined...... none
  IPX External network number.......... 00000000
  IPX Frame type....................... 802.2
  MTU.................................. default

ETH VRRP ADD
Defines a VRRP attribute record for the VRID (virtual router ID).
Note: This command takes effect immediately, but you must save the change if it is to persist after you restart the interface or reboot the router.

  eth vrrp clear password <vrid> [<port#>]

  vrid   Virtual router ID of the VRRP attribute record (integer, 1-255). The attribute record was created by the command eth vrrp add (page 249).
  port#  Physical Ethernet interface (port) number (0 or 1). The default is 0; the parameter may be omitted if the router has only one port.
  port#  Physical Ethernet interface (port) number (0 or 1). The default is 0; the parameter may be omitted if the router has only one port. If the router has two ports (an Ethernet hub router), the port number (0 or 1) must be specified.

Example: This command lists the attribute records for the default port 0.
  eth vrrp list

ETH VRRP SET MULTICAST
Changes the multicast address used for VRRP router announcements. This address is used by all VRRP announcements from this router, regardless of VRID or port.
  eth vrrp set option preempt | nopreempt <vrid> [<port#>]

  preempt    Preempt immediately.
  nopreempt  Do not preempt a router with lower priority.
  vrid       Virtual router ID of the VRRP attribute record (integer, 1-255). The attribute record was created by the command eth vrrp add (page 249).
  port#      Physical Ethernet interface (port) number (0 or 1). The default is 0; the parameter may be omitted if the router has only one port.
ETH VRRP SET PRIORITY
Specifies the priority attribute in a VRRP attribute record for the VRID (virtual router ID). The priority value determines which VRRP router in the LAN takes over when a VRRP router fails. For more information, see VRRP Backup, on page 107.
Note: If you do not specify a priority value for a VRRP attribute record, the default priority, 100, is used. The priority for the master router must be the maximum, 255; the priority for each backup router must be less than 255.
  Skew_Time = (256 - Priority) / 256

Thus, the default skew time is (256 - 100) / 256, or 0.609375. The default master down interval is (3 * 1) + 0.609375, or 3.609375 seconds. For more information, see VRRP Backup, on page 107.

Note: The time interval must be the same for every router in the Virtual Router, that is, for every router in the LAN with the same VRID. For example, if a VRRP interface in routers A, B, and C has the VRID 7, routers A, B, and C must all specify the same time interval for VRID 7.
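As an added example (not part of the manual), the following Python applies the formulas above to a set of backup routers and shows the order in which they would declare the master down; the router names and priorities are constructed, and the 3 * Advertisement_Interval term with a 1-second default follows the manual's (3 * 1) figure.

```python
# Added example, not code from the manual: VRRP backup timers using the
# manual's Skew_Time formula and Master_Down_Interval = 3 * Adv + Skew_Time.
from typing import Dict, List, Tuple

DEFAULT_PRIORITY = 100   # manual: used when no priority is given
MASTER_PRIORITY = 255    # manual: the master's priority must be 255


def skew_time(priority: int) -> float:
    """Skew_Time in seconds; a higher priority gives a smaller skew."""
    if not 1 <= priority <= MASTER_PRIORITY:
        raise ValueError("VRRP priority must be 1-255")
    return (256 - priority) / 256


def master_down_interval(priority: int, adv_interval: float = 1.0) -> float:
    """Seconds a backup waits without advertisements before it takes over:
    three missed advertisement intervals plus its skew time."""
    return 3 * adv_interval + skew_time(priority)


def takeover_order(backups: Dict[str, int], adv_interval: float = 1.0) -> List[Tuple[str, float]]:
    """Backups sorted by the moment they would time out after the master fails.
    adv_interval is shared by all of them, as the manual's note requires."""
    for name, prio in backups.items():
        if prio >= MASTER_PRIORITY:
            raise ValueError(f"{name}: a backup's priority must be less than 255")
    timed = [(name, master_down_interval(prio, adv_interval)) for name, prio in backups.items()]
    return sorted(timed, key=lambda item: item[1])


if __name__ == "__main__":
    # Constructed sample: three backups for one VRID with different priorities.
    print(master_down_interval(DEFAULT_PRIORITY))   # 3.609375
    for name, secs in takeover_order({"A": 254, "B": 200, "C": DEFAULT_PRIORITY}):
        print(f"{name}: would take over after {secs:.6f} s")
```

The backup with the highest priority has the shortest interval and therefore wins the election, which is why the manual ties priority to who takes over.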
Remote Access Configuration

The following commands allow you to add, delete, and modify remote routers to which the target router can connect. Remote router information that can be configured includes:
• PVC numbers
• Security authentication protocols and passwords
• WAN IP/IPX addresses
• IP routes
• IPX routes and SAPs
• Remote bridging addresses and bridging control
• Host mapping
• Encryption (optional)
• IP filtering (optional)
• L2TP tunneling (optional)

Chapter 8.
REMOTE Commands

REMOTE ?
Lists the supported keywords. (The list varies depending on the router model.)
REMOTE ADDBRIDGE
Defines the remote router entry as the default bridging destination for outbound bridging. The command can define either the default bridging destination for all MAC addresses or the default bridging destination for a specific MAC address. When you specify a MAC address on this command, a permanent entry for that address is created in the bridging table. Thereafter, packets that contain that MAC address are bridged using the specified remote router entry.
REMOTE ADDIPROUTE
Adds an IP address route to a network or station on the LAN connected beyond the remote router. The route is added to the default routing table. The target router's routing table must be seeded statically to access networks and stations beyond this remote router. After the connection is established, standard RIP update packets can dynamically add to the routing table.
  ipxNet      IPX network number represented by 8 hexadecimal characters.
  metric      Number of routers through which the packet must go to get to the network/station.
  ticks       Number in 1/8 seconds which is the estimated time delay in reaching the remote network or station.
  remoteName  Name of the remote router (character string).

Example:
  remote addIpxRoute 456 1 4 HQ

REMOTE ADDIPXSAP
Adds an IPX SAP to the server information table for a service on the LAN network connected beyond the remote router.
  ipaddr    Selects the host with this IP address as server (4 decimals separated by periods).
  discard   Discards the incoming server request.
  me        Sends the incoming server request to the local router, regardless of its IP address.
  protocol  Protocol used by the selected server.
    protocolid  Numeric protocol ID.
    tcp         TCP only.
    udp         UDP only.
    all         All protocols.
  first port  First or only port as seen by the remote end. Port used by the selected server:
    portid      Numeric value between 0 and 65,535.
  remoteName  Name of the remote router (character string).

Example: The following command adds a route to virtual routing table FRANCISCO. The route is to IP address 10.1.2.0/255.255.255.0 and goes through remote router HQ.
  remote bindIPVirtualRoute 10.1.2.0 255.255.255.0 1 francisco HQ

REMOTE BLOCKNETBIOS
This command turns on or turns off a filter that blocks all NetBIOS packets over this WAN connection.
Example:
  remote delbridge 01:08:03:0A:0B:0C HQ

REMOTE DELENCRYPTION
Deletes encryption files associated with a remote router.

  remote delEncryption <remoteName>

  remoteName  Name of the remote router (character string).

Example:
  remote delEncryption HQ

REMOTE DELHOSTMAPPING
Undoes an IP address/host translation (remapping) range that was previously established with the command remote addhostmapping on a per-remote-router basis.
REMOTE DELIPXROUTE
Deletes an IPX address for a network on the LAN connected beyond the remote router.
Note: The reboot command must be issued on the target router for a deleted static route to take effect.

  remote delIpxroute <ipxNet> <remoteName>

  ipxNet      IPX network number represented by 8 hexadecimal characters.
  remoteName  Name of the remote router (character string).

Example:
  remote delIpxRoute 010a020b HQ

REMOTE DELIPXSAP
Deletes an IPX service on the LAN network connected beyond the remote router.
REMOTE DELOURPASSWD
Removes the unique CHAP or PAP authentication password entries established by the command remote setOurPasswd.

  remote delOurPasswd <remoteName>

  remoteName  Name of the remote router (character string).

Example:
  remote delOurPasswd HQ

REMOTE DELOURSYSNAME
Removes the unique CHAP or PAP authentication system name entries established by the command remote setOurSysName.

  remote delOurSysName <remoteName>

  remoteName  Name of the remote router (character string).
REMOTE DELSERVER
Deletes an entry created by the remote addServer command (page 259).

  remote delServer [ []]

  action  One of the following command actions:
    ipaddr   Selects the host with this IP address as server (4 decimals separated by periods).
    discard  Discards the incoming server request.
    me       Sends the incoming server request to the local router, regardless of its IP address.
  protocol  Protocol used by the selected server.
REMOTE DISAUTHEN
This command is intended for situations where third-party routers cannot be authenticated; the target router will not attempt to authenticate the remote router.

  remote disAuthen <remoteName>

  remoteName  Name of the remote router (character string).

Example:
  remote disAuthen HQ

REMOTE DISBRIDGE
Disables bridging from the target router to the remote router.
Note: This command requires rebooting the target system for the change to take effect.
REMOTE ENABRIDGE
Enables bridging from the target router to the remote router. This command requires rebooting the target system for the change to take effect.

  remote enaBridge <remoteName>

  remoteName  Name of the remote router (character string).

Example:
  remote enaBridge HQ

REMOTE IPFILTER
This command manages the IP filters on the WAN interface. The filters screen IP packets at the interface level. You can define filters for any entry in the remote router database.
If no line numbers are specified, all filters in the list are deleted. If only the first line number is specified, all filters from that line to the end are deleted. To see the line numbers, use the remote ipfilter list command. Filters are used in the order they appear in their list.

  remote ipfilter clear [<first line> [<last line>]] [<remoteName>]

Resets the counters for the specified filters. A filter has a counter if the -c parameter was specified for the filter.
  drop     The packet is discarded, without sending an ICMP (Internet Control Message Protocol) error message.
  reject   The packet is discarded and an ICMP error message is returned to the sender.
  inipsec  The packet is passed to IPSec for decrypting. The filter is intended to match packets coming from the other IPSec gateway.
- Specify -tcp noflag if neither the SYN flag nor the ACK flag can be set.

For example, for the IP filter to match the initiation of a TCP connection, specify -tcp syn. The filter will match TCP packets that have the TCP SYN flag set but not the TCP ACK flag set. For the filter to match the response to initiation of a TCP connection, specify -tcp syn and -tcp ack. The filter will match only TCP packets with both the TCP SYN and TCP ACK flags set.
  remote ipfilter append forward drop -da 192.168.0.0 -dm 255.255.0.0 internet
  remote ipfilter append forward drop -da 192.168.0.0:192.168.255.255 internet

This command lists all IP filters of type Forward for the remote interface internet.
  remote ipfilter list forward internet

REMOTE LIST
Lists the remote router entry (or all the entries) in the remote router database.
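The following Python is an added example, not the router's code or the manual's: it models the filter semantics documented above for eth ip filter and remote ipfilter (one ordered list evaluated first match first, -da/-dm and -da first:last destination ranges, -dp port ranges defaulting to 0:0xffff, and the -tcp syn/ack/noflag tests) against constructed packets, and checks that the two forms of the 192.168/16 drop rule above are equivalent. The result when no filter matches, the meaning of -tcp ack alone and -tcp rst, and the rule that a -tcp test never matches a non-TCP packet are assumptions the page does not state.

```python
# Added example (not the router's code); assumptions are marked in the comments.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10   # TCP header flag bits

@dataclass
class Filter:
    ftype: str                                     # input | forward | output
    action: str                                    # accept | drop | reject | inipsec
    dst_range: Tuple[int, int] = (0, 0xFFFFFFFF)   # any destination address
    dst_ports: Tuple[int, int] = (0, 0xFFFF)       # manual: unspecified = 0:0xffff
    tcp_flags: List[str] = field(default_factory=list)
    interface: Optional[str] = None                # Ethernet port or remote name

@dataclass
class Packet:                      # constructed test packets, not a real header parser
    dst: str
    dport: int = 0
    proto: str = "tcp"
    tcp_flags: int = 0

def _addr_range(addr: str, mask: Optional[str]) -> Tuple[int, int]:
    """-da A:B is an inclusive range; -da A -dm M is the subnet of A under mask M."""
    if ":" in addr:
        lo, hi = addr.split(":", 1)
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network((addr, mask or "255.255.255.255"), strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_filter(spec: str) -> Filter:
    """Parse '<type> <action> [parameters] [interface]' as the manual writes it,
    e.g. 'forward drop -da 192.168.0.0 -dm 255.255.0.0 internet'."""
    tokens = spec.split()
    flt = Filter(ftype=tokens[0], action=tokens[1])
    da = dm = None
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        if not opt.startswith("-"):                # trailing interface / remote name
            flt.interface = opt
        else:
            i += 1
            val = tokens[i]
            if opt == "-da":
                da = val
            elif opt == "-dm":
                dm = val
            elif opt == "-dp":                     # single port or first:last
                lo, _, hi = val.partition(":")
                flt.dst_ports = (int(lo, 0), int(hi or lo, 0))
            elif opt == "-tcp":
                flt.tcp_flags.append(val)
            else:
                raise ValueError(f"option {opt} is not modelled in this example")
        i += 1
    if da:
        flt.dst_range = _addr_range(da, dm)
    return flt

def _flags_ok(flags: int, wanted: List[str]) -> bool:
    """Manual: 'syn' alone = SYN set and ACK clear; 'syn' plus 'ack' = both set;
    'noflag' = neither set. 'ack' alone (ACK set, SYN clear) and 'rst' (RST set)
    are assumptions; the page does not spell them out."""
    syn, ack = bool(flags & FLAG_SYN), bool(flags & FLAG_ACK)
    if "noflag" in wanted:
        return not syn and not ack
    if ("syn" in wanted or "ack" in wanted) and (
            syn != ("syn" in wanted) or ack != ("ack" in wanted)):
        return False
    return not ("rst" in wanted and not flags & FLAG_RST)

def matches(flt: Filter, pkt: Packet) -> bool:
    dst = int(ipaddress.IPv4Address(pkt.dst))
    if not (flt.dst_range[0] <= dst <= flt.dst_range[1]
            and flt.dst_ports[0] <= pkt.dport <= flt.dst_ports[1]):
        return False
    # Assumption: a filter carrying a -tcp test never matches a non-TCP packet.
    if flt.tcp_flags and (pkt.proto != "tcp" or not _flags_ok(pkt.tcp_flags, flt.tcp_flags)):
        return False
    return True

class FilterList:
    """Ordered filters for one interface; the first matching filter decides."""
    def __init__(self) -> None:
        self.filters: List[Filter] = []
    def append(self, spec: str) -> None:
        self.filters.append(parse_filter(spec))
    def insert(self, spec: str, line: Optional[int] = None) -> None:
        # Manual: no line number inserts at the beginning, otherwise before that line.
        self.filters.insert(0 if line is None else line - 1, parse_filter(spec))
    def evaluate(self, ftype: str, pkt: Packet) -> Optional[str]:
        hit = next((f for f in self.filters if f.ftype == ftype and matches(f, pkt)), None)
        return hit.action if hit else None   # None: nothing matched (default not on the page)

if __name__ == "__main__":
    fl = FilterList()
    fl.append("forward drop -da 192.168.0.0 -dm 255.255.0.0 internet")   # the manual's example
    fl.append("input accept -dp 25 -tcp syn internet")    # constructed: new SMTP connections only
    fl.append("input reject -tcp syn internet")           # constructed: refuse other new connections
    print(fl.evaluate("input", Packet("10.0.0.1", 80, tcp_flags=FLAG_SYN)))   # reject
```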
  mtu.................................. 1500

REMOTE LISTBRIDGE
Lists the current bridge settings for the specified remote router entry.

  remote listBridge [<remoteName>]

  remoteName  Name of the remote router (character string). If a name is omitted, the bridge settings for all remote router entries are listed.

Example:
  # remote listbridge
  BRIDGING INFORMATION FOR
  Bridging enabled.................... yes
  Exchange spanning tree with dest... no
  Bridge only PPPoE with dest........
  Total IP remote routes............... 5
  192.168.210.0/255.255.255.0/1
  10.0.0.0/255.0.0.0/1
  172.16.0.0/255.240.0.0/1
  192.168.0.0/255.255.0.0/1
  10.1.2.0/255.255.255.0/1 through

REMOTE LISTIPXROUTES
Lists all network IPX route addresses defined for the LAN connected beyond the remote router. The network number, hop count, and ticks are displayed. If the remote name is not specified, a list of IPX routes is displayed for each remote router in the database.
  remote listPhones <remoteName>

  remoteName  Name of the remote router (character string).

Example:
  remote listPhones HQ
Response:
  PHONE NUMBER(s) FOR
  Connection Identifier (VPI*VCI)...... 0*38

Note: If the remote name is not specified, a list of phone numbers is displayed for each remote router in the database.

REMOTE RESTART
Stops the current active session and starts a new active session for a remote.
  E164        ITU E164 encoding.
  partial     The MAC address of the router is substituted for octets 2-7 of the NSAP.
  full        No change is made to the specified NSAP.
  NSAP        Specified as 40 hex digits or 20 octets (2-digit pairs separated by colons).
  remoteName  Name of the remote router (character string).

Example:
  # rem setatmnsap atfm partial 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:10:11:12:13 co
  # remote list
  INFORMATION FOR
  Status.............................................
  in | out | both  Incoming traffic, outgoing traffic, or both. The default is both.
  remoteName       Name of the remote router (character string).

Example:
  remote setBOD out HQ

REMOTE SETBROPTIONS
Sets controls on bridging for the remote router entry. To see the current bridging settings for remote router entries, use the remote listbridge command (page 272).
Warning: Do not change the stp setting without approval from your system administrator.
The threshold is used in bandwidth on demand management. Initially, a call is activated on one B-channel. When bandwidth utilization reaches the bandwidth threshold, the second B-channel is activated. (The additional channel is available if the maximum links was set to 2 by a remote setmaxline command, page 280.) Both channels are utilized until the bandwidth utilization drops below the threshold. The default is 0% utilization, in which case both channels are always used for data transmission.
  remoteName  Name of the remote router (character string).

Example:
  remote setEncryption dese tx 1111111111111111 HQ
  remote setEncryption dese rx 2222222222222222 HQ

REMOTE SETENCRYPTION (Diffie-Hellman Encryption)
This command is used to specify encryption based on the Diffie-Hellman key-exchange protocol. Each router possesses an internal encryption file that is associated with a public key providing 768-bit security. The predefined keys can be replaced by the user.
  txrip   Transmit IP RIP-1 compatible broadcast packets and RIP-2 multicast packets to the remote site. When this option is set on, the local router sends routing information packets to the remote site. The default is off.
  txrip1  Transmit broadcast RIP-1 packets only.
  txrip2  Transmit multicast RIP-2 packets only.
  txdef   Transmit the local router's default IP route. When this option is set to on, the local router sends the default route to the remote site. The default is off.
routers' local WAN port. This command requires that you define a Source WAN IP Address with the command remote setSrcIpAddr.

  remote setIPTranslate on|off <remoteName>

  remoteName  Name of the remote router (character string).

Example:
  remote setIPTranslate on HQ

REMOTE SETIPXADDR
Sets the IPX network number for the remote WAN connection.

  remote setIpxaddr [port#]

  ipxNet  IPX network number represented by 8 hexadecimal characters.
  port#   Port number of the Ethernet LAN.
  remote setMaxLine 2 HQ

REMOTE SETMGMTIPADDR
This command assigns to the remote router entry an IP address which is to be used for management purposes only and not for IP address translation. This management IP address is generally a private network address used solely by the ISP. The management IP address is separate from the IP address used for IP address translation. The IP address used for address translation is generally a public IP address valid on the Internet.
The following command keeps a channel allocated for the session even when there is no traffic.
  remote setMinLine 1 PPPoEuser
The following commands set up a timeout period so that, if there is no traffic for 10 minutes (600 seconds), the channel is deallocated.
  remote setMinLine 0 PPPoEuser
  remote settimer 600 PPPoEuser

REMOTE SETMTU
Sets the maximum transfer unit for the remote interface. To see the current MTU size for an active remote that is doing IP routing, use the ipifs command (page 191).
REMOTE SETOURSYSNAME
Sets a unique CHAP or PAP authentication system name for the local router that is used for authentication when the local router connects to the specified remote router. This system name overrides the system name set in the system name command. A common use is to set a password assigned to you by Internet Service Providers.

  remote setOurSysName <name>

  name  System name of the target router.
Note: The system name is case-sensitive and may be no more than 255 characters.
  remoteName  Name of the remote entry (character string).

Example:
  # The phone number begins with 9 (to get an outside line), a comma (for a 2-second
  # pause), and finally the 7-digit local number.
  remote setphone async 1 9,3801100 backup
  remote setspeed 115200 async 1 backup
  # Specifies the alternative phone number to be used and its bit rate.
  remote setphone async 2 9,3801101 backup
  remote setspeed 115200 async 2 backup

REMOTE SETPPPOPT
Turns on or turns off a PPP option.
  RFC1483     RFC 1483 protocol.
  RFC1483MER  RFC 1483MER (MAC Encapsulated Routing) protocol.
  FRF8        This protocol implements ATM to frame relay as defined in the Frame Relay Forum FRF.8 Interworking Agreement.
  RAWIP       RawIP protocol.
  remoteName  Name of the remote router (character string).

Example:
  remote setProtocol ppp fp1

REMOTE SETPVC
Specifies the PVC number for connecting to the remote router.
For more information on the Dial Backup option, see page 149.

  remote setSpeed <bitrate> | default async 1 | 2 <remoteName>

  bitrate     Bit rate to be used for the phone number. Possible speeds are 38400, 57600, 115200, or 230400.
  default     Use the default speed.
  1           Primary phone number.
  2           Alternative phone number.
  remoteName  Name of the remote entry (character string).

Example:
  # Specifies the primary phone number and its bit rate.
A timeout period is desirable if your service provider charges by the hour. However, the connection has to wait a few seconds each time a channel is re-allocated.
Note: The timeout period set by this command is not effective if a remote setMinLines command has changed the minlines value from its default (0) to 1 or 2.

  remote setTimer <seconds> <remoteName>

  seconds     Number of seconds in the timeout period. The default is 60.
  remoteName  Name of the remote router (character string).
  STATISTICS FOR :
  Current state ........................ currently connected
  Current output bandwidth ............. 0 bps
  Current input bandwidth .............. 0 bps
  Current bandwidth allocated .......... 25600000 bps
  On port ATM_VC/1 ..................... 0+01:02:36 (0%/0% of 25600000 bps)
  Total connect time ................... 0+01:11:48
  Total bytes out ...................... 15896
  Total bytes in ....................... 0
  STATISTICS FOR :
  Current state ........................
Example: The following command stops the active session for remote HQ.
  remote stop HQ

REMOTE UNBINDIPVIRTUALROUTE
Removes a remote route from the named IP virtual routing table. To list the remote routes, use the remote listIProutes command, page 272. To add a remote route, use the remote bindIPVirtualRoute command, page 260.
Note: A route change in an IP virtual routing table takes effect immediately. However, the change is lost if it is not saved before the next remote restart or reboot.
ADSL Commands

Use the following commands to manage the ADSL (Asymmetric Digital Subscriber Line) link for an ADSL router.

ADSL ?
Lists the supported keywords.
  adsl ?
Response:
  ADSL commands: ? restart stats speed

ADSL RESTART
Resynchronizes the modem with the CO (Central Office) equipment.
ADSL STATS
Shows the current error status for the ADSL connection.

  adsl stats [clear]

  clear  Option used to reset the counters.

Example:
  adsl stats
Response:
  ASDL Statistics:
  Out of frame errors .....
  HEC errors received .....
  CRC errors received .....
  FEBE errors received ....
  Remote Out-of-frame .......
  Remote HEC errors .........
ATM Commands

Use the following commands to manage the ATM (Asynchronous Transfer Mode) link for an ATM router.

ATM ?
Lists the supported keywords.
  atm ?
Example:
  atm ?
Response:
  ATM commands: ? help echoPVC voicePVC findPVC

ATM PCR
Sets the speed of the ATM link in cells per second. To set the speed in kilobits per second, use the command atm speed (page 293).

  atm pcr <cells/second>

  cells/second  Number of cells per second.

Example:
  atm pcr 471

ATM RESET
Performs traffic shaping.
ATM SPEED
Sets the speed of the ATM link in kilobits per second. The default upstream speed is 326 Kb/s. Use this command if the upstream speed exceeds 326 Kb/s. Generally, your speed value is obtained from your Network Service Provider. To set the speed in cells per second, use the command atm pcr (page 292).

  atm speed [upstream speed in Kb/s]

  upstream speed in Kb/s  Number provided by the Network Service Provider. The default value for the upstream speed is 326 Kb/s.
  remote setATMtraffic 47 1 HQ
The following command disables ATM traffic-shaping on remote router HQ:
  remote setATMtraffic 0 0 HQ
DMT Commands

These commands manage the ADSL DMT (Discrete MultiTone) router. To see additional DMT debug commands, see ADSL DMT Router Debug Commands, on page 184.

DMT LINK
Selects the link type for the ADSL DMT router. The link type survives reboots. Normally, the CO and CPE negotiate the link type to be used. Use the dmt link command when you do not want the CO and CPE to negotiate the link type, but instead want to specify the type of data link required.
Dual-Ethernet Router (ETH) Commands

The following Ethernet commands are used to manage the Ethernet interfaces of the Dual-Ethernet (Ethernet-to-Ethernet) router and thus are specific to that type of router only. For the other Ethernet commands, see page 229.
• The Dual-Ethernet router has two interfaces:
    ETH/0  Hub with four 10Base-T connectors
    ETH/1  Single 10Base-T connector
• This Dual-Ethernet router may be configured via the Web Browser GUI or from the Command Line Interface (CLI).
  option stp  Set this option to on to use the Spanning Tree Protocol (STP). The default is on. STP is used to detect bridging loops. Set this option to off only if the bridging peers do not support the Spanning Tree Protocol or if you are certain that no bridging loops could exist. When STP is disabled on an interface, any STP packets received on that interface are ignored.
HDSL Commands

Use the following commands to manage the HDSL (High-Speed Digital Subscriber Line) link for an HDSL router.

General Information about HDSL

Line activation
Line activation is independent of network settings. During activation, the Link light (on the front panel of the router) first is yellow and then turns green when the link becomes active. The router at the CPE end will try auto-speed detection, starting at 384 and then trying to detect the next higher speed (for about 30 seconds per speed).
HDSL ?
Lists the supported keywords.
  hdsl ?
Example:
  hdsl ?
Response:
  HDSL commands: ? save help speed terminal

HDSL SAVE
Saves the HDSL-related changes across restarts and reboots.
  hdsl save
Example:
  hdsl save

HDSL SPEED
CO end: Sets the speed manually on the Central Office (CO) end only.
CPE end: The router on the Customer Premises End (CPE) is always in auto-speed mode: it uses an auto-speed algorithm to attempt to match the CO speed. The command hdsl speed noauto is used to override auto-speed.
HDSL TERMINAL
The router is by default configured as the Customer Premises Equipment (CPE). Use this command if you intend to configure the router as the Central Office equipment (CO).
  hdsl terminal cpe  defines the CPE end (default configuration)
  hdsl terminal co   defines the CO end
  hdsl terminal      displays the current settings

  hdsl terminal [cpe|co]

  co  This option lets you define the router as the CO.

Example:
  hdsl terminal
Response:
  Customer Premises
Example:
  hdsl terminal co
IDSL Commands

An IDSL (ISDN Digital Subscriber Line) delivers a maximum symmetric 144 Kbps of bandwidth. The IDSL bandwidth is composed of two 64 Kbps B channels, plus one 16 Kbps D channel. Your speed setting indicates the channels that you are using.

When using Frame Relay:
• Your IDSL switch setting indicates your committed bandwidth (FR64, FR128, or FR144).
• The IDSL router can support several DLCI virtual circuits over a Frame-Relay IDSL link.
The IDSL bandwidth is composed of two 64 Kbps B channels, plus one 16 Kbps D chann
el. Your speed setting indicates the channels that you are using.

  idsl set speed 64 | 128 | 144

  64   64 Kbps (one channel)
  128  128 Kbps (two channels)
  144  144 Kbps (three channels)

Example:
  # idsl set speed 144

IDSL SET SWITCH
Specifies link speeds of 64, 128, or 144 Kbps for the IDSL connection.
REMOTE SETPROTOCOL
This IDSL-specific command is used to select the appropriate link protocol for your IDSL connection. Your Network Service Provider will tell you which link protocol to use.

  remote setProtocol PPP | FR | MER <remoteName>

  PPP         PPP protocol with no encapsulation.
  FR          RFC 1490 protocol (Multiprotocol encapsulation over Frame Relay).
  MER         RFC 1490 protocol with MAC Encapsulated Routing.
  remoteName  Name of the remote router (character string).

Example:
  remote setProtocol FR HQ
SDSL Commands

The commands in this section manage the Symmetric Digital Subscriber Line (SDSL) link for an SDSL router.
• sdsl preact    Disables or re-enables autobaud pre-activation.
• sdsl speed     Displays and sets the line speed.
• sdsl stats     Displays and clears SDSL statistics.
• sdsl terminal  Redefines the router as CO equipment.

Line activation
Line activation is independent of network settings.
  03/09/1998-17:15:35:DOD: link to co over ATM-VC/1 is now up
  03/09/1998-17:15:57:SDSL: Line Rate at last activation saved

Autobaud pre-activation
The previous section showed an example in which auto-speed detection attempted several speeds, before settling on the best speed for the connection. In some cases, this process can require substantial time.
The default status is on. However, to be effective, autobaud pre-activation must also be enabled at the Central Office (CO) end of the connection.
Note: Remember to enter an sdsl save or save command to save SDSL changes across restarts and reboots.
To determine the current pre-activation status, enter sdsl preact. For more information on the autobaud feature, see Autobaud pre-activation, on page 305.

  sdsl preact [on | off]

  on  Enables pre-activation at the customer premises (CPE) end.
    speed   Speed in kbps. To see the speeds available for the model type, enter sdsl speed. If the auto-speed search is in progress, this command stops the search and sets the line speed as specified on the command.
    noauto  Overrides auto-speed detection. If auto-speed detection is disabled, the Link light on the front panel is amber when the line tries to activate. (Auto-speed detection is reinstated if you enter an sdsl speed command.)

Example: The example shows three commands:
1.
sdsl terminal [cpe | co]
    cpe     Defines the router as the customer premises (CPE) equipment.
    co      Defines the router as the central office (CO) equipment.

Example:
    # sdsl terminal
    Customer Premises
    # sdsl terminal co
    Central Office
DHCP Commands
The following DHCP (Dynamic Host Configuration Protocol) commands allow you to:
• Enable and disable subnetworks and client leases.
• Add subnetworks and client leases.
• Set the lease time.
• Change client leases manually.
• Set option values globally, for a subnetwork, or for a client lease.
• Enable/disable BootP.
• Use BootP to specify the boot server.
• Define option types.
    max     Maximum number of value(s).
    type    byte | word | long | longint | binary | ipaddress | string

Example 1:
    dhcp add 192.168.254.0 255.255.255.0    (adds this subnetwork)
Example 2:
    dhcp add 192.168.254.31                 (adds this client lease)
Example 3:
    dhcp add 128 1 4 ipAddress              (adds this option type)

Note: In example 3, 128 is the option code and allows IP addresses, the server has a minimum of one IP address, the server can have up to four IP addresses, and the type is "ipaddress".
dhcp bootp disallow |
    net     IP address of the subnetwork lease in the format of 4 decimals separated by periods.
    ipaddr  IP address of the client lease in the format of 4 decimals separated by periods.

Example:
    dhcp bootp disallow 192.168.254.0

DHCP BOOTP FILE
Specifies the boot file name (kernel) and the subnet to which it applies.

Note: Be sure to specify the TFTP server IP address when you specify the file using the command dhcp bootp tftpserver (page 313).
dhcp clear addresses
    net     IP address of the subnetwork lease in the format of 4 decimals separated by periods.

Example:
    dhcp clear addresses 192.168.254.0

DHCP CLEAR ALL RECORDS
Clears all DHCP information, including all leases and all global DHCP information. Unlike erase dhcp, this command clears all DHCP information from memory, but leaves the DHCP.DAT file intact. If you want to clear the information in the DHCP.DAT file as well, enter a save command after dhcp clear all records.
Examples:
    dhcp clear valueoption 4
    dhcp clear valueoption 192.168.254.0 7
    dhcp clear valueoption 192.168.254.2 gateway

DHCP DEL
Deletes a subnetwork lease, a specific client lease, or a code.

dhcp del |
    net     IP address of the subnetwork lease in the format of 4 decimals separated by periods.
    ipaddr  IP address of the client lease in the format of 4 decimals separated by periods.
    code    The user-defined code; it can be a number from 128 to 254 or a keyword.

Example 1:
    dhcp del 192.
DHCP DISABLE
Disables a subnetwork or a client lease.

dhcp disable all | |
    all     Disables all subnets.
    net     IP address of the subnetwork lease in the format of 4 decimals separated by periods.
    ipaddr  IP address of the client lease in the format of 4 decimals separated by periods.

Examples:
    dhcp disable 192.168.254.0
    dhcp disable 192.168.254.17

DHCP ENABLE
Enables a subnetwork or a client lease.

dhcp enable all | |
    all     Enables all subnets.
    DOMAINNAME (15)............ efficient.com
    WINSSERVER (44)............ 192.168.254.73
    Subnet 192.168.254.0, Enabled
    Mask....................... 255.255.255.0
    first ip address........... 192.168.254.2
    last ip address............ 192.168.254.253
    lease...................... Default
    bootp...................... not allowed
    bootp server............... none
    bootp file.................
    GATEWAY (3)................ 192.168.254.254
    client 192.168.254.2, Ena, jo-computer, Expired
    client 192.168.254.
Example 1: The following command lists all available options (they may be predefined, as in the list below, and/or user-defined):
    # dhcp list definedoptions
    code TIMEOFFSET (2), 1 occurrence, type LONG
    code GATEWAY (3), 1 to 63 occurrences, type IPADDRESS
    code TIMESERVER (4), 1 to 63 occurrences, type IPADDRESS
    code NAMESERVER (5), 1 to 63 occurrences, type IPADDRESS
    code DOMAINNAMESERVER
    code SUBNETMASK (1
    code REQUESTEDIPADDR (50), 1 occurrence, type IPADDRESS-RESERVED
    code IPADDRLEASETIME (51), 1 occurrence, type LONGINT-RESERVED
    code OPTIONOVERLOAD (52), 1 occurrence, type BYTE-RESERVED
    code MESSAGETYPE (53), 1 occurrence, type BYTE-RESERVED
    code SERVERIDENTIFIER (54), 1 occurrence, type IPADDRESS-RESERVED
    code PARAMREQUESTLIST (55), 1 to 255 occurrences, type BYTE-RESERVED
    code MESSAGE (56), 1 to 255 chara
dhcp set addresses
    first ipaddr    First address in a pool of addresses for a particular subnetwork.
    last ipaddr     Last address in a pool of addresses for a particular subnetwork.

Example:
    dhcp set addresses 192.168.254.1 192.168.254.250

DHCP SET EXPIRE
This command is used to manually change a client lease expiration time to a certain value.

Note 1: Changing a client lease time manually is rarely required.
Note 2: The client information does not get updated.
Example 3:
    dhcp set lease 192.168.254.0 infinite   (sets lease time to infinite for this subnet)
DHCP SET MASK
Used to conveniently change the mask of a DHCP subnet without having to delete and recreate the subnet and all its entries.

dhcp set mask
    net     IP address of the subnetwork lease in the format of 4 decimals separated by periods.
    mask    IP network mask, in the format of 4 decimals separated by periods.

Example:
    dhcp set mask 192.168.254.0 255.255.255.
    value   Value to be assigned to the specified option. It could be a byte, word, signed long, unsigned long, binary, IP address, or string, depending on the option.

Example 1: This command does not specify a client or subnetwork address, and thus sets a global value for the domainnameserver option.
    dhcp set valueoption domainnameserver 192.168.254.2 192.168.254.3
Example 2: This command sets the value for the gateway option associated with the subnetwork.
    dhcp set valueoption gateway 192.168.254.0 192.168.
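The option-type rules behind dhcp add (code, minimum and maximum number of values, type) and the value assignment done by dhcp set valueoption are shown together in the following added example. It is illustrative code, not the router's own, and it models both commands: user-defined codes are limited to 128 to 254 as the manual states, the occurrence count is checked against the definition, and the values are packed into the option's wire form (code, length, data). The byte widths assumed for the manual's type names are noted in the code and are assumptions.

```python
"""DHCP option-type definitions and value encoding (added example, not router code).

Models 'dhcp add <code> <min> <max> <type>' and the value checks and packing
done for 'dhcp set valueoption'. The encodings chosen for the manual's type
names are assumptions: byte=1 octet, word=2, long=4 unsigned, longint=4
signed, binary=raw hex string, ipaddress=4 octets, string=ASCII text.
"""
import ipaddress
import struct

ENCODERS = {
    "byte":      lambda v: struct.pack("!B", int(v)),
    "word":      lambda v: struct.pack("!H", int(v)),
    "long":      lambda v: struct.pack("!I", int(v)),
    "longint":   lambda v: struct.pack("!i", int(v)),
    "binary":    lambda v: bytes.fromhex(v),
    "ipaddress": lambda v: ipaddress.IPv4Address(v).packed,
    "string":    lambda v: v.encode("ascii"),
}

USER_CODE_RANGE = range(128, 255)   # manual: user-defined codes are 128 to 254
MAX_OPTION_DATA = 255               # the DHCP option length field is one octet


class OptionTable:
    """Option definitions keyed by code, as built up by 'dhcp add'."""

    def __init__(self):
        self.defs = {}

    def add(self, code, minimum, maximum, otype):
        otype = otype.lower()
        if code not in USER_CODE_RANGE:
            raise ValueError(f"code {code} is outside the user-defined range 128-254")
        if otype not in ENCODERS:
            raise ValueError(f"unknown option type {otype!r}")
        if not 1 <= minimum <= maximum:
            raise ValueError("need 1 <= min <= max")
        self.defs[code] = (minimum, maximum, otype)

    def encode(self, code, *values):
        """Return the option as bytes: code, length, data."""
        if code not in self.defs:
            raise KeyError(f"option {code} is not defined; run 'dhcp add' first")
        minimum, maximum, otype = self.defs[code]
        if otype == "string":
            # For strings the manual counts characters, not occurrences
            # (compare "MESSAGE (56), 1 to 255 characters" in dhcp list definedoptions).
            if len(values) != 1:
                raise ValueError("string options take exactly one value")
            if not minimum <= len(values[0]) <= maximum:
                raise ValueError(f"string length must be {minimum}-{maximum}")
        elif not minimum <= len(values) <= maximum:
            raise ValueError(f"option {code} takes {minimum} to {maximum} value(s)")
        data = b"".join(ENCODERS[otype](v) for v in values)
        if len(data) > MAX_OPTION_DATA:
            raise ValueError("encoded option exceeds 255 octets")
        return bytes([code, len(data)]) + data


def cli_add(table, line):
    """Parse a line in the manual's form, e.g. 'dhcp add 128 1 4 ipAddress'."""
    words = line.split()
    if words[:2] != ["dhcp", "add"] or len(words) != 6:
        raise ValueError("expected: dhcp add <code> <min> <max> <type>")
    table.add(int(words[2]), int(words[3]), int(words[4]), words[5])
    return table


def rejects(func, *args):
    """True if the call is refused (used to show the validation cases)."""
    try:
        func(*args)
    except (ValueError, KeyError):
        return True
    return False


if __name__ == "__main__":
    t = cli_add(OptionTable(), "dhcp add 128 1 4 ipAddress")
    print(t.encode(128, "192.168.254.2", "192.168.254.3").hex())
```

The manual's example 3 (dhcp add 128 1 4 ipAddress) followed by a dhcp set valueoption with two addresses produces a 10-octet option: code 128, length 8, then the two packed addresses; a fifth address, or a code outside 128 to 254, is refused before anything is encoded.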
L2TP - Virtual Dial-Up Configuration Commands
This section contains L2TP command descriptions. For a complete discussion of L2TP tunneling, see L2TP Tunneling - Virtual Dial-Up, on page 122.
l2tp call
    TunnelName  Name of the tunnel (character string). The name is case sensitive.

Example:
    l2tp call PacingAtWork

L2TP CLOSE
Closes an L2TP tunnel and/or session.

l2tp close |-n|-t|-s|-c
    L2TP unit number
    -n TunnelName   Name of the tunnel (character string). The name is case sensitive.
    -t tunnelid     Local tunnel id.
    -s serialnum    Serial number of the call within the tunnel.
    -c callid       ID of the local call for the session.
    none        No incoming calls are allowed to be forwarded through the tunnel to an LNS.
    TunnelName  Name of the tunnel (character string). The name is case-sensitive.

Example:
    l2tp forward PacingAtWork

L2TP LIST
Provides a complete display of the current configuration settings for tunnel(s), except for the authentication password/secret.

l2tp list ||
    TunnelName  Name of the tunnel (character string). The name is case sensitive.
Caution: If the IP address of the remote tunnel is part of a subnet that is also reached through the tunnel, a routing table entry for this address must be explicitly added. Normally, this routing entry will be added to the remote entry which has the default route.

Note 1: When a remote router tries to create a tunnel, the remote router's IP address is not authenticated.
Note 2: If this command is not used, then defaults to 0.0.0.0, and this end cannot initiate the tunnel.
L2TP SET DIALOUT
Lets the LNS instruct the L2TP client to use an ISDN phone line to place a call on its behalf.

l2tp set dialout yes | no
    yes         This option lets the router place outgoing calls.
    no          This option prevents the router from placing outgoing calls. The default is no.
    TunnelName  Name of the tunnel (character string). The name is case-sensitive.
L2TP SET OURPASSWORD
Specifies the router's secret/password for PPP authentication on a per-tunnel basis.

l2tp set ourpassword
    password    Router's secret/password used for authentication when challenged by another router.
    TunnelName  Name of the tunnel (character string). The name is case-sensitive.

Example:
    l2tp set ourpassword 7z8x9q0d6j1t3k PacingAtWork

L2TP SET OURSYSNAME
Specifies the router's name for PPP authentication on a per-tunnel basis.
l2tp set remoteName
    name        Host name of the remote tunnel. This is the fully qualified domain name of the remote host.
    TunnelName  Name of the tunnel (character string). The name is case-sensitive.

Example:
    l2tp set remoteName isp PacingAtWork

L2TP SET TYPE
Defines the type of L2TP support for the tunnel. The router's role is defined on a per-tunnel basis.
    TunnelName  Name of the tunnel (character string). The name is case-sensitive.

Examples:
This command restricts the tunnel named OfficeTunnel to the remote interface named officertr.
    l2tp set wanif officertr OfficeTunnel
This command clears the remote interface restriction for the tunnel named OfficeTunnel.
    l2tp set wanif - OfficeTunnel
This command restricts the tunnel named OfficeTunnel to the physical interface ETHERNET/1.
    TunnelName  Name of the tunnel (character string) associated with the remote LAC. The name is case-sensitive.
    remoteName  Name of the remote entry (character string). The name is case sensitive.

Example:
    remote setl2tpclient PacingAtWork Router2

REMOTE SETLNS
With this command, this remote is the path to the LNS, and it will forward the incoming call (which matches this remote entry) through the tunnel named if your router is the client.
FILTER BR (Bridge Filtering) Commands
Bridge filtering allows you to control the packets transferred across the router. This feature can be used to enhance security or improve performance. Filtering is based on matched patterns within the packet at a specified offset. Two filtering modes are available.
• Deny mode will discard any packet that matches the deny filter database and let all other packets pass.
    pos     Byte offset within a packet; number from 0-127.
    data    Hexadecimal number up to 6 bytes.

Example: This command deletes the filter which denies the forwarding of packets that have the hex value 8035 at byte offset 12.
    filter br del 12 8035 deny

FILTER BR LIST
Lists the bridging filters in the filtering database.

filter br list

Example:
    filter br list
Response:
    Allow Filter:
    Deny Filter:
    pos:12, len=2, <80><35>

FILTER BR USE
Sets the mode of filtering to either deny, allow, or none.
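The matching rule described above (a pattern of up to 6 bytes compared at a byte offset of 0 to 127, with deny mode discarding matches) is shown in the following added example, which is illustrative code and not the router's firmware. It keeps a deny and an allow database, applies the mode chosen with filter br use, and renders the database in the same layout as the filter br list response. The filter br add form and the allow-mode behaviour (forward only frames that match the allow database, the mirror of deny mode) are assumptions; the Ethernet frames are constructed for the example.

```python
"""Bridge filter model for filter br add|del <pos> <data> deny|allow and filter br use.

Added example, not the router's own code. Deny mode follows the manual: a
frame matching any deny entry is discarded, everything else passes. Allow
mode is assumed to be the mirror image: only frames matching an allow entry
pass. The sample frames below are constructed for the example.
"""

MAX_POS = 127   # manual: pos is a byte offset from 0 to 127
MAX_DATA = 6    # manual: data is a hex number of up to 6 bytes


class BridgeFilterDb:
    def __init__(self):
        self.deny = []      # list of (pos, data) tuples
        self.allow = []
        self.mode = "none"  # filter br use deny | allow | none

    @staticmethod
    def _entry(pos, hexdata):
        data = bytes.fromhex(hexdata)
        if not 0 <= pos <= MAX_POS:
            raise ValueError("pos must be 0-127")
        if not 1 <= len(data) <= MAX_DATA:
            raise ValueError("data must be 1 to 6 bytes")
        return (pos, data)

    def _db(self, kind):
        if kind == "deny":
            return self.deny
        if kind == "allow":
            return self.allow
        raise ValueError("filter kind must be deny or allow")

    def add(self, pos, hexdata, kind):
        """filter br add <pos> <data> deny|allow (form assumed from filter br del)."""
        self._db(kind).append(self._entry(pos, hexdata))

    def delete(self, pos, hexdata, kind):
        """filter br del <pos> <data> deny|allow"""
        self._db(kind).remove(self._entry(pos, hexdata))

    def use(self, mode):
        """filter br use deny|allow|none"""
        if mode not in ("deny", "allow", "none"):
            raise ValueError("mode must be deny, allow or none")
        self.mode = mode

    @staticmethod
    def _matches(entry, frame):
        pos, data = entry
        return frame[pos:pos + len(data)] == data

    def forwards(self, frame):
        """True if the bridge would forward this frame under the current mode."""
        if self.mode == "deny":
            return not any(self._matches(e, frame) for e in self.deny)
        if self.mode == "allow":
            return any(self._matches(e, frame) for e in self.allow)
        return True

    @staticmethod
    def _fmt(entry):
        pos, data = entry
        return f"pos:{pos}, len={len(data)}, " + "".join(f"<{b:02X}>" for b in data)

    def listing(self):
        """Render the database in the layout of the filter br list response."""
        lines = ["Allow Filter:"] + [self._fmt(e) for e in self.allow]
        lines += ["Deny Filter:"] + [self._fmt(e) for e in self.deny]
        return "\n".join(lines)


def ethernet_frame(dst, src, ethertype, payload=b""):
    """Constructed sample frame: dst MAC (6), src MAC (6), EtherType (2), payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload


if __name__ == "__main__":
    db = BridgeFilterDb()
    db.add(12, "8035", "deny")      # EtherType 0x8035 (RARP) sits at offset 12
    db.use("deny")
    print(db.listing())
```

With the manual's entry (offset 12, value 8035) the EtherType field of a RARP frame matches and the frame is dropped, while an IPv4 frame (EtherType 0800) is forwarded; the same mechanism applied at offset 6 with a 6-byte pattern matches a source MAC address.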
PPPoE Commands
This section contains the commands that are specific to PPPoE (PPP over Ethernet). To learn more about PPPoE configuration and management, see page 97. The commands in this section are:
    remote setPPPoEservice  Used when configuring a PPPoE client entry.
    pppoe close             Ends a PPPoE session.
    pppoe list              Lists information about PPPoE sessions.

REMOTE SETPPPOESERVICE
Defines the remote router entry as a PPPoE remote entry.
    # pppoe list
    PPPoE Client Session ...... DialUpPPP.net
    PPPoE/Ifs number........... 1
    Access Concentrator........ 15021109931568-efficient
    Peer MAC Address .......... 00:10:67:00:66:E2
    Session ID ................ 2
    State ..................... 2
    Flags ..................... 1
    # pppoe close 1

PPPOE LIST
Lists information about the currently active PPPoE sessions.

pppoe list

Output Fields:
    PPPoE Client Session    Service name.
    PPPoE/Ifs number        Number identifying the session. It is used on the pppoe close command.
IKE (Internet Key Exchange) Commands
The IKE software option and the IKE commands are described in IPSec (Internet Protocol Security), on page 134.

IKE FLUSH
Clears all IKE configuration information from the router. For more information about IKE, see IPSec (Internet Protocol Security), on page 134.

ike flush

IKE IPSEC POLICIES ADD
Defines the name of an IPsec policy to be used for filtering. Other IPSec Policy commands define the filtering parameters (see IKE IPSec Policy Commands, on page 142).
IKE IPSEC POLICIES ENABLE
Enables an IPSec policy. An enable command is required for each new policy; the enable command indicates that the specification of the policy is complete and the policy is ready to be used. The enable command can also be used to re-enable a disabled policy. For more information, see IKE IPSec Policy Commands, on page 142.

ike ipsec policies enable
    PolicyName  Name of the IPsec policy. To see the policy names, use the ike ipsec policies list command.

Example:
IKE IPSEC POLICIES SET DESTPORT Defines a destination port filtering parameter value for the policy. The destination port parameter requires a specific destination port for the data or allows any destination port (*). (Because port numbers are TCP and UDP specific, a port filter is effective only when the protocol filter is TCP or UDP.
    ike ipsec policies set interface all mypolicy

IKE IPSEC POLICIES SET MODE
Defines the mode filtering parameter value for the policy. The mode parameter specifies the encapsulation mode (tunnel or transport) that may be used for the connection (see Transport and Tunnel Encapsulation Modes, on page 134). If no value is set for the mode parameter, tunnel mode is assumed.
    none        Perfect Forward Secrecy negotiation is not required for this connection.
    PolicyName  Name of the IPsec policy to which the pfs parameter value is added. To see the policy names, use the ike ipsec policies list command.

Example:
    ike ipsec policies set pfs 2 mypolicy

IKE IPSEC POLICIES SET PROPOSAL
Defines a proposal filtering parameter value for the policy. The proposal parameter specifies an IKE IPSec proposal that may be used for the connection.
ike ipsec policies set source
    IPaddress   IP address allowed to be the source of the data (4 decimals separated by periods).
    IPmask      IP network mask (4 decimals separated by periods).
    PolicyName  Name of the IPsec policy to which the source parameter value is added. To see the policy names, use the ike ipsec policies list command.

Example:
    ike ipsec policies set source 192.168.16.0 255.255.255.
protected network. (See the example below.) You can use the eth ip addhostmapping command (page 230) to map a range of NAT addresses to private addresses so the IKE tunnel can be initiated from either end.

ike ipsec policies set translate on | off
    on | off    Sets the translate option on or off. If translate is set to on, translation is applied before encryption, and the packets are sent using the host router's public IP address.
IKE IPSEC PROPOSALS DELETE
Deletes an existing IKE IPSec proposal. For more information, see IKE IPSec Proposal Commands, on page 141.

ike ipsec proposals delete
    ProposalName    Name of the IPsec proposal to be deleted. To see the proposal names in use, use the ike ipsec proposals list command.

Example:
    ike ipsec proposals delete myproposal

IKE IPSEC PROPOSALS LIST
Lists the IKE IPSec proposals. For more information, see IKE IPSec Proposal Commands, on page 141.
    ProposalName    Name of the IPsec proposal to which the AH authentication parameter is added. To see the proposal names in use, use the ike ipsec proposals list command.

Example:
    ike ipsec proposals set ahauth sha1 myproposal

IKE IPSEC PROPOSALS SET ESPAUTH
Sets the proposal parameter that determines whether ESP message authentication is requested and, if it is requested, the hash algorithm used.
Example:
    ike ipsec proposals set espenc 3des myproposal

IKE IPSEC PROPOSALS SET IPCOMP
Sets the proposal parameter that requests either no compression or LZS compression. For more information, see IKE IPSec Proposal Commands, on page 141.

ike ipsec proposals set ipcomp
    One of the following:
    NONE    No compression.
    LZS     Compress using the LZS algorithm.
Example:
    ike ipsec proposals set lifetime 600 myproposal

IKE PEERS ADD
Defines the name of a new IKE peer. Other commands specify the address, secret, and mode of the peer connection; see IKE Peer Commands, on page 139.

ike peers add
    PeerName    New name for an IKE peer. To see the peer names in use, use the ike peers list command.

Example:
    ike peers add my_aggressive_peer

IKE PEERS DELETE
Deletes an existing IKE peer entry. For more information, see IKE Peer Commands, on page 139.
IKE PEERS SET ADDRESS Sets the IP address of the other endpoint of the secure IKE peer connection. The address specified depends on the mode of the peer connection, which can be either main mode or aggressive mode. (See IKE Management, on page 136.) If the mode is main mode, the other endpoint of the peer connection is constant, and you specify its IP address. If the mode is aggressive mode, one end of the connection, the gateway, has a fixed IP address. The other end, the client, has a changing address.
    One of the following:
    IPADDR      The local ID must be an IP address.
    DOMAINNAME  The local ID must be a domain name.
    EMAIL       The local ID must be an e-mail address.
    PeerName    Name of the IKE peer whose local ID type is specified. To see the peer names, use the ike peers list command.

Example:
    ike peers set localidtype domainname my_aggressive_peer

IKE PEERS SET MODE
Sets the IKE peer connection mode to either main mode or aggressive mode.
The peer ID type must match the local ID type on the other end of the connection. The possible ID types are IP address, domain name, or e-mail address. For more information, see IKE Peer Commands, on page 139.

ike peers set peeridtype
    One of the following:
    IPADDR      The peer ID must be an IP address.
    DOMAINNAME  The peer ID must be a domain name.
    EMAIL       The peer ID must be an e-mail address.
    PeerName    Name of the IKE peer whose peer ID type is specified.

Example:
    ProposalName    Name of the IKE proposal to be deleted. To see the proposal names in use, use the ike proposals list command.

Example:
    ike proposals delete my_ike_proposal

IKE PROPOSALS LIST
Lists the IKE proposals. See IKE Proposal Commands, on page 140.
    One of the following:
    DES         Use DES (56-bit) encryption.
    3DES        Use 3DES (168-bit) encryption (if 3DES is enabled in the router; see Software Option Keys, on page 114).
    ProposalName    Name of the IKE proposal to which the encryption parameter is added. To see the proposal names in use, use the ike proposals list command.
    PRESHARE    Preshared key.
    ProposalName    Name of the IKE proposal to which the session authentication parameter is added. To see the proposal names in use, use the ike proposals list command.

Example:
    ike proposals set session_auth preshare my_ike_proposal

IPSec Commands
The following commands allow you to define an IPSec connection without IKE. To read about IPSec Security, see IPSec (Internet Protocol Security), on page 134.

Note: If you define a tunnel using IPSec commands, the keys will remain static.
IPSEC ENABLE
Enables a defined IPSec SA entry, indicating it is complete and ready to be used. The command can also re-enable a disabled SA entry.

ipsec enable
    SAname  Name for the IPSec SA to be enabled. To see the IPSec SA names in use, use the ipsec list command.

Example:
    ipsec enable show_rx

IPSEC FLUSH
Clears all IPSec definitions.

ipsec flush

IPSEC LIST
Lists one or all IPSec SA entries.

ipsec list []
    SAname  Optional name for the IPSec SA to be listed.
    key=012345678901234567890123456789012345678901234567
    SHA1 key=abcdefabcdefabcdefabcdefabcdefabcdefabcd (20)
    No compression
    id =123456 seq=6734

IPSEC SET AUTHENTICATION
Selects authentication for the IPSec SA using either SHA-1 (Secure Hashing Algorithm 1) or MD5 (Message Digest 5).

ipsec set authentication
    One of the following:
    MD5     Authenticate using the MD5 algorithm.
    SHA1    Authenticate using the SHA1 algorithm.
    SAname  Name of the IPSec SA.

Example:
ipsec set direction
    One of the following:
    INBOUND
    OUTBOUND
    SAname  Name of the IPSec SA. To see the IPSec SA names in use, use the ipsec list command.

Example:
    ipsec set direction inbound show_rx

IPSEC SET ENCKEY
Specifies the encryption key.

ipsec set enckey
    key     Hexadecimal encryption key (64 bits for DES or 192 bits for 3DES).
    SAname  Name of the IPSec SA. To see the IPSec SA names in use, use the ipsec list command.
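Because the keys of an SA defined with these commands remain static (see the note under IPSec Commands), they deserve a check before they are typed in. The following added example, illustrative code rather than anything from the router, validates an encryption key for ipsec set enckey against the sizes the manual gives (64 bits for DES, 192 bits for 3DES), flags the four DES weak keys and 3DES keys whose subkeys repeat, and checks an authentication key against the 20-byte SHA1 length shown in the ipsec list output. The 16-byte MD5 key size is the standard HMAC-MD5 key length and is an assumption here, as is the "repeated byte" check.

```python
"""Static-key sanity checks for manually keyed IPSec SAs (added example, not router code).

Encryption key sizes follow 'ipsec set enckey' in the manual (DES 64 bits,
3DES 192 bits); the SHA1 key size follows the "(20)" shown by 'ipsec list'.
The 16-byte MD5 key size is assumed (standard HMAC-MD5 key length).
"""

ENC_KEY_BITS = {"des": 64, "3des": 192}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}

# The four DES weak keys, written with their parity bits.
DES_WEAK_KEYS = {
    "0101010101010101", "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
}


def _strip_parity(key8):
    """DES ignores the low bit of every key byte, so compare keys without it."""
    return bytes(b & 0xFE for b in key8)


_WEAK = {_strip_parity(bytes.fromhex(k)) for k in DES_WEAK_KEYS}


def _parse_hex(key, nbytes):
    """Return (raw_bytes, None) or (None, problem) for a hex key of nbytes."""
    try:
        raw = bytes.fromhex(key)
    except ValueError:
        return None, "key is not hexadecimal"
    if len(raw) != nbytes:
        return None, f"key is {len(raw) * 8} bits; expected {nbytes * 8}"
    return raw, None


def check_enc_key(algorithm, key):
    """Return a list of problems with a DES/3DES key (empty list: acceptable)."""
    alg = algorithm.lower()
    if alg not in ENC_KEY_BITS:
        return [f"unknown encryption algorithm {algorithm!r}"]
    raw, err = _parse_hex(key, ENC_KEY_BITS[alg] // 8)
    if err:
        return [err]
    parts = [raw[i:i + 8] for i in range(0, len(raw), 8)]
    problems = []
    for n, part in enumerate(parts, 1):
        if _strip_parity(part) in _WEAK:
            problems.append(f"subkey {n} is a known DES weak key")
    if alg == "3des":
        k1, k2, k3 = (_strip_parity(p) for p in parts)
        if k1 == k2 or k2 == k3:
            problems.append("3DES subkeys repeat; EDE collapses to single DES")
        elif k1 == k3:
            problems.append("K1 == K3: effectively two-key 3DES (112 bits of key)")
    return problems


def check_auth_key(algorithm, key):
    """Return a list of problems with an MD5/SHA1 key (empty list: acceptable)."""
    alg = algorithm.lower()
    if alg not in AUTH_KEY_BYTES:
        return [f"unknown authentication algorithm {algorithm!r}"]
    raw, err = _parse_hex(key, AUTH_KEY_BYTES[alg])
    if err:
        return [err]
    if len(set(raw)) == 1:
        return ["authentication key is a single repeated byte"]
    return []


if __name__ == "__main__":
    # The two keys shown in the manual's ipsec list output.
    print(check_enc_key("3des", "012345678901234567890123456789012345678901234567"))
    print(check_auth_key("sha1", "abcdefabcdefabcdefabcdefabcdefabcdefabcd"))
```

Both keys from the ipsec list output above pass (48 hex digits is 192 bits, 40 hex digits is 20 bytes); a DES key of 0101010101010101, or a 3DES key whose three 64-bit parts are identical, is reported so that it is not entered into the SA.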
IPSEC SET IDENT
Specifies the identifier (SPID) for the IPSec tunnel. It must match the SPID at the other end of the tunnel, that is, the tx SPID on this end must match the rx SPID on the other end.

ipsec set ident
    ident   SPID for the IPSec tunnel.
    SAname  Name of the IPSec SA. To see the IPSec SA names in use, use the ipsec list command.

Example:
    ipsec set ident 424242 show_rx

IPSEC SET MODE
Selects the encapsulation mode (tunnel or transport) for the SA. The default is tunnel mode.
Appendix A.
Configuring PPP with IP Routing

PPP with IP Routing
Steps                       Commands                Your settings
System Settings
    System Name             system name
    System Message          system msg
    Authentication Passwd   system passwd
    Ethernet IP Address     eth ip addr []
Configuring PPP with IPX Routing

PPP with IPX Routing
Steps                       Commands                Your Settings
System Settings
    System Name             system name
    System Message          system msg
    Authentication Passwd   system passwd
    Ethernet IP Address     eth ip addr []
Configuring PPP with Bridging

PPP with Bridging
Steps                       Commands                                Your Settings
System Settings
    System Name             system name
    System Message          system msg
    Authorization Password  system passwd
DHCP Settings
                            dhcp set valueoption domainname
Configuring RFC 1483 / RFC 1490 with IP Routing

RFC 1483 / RFC 1490 with IP Routing
Steps                       Commands                                        Your Settings
System Settings
    System Message          system msg
    Ethernet IP Address     eth ip addr [port#>]
DHCP Settings
                            dhcp set valueoption domainname
                            dhcp set valueoption domainnameserver <ipaddr>
Configuring RFC 1483 / RFC 1490 with IPX Routing

RFC 1483 / RFC 1490 with IPX Routing
Steps                       Commands                                        Your Settings
System Settings
    System Message          system msg
    Ethernet IP Address     eth ip addr [port#>]
DHCP Settings
                            dhcp set valueoption domainname
                            dhcp set valueoption domainnameserver
Configuring RFC 1483 / RFC 1490 with Bridging

RFC 1483 / RFC 1490 with Bridging
Steps                       Commands                                        Your Settings
System Settings
    System Message          system msg
DHCP Settings
                            dhcp set valueoption domainname
                            dhcp set valueoption domainnameserver
    Change Login            system admin
Configuring RFC 1483MER / RFC 1490MER with IP Routing

RFC 1483MER/RFC 1490MER with IP Routing
Steps                       Commands                                        Your Settings
System Settings
    System Message          system msg
    Ethernet IP Address     eth ip addr []
DHCP Settings
                            dhcp set valueoption domainname <domainname>
                            dhcp set valueoption domainnameserver
Configuring FRF8 with IP Routing

RFC 1483FR with IP Routing
Steps                       Commands                                        Your Settings
System Settings
    System Message          system msg
    Ethernet IP Address     eth ip addr []
DHCP Settings
                            dhcp set valueoption domainname <domainname>
                            dhcp set valueoption domainnameserver
    Change Login            system admin
Configuring a Dual-Ethernet Router for IP Routing
This table outlines commands used to configure a Dual-Ethernet router for IP Routing.

Dual-Ethernet Router - IP Routing
Steps                           Commands            Your Settings
System Settings
    System Name                 system name
    Message                     system msg
Ethernet Settings
    Routing/Bridging Controls   eth ip enable
                                eth br disable
Appendix B. Configuring IPX Routing

IPX Routing Concepts
To establish IPX Routing, you will need to enter all remote routers in the remote router database to which your router will connect.
1. For each remote router, enter the network addresses and services that may be accessed beyond the remote router.
2. Also enter a network number for the WAN link.
3. After you have specified the route addressing and services, you can then enable IPX routing across the Ethernet LAN.
Step 1: Collect Your Network Information for the Target (Local) Router
The remote side of the WAN link has all of the file and print services. Enter the needed network information in the blank boxes of the diagram. Then match the boxes' numbers with the numbers in the Command Table below to configure the target router for IPX.
    1   Enable IPX routing
    2   External Network # (Local Wire address)   Ex: 123
        Server Name
    3   IPX Frame Type                            Ex: 802.
Step 2: Review your Settings
Commands used to review your IPX configuration:
- eth list
- remote list
- ipxsaps

    > eth list
    ETHERNET INFORMATION FOR
    Hardware MAC address................. 00:20:6F:02:4C:35
    Bridging enabled..................... no
    IP Routing enabled................... no
    Firewall filter enabled ........... yes
    Process IP RIP packets received.... yes
    Send IP RIP to the LAN............. yes
    Advertise me as the default router. Yes
    Receive default route using RIP....
Command Index Symbols adsl ?, 290 adsl restart, 290 adsl speed, 290 adsl stats, 291 arp delete, 188 arp list, 189 atm ?, 292 atm reset, 292 atm save, 292 atm speed, 293 atom cellrx, 185 atom dumpUnknownCells, 181 atom echoPVC, 181 atom empty, 181 atom findPVC, 181 atom pls, 181 atom print, 185 atom promisc, 185 atom rx, 185 atom stats, 185 atom tx, 185 atom voice, 174 dhcp bootp disallow, 310 dhcp bootp file, 311 dhcp bootp tftpServer, 311 dhcp clear addresses, 311 dhcp clear all records, 312 dhcp clear e
eth ip delRoute, 235 eth ip delServer, 235 eth ip directedBcast, 236 eth ip disable, 237 eth ip enable, 237 eth ip filter, 237 eth ip firewall, 241 eth ip mgmt, 241 eth ip mtu, 242 eth ip options, 243 eth ip restart, 244 eth ip ripMulticast, 244 eth ip start, 244 eth ip stop, 245 eth ip translate, 245 eth ip unbindRoute, 246 eth ip vrid, 246 eth ipx addr, 247 eth ipx disable, 247 eth ipx enable, 247 eth ipx frame, 248 eth list, 248 eth vrrp add, 249 eth vrrp clear password, 249 eth vrrp delete, 250 eth vrrp
ike peers set mode, 347 ike peers set peerID, 347 ike peers set peerIDtype, 347 ike peers set secret, 348 ike proposals add, 348 ike proposals delete, 348 ike proposals list, 349 ike proposals set dh_group, 349 ike proposals set encryption, 349 ike proposals set lifetime, 350 ike proposals set message_auth, 350 ike proposals set session_auth, 350 ipdebug, 180 ipifs, 191 ipRoutes, 191 ipsec add, 351 ipsec del, 351 ipsec disable, 351 ipsec enable, 352 ipsec flush, 352 ipsec list, 352 ipsec set authentication,
remote bindIPVirtualRoute, 260 remote blockNetBios, 261 remote del, 261 remote delATMnsap, 261 remote delBridge, 261 remote delEncryption, 262 remote delHostMapping, 262 remote delIpRoute, 262 remote delIpxRoute, 263 remote delIpxSap, 263 remote delOurPasswd, 264 remote delOurSysName, 264 remote delPhone, 264 remote delServer, 265 remote disable, 265 remote disAuthen, 266 remote disBridge, 266 remote enaAuthen, 266 remote enable, 266 remote enaBridge, 267 remote ipFilter, 267 remote list, 271 remote listBri
system addUdpRelay, 212 system admin, 212 system authen, 212 system backup add, 213 system backup delete, 213 system backup disable, 214 system backup enable, 214 system backup pinginterval, 215 system backup pingsamples, 215 system backup retry, 216 system backup stability, 216 system backup successrate, 216 system blockNetBios, 217 system community, 217 system defaultmodem, 217 system delBootpServer, 218 system delHostMapping, 218 system delHTTPfilter, 218 system delIpRoutingTable, 219 system delServer, 2
Topic Index Numerics 3DES encryption, 135 IKE proposal command, 141 A address translation, 91 ADPCM voice encoding, 20 ADSL DMT router commands, 295 debug commands, 184 AH IPSec protocol, 134, 135 ASIC.
VRRP, 112 configuration files, backup/restore, 162 configuration information Dual-Ethernet router, 45 FRF8 + IP, 44 PPP + IP, 34, 36, 38 RFC 1483 + bridging, 41 RFC 1483 + IP, 39 RFC 1483 + IPX, 40 RFC 1483MER + IP, 42 RFC 1490 + bridging, 41 RFC 1490 + IP, 34, 36, 38, 39 RFC 1490 + IPX, 40 RFC 1490MER + IP, 42 configuration tables dual-Ethernet router +IP routing, 58 FRF8 + IP routing, 56 mixed network protocols, 57 PPP + bridging, 51 PPP + IP routing, 49 PPP + IPX routing, 50 RFC 1483/RFC 1490 + bridging,
FRF8, 44 G G.
K kernel upgrade from the LAN, 159 upgrade from the WAN line, 160 keyfile.
RFC 1483, 34, 39 RFC 1483MER, 42 RFC 1490, 34, 39 RFC 1490MER, 42 RFCs supported, 25 RIP packet controls, 81 route tracing command, 198 router configuration commands, 206 S sample configurations dual-Ethernet router with IP, 75 IKE, 144 PPP with IP and IPX, 61 RFC 1483 with IP and bridging, 69 VRRP, 112 SAs, 134 save dod, 196 saving configuration files, 162 saving the configuration, 196 script execution, 166 SDSL commands, 304 autobaud pre-activation, 305 autospeed detection, 304 debug commands, 182 secure
transport mode, 134 troubleshooting bridging, 172 console, 170 factory configuration, 170 hardware problems, 170 history log, 168 IP routing, 172 IPX routing, 173 login password, 171 normal LED sequence, 168 PC connection, 171 power light off, 167 remote network access, 172 terminal window display, 170 using LEDs, 167 using ping, 169 troubleshooting voice routing, 174 tunneling IPSec, 134 L2TP, 122 L2TP configurations, 124 with Dial Backup, 103 frame voice command, 204 trouble-shooting, 174 VPI/VCI find va