BCM50a Integrated Router Configuration — Advanced
BCM50a Integrated Router
Document Number: N0115791
Document Version: 1.
Copyright © Nortel 2005–2006 All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel.
Contents

Preface (p. 23)
Before you begin (p. 23)
Text conventions (p. 23)
Related publications
Autosensing 10/100 Mb/s Ethernet LAN (p. 32)
Time and date (p. 32)
Reset button (p. 32)
Nonphysical features (p. 32)
IPSec VPN capability
Initial screen (p. 39)
Logging on to the SMT (p. 39)
Navigating the SMT interface (p. 40)
Main menu
Remote Node setup (p. 70)
Remote Node profile (p. 70)
Encapsulation and Multiplexing scenarios (p. 71)
Edit IP/Bridge (p. 74)
Remote Node filter
Chapter 10 Introducing the firewall (p. 115)
Using SMT menus (p. 115)
Activating the firewall (p. 115)
Chapter 11 Filter configuration
System information and console port speed (p. 148)
System Information (p. 149)
Console port speed (p. 151)
Log and trace (p. 151)
Syslog logging
Chapter 16 System Maintenance menus 8 to 10 (p. 175)
Command Interpreter mode (p. 175)
Command syntax (p. 176)
Command usage (p. 177)
Call control support
Triangle Route (p. 205)
The Ideal Setup (p. 205)
The Triangle Route Problem (p. 205)
The Triangle Route Solutions (p. 206)
IP aliasing
Appendix G Command Interpreter (p. 241)
Command Syntax (p. 241)
Command usage (p. 241)
Sys commands
Appendix J Log descriptions (p. 289)
VPN/IPSec logs (p. 297)
VPN responder IPSec log (p. 299)
Log commands
Figures

Figure 1 Secure Internet Access and VPN Application (p. 38)
Figure 2 Initial screen (p. 39)
Figure 3 SMT Login (p. 40)
Figure 4 Main menu (p. 42)
Figure 5 Menu 23.
Figure 30 Menu 4 – Applying NAT for Internet Access (p. 90)
Figure 31 Menu 11.3 – Applying NAT to the Remote Node (p. 91)
Figure 32 Menu 15 – NAT Setup (p. 92)
Figure 33 Menu 15.1 – Address Mapping Sets (p. 93)
Figure 34 Menu 15.1.255 – SUA Address Mapping Rules
Figure 65 Filtering Remote Node Traffic (p. 136)
Figure 66 Menu 22 – SNMP Configuration (p. 138)
Figure 67 Menu 23 – System security (p. 141)
Figure 68 Menu 23 – System Security (p. 142)
Figure 69 Menu 23.2 – System Security – RADIUS server
Figure 100 Windows XP: Start menu (p. 197)
Figure 101 Windows XP: Control Panel (p. 197)
Figure 102 Windows XP: Control Panel: Network Connections: Properties (p. 198)
Figure 103 Windows XP: Local Area Connection Properties (p. 198)
Figure 104 Windows XP: Advanced TCP/IP settings
Figure 135 NetBIOS Display Filter Settings Command Example (p. 280)
Figure 136 Example VPN initiator IPSec log (p. 298)
Figure 137 Example VPN responder IPSec log
Tables

Table 1 Feature specifications (p. 29)
Table 2 Main menu commands (p. 40)
Table 3 Main menu summary (p. 42)
Table 4 General setup menu fields (p. 46)
Table 5 Configure dynamic DNS menu fields
Table 30 Menu 24.1 System Maintenance: Status (p. 147)
Table 31 Menu 24.2.1 System Maintenance: Information (p. 150)
Table 32 System Maintenance Menu Syslog Parameters (p. 152)
Table 33 System Maintenance menu diagnostic (p. 159)
Table 34 Filename Conventions
Table 65 NetBIOS filter default settings (p. 280)
Table 66 System error logs (p. 289)
Table 67 System maintenance logs (p. 289)
Table 68 UPnP logs (p. 290)
Table 69 Content filtering logs
Preface

Before you begin

This guide is designed to assist you with advanced configuration of your BCM50a Integrated Router for its various applications.

Note: This guide explains how to use the System Management Terminal (SMT) or the command interpreter interface to configure your BCM50a Integrated Router. See the basic manual for how to use the WebGUI to configure your BCM50a Integrated Router. Not all features can be configured through all interfaces.
A single keystroke is written in Arial font and enclosed in square brackets, for instance, [ENTER] means the Enter key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys.

Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
USA and Canada

Authorized Distributors Technical Support - GNTS/GNPS
Telephone: 1-800-4NORTEL (1-800-466-7835)
If you already have a PIN Code, you can enter Express Routing Code (ERC) 196#. If you do not yet have a PIN Code, or for general questions and first line support, you can enter ERC 338#.
Web Site: www.nortel.
CALA (Caribbean & Latin America)

Technical Support - CTAS
Telephone: 1-954-858-7777
E-mail: csrmgmt@nortel.com

APAC (Asia Pacific)

Service Business Centre & Pre-Sales Help Desk: +61-2-8870-5511 (Sydney)
Technical Support - GNTS
Telephone: +612 8870 8800
Fax: +612 8870 5569
E-mail: asia_support@nortel.
Thailand: 001-800-611-3007
Service Business Centre & Pre-Sales Help Desk: +61-2-8870-5511
Chapter 1 Getting to know your BCM50a Integrated Router

This chapter introduces the main features and applications of the BCM50a Integrated Router.

Introducing the BCM50a Integrated Router

The BCM50a Integrated Router is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN).
Table 1 Feature specifications

Feature: Specification
Number of SUA (Single User Account) servers: 12
Number of address mapping rules: 10
Number of configurable VPN rules (gateway policies): 10
Number of configurable IPSec VPN IP policies (network policies): 60
Number of concurrent IKE (Internet Key Exchange) Phase 1 Security Associations: These correspond to the gateway policies.
• Extended-reach ADSL (ER ADSL)
• SRA (Seamless Rate Adaptation)
• Autonegotiating rate adaptation
• ADSL physical connection
• ATM (Asynchronous Transfer Mode)
• AAL5 (Adaptation Layer type 5)
• Multiprotocol over AAL5 (Request For Comments (RFC) 2684/1483) Support
• Point-to-Point-Protocol over ATM AAL5 (PPPoA) (RFC 2364)
• PPP over Ethernet support for DSL (Digital Subscriber Line) connection (RFC 2516)
• Support Virtual Circuit (VC) based and
Autonegotiating 10/100 Mb/s Ethernet LAN

The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s Ethernet.

Autosensing 10/100 Mb/s Ethernet LAN

The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable.

Time and date

Using the BCM50a Integrated Router, you can get the current time and date from an external server when you turn on your BCM50a Integrated Router.
Certificates

The BCM50a Integrated Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.

SSH

The BCM50a Integrated Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
Content filtering

The BCM50a Integrated Router can block web features such as ActiveX controls, Java applets, and cookies, as well as disable web proxies. The BCM50a Integrated Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled.

Packet filtering

The packet filtering mechanism blocks unwanted traffic from entering or leaving your network.
IP Multicast

The BCM50a Integrated Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The BCM50a Integrated Router supports versions 1 and 2.

IP Alias

Using IP Alias, you can partition a physical network into logical networks over the same Ethernet interface.
Traffic Redirect

Traffic Redirect forwards WAN traffic to a backup gateway when the BCM50a Integrated Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.

Port Forwarding

Use this feature to forward incoming service requests to a server on your local network. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
Upgrade BCM50a Integrated Router Firmware

The firmware of the BCM50a Integrated Router can be upgraded manually through the WebGUI.

Embedded FTP and TFTP Servers

The embedded FTP and TFTP servers enable fast firmware upgrades, as well as configuration file backups and restoration.

Applications for the BCM50a Integrated Router

Secure broadband internet access and VPN

The BCM50a Integrated Router provides broadband Internet access through ADSL.
Figure 1 Secure Internet Access and VPN Application

Caution: Electro-static Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD. Avoid touching the connectors on the router, particularly when it is in use.
Chapter 2 Introducing the SMT

This chapter explains how to access the System Management Terminal and gives an overview of its menus.

Introduction to the SMT

The BCM50a Integrated Router SMT (System Management Terminal) is a menu-driven interface that you can access over a Telnet connection. This chapter shows you how to navigate the SMT, and how to configure SMT menus.

Initial screen

When you turn on your BCM50a Integrated Router, it performs several internal tests as well as line initialization.
Type the username (“nnadmin” is the default) and press [ENTER]. The logon screen prompts you to enter the password.

Figure 3 SMT Login

    Enter Username : XXXX
    Enter Password : XXXX

Type the password (“PlsChgMe!” is the default) and press [ENTER]. As you type the password, the screen displays an X for each character you type.
Table 2 Main menu commands

Operation: Move the cursor
Keystrokes: [ENTER] or [UP] or [DOWN] arrow keys
Description: Within a menu, press [ENTER] to move to the next field. You can also use the [UP] or [DOWN] arrow keys to move to the previous or the next fields, respectively. When you are at the top of a menu, press the [UP] arrow key to move to the bottom of a menu.

Operation: Entering information
Keystrokes: Fill in, or press [SPACE BAR], then press [ENTER] to select from choices.
Figure 4 Main menu

    BCM50a Integrated Router Main Menu

    Getting Started                    Advanced Management
      1. General Setup                   21. Filter and Firewall Setup
      2. WAN Setup                       22. SNMP Configuration
      3. LAN Setup                       23. System Security
      4. Internet Access Setup           24. System Maintenance
                                         26. Schedule Setup
    Advanced Applications
      11. Remote Node Setup              99. Exit
      12. Static Routing Setup
      14. Dial-in User Setup
      15. NAT Setup

    Enter Menu Selection Number:

Table 3 describes the fields in Figure 4.
Table 3 Main menu summary

No. 23, System Security: Use this menu to change your password and enable network user authentication.
No. 24, System Maintenance: From displaying system status to uploading firmware, this menu provides comprehensive system maintenance.
No. 26, Schedule Setup: Use this menu to schedule outgoing calls.
No. 99, Exit: Use this menu to exit (necessary for remote configuration).
SMT menus at a glance

Figure 6 SMT overview
SMT menu 1 - general setup

Introduction to general setup

Menu 1 - general setup contains administrative and system-related information.

Configuring general setup

Enter 1 in the main menu to open Menu 1: general setup. The Menu 1 - General Setup screen appears, as shown in Figure 7. Fill in the required fields.
Table 4 describes the fields in Figure 7.

Table 4 General setup menu fields

System name: Choose a descriptive name for identification purposes. Nortel recommends you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted. Example: BCM50a Integrated Router
Domain name: Enter the domain name (if you know it) here. If you leave
Example: nortel.
Table 4 General setup menu fields (continued)

First system DNS server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The BCM50a Integrated Router uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Table 4 General setup menu fields (continued)

You must also configure a VPN branch office rule since the BCM50a Integrated Router uses a VPN tunnel when it relays DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the BCM50a Integrated Router as a local IP address and the IP address of the DNS server as a remote IP address. A Private DNS entry with the IP address set to 0.0.0.
Figure 8 Menu 1.1 – Configure Dynamic DNS

    Menu 1.1 - Configure Dynamic DNS
    Service Provider= WWW.DynDNS.
Table 5 Configure dynamic DNS menu fields

Enable Wildcard: Your BCM50a Integrated Router supports DYNDNS Wildcard. Press [SPACE BAR] and then [ENTER] to select Yes or No. This field is N/A when you choose DDNS client as your service provider.
Offline: This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, http://www.dyndns.
The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.
Chapter 3 WAN Setup

This chapter describes how to configure the WAN using Menu 2.

Introduction to WAN setup

This chapter explains how to configure the settings for your WAN port.

WAN setup

From the main menu, enter 2 to open Menu 2.
Figure 9 Menu 2 – WAN Setup

    Menu 2 - WAN Setup

    Route Selection:
      WAN Metric= 1
      Traffic Redirect Metric= 14
      Dial Backup Metric= N/A
      Edit Traffic Redirect= No

    Dial-Backup:
      Active= N/A
      Port Speed= N/A
      AT Command String:
        Init= N/A
      Edit Advanced Setup= N/A

    Press ENTER to Confirm or ESC to Cancel:

Table 6 describes the fields in Figure 9.
Table 6 Menu 2 WAN setup

Edit Traffic Redirect: Press [SPACE BAR] to select Yes or No. Select No (default) if you do not want to configure this feature. Select Yes and press [ENTER] to configure Menu 2.2 — Traffic Redirect Setup. Example: No
Dial-Backup: Dial backup does not apply to all BCM50a Integrated Router models.
Active: Use this field to turn the dial-backup feature on (Yes) or off (No).
Figure 10 Menu 2.2 – Traffic Redirect Setup

    Menu 2.2 - Traffic Redirect Setup
    Active= No
    Configuration:
      Backup Gateway IP Address= 0.0.0.0
      Metric= 15
    Press ENTER to Confirm or ESC to Cancel:

Table 7 describes the fields in Figure 10.

Table 7 Menu 2.2 Traffic Redirect Setup

Active: Press [SPACE BAR] and select Yes (to enable) or No (to disable) traffic redirect setup. The default is No.
Chapter 4 LAN setup

This chapter describes how to configure the LAN using Menu 3: LAN Setup.

Introduction to LAN setup

This section describes how to configure the BCM50a Integrated Router for LAN connections.

Accessing the LAN menus

From the main menu, enter 3 to open Menu 3 – LAN setup.

Figure 11 Menu 3 – LAN setup

    Menu 3 - LAN Setup
    1. LAN Port Filter Setup
    2.
Figure 12 Menu 3.1 – LAN Port Filter Setup

    Menu 3.1 – LAN Port Filter Setup
    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
    Press ENTER to Confirm or ESC to Cancel:

TCP/IP and DHCP ethernet setup menu

From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.

Figure 13 Menu 3 – LAN Setup

    Menu 3 - LAN Setup
    1. LAN Port Filter Setup
    2.
Figure 14 Menu 3.2 – TCP/IP and DHCP Ethernet setup

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup

    DHCP= Server                          TCP/IP Setup:
    Client IP Pool:                         IP Address= 192.168.1.1
      Starting Address= 192.168.1.2         IP Subnet Mask= 255.255.255.
      Size of Client IP Pool= 126
Table 8 DHCP Ethernet setup menu fields

Size of Client IP Pool: This field specifies the size or count of the IP address pool. Example: 126
First DNS Server / Second DNS Server / Third DNS Server: The BCM50a Integrated Router passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Select From ISP if your ISP dynamically assigns DNS server information (and the BCM50a Integrated Router's WAN IP address).
Use the instructions in Table 9 to configure TCP/IP parameters for the LAN port.

Table 9 LAN TCP/IP setup menu fields

TCP/IP Setup:
IP Address: Enter the IP address of your BCM50a Integrated Router in dotted decimal notation. Example: 192.168.1.1 (default)
IP Subnet Mask: Your BCM50a Integrated Router automatically calculates the subnet mask based on the IP address that you assign.
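As an added example (not Nortel code) of checking the Menu 3.2 values from Figure 14 and Table 9 before committing them, this Python script computes the last address of the client IP pool and flags a pool that leaves the LAN subnet, includes the router's own address, or includes the network or broadcast address. The classful mask helper is an assumption about how the SMT derives the default mask; the page only says the mask is calculated from the IP address.

```python
"""Check Menu 3.2 - TCP/IP and DHCP Ethernet Setup values (added example).

Field names mirror Figure 14 / Table 9: IP Address, IP Subnet Mask,
Client IP Pool Starting Address and Size of Client IP Pool.
"""
import ipaddress
from typing import List, Optional, Tuple


def classful_mask(ip: str) -> str:
    """Default mask derived from the first octet (A /8, B /16, else /24).

    Assumption: the manual only says the SMT calculates the mask from the
    IP address; classful defaults are the usual way that is done.
    """
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def check_dhcp_pool(router_ip: str, pool_start: str, pool_size: int,
                    subnet_mask: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (pool_end, problems) for a DHCP server pool.

    pool_end is the last address the server would hand out; problems is a
    list of misconfiguration findings (empty when the pool is sane).
    """
    mask = subnet_mask or classful_mask(router_ip)
    lan = ipaddress.ip_network(f"{router_ip}/{mask}", strict=False)
    router = ipaddress.ip_address(router_ip)
    start = ipaddress.ip_address(pool_start)
    problems: List[str] = []

    if pool_size < 1:
        return str(start), ["Size of Client IP Pool must be at least 1"]
    try:
        end = start + (pool_size - 1)
    except ValueError:
        return str(start), ["pool runs past the end of the IPv4 address space"]

    if start not in lan or end not in lan:
        problems.append(
            f"pool {start}-{end} is not contained in LAN subnet {lan}")
    elif start == lan.network_address or end == lan.broadcast_address:
        # Only meaningful once we know the pool sits inside the subnet.
        problems.append("pool includes the network or broadcast address")
    if start <= router <= end:
        problems.append(f"router address {router} lies inside the client pool")
    return str(end), problems


if __name__ == "__main__":
    # Default values shown in Figure 14 (constructed call using those numbers).
    print(check_dhcp_pool("192.168.1.1", "192.168.1.2", 126))
    # A pool that fills the whole /24 and would hand out the router's address.
    print(check_dhcp_pool("192.168.1.1", "192.168.1.1", 255))
```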
Figure 15 Menu 3.2.1 – IP Alias setup

    Menu 3.2.1 - IP Alias Setup

    IP Alias 1= No
      IP Address= N/A
      IP Subnet Mask= N/A
      RIP Direction= N/A
        Version= N/A
      Incoming protocol filters= N/A
      Outgoing protocol filters= N/A
    IP Alias 2= No
      IP Address= N/A
      IP Subnet Mask= N/A
      RIP Direction= N/A
        Version= N/A
      Incoming protocol filters= N/A
      Outgoing protocol filters= N/A

    Enter here to CONFIRM or ESC to CANCEL:
    Press Space Bar to Toggle.
Table 10 IP Alias setup menu fields

RIP Direction: Press [SPACE BAR] and then [ENTER] to select the RIP direction. Options are Both, In Only, Out Only or None. Example: None
Version: Press [SPACE BAR] and then [ENTER] to select the RIP version. Options are RIP-1, RIP-2B or RIP-2M. Example: RIP-1
Incoming Protocol Filters: Enter the filter sets you wish to apply to the incoming traffic between this node and the BCM50a Integrated Router.
Chapter 5 Internet access

This chapter shows you how to configure your BCM50a Integrated Router for Internet access.

Internet access configuration

Using Menu 4 you can enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in Menu 11. Before you configure your BCM50a Integrated Router for Internet access, you must collect your Internet account information.
Figure 16 Menu 4 – Internet Access Setup

    Menu 4 - Internet Access Setup

    ISP's Name= ChangeMe
    Encapsulation= ENET ENCAP
    Multiplexing= LLC-based
    VPI #= 8
    VCI #= 35
    My Login= N/A
    My Password= N/A
    ENET ENCAP Gateway= N/A
    IP Address Assignment= Dynamic
      IP Address= N/A
    Network Address Translation= SUA Only
      Address Mapping Set= N/A

    Press ENTER to Confirm or ESC to Cancel:

Table 11 describes the fields in Figure 16.
Table 11 Menu 4 Internet access setup (continued)

Idle Timeout: This value specifies the number of idle seconds that elapse before the BCM50a Integrated Router automatically disconnects the PPPoE session. Example: 0
IP Address Assignment: Press [SPACE BAR] to select Static or Dynamic address assignment. Example: Dynamic
IP Address: Enter the IP address supplied by your ISP, if applicable.
Chapter 6 Remote Node setup

This chapter shows you how to configure a remote node.

Introduction to Remote Node setup

This section describes the protocol-independent parameters for a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. When you use menu 4 to set up Internet access, you are configuring one of the remote nodes.
Nailed-Up Connection

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The BCM50a Integrated Router does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the BCM50a Integrated Router will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
Figure 17 Menu 11 – Remote Node Setup

    Menu 11 - Remote Node Setup
    1. ChangeMe (ISP, SUA)
    2. -GUI (BACKUP_ISP, SUA)
    Enter Node # to Edit:

Encapsulation and Multiplexing scenarios

For Internet access you should use the encapsulation and multiplexing methods used by your ISP. Consult your telephone company for information on encapsulation and multiplexing methods for LAN-to-LAN applications, for example between a branch office and corporate headquarters.
Selecting RFC-1483 encapsulation with VC-based multiplexing requires the least amount of overhead (0 octets). However, if there is a potential need for multiple protocol support in the future, it may be safer to select PPPoA encapsulation instead of RFC-1483, so you do not need to reconfigure either computer later.

• Scenario 3. Multiple VCs

If you have an equal number (or more) of VCs than the number of protocols, then select RFC-1483 encapsulation and VC-based multiplexing.
Table 12 Menu 11.1 Remote Node Profile (continued)

Encapsulation: PPPoA refers to RFC-2364 (PPP Encapsulation over ATM Adaptation Layer 5). If RFC-1483 (Multiprotocol Encapsulation over ATM Adaptation Layer 5) or ENET ENCAP is selected, then the Rem Login, Rem Password, My Login, My Password and Authen fields are not applicable (N/A). Example: ENET ENCAP
Table 12 Menu 11.1 Remote Node Profile (continued)

Edit ATM Options: Press [SPACE BAR] to select Yes and press [ENTER] to display Menu 11.6 – Remote Node ATM Layer Options. Example: No
Edit Advance Options: This field is only available when you select PPPoE in the Encapsulation field. Press [SPACE BAR] to select Yes and press [ENTER] to display Menu 11.8 – Advance Setup Options. This field is not available on all models. Example: No
2 In menu 11.1, make sure IP is among the protocols in the Route field.

3 Move the cursor to the Edit IP/Bridge field, press [SPACE BAR] to select Yes, then press [ENTER] to display Menu 11.3 – Remote Node Network Layer Options.

Figure 19 Menu 11.3 – Remote Node Network Layer Options

    Menu 11.3 - Remote Node Network Layer Options

    IP Options:
      IP Address Assignment = Dynamic
      Rem IP Addr = 0.0.0.0
      Rem Subnet Mask= 0.0.0.
Table 13 Menu 11.3 Remote Node Network Layer Options (continued)

My WAN Addr: Some implementations, especially UNIX derivatives, require separate IP network numbers for the WAN and LAN links and each end to have a unique address within the WAN network number. In that case, type the IP address assigned to the WAN port of your BCM50a Integrated Router. NOTE: Refers to local BCM50a Integrated Router address, not the remote router address.
Table 13 Menu 11.3 Remote Node Network Layer Options (continued)

Multicast: IGMP-v1 sets IGMP to version 1, IGMP-v2 sets IGMP to version 2 and None disables IGMP. Example: None

After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.

Remote Node filter

Move the cursor to the field Edit Filter Sets in menu 11.1, and then press [SPACE BAR] to set the value to Yes.
Figure 20 Menu 11.1.4 – Remote Node Filter (Ethernet Encapsulation)

    Menu 11.1.4 - Remote Node Filter
    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
    Enter here to CONFIRM or ESC to CANCEL:

Figure 21 Menu 11.1.4 – Remote Node Filter (PPPoE or PPPoA Encapsulation)

    Menu 11.1.
Editing ATM Layer Options

Follow the steps shown next to edit Menu 11.6 – Remote Node ATM Layer Options. In menu 11.1, move the cursor to the Edit ATM Options field and then press [SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.6 – Remote Node ATM Layer Options. There are two versions of menu 11.6 for the Contivity 251, depending on whether you chose VC-based/LLC-based multiplexing and PPP encapsulation in menu 11.1.
Figure 23 Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation

    Menu 11.6 - Remote Node ATM Layer Options

    VPI/VCI (LLC-Multiplexing or PPP-Encapsulation)
      VPI #= 8
      VCI #= 35
      ATM QoS Type= UBR

    ENTER here to CONFIRM or ESC to CANCEL:

In this case, only one set of VPI and VCI numbers need be specified for all protocols. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (1 to 31 is reserved for local management of ATM traffic).
Move the cursor to the Edit Advance Options field, press [SPACE BAR] to select Yes, then press [ENTER] to display Menu 11.8 – Advance Setup Options.

Figure 25 Menu 11.8 – Advance Setup Options

    Menu 11.8 - Advance Setup Options
    PPPoE pass-through = No
    Press ENTER to Confirm or ESC to Cancel:

Table 14 describes the fields in Figure 25.

Table 14 Menu 11.
Chapter 7 IP Static Route Setup

This chapter shows you how to configure static routes with your BCM50a Integrated Router.

IP Static Route Setup
Enter 12 from the main menu. Select one of the IP static routes as shown in Figure 26 to configure IP static routes in menu 12.

Figure 26 Menu 12 – IP Static Route Setup

  Menu 12 - IP Static Route Setup
     1. Reserved
     2. ________
     3. ________
     4. ________
     5. ________
     6. ________
     7. ________
     8. ________
     9. ________
    10. ________
    11. ________
    12. ________
    Enter selection number:

Now, enter the index number of the static route that you want to configure. The reserved entry is for the WAN interface and you cannot edit it here.
Figure 27 Menu 12.1 – Edit IP Static Route

  Menu 12.1 - Edit IP Static Route
    Route #: 1
    Route Name= ?
    Active= No
    Destination IP Address= ?
    IP Subnet Mask= ?
    Gateway IP Address= ?
    Metric= 2
    Private= No
    Press ENTER to CONFIRM or ESC to CANCEL:

Table 15 describes the fields in Figure 27.

Table 15 IP Static Route Menu Fields
  Field       Description
  Route #     This is the index number of the static route that you chose in menu 12.
  Route Name  Enter a descriptive name for this route.
Table 15 IP Static Route Menu Fields (continued)
  Field    Description
  Private  This parameter determines whether the BCM50a Integrated Router includes the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node is propagated to other hosts through RIP broadcasts.
Chapter 8 Dial-in User Setup This chapter shows you how to create user accounts on the BCM50a Integrated Router. Dial-in User Setup By storing user profiles locally, your BCM50a Integrated Router can authenticate users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your BCM50a Integrated Router. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup. Figure 28 Menu 14 – Dial-in User Setup Menu 14 - Dial-in User Setup 1. 2. 3. 4. 5. 6.
Figure 29 Menu 14.1 – Edit Dial-in User

  Menu 14.1 - Edit Dial-in User
    User Name= test
    Active= Yes
    Password= ********
    Press ENTER to Confirm or ESC to Cancel:
    Leave name field blank to delete profile

Table 16 describes the fields in Figure 29.

Table 16 Menu 14.1 - Edit Dial-in User
  Field      Description
  User Name  Enter a username up to 31 alphanumeric characters long for this user profile. This field is case sensitive.
Chapter 9 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the BCM50a Integrated Router.

Using NAT
Note: You must create a firewall rule in addition to setting up SUA/NAT to allow traffic from the WAN to be forwarded through the BCM50a Integrated Router.

SUA (Single User Account) Versus NAT
SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
Figure 30 Menu 4 – Applying NAT for Internet Access

  Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= ENET ENCAP
    Multiplexing= LLC-based
    VPI #= 8
    VCI #= 35
    My Login= N/A
    My Password= N/A
    ENET ENCAP Gateway= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    Network Address Translation= SUA Only
    Address Mapping Set= N/A
    Press ENTER to Confirm or ESC to Cancel:

Figure 31 shows how you apply NAT to the remote node in menu 11.1.
Figure 31 Menu 11.3 – Applying NAT to the Remote Node

  Menu 11.3 - Remote Node Network Layer Options
    IP Options:
      IP Address Assignment = Dynamic
      Rem IP Addr = 0.0.0.0
      Rem Subnet Mask= 0.0.0.0
      My WAN Addr= 0.0.0.0
      NAT= SUA Only
      Address Mapping Set= N/A
      Metric= 15
      Private= No
      RIP Direction= None
        Version= RIP-1
      Multicast= None
    Bridge Options:
      Ethernet Addr Timeout(min)= N/A
    Enter here to CONFIRM or ESC to CANCEL:
    Press Space Bar to Toggle.
Chapter 9 Network Address Translation (NAT) NAT setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT uses Set 1. When you select SUA Only, the SMT uses the pre-configured Set 255 (read only).
Figure 33 Menu 15.1 – Address Mapping Sets

  Menu 15.1 - Address Mapping Sets
      1. NAT_SET
    255. SUA (read only)
    Enter Menu Selection Number:

SUA Address Mapping Set
Enter 255 to display the screen shown in Figure 34 (see “SUA (Single User Account) Versus NAT” on page 89). The fields in this menu cannot be changed.
Figure 34 Menu 15.1.255 – SUA Address Mapping Rules

  Menu 15.1.255 - Address Mapping Rules
    Set Name= SUA
    Idx  Local Start IP   Local End IP      Global Start IP  Global End IP  Type
    ---  ---------------  ---------------   ---------------  -------------  ------
     1.  0.0.0.0          255.255.255.255   0.0.0.0                         M-1
     2.                                     0.0.0.0                         Server
     3.
     4.
     5.
     6.
     7.
     8.
     9.
    10.
    Press ENTER to Confirm or ESC to Cancel:

Table 18 explains the fields in Figure 34. Note: Menu 15.1.
Table 18 SUA Address Mapping Rules (continued)
  Field            Description                                                                Example
  Local End IP     The ending local IP address (ILA). If the rule is for all local IPs,       255.255.255.255
                   the start IP is 0.0.0.0 and the end IP is 255.255.255.255.
  Global Start IP  The starting global IP address (IGA). If you have a dynamic IP, enter     0.0.0.0
                   0.0.0.0 as the Global Start IP.
  Global End IP    The ending global IP address (IGA).
Figure 35 Menu 15.1.1: First Set

  Menu 15.1.1 - Address Mapping Rules
    Set Name= NAT_SET
    Idx  Local Start IP  Local End IP  Global Start IP  Global End IP  Type
    ---  --------------  ------------  ---------------  -------------  ----
     1.
     2.
     3.
     4.
     5.
     6.
     7.
     8.
     9.
    10.
    Action= Edit
    Select Rule=
    Press ENTER to Confirm or ESC to Cancel:

Note: The Type, Local and Global Start/End IPs are configured in menu 15.1.1.
your configured rule is pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in the current set and you now configure rule number 9, the new rule appears in the set summary screen as rule 7, not 9. If you delete rule 4, rules 5 to 7 are pushed up by one, so old rule 5 becomes rule 4, old rule 6 becomes rule 5 and old rule 7 becomes rule 6. Table 19 Fields in menu 15.1.
Figure 36 Menu 15.1.1.1: Editing or configuring an individual rule in a set

  Menu 15.1.1.1 Address Mapping Rule
    Type= One-to-One
    Local IP:
      Start=
      End = N/A
    Global IP:
      Start=
      End = N/A
    Press ENTER to Confirm or ESC to Cancel:

Table 20 describes the fields in Figure 36.

Table 20 Menu 15.1.1.1: Editing or configuring an individual rule in a set
  Field  Description                                                              Example
  Type   Press [SPACE BAR] and then [ENTER] to select from a total of five types.
Table 20 Menu 15.1.1.1: Editing or configuring an individual rule in a set (continued)
  Field            Description                                                               Example
  Global IP Start  Enter the starting global IP address (IGA). If you have a dynamic IP,     0.0.0.0
                   enter 0.0.0.0 as the Global IP Start. Note that Global IP Start can
                   be set to 0.0.0.0 only if the type is Many-to-One or Server.
  Global IP End    Enter the ending global IP address (IGA). This field is N/A for the      N/A
                   One-to-One, Many-to-One and Server types.
Figure 37 Menu 15.2 – NAT Server Sets

  Menu 15.2 - NAT Server Setup
    Default Server: 0.0.0.0
    Rule  Act.  Start Port  End Port  IP Address
    -----------------------------------------------
    001   No    0           0         0.0.0.0
    002   No    0           0         0.0.0.0
    003   No    0           0         0.0.0.0
    004   No    0           0         0.0.0.0
    005   No    0           0         0.0.0.0
    006   No    0           0         0.0.0.0
    007   No    0           0         0.0.0.0
    008   No    0           0         0.0.0.0
    009   No    0           0         0.0.0.0
    010   No    0           0         0.0.0.
Figure 38 Menu 15.2.1 – NAT Server Configuration

  15.2.1 - NAT Server Configuration
    Index= 1
    ------------------------------------------------
    Name=
    Active= No
    Start port= 0
    End port= 0
    IP Address= 0.0.0.0
    Press ENTER to Confirm or ESC to Cancel:

Table 21 describes the fields in this screen.

Table 21 Menu 15.2.1: NAT Server Configuration
  Field  Description
  Index  This is the index number of an individual port forwarding server entry.
5 Enter the inside IP address of the server in the IP Address field. In the following figure, a single computer at 192.168.1.33 acts as the FTP, Telnet and SMTP server (ports 21, 23 and 25).
6 Press [ENTER] at the “Press ENTER to confirm …” prompt to save your configuration after you define all the servers, or press [ESC] at any time to cancel.

Figure 39 Menu 15.2 – NAT Server Setup

  Menu 15.2 - NAT Server Setup
    Default Server: 0.0.0.0
    Rule  Act.
Figure 40 Multiple servers behind NAT example (network diagram)

General NAT examples
The following are some examples of NAT configuration.

Internet access only
In the Internet access example shown in Figure 41, you need only one rule, in which all your ILAs (Inside Local Addresses) map to the one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 41 NAT Example 1 (network diagram)

Figure 42 Menu 4: Internet access & NAT example

  Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= ENET ENCAP
    Multiplexing= LLC-based
    VPI #= 8
    VCI #= 35
    My Login= N/A
    My Password= N/A
    ENET ENCAP Gateway= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    Network Address Translation= SUA Only
    Address Mapping Set= N/A
    Press ENTER to Confirm or ESC to Cancel:

From menu 4 shown above, simply choos
Example 2: Internet access with an inside server

Figure 43 NAT Example 2 (network diagram)

In this case, do exactly as shown in Figure 43 (use the convenient pre-configured SUA Only set), and also go to menu 15.2 to specify the inside server behind the NAT as shown in Figure 44.
Figure 44 Menu 15.2: Specifying an inside server

  Menu 15.2 - NAT Server Setup
    Default Server: 192.168.1.10
    Rule  Act.  Start Port  End Port  IP Address
    -----------------------------------------------
    001   No    0           0         0.0.0.0
    002   No    0           0         0.0.0.0
    003   No    0           0         0.0.0.0
    004   No    0           0         0.0.0.0
    005   No    0           0         0.0.0.0
    006   No    0           0         0.0.0.0
    007   No    0           0         0.0.0.0
    008   No    0           0         0.0.0.0
    009   No    0           0         0.0.0.0
    010   No    0           0         0.0.0.

Setting Default Server to 192.168.1.10 sends every unsolicited inbound packet that no rule in this menu claims to that host, on every port, not only the service you intend to publish. The firewall rule required at the start of this chapter is what limits that exposure; prefer an explicit port rule (as in Figure 39) when only one service needs to be reachable.
The example situation looks like this:

Figure 45 NAT example 3 (network diagram)

1 In this case you must configure Address Mapping Set 1 from Menu 15.1 Address Mapping Sets. Therefore, you must choose the Full Feature option in the Network Address Translation field (in menu 4 or menu 11.3) (see Figure 46).
2 Enter 15 from the main menu.
3 Enter 1 to configure the Address Mapping Sets.
4 Enter 1 to begin configuring this new set.
Figure 46 Example 3: Menu 11.3

  Menu 11.3 - Remote Node Network Layer Options
    IP Options:
      IP Address Assignment = Dynamic
      Rem IP Addr = 0.0.0.0
      Rem Subnet Mask= 0.0.0.0
      My WAN Addr= 0.0.0.0
      NAT= Full Feature
      Address Mapping Set= 1
      Metric= 15
      Private= No
      RIP Direction= None
        Version= RIP-1
      Multicast= None
    Bridge Options:
      Ethernet Addr Timeout(min)= N/A
    Enter here to CONFIRM or ESC to CANCEL:
    Press Space Bar to Toggle.
Figure 47 Example 3: Menu 15.1.1.1

  Menu 15.1.1.1 Address Mapping Rule
    Type= One-to-One
    Local IP:
      Start= 192.168.1.10
      End = N/A
    Global IP:
      Start= 10.132.50.
Figure 48 Example 3: Final Menu 15.1.1

  Menu 15.1.1 - Address Mapping Rules
    Set Name= Example3
    Idx  Local Start IP  Local End IP     Global Start IP  Global End IP  Type
    ---  --------------  ---------------  ---------------  -------------  ------
     1.  192.168.1.10                     10.132.50.1                     1-1
     2.  192.168.1.11                     10.132.50.2                     1-1
     3.  0.0.0.0         255.255.255.255  10.132.50.3                     M-1
     4.                                   10.132.50.3                     Server
     5.
     6.
     7.
     8.
     9.
    10.
Figure 49 Example 3: Menu 15.2

  Menu 15.2 - NAT Server Setup
    Default Server: 0.0.0.0
    Rule  Act.  Start Port  End Port  IP Address
    -----------------------------------------------
    001   Yes   80          80        192.168.1.21
    002   Yes   25          25        192.168.1.20
    003   No    0           0         0.0.0.0
    004   No    0           0         0.0.0.0
    005   No    0           0         0.0.0.0
    006   No    0           0         0.0.0.0
    007   No    0           0         0.0.0.0
    008   No    0           0         0.0.0.0
    009   No    0           0         0.0.0.0
    010   No    0           0         0.0.0.
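The Example 3 configuration (Figure 48 and Figure 49) is small enough to trace by hand, but a model makes the rule-order and rule-type behaviour explicit. The following Python is an added example written for this page, not firmware or configuration from the BCM50a: it encodes the four mapping rules and the two NAT server rules exactly as printed, walks them in index order (first matching rule wins, as the address-mapping text describes) and reports what a packet is translated to. The addresses, ports and rule types are the page's; the function names, and the reading that a Default Server of 0.0.0.0 means unmatched inbound traffic is not forwarded, are assumptions of this example.

```python
"""Added example: evaluates the Example 3 NAT rules (menus 15.1.1 and 15.2).
Not BCM50a firmware; written for this page to show how rule order and the
1-1 / M-1 / Server types decide the translation of a packet."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class MappingRule:
    """One row of the menu 15.1.1 summary ("" where the menu shows nothing)."""
    rtype: str            # "1-1", "M-1" or "Server"
    local_start: str
    local_end: str
    global_start: str


@dataclass(frozen=True)
class ServerRule:
    """One row of menu 15.2 - NAT Server Setup."""
    active: bool
    start_port: int
    end_port: int
    ip: str


# Figure 48, set "Example3", rules 1-4 in index order.
MAPPING_SET = [
    MappingRule("1-1", "192.168.1.10", "", "10.132.50.1"),
    MappingRule("1-1", "192.168.1.11", "", "10.132.50.2"),
    MappingRule("M-1", "0.0.0.0", "255.255.255.255", "10.132.50.3"),
    MappingRule("Server", "", "", "10.132.50.3"),
]

# Figure 49: HTTP to 192.168.1.21, SMTP to 192.168.1.20, no default server.
DEFAULT_SERVER = "0.0.0.0"   # assumption: 0.0.0.0 = unmatched inbound is not forwarded
SERVER_SET = [
    ServerRule(True, 80, 80, "192.168.1.21"),
    ServerRule(True, 25, 25, "192.168.1.20"),
]


def _in_local_range(ip: str, rule: MappingRule) -> bool:
    """True if ip lies in Local Start..Local End (a single host when End is blank)."""
    if not rule.local_start:
        return False
    lo = IPv4Address(rule.local_start)
    hi = IPv4Address(rule.local_end or rule.local_start)
    return lo <= IPv4Address(ip) <= hi


def translate_outbound(src_ip: str) -> Optional[str]:
    """Global address (IGA) given to an outbound packet from src_ip.
    Rules are tried top-down, so the two 1-1 rules must precede the M-1
    catch-all; placing rule 3 first would hide both 1-1 mappings."""
    for rule in MAPPING_SET:
        if rule.rtype == "Server":
            continue                     # Server rows only steer inbound traffic
        if _in_local_range(src_ip, rule):
            return rule.global_start
    return None


def translate_inbound(dst_ip: str, dst_port: int) -> Optional[str]:
    """Inside address (ILA) an unsolicited inbound packet is delivered to,
    or None when nothing claims it."""
    for rule in MAPPING_SET:
        if rule.global_start != dst_ip:
            continue
        if rule.rtype == "1-1":
            return rule.local_start      # 1-1 is reversible: every port reaches the host
        if rule.rtype == "M-1":
            continue                     # M-1 only carries replies to outbound sessions
        for srv in SERVER_SET:           # Server: menu 15.2 decides by port
            if srv.active and srv.start_port <= dst_port <= srv.end_port:
                return srv.ip
        return None if DEFAULT_SERVER == "0.0.0.0" else DEFAULT_SERVER
    return None


if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.1.11", "192.168.1.77"):
        print(f"{src:14} -> {translate_outbound(src)}")
    for dst, port in (("10.132.50.3", 80), ("10.132.50.3", 443), ("10.132.50.1", 22)):
        print(f"{dst}:{port:<4} -> {translate_inbound(dst, port)}")
```

The security point the model makes visible: the two One-to-One rules expose every port of 192.168.1.10 and 192.168.1.11 at their global addresses, whereas the Server rule exposes only ports 80 and 25 on 10.132.50.3. Whether that reachable surface is actually permitted is still decided by the firewall rule the note at the start of this chapter requires.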
Figure 50 Menu 15.3 – Trigger Port Setup

  Menu 15.3 - Trigger Port Setup
                        Incoming                 Trigger
    Rule  Name          Start Port  End Port     Start Port  End Port
    -------------------------------------------------------------------
     1.   Real Audio    6970        7170         7070        7070
     2.                 0           0            0           0
     3.                 0           0            0           0
     4.                 0           0            0           0
     5.                 0           0            0           0
     6.                 0           0            0           0
     7.                 0           0            0           0
     8.                 0           0            0           0
     9.                 0           0            0           0
    10.                 0           0            0           0
    11.                 0           0            0           0
    12.
Table 22 Menu 15.3: Trigger Port setup description
  Field       Description                                                                  Example
  Trigger     The trigger port is a port (or a range of ports) that causes (or triggers)
              the BCM50a Integrated Router to record the IP address of the LAN computer
              that sent the traffic to a server on the WAN.
  Start Port  Enter a port number or the starting port number in a range of port numbers.
  End Port    Enter a port number or the ending port number in a range of port numbers.   7070
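Trigger ports are a stateful exception to the static server rules of menu 15.2: the incoming range is opened only towards the LAN host that most recently sent traffic to the trigger port. The Python below is an added example for this page, not BCM50a code; it models rule 1 of Figure 50 (Real Audio, incoming 6970-7170, trigger 7070) and walks a sequence of packets to show what Table 22 implies, namely that one LAN address is recorded per rule and the latest trigger wins. The class and method names, and the sample hosts 192.168.1.33 and 192.168.1.34, are the example's own.

```python
"""Added example: a model of menu 15.3 trigger-port behaviour (not firmware)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TriggerRule:
    """One row of Menu 15.3 - Trigger Port Setup."""
    name: str
    incoming_start: int
    incoming_end: int
    trigger_start: int
    trigger_end: int


class TriggerPortTable:
    """Records which LAN host armed each rule and answers where an inbound
    packet on the incoming range is delivered."""

    def __init__(self, rules: List[TriggerRule]) -> None:
        self.rules = rules
        self.triggered_by: Dict[str, str] = {}     # rule name -> LAN IP

    def outbound(self, lan_ip: str, wan_dst_port: int) -> Optional[str]:
        """LAN -> WAN packet. Returns the name of the rule it armed, if any.
        A later host replaces an earlier one: the table holds one IP per rule."""
        for rule in self.rules:
            if rule.trigger_start <= wan_dst_port <= rule.trigger_end:
                self.triggered_by[rule.name] = lan_ip
                return rule.name
        return None

    def inbound(self, wan_dst_port: int) -> Optional[str]:
        """Unsolicited WAN -> LAN packet. Returns the LAN IP to forward to, or
        None (dropped) when no host has armed the matching rule."""
        for rule in self.rules:
            if rule.incoming_start <= wan_dst_port <= rule.incoming_end:
                return self.triggered_by.get(rule.name)
        return None


# Figure 50, rule 1 (rows 2 to 12 are empty and omitted).
REAL_AUDIO = TriggerRule("Real Audio", 6970, 7170, 7070, 7070)


def demo() -> list:
    """Replay a short packet sequence and return the inbound decisions."""
    table = TriggerPortTable([REAL_AUDIO])
    seen = []
    seen.append(table.inbound(7000))          # nobody has triggered: None (dropped)
    table.outbound("192.168.1.33", 7070)      # host A sends to the trigger port
    seen.append(table.inbound(7000))          # forwarded to host A
    seen.append(table.inbound(7171))          # outside the incoming range: None
    table.outbound("192.168.1.34", 7070)      # host B arms the same rule
    seen.append(table.inbound(7100))          # host B now receives it, host A no longer
    return seen


if __name__ == "__main__":
    print(demo())
```

Note what arming takes: a single packet from any LAN host to TCP or UDP port 7070 anywhere on the WAN, after which unsolicited Internet traffic on 6970-7170 reaches that host. Keep the trigger and incoming ranges as narrow as the application allows.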
Chapter 10 Introducing the firewall

This chapter shows you how to get started with the firewall.

Using SMT menus
From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration, shown in Figure 51.

Figure 51 Menu 21 – Filter and Firewall Setup

  Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
    Enter Menu Selection Number:

Activating the firewall
Enter option 2 in this menu to bring up the screen shown in Figure 52.
Figure 52 Menu 21.2 – Firewall Setup

  Menu 21.2 - Firewall Setup
    The firewall protects against Denial of Service (DoS) attacks when it is active.
    Your network is vulnerable to attacks when the firewall is turned off.
    Refer to the User’s Guide for details about the firewall default policies.
    You may define additional policy rules or modify existing ones but please
    exercise extreme caution in doing so.
    Active: Yes
    You can use the WebGUI to configure the firewall.
Chapter 11 Filter configuration This chapter shows you how to create and apply filters. Introduction to filters Your BCM50a Integrated Router uses filters to decide whether to allow passage of a data packet, make a call, or both. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters. Data filtering screens the data to determine if the packet is allowed to pass.
Figure 53 Outgoing packet filtering process (flowchart). Recoverable steps: an outgoing packet first passes Data Filtering; a match drops the packet and no match continues to Call Filtering. Call Filtering applies the built-in default call filters first and then the user-defined call filters (if applicable). A match in either stage drops the packet if the line is not up, or sends the packet without resetting the idle timer. A packet matching no call filter is active data: the call is initiated if the line is not up, and the packet is sent and the idle timer reset. For incom
Figure 54 Filter rule process (flowchart). Recoverable steps: the packet enters the filter; the first filter set is fetched, then its first rule. An inactive rule is skipped and the next rule checked. An active rule is executed: Forward accepts the packet, Drop drops it, and Check Next Rule moves on to the next rule. When no rule is left in the set, the next applied filter set is fetched; when no set is left, the packet is accepted.

You can apply up to four filter sets to a particular port to block multiple types of packets.
Configuring a Filter Set
The BCM50a Integrated Router includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.
1 Enter 21 in the main menu to open menu 21.

Figure 55 Menu 21 – Filter and Firewall Setup

  Menu 21 - Filter and Firewall Setup
    1. Filter Setup
    2. Firewall Setup
    Enter Menu Selection Number:

2 Enter 1 to bring up menu 21.1.
Chapter 11 Filter configuration 121 Figure 56 Menu 21.1– Filter Set Configuration Menu 21.
Table 23 Abbreviations used in the Filter Rules Summary Menu
  Field         Description
  #             The filter rule number: 1 to 6.
  A             Active: “Y” means the rule is active. “N” means the rule is inactive.
  Type          The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
  Filter Rules  These parameters are displayed here.
  M             More: “Y” means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete.
Chapter 11 Filter configuration 123 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule. To speed up filtering, all rules in a filter set must be of the same class, for example, protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets.
Figure 57 Menu 21.1.1.1 – TCP/IP Filter Rule

  Menu 21.1.1.1 - TCP/IP Filter Rule
    Filter #: 1,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 0     IP Source Route= No
    Destination: IP Addr=
                 IP Mask=
                 Port #=
                 Port # Comp= None
    Source:      IP Addr=
                 IP Mask=
                 Port #=
                 Port # Comp= None
    TCP Estab= N/A
    More= No           Log= None
    Action Matched= Check Next Rule
    Action Not Matched= Check Next Rule
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.
Table 25 TCP/IP Filter Rule Menu fields (continued)
  Field        Description                                                                      Options
  IP Mask      Enter the IP mask to apply to the Destination: IP Addr.                          0.0.0.0
  Port #       Enter the destination port of the packets that you wish to filter. The range    0-65535
               of this field is 0 to 65535. This field is ignored if it is 0.
  Port # Comp  Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the
               destination port in the packet against the value given in Destination: Port #.
Table 25 TCP/IP Filter Rule Menu fields (continued)
  Field               Description                                                         Options
  Action Matched      Press [SPACE BAR] and then [ENTER] to select the action for a       Check Next Rule
                      matching packet.                                                    Forward
                                                                                          Drop
  Action Not Matched  Press [SPACE BAR] and then [ENTER] to select the action for a
                      packet not matching the rule.

After you configure Menu 21.1.1.1 - TCP/IP Filter Rule, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel.
Figure 58 Executing an IP filter (flowchart). Recoverable steps: the packet enters the IP filter; an inactive rule is skipped (Check Next Rule). For an active rule, the source address mask is applied to the source address and the source IP address checked; then the destination mask is applied and the destination IP address checked; then the IP protocol; then the source and destination ports. Any check that fails leads to Action Not Matched. If all checks pass and More is Yes, the next rule in the chain is checked; otherwise Action Matched applies. Either action resolves to Drop (drop packet), Forward (accept packet) or Check Next Rule.
Chapter 11 Filter configuration Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. With generic rules you can filter non-IP packets. For IP packets, it is generally easier to use the IP rules directly. For generic rules, the BCM50a Integrated Router treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Figure 59 Menu 21.1.1.1 – Generic Filter Rule

  Menu 21.1.1.1 - Generic Filter Rule
    Filter #: 2,3
    Filter Type= Generic Filter Rule
    Active= No
    Offset= 0
    Length= 0
    Mask= N/A
    Value= N/A
    More= No           Log= None
    Action Matched= Check Next Rule
    Action Not Matched= Check Next Rule
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.

Table 26 describes the fields in the Generic Filter Rule menu.
Table 26 Generic Filter Rule Menu fields (continued)
  Field  Description                                                                       Options
  Value  Enter the value (in hexadecimal notation) to compare with the data portion.
  More   If Yes, a matching packet is passed to the next filter rule before an action is   Yes
         taken; if No, the packet is disposed of according to the action fields. If More   No
         is Yes, then Action Matched and Action Not Matched are N/A.
  Log    Select the logging option from the following: None - No packets are logged.
Figure 60 Telnet filter example (network diagram)

1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
2 Enter 1 to open Menu 21.1 - Filter Set Configuration.
3 Enter the index of the filter set you wish to configure (for example, 3) and press [ENTER].
4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary.
Figure 61 Example Filter: Menu 21.1.3.1

  Menu 21.1.3.1 - TCP/IP Filter Rule
    Filter #: 3,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6     IP Source Route= No
    Destination: IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #= 23
                 Port # Comp= Equal
    Source:      IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #= 0
                 Port # Comp= None
    TCP Estab= No
    More= No           Log= None
    Action Matched= Drop
    Action Not Matched= Forward
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.
Figure 62 Example Filter Rules Summary: Menu 21.1.3

  Menu 21.1.3 - Filter Rules Summary
    # A Type Filter Rules                                        M m n
    - - ---- --------------------------------------------------- - - -
    1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                 N D F
    2 N
    3 N
    4 N
    5 N
    6 N
    Enter Filter Rule Number (1-6) to Configure: 1

After you have created the filter set, you must apply it.
1 Enter 11 from the main menu to go to menu 11.
2 Then enter 1 to open Menu 11.
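The Telnet rule just created, and the Offset/Length/Mask/Value fields of the generic rule section before it, are easier to reason about with an executable model. The Python below is an added example for this page, not ZyNOS or BCM50a firmware: it implements the walk of Figure 54 over one filter set with the checks of Figure 58, supports both rule classes, and evaluates the rule of Figure 61 and a generic EtherType rule against sample traffic constructed here. Two behaviours are assumptions of the model rather than statements of the page: when a More=Yes rule fails, the Action Not Matched of the last rule in the chain applies, and the generic compare is a byte-wise AND of the selected window with Mask followed by an equality test with Value. A real filter set holds rules of one class only; the engine accepts both so that one block can serve both sections.

```python
"""Added example: a model of one BCM50a filter set (menu 21.1.x), not firmware.
IP rules follow the checks of Figure 58; generic rules compare a byte window."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Union

FORWARD, DROP, NEXT = "Forward", "Drop", "Check Next Rule"


@dataclass
class IpRule:
    """Menu 21.1.x.y - TCP/IP Filter Rule. The mask is ANDed with the packet
    address, so 0.0.0.0 matches any address; Comp None means any port."""
    protocol: int = 0                 # 0 = any IP protocol
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_comp: str = "None"            # None, Equal, Not Equal, Less, Greater
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_comp: str = "None"
    tcp_estab: bool = False           # Yes: only packets of an established TCP session
    active: bool = True
    more: bool = False
    matched: str = NEXT
    not_matched: str = NEXT


@dataclass
class GenericRule:
    """Menu 21.1.x.y - Generic Filter Rule over packet[offset:offset+length]."""
    offset: int
    length: int
    mask: bytes
    value: bytes
    active: bool = True
    more: bool = False
    matched: str = NEXT
    not_matched: str = NEXT


def _masked(addr: str, mask: str) -> int:
    return int(IPv4Address(addr)) & int(IPv4Address(mask))


def _port_ok(port: int, ref: int, comp: str) -> bool:
    return {"None": True, "Equal": port == ref, "Not Equal": port != ref,
            "Less": port < ref, "Greater": port > ref}[comp]


def ip_rule_matches(rule: IpRule, pkt: Dict) -> bool:
    """pkt keys: proto, src, dst, sport, dport, and optionally established."""
    if rule.protocol and pkt["proto"] != rule.protocol:
        return False
    if _masked(pkt["src"], rule.src_mask) != _masked(rule.src_addr, rule.src_mask):
        return False
    if _masked(pkt["dst"], rule.dst_mask) != _masked(rule.dst_addr, rule.dst_mask):
        return False
    if not _port_ok(pkt["sport"], rule.src_port, rule.src_comp):
        return False
    if not _port_ok(pkt["dport"], rule.dst_port, rule.dst_comp):
        return False
    return not rule.tcp_estab or pkt.get("established", False)


def generic_rule_matches(rule: GenericRule, raw: bytes) -> bool:
    window = raw[rule.offset:rule.offset + rule.length]
    if len(window) < rule.length:
        return False                  # packet shorter than the window: no match
    return bytes(b & m for b, m in zip(window, rule.mask)) == rule.value


def run_filter_set(rules: List[Union[IpRule, GenericRule]], pkt: Dict, raw: bytes = b"") -> str:
    """Walk one set in rule order (Figure 54). Returns Forward or Drop; a set
    that decides nothing lets the packet through (the Accept Packet exit)."""
    chain_ok = True                   # running result of a More=Yes chain
    for rule in rules:
        if not rule.active:
            continue
        hit = (ip_rule_matches(rule, pkt) if isinstance(rule, IpRule)
               else generic_rule_matches(rule, raw))
        if rule.more:
            chain_ok = chain_ok and hit      # defer the action to the end of the chain
            continue
        hit, chain_ok = hit and chain_ok, True
        action = rule.matched if hit else rule.not_matched
        if action != NEXT:
            return action
    return FORWARD


# Figure 61: Filter #3,1 drops TCP to port 23 and forwards everything else at once.
TELNET_SET = [IpRule(protocol=6, dst_port=23, dst_comp="Equal", matched=DROP, not_matched=FORWARD)]
# Generic rule over an Ethernet frame: EtherType at offset 12, 2 bytes, equal to 0806 (ARP).
ARP_RULE = GenericRule(offset=12, length=2, mask=b"\xff\xff", value=b"\x08\x06",
                       matched=DROP, not_matched=FORWARD)
# Constructed sample traffic (not from the page).
TELNET_PKT = {"proto": 6, "src": "192.168.1.33", "dst": "202.132.155.93", "sport": 40123, "dport": 23}
HTTP_PKT = {"proto": 6, "src": "192.168.1.33", "dst": "202.132.155.93", "sport": 40124, "dport": 80}
ARP_FRAME = bytes.fromhex("ffffffffffff" "001349000001" "0806") + b"\x00" * 28
IP_FRAME = bytes.fromhex("0013490000ab" "001349000001" "0800") + b"\x00" * 28

if __name__ == "__main__":
    print("telnet:", run_filter_set(TELNET_SET, TELNET_PKT))
    print("http:  ", run_filter_set(TELNET_SET, HTTP_PKT))
    print("arp:   ", run_filter_set([ARP_RULE], {}, ARP_FRAME))
```

Because rule 1 of the Telnet set forwards on Action Not Matched, any later rule in set 3 is unreachable for non-Telnet traffic; a set that must drop several things needs Check Next Rule as the not-matched action on all but the last rule.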
Chapter 11 Filter configuration are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the BCM50a Integrated Router applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire.
Applying LAN Filters
LAN traffic filter sets are useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the numbers of the filter sets that you want to apply, as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, for example, 3, 4, 6, 11.
Chapter 11 Filter configuration Figure 65 Filtering Remote Node Traffic Menu 11.1.
Chapter 12 SNMP Configuration

This chapter explains SNMP configuration menu 22.
Note: SNMP is only available if TCP/IP is configured.

SNMP Configuration
To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The community in the Get, Set and Trap fields is SNMP terminology for a password. Treat it as one: whoever presents the Set community can change the router's configuration over SNMP, and community-based SNMP (versions 1 and 2c) carries the string in cleartext in every request, so choose long, unguessable values and restrict the Trusted Host field to your management station.
Figure 66 Menu 22 – SNMP Configuration

  Menu 22 - SNMP Configuration
    SNMP:
      Get Community=
      Set Community=
      Trusted Host= 0.0.0.0
    Trap:
      Community=
      Destination= 0.0.0.0
    Press ENTER to Confirm or ESC to Cancel:

Table 27 describes the SNMP configuration parameters.

Table 27 SNMP Configuration Menu Fields
  Field          Description                                                              Example
  Get Community  Type the Get community, which is the password for the incoming Get-
                 and GetNext requests from the management station.
SNMP Traps
The BCM50a Integrated Router sends traps to the SNMP manager when any one of the following events occurs:

Table 28 SNMP Traps
  Trap #  Trap Name                        Description
  0       coldStart (defined in RFC-1215)  A trap is sent after booting (power on).
  1       warmStart (defined in RFC-1215)  A trap is sent after booting (software reboot).
Chapter 13 System security

This chapter describes how to configure the system security on the BCM50a Integrated Router.

System security
You can configure the system password, an external RADIUS server and 802.1x in this menu.

System password

Figure 67 Menu 23 – System security

  Menu 23 - System Security
    1. Change Password
    2. RADIUS Server
    4. IEEE802.1x
    Enter Menu Selection Number:

Nortel recommends you change the default password.
Configuring external RADIUS server
Enter 23 in the main menu to display Menu 23 – System security.

Figure 68 Menu 23 – System Security

  Menu 23 - System Security
    1. Change Password
    2. RADIUS Server
    4. IEEE802.1x
    Enter Menu Selection Number:

From Menu 23 - System Security, enter 2 to display Menu 23.2 – System Security – RADIUS Server, as shown in Figure 69.

Figure 69 Menu 23.2 – System Security – RADIUS server Menu 23.
Table 29 describes the fields in Figure 69.

Table 29 Menu 23.2 System Security: RADIUS Server
  Field                         Description
  Authentication Server Active  Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external authentication server.
  Server Address                Enter the IP address of the external authentication server in dotted decimal notation.
  Port #                        The default port of the RADIUS server for authentication is 1812.
Chapter 14 System information and diagnosis This chapter covers SMT menus 24.1 to 24.4. Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your BCM50a Integrated Router. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown in Figure 70.
Figure 70 Menu 24 – System Maintenance

  Menu 24 - System Maintenance
     1. System Status
     2. System Information and Console Port Speed
     3. Log and Trace
     4. Diagnostic
     5. Backup Configuration
     6. Restore Configuration
     7. Upload Firmware
     8. Command Interpreter Mode
     9. Call Control
    10. Time and Date Setting
    11.
3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen.

Figure 71 Menu 24.1 – System Maintenance – Status

  Menu 24.1 - System Maintenance - Status          11:48:18 Tue. Jun. 06, 2006
    Node-Lnk  Status  TxPkts  RxPkts  Errors  Tx B/s  Rx B/s  Up Time
    1-ENET    N/A     0       0       0       0       0       0:00:00
    My WAN IP (from ISP): 0.0.0.
Table 30 Menu 24.1 System Maintenance: Status (continued)
  Field                 Description
  Up Time               The time this channel has been connected to the current remote node.
  My WAN IP (from ISP)  The IP address of the ISP remote node.
  Ethernet              Statistics for the LAN.
  Status                The current status of the LAN.
  Tx Pkts               The number of packets transmitted to the LAN.
  Rx Pkts               The number of packets received from the LAN.
Chapter 14 System information and diagnosis 149 Figure 72 System Information and Console Port Speed Menu 24.2 - System Information and Console Port Speed 1. System Information 2. Console Port Speed Please enter selection: System Information System Information gives you information about your system, as shown in Figure 73. More specifically, it gives you information on your routing protocol, Ethernet address and IP address.
Figure 73 Menu 24.2.1 – System Maintenance – Information

  Menu 24.2.1 - System Maintenance - Information
    Name:
    Routing: IP
    RAS F/W Version: VBCM252_2.6.0.0.001b3 | 06/29/2006
    Country Code: 255
    ADSL Chipset Vendor: STMI 2.6.4
    Standard: Multi-Mode
    LAN
      Ethernet Address: 00:13:49:00:00:01
      IP Address: 192.168.1.1
      IP Mask: 255.255.255.0
      DHCP: Server
    Press ESC or RETURN to Exit:

Table 31 Menu 24.2.
Chapter 14 System information and diagnosis 151 Table 31 Menu 24.2.1 System Maintenance: Information (continued) Field Description DHCP This field shows the DHCP setting (None, Relay or Server) of the BCM50a Integrated Router. After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Console port speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed.
Figure 75 Menu 24.3 – System Maintenance: Log and Trace

  Menu 24.3 - System Maintenance - Log and Trace
    2. Syslog Logging
    4. Call-Triggering Packet
    Press ENTER to Confirm or ESC to Cancel

Syslog logging
The BCM50a Integrated Router uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Syslog Logging, as shown in Figure 76.
Table 32 System Maintenance Menu Syslog Parameters
  Parameter                 Description
  Syslog Server IP Address  Enter the IP address of the syslog server that receives the CDR (Call Detail Record) and system messages.
  Log Facility              Press [SPACE BAR] and then [ENTER] to select a Local option. Using the log facility, you can log the messages to different files on the server. Refer to the documentation of your syslog program for more details.
Packet triggered

Packet triggered message format:
  SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String );
  String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x
  Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG)
  Data: the first 48 bytes of the triggering packet, sent to the server as hexadecimal characters

  Jul 19 11:28:39 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f7071727374
  Jul 19 11:28:56 192.
  spo: Source port
  dpo: Destination port

  Mar 03 10:39:43 202.132.155.97 RAS: GEN[fffffffffffnordff0080] }S05>R01mF
  Mar 03 10:41:29 202.132.155.97 RAS: GEN[00a0c5f502fnord010080] }S05>R01mF
  Mar 03 10:41:34 202.132.155.97 RAS: IP[Src=192.168.1.33 Dst=202.132.155.93 ICMP]}S04>R01mF
  Mar 03 11:59:20 202.132.155.97 RAS: GEN[00a0c5f502fnord010080] }S05>R01mF
  Mar 03 12:00:52 202.132.155.97 RAS: GEN[ffffffffffff0080] }S05>R01mF
  Mar 03 12:00:57 202.132.155.
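The filter and packet-trigger lines above are what a log collector has to parse to get anything useful out of this router. The Python below is an added example for this page, not Nortel code: it parses the two formats shown (the filter-log suffix }Sxx>Ryy followed by m or n and F or D, read here as set, rule, matched/not matched and forward/drop, consistent with the M, m and n columns of the Filter Rules Summary; and the Packet Trigger line, whose Data field is the start of the packet), decodes the IPv4 header carried in the trigger dump, and tallies dropped packets per source. Sample lines are the page's own plus two constructed drop lines consistent with the Telnet filter of the previous chapter (set 3, rule 1); the regular expressions and function names are the example's own.

```python
"""Added example: parse the BCM50a filter-log and packet-trigger syslog lines
(not Nortel code). The regexes follow the formats printed in this chapter."""
import re
from collections import Counter
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional

# e.g. Mar 03 10:41:34 202.132.155.97 RAS: IP[Src=192.168.1.33 Dst=202.132.155.93 ICMP]}S04>R01mF
FILTER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<router>\S+) RAS: "
    r"(?P<kind>IP|GEN)\[(?P<body>[^\]]*)\] ?\}S(?P<set>\d{2})>R(?P<rule>\d{2})"
    r"(?P<hit>[mn])(?P<action>[FD])$")
IP_BODY_RE = re.compile(
    r"Src=(?P<src>[\d.]+)(?::spo=(?P<spo>\d+))? Dst=(?P<dst>[\d.]+)(?::dpo=(?P<dpo>\d+))? (?P<proto>\S+)")
# e.g. Jul 19 11:28:39 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data=4500003c...
TRIGGER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<router>\S+) RAS: Packet Trigger: "
    r"Protocol=(?P<proto>\d+), Data=(?P<data>[0-9a-fA-F]+)$")


def parse_filter_log(line: str) -> Optional[Dict]:
    """Set/rule that fired, whether the packet matched (m) and the action (F/D);
    for IP rules also src, dst, ports and protocol name."""
    m = FILTER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "router": m["router"], "kind": m["kind"],
           "set": int(m["set"]), "rule": int(m["rule"]),
           "matched": m["hit"] == "m",
           "action": "forward" if m["action"] == "F" else "drop"}
    if m["kind"] == "IP":
        b = IP_BODY_RE.match(m["body"])
        if b:
            rec.update(src=b["src"], dst=b["dst"], proto=b["proto"],
                       spo=int(b["spo"]) if b["spo"] else None,
                       dpo=int(b["dpo"]) if b["dpo"] else None)
    else:
        rec["raw"] = m["body"]              # generic rules log the bytes they looked at
    return rec


def parse_packet_trigger(line: str) -> Optional[Dict]:
    """Decode the IPv4 header from the Data dump when Protocol=1 (IP)."""
    m = TRIGGER_RE.match(line.strip())
    if not m:
        return None
    data = bytes.fromhex(m["data"])
    rec = {"ts": m["ts"], "router": m["router"],
           "link_proto": int(m["proto"]), "dump_len": len(data)}
    if rec["link_proto"] == 1 and len(data) >= 20 and data[0] >> 4 == 4:
        rec.update(ip_proto=data[9],
                   total_len=int.from_bytes(data[2:4], "big"),
                   src=str(IPv4Address(data[12:16])),
                   dst=str(IPv4Address(data[16:20])))
    return rec


def drops_by_source(lines: Iterable[str]) -> Counter:
    """Dropped IP-filter packets per source, to spot a host repeatedly
    hitting a blocked port."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_filter_log(line)
        if rec and rec["action"] == "drop" and rec.get("src"):
            hits[rec["src"]] += 1
    return hits


# Page lines plus two constructed drop lines (Telnet rule: set 3, rule 1).
SAMPLE: List[str] = [
    "Mar 03 10:39:43 202.132.155.97 RAS: GEN[fffffffffffnordff0080] }S05>R01mF",
    "Mar 03 10:41:34 202.132.155.97 RAS: IP[Src=192.168.1.33 Dst=202.132.155.93 ICMP]}S04>R01mF",
    "Mar 03 12:05:10 202.132.155.97 RAS: IP[Src=10.0.0.5:spo=4321 Dst=192.168.1.33:dpo=23 TCP]}S03>R01mD",
    "Mar 03 12:05:12 202.132.155.97 RAS: IP[Src=10.0.0.5:spo=4322 Dst=192.168.1.33:dpo=23 TCP]}S03>R01mD",
    "Jul 19 11:28:39 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data="
    "4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f7071727374",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(parse_filter_log(ln) or parse_packet_trigger(ln))
    print(drops_by_source(SAMPLE))
```

The trigger dump from the page decodes to an ICMP packet from 192.168.102.20 to 202.132.154.123 with an IP total length of 60 bytes, of which the router logged the first 48; that is enough to identify the host that brought a line up, which is the point of the Call-Triggering Packet option.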
Firewall log

Firewall log message format:
  SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
  buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.
    Flags = 0x00
    Fragment Offset = 0x00
    Time to Live = 0xFE (254)
    Protocol = 0x06 (TCP)
    Header Checksum = 0xFB20 (64288)
    Source IP = 0xC0A80101 (192.168.1.1)
    Destination IP = 0x00000000 (0.0.0.0)
  TCP Header:
    Source Port = 0x0401 (1025)
    Destination Port = 0x000D (13)
    Sequence Number = 0x05B8D000 (95997952)
    Ack Number = 0x00000000 (0)
    Header Length = 24
    Flags = 0x02 (....S.
Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic.
1 From the main menu, select option 24 to open Menu 24 - System Maintenance.
2 From this menu, select option 4. Diagnostic. This opens Menu 24.4 - System Maintenance - Diagnostic.

Figure 78 Menu 24.4 – System Maintenance: Diagnostic

  Menu 24.4 - System Maintenance - Diagnostic
    TCP/IP
      1. Ping Host
      2. WAN DHCP Release
      3. WAN DHCP Renewal
      4. PPPoE/PPPoA Setup Test
    System
      11.
Figure 79 WAN & LAN DHCP

Table 33 describes the diagnostic tests available in menu 24.4 for your BCM50a Integrated Router and associated connections.

Table 33 System Maintenance menu diagnostic
Field: Description
Ping Host: Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below.
WAN DHCP Release: Enter 2 to release your WAN DHCP settings.
Chapter 15 Firmware and configuration file maintenance

This chapter tells you how to back up and restore your configuration file, as well as upload new firmware and configuration files.

Filename conventions
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup and TCP/IP Setup. It comes with a rom filename extension.
If your (T)FTP client does not allow you to have a destination filename different from the source, you must rename the firmware and configuration file names, as the BCM50a Integrated Router only recognizes rom-0 and ras. Be sure you keep unaltered copies of both files for later use. Table 34 is a summary.
Backup configuration
Follow the instructions as shown in Menu 24.5 (Figure 80).

Figure 80 Menu 24.5 – System Maintenance – Backup Configuration

Menu 24.5 - System Maintenance - Backup Configuration
To transfer the configuration file to your workstation, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your router. Then type "nnadmin" and SMT password as requested.
3.
Example of FTP commands from the command line

Figure 81 FTP Session Example
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 config.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit

GUI-based FTP clients
Table 35 describes some of the commands that you can see in GUI-based FTP clients.
• You disable Telnet service in menu 24.11.
• You apply a filter in menu 3.1 (LAN) or in menu 11.1.4 (WAN) to block Telnet service.
• The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the BCM50a Integrated Router disconnects the Telnet session immediately.
5 Use the TFTP client (see the example below) to transfer files between the BCM50a Integrated Router and the computer. The file name for the configuration file is “rom-0” (rom-zero, not capital o).
Note: The Telnet connection must be active and the SMT must be in CI mode before and during the TFTP transfer. For details on TFTP commands (see “TFTP command example” on page 166), consult the documentation of your TFTP client program.
Table 36 General commands for GUI-based TFTP clients
Command: Description
Binary: Transfer the file in binary mode.
Abort: Stop transfer of the file.

Refer to Chapter 17, “Remote Management,” on page 185 for information about configurations that disallow TFTP and FTP over WAN.

Restore configuration
This section shows you how to restore a previously saved configuration.
Figure 82 Telnet into Menu 24.6

Menu 24.6 -- System Maintenance - Restore Configuration
To transfer the firmware and the configuration file, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your router. Then type "nnadmin" and SMT password as requested.
3.
Restore using FTP session example

Figure 83 Restore using FTP session example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp>quit

Refer to Chapter 17, “Remote Management,” on page 185 to read about configurations that disallow TFTP and FTP over WAN.
Figure 84 Telnet Into Menu 24.7.1 Upload System Firmware

Menu 24.7.1 - System Maintenance - Upload System Firmware
To upload the system firmware, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your system. Then type "nnadmin" and SMT password as requested.
3.
To upload the firmware and the configuration files, follow the examples in the rest of this chapter:

FTP file upload command from the DOS prompt example
1 Launch the FTP client on your computer.
2 Enter “open”, followed by a space and the IP address of your BCM50a Integrated Router.
3 Press [ENTER] when prompted for a username.
4 Enter your password as requested (the default is “PlsChgMe!”).
5 Enter “bin” to set transfer mode to binary.
FTP Session Example of Firmware File Upload

Figure 86 FTP Session Example of Firmware File Upload
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> put firmware.bin ras
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 1103936 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit

More commands (found in GUI-based FTP clients) are listed earlier in this chapter.
5 Launch the TFTP client on your computer and connect to the BCM50a Integrated Router. Set the transfer mode to binary before starting data transfer.
6 Use the TFTP client (see the example below) to transfer files between the BCM50a Integrated Router and the computer. The file name for the firmware is ras. Note that the Telnet connection must be active and the BCM50a Integrated Router must be in CI mode before and during the TFTP transfer.
Chapter 16 System Maintenance menus 8 to 10

This chapter leads you through SMT menus 24.8 to 24.10.

Command Interpreter mode
The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet connection, although some commands are only available with a serial connection. See the included disk or www.nortel.
Figure 87 Command mode in Menu 24

Menu 24 - System Maintenance
  1. System Status
  2. System Information and Console Port Speed
  3. Log and Trace
  4. Diagnostic
  5. Backup Configuration
  6. Restore Configuration
  7. Firmware Update
  8. Command Interpreter Mode
  9. Call Control
 10. Time and Date Setting
 11. Remote Management Setup
Enter Menu Selection Number:

Command syntax
The command keywords are in Courier New font.
means that you must specify the type of netbios filter and whether to turn it on or off.

Command usage
A list of commands can be found by typing “help” or “?” at the command prompt. Always type the full command. Type “exit” to return to the SMT main menu when finished. See Appendix G, “Command Interpreter,” on page 241 for details on the commands.
Figure 88 Call Control

Menu 24.9 - System Maintenance - Call Control
  1. Budget Management
  2. Call History
Enter Menu Selection Number:

Budget management
Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the Budget Management menu (Figure 89).
Figure 89 Budget Management

Menu 24.9.1 - Budget Management
Remote Node     Connection Time/Total Budget     Elapsed Time/Total Period
1.ChangeMe      No Budget                        No Budget
2.GUI           No Budget                        No Budget
Reset Node (0 to update screen):

The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call is dropped and further outgoing calls to that remote node are blocked.
Call History
This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control.

Figure 90 Call History

Menu 24.9.2 - Call History
Phone Number     Dir     Rate     #call     Max     Min     Total
 1.
 2.
 3.
 4.
 5.
 6.
 7.
 8.
 9.
10.
Enter Entry to Delete(0 to exit):

Table 38 describes the fields in Figure 90.
Time and Date setting
There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your BCM50a Integrated Router. With Menu 24.10, you can update the time and date settings of your BCM50a Integrated Router. The real time is then displayed in the BCM50a Integrated Router error logs and firewall logs.
Select menu 24 in the main menu to open Menu 24 - System Maintenance.
Figure 92 Menu 24.10 System Maintenance: Time and Date Setting

Menu 24.10 - System Maintenance - Time and Date Setting
Time Protocol= NTP (RFC-1305)
Time Server Address= a.ntp.alphazed.net
Current Time:                 01 : 07 : 41
New Time (hh:mm:ss):          N/A  N/A  N/A
Current Date:                 2000 - 01 - 01
New Date (yyyy-mm-dd):        N/A  N/A  N/A
Time Zone= GMT
Daylight Saving= No
Start Date (mm-nth-week-hr):  Jan. - 1st - Sat.
End Date (mm-nth-week-hr):    Jan. - 1st - Sat.
Table 39 Time and Date Setting Fields
Field: Description
Current Date: This field displays an updated date only when you reenter this menu.
New Date: Enter the new date in year, month and day format. This field is available when you select Manual in the Time Protocol field.
Time Zone: Press [SPACE BAR] and then [ENTER] to set the time difference between your time zone and Greenwich Mean Time (GMT).
Resetting the Time
The BCM50a Integrated Router resets the time in three instances:
• After you make changes to and leave menu 24.10
• After the BCM50a Integrated Router starts up, if a time server configured in menu 24.
Chapter 17 Remote Management

This chapter covers remote management found in SMT menu 24.11.

Remote Management
With remote management, you can determine which services and protocols can access which BCM50a Integrated Router interface (if any) from which computers.
Figure 93 Menu 24.11 – Remote Management Control

Menu 24.11 - Remote Management Control
TELNET Server:   Port = 23   Access = Disable   Secure Client IP = 0.0.0.0
FTP Server:      Port = 21   Access = Disable   Secure Client IP = 0.0.0.0
SSH Server:      Certificate = auto_generated_self_signed_cert
                 Port = 22   Access = Disable   Secure Client IP = 0.0.0.
HTTPS Server:
HTTP Server:
SNMP Service:
DNS Service:
Table 40 Menu 24.11 – Remote Management control
Field: Description
Certificate: Press [SPACE BAR] and then [ENTER] to select the certificate that the BCM50a Integrated Router uses to identify itself. The BCM50a Integrated Router is the SSL server and must always authenticate itself to the SSL client (the computer that requests the HTTPS connection with the BCM50a Integrated Router).
Chapter 18 Call scheduling

Using call scheduling (applicable only for PPPoA or PPPoE encapsulation), you can dictate when a remote node is called and for how long.

Introduction
Using the call scheduling feature, the BCM50a Integrated Router can manage a remote node and dictate when a remote node is called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record). You can apply up to 4 schedule sets in Menu 11.
Lower numbered sets take precedence over higher numbered sets, thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3, and 4 are applied in the remote node then set 1 takes precedence over sets 2, 3, and 4 as the BCM50a Integrated Router, by default, applies the lowest numbered set first. Set 2 takes precedence over sets 3 and 4, and so on. You can design up to 12 schedule sets, but you can only apply up to four schedule sets for a remote node.
If a connection is already established, your BCM50a Integrated Router does not drop it. After the connection is dropped manually or it times out, then that remote node cannot be triggered until the end of the Duration.

Table 41 Menu 26.1 Schedule Set Setup
Field: Description (Example)
Active: Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to activate the schedule set. (Example: Yes)
After you configure your schedule sets, you must apply them to the desired remote nodes. Enter 11 from the Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available, as shown in Figure 96.

Figure 96 Applying Schedule Sets to a Remote Node (PPPoE)

Menu 11.
Appendix A Setting up your computer IP address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, and Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Figure 97 Windows 95/98/Me: network: configuration

Installing components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
a In the Network window, click Add.
b Select Adapter and click Add.
c Select the manufacturer and model of your network adapter and click OK.
a Click Add.
b Select Client and click Add.
c Select Microsoft from the list of manufacturers.
d Select Client for Microsoft Networks from the list of network clients and click OK.
e Restart your computer so your changes take effect.

Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
— If you know your DNS information, select Enable DNS and type the information in the fields below (you do not need to fill them all in).

Figure 99 Windows 95/98/Me: TCP/IP Properties: DNS configuration

4 Click the Gateway tab.
— If you do not know your gateway’s IP address, remove previously installed gateways.
— If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
Windows 2000/NT/XP
1 For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel.

Figure 100 Windows XP: Start menu

2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections.
3 Right-click Local Area Connection and then click Properties.

Figure 102 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
5 The Internet Protocol TCP/IP Properties window appears (the General tab in Windows XP).
— If you have a dynamic IP address, click Obtain an IP address automatically.
— If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced.
— In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
— Click Add.
— Repeat the previous three steps for each default gateway you want to add.
— Click OK when finished.
10 Turn on your BCM50a Integrated Router and restart your computer (if prompted).

Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type ipconfig and press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
2 Select Ethernet built-in from the Connect via list.

Figure 107 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
— From the Configure box, select Manually.
— Type your IP address in the IP Address box.
— Type your subnet mask in the Subnet mask box.
— Type the IP address of your BCM50a Integrated Router in the Router address box.
Macintosh OS X
1 Click the Apple menu, and click System Preferences to open the System Preferences window.

Figure 108 Macintosh OS X: Apple menu

2 Click Network in the icon bar.
— Select Automatic from the Location list.
— Select Built-in Ethernet from the Show list.
— Click the TCP/IP tab.
3 For dynamically assigned settings, select Using DHCP from the Configure list.
4 For statically assigned settings, do the following:
— From the Configure box, select Manually.
— Type your IP address in the IP Address box.
— Type your subnet mask in the Subnet mask box.
— Type the IP address of your BCM50a Integrated Router in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your BCM50a Integrated Router and restart your computer (if prompted).
Appendix B Triangle Route

The Ideal Setup
When the firewall is on, your BCM50a Integrated Router acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the BCM50a Integrated Router to protect your LAN against attacks.

Figure 110 Ideal Setup

The Triangle Route Problem
You can have more than one connection to the Internet (through one or more ISPs).
1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The BCM50a Integrated Router reroutes the SYN packet through Gateway B on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the BCM50a Integrated Router. As a result, the BCM50a Integrated Router resets the connection, as the connection is not acknowledged.
2 The BCM50a Integrated Router reroutes the packet to Gateway B, which is in Subnet 2.
3 The reply from the WAN goes to the BCM50a Integrated Router.
4 The BCM50a Integrated Router sends the response to the computer in Subnet 1.
Appendix C Importing certificates

This appendix shows examples for importing certificates.

Import BCM50a Integrated Router certificates into Netscape Navigator
In Netscape Navigator, you can permanently trust the BCM50a Integrated Router server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in Figure 113 to do this.
Importing the BCM50a Integrated Router Certificate into Internet Explorer
For Internet Explorer to trust a self-signed certificate from the BCM50a Integrated Router, simply import the self-signed certificate into your operating system as a trusted certification authority.
2 Click Install Certificate to open the Install Certificate wizard.
3 Click Next to begin the Install Certificate wizard.
4 Select where you want to store the certificate and click Next.
5 Click Finish to complete the Import Certificate wizard.

Figure 118 Certificate Import Wizard 3

6 Click Yes to add the BCM50a Integrated Router certificate to the root store.
Figure 120 Certificate General Information after Import

Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the BCM50a Integrated Router. You must have imported at least one trusted CA to the BCM50a Integrated Router in order for the Authenticate Client Certificates to be active (see “Certificates” in BCM50a Integrated Router Configuration - Basics (N0115790) for details).
Figure 121 BCM50a Integrated Router Trusted CA screen

The CA sends you a package containing the CA’s trusted certificates, your personal certificates and a password to install the personal certificates.
Installing the CA’s certificate
1 Double click the CA’s trusted certificate to produce a screen similar to the one shown in Figure 122.

Figure 122 CA certificate example

2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

Installing your personal certificates
You need a password in advance. The CA can issue the password or you can specify it during the enrollment.
1 Click Next to begin the wizard.
2 The file name and path of the certificate you double-clicked automatically appears in the File name text box. Click Browse if you wish to import a different certificate.
3 Enter the password given to you by the CA.
4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
5 Click Finish to complete the wizard and begin the import process.

Figure 127 Personal certificate import wizard 5

6 Figure 128 shows the screen that appears when the certificate is correctly installed on your computer.
Using a certificate when accessing the BCM50a Integrated Router example
Use the following procedure to access the BCM50a Integrated Router via HTTPS.
1 Enter https://BCM50a Integrated Router IP Address/ in your browser’s web address field.

Figure 129 Access the BCM50a Integrated Router via HTTPS

2 When Authenticate Client Certificates is selected on the BCM50a Integrated Router, you are asked to select a personal certificate to send to the BCM50a Integrated Router.
3 The BCM50a Integrated Router login screen appears.
Appendix D PPPoE

PPPoE in action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 132). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
Figure 132 Single-PC per router hardware configuration

How PPPoE works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over the Ethernet, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
Figure 133 BCM50a Integrated Router as a PPPoE Client
Appendix E Hardware specifications

Table 42 General specifications
Power Specification: I/P AC 100~240V 50/60Hz; O/P DC 18V 1.
Appendix F IP subnetting

IP addressing
Routers route based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP classes
An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet.
• Class A addresses have a 0 in the left-most bit.
Table 43 Classes of IP addresses
IP Address:   Octet 1                  Octet 2           Octet 3           Octet 4
Class A       0 Network number         Host ID           Host ID           Host ID
Class B       10 Network number        Network number    Host ID           Host ID
Class C       110 Network number       Network number    Network number    Host ID

Note: Host IDs of all zeros or all ones are not allowed. Therefore:
A class C network (8 host bits) can have 2^8 – 2 or 254 hosts.
A class B address (16 host bits) can have 2^16 – 2 or 65 534 hosts.
Subnet masks
A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). A subnet mask contains 32 bits. If there is a 1 in the bit, then the corresponding bit of the IP address is part of the network number. If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID. Subnet masks are expressed in dotted decimal notation just as IP addresses are.
Table 46 shows all possible subnet masks for a class C address using both notations.

Table 46 Alternative Subnet Mask Notation
Subnet mask         IP address/Subnet mask “1” bits    Last octet bit value
255.255.255.0       /24                                 0000 0000
255.255.255.128     /25                                 1000 0000
255.255.255.192     /26                                 1100 0000
255.255.255.224     /27                                 1110 0000
255.255.255.240     /28                                 1111 0000
255.255.255.248     /29                                 1111 1000
255.255.255.252     /30                                 1111 1100

The first mask shown is the class C natural mask.
Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The borrowed host ID bit can be either 0 or 1, thus giving two subnets; 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128.
Note: In the following charts, shaded or bolded last-octet bit values indicate host ID bits borrowed to form network ID bits.
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
Table 51 Subnet 3
                         Network number                  Last Octet Bit Value
IP Address               192.168.1.                      128
IP Address (Binary)      11000000.10101000.00000001.     10000000
Subnet Mask (Binary)     11111111.11111111.11111111.     11000000
Subnet Address: 192.168.1.128        Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191     Highest Host ID: 192.168.1.190

Table 52 Subnet 4
                         Network number                  Last Octet Bit Value
IP Address               192.168.1.                      192
IP Address (Binary)      11000000.10101000.00000001.
Table 53 Eight subnets
Subnet    Subnet Address    First Address    Last Address    Broadcast Address
7         192               193              222             223
8         224               225              254             255

Table 54 is a summary for class C subnet planning.

Table 54 Class C subnet planning
No. Borrowed Host Bits    Subnet Mask               No. Subnets    No. Hosts per Subnet
1                         255.255.255.128 (/25)     2              126
2                         255.255.255.192 (/26)     4              62
3                         255.255.255.224 (/27)     8              30
4                         255.255.255.240 (/28)     16             14
5                         255.255.255.248 (/29)     32             6
6                         255.255.255.
Table 55 Class B subnet planning
No. “Borrowed” Host Bits    Subnet Mask               No. Subnets    No. Hosts per Subnet
5                           255.255.248.0 (/21)       32             2 046
6                           255.255.252.0 (/22)       64             1 022
7                           255.255.254.0 (/23)       128            510
8                           255.255.255.0 (/24)       256            254
9                           255.255.255.128 (/25)     512            126
10                          255.255.255.192 (/26)     1 024          62
11                          255.255.255.224 (/27)     2 048          30
12                          255.255.255.240 (/28)     4 096          14
13                          255.255.255.248 (/29)     8 192          6
14                          255.255.255.252 (/30)     16 384         2
15                          255.255.
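The borrow-host-bits procedure worked through in Tables 51 to 55 can be checked mechanically. The following Python is an added example, not part of the Nortel manual: it splits a classful network by a chosen number of borrowed host bits, lists each subnet with the same columns as the manual's tables (subnet address, first and last usable host, directed broadcast), and generates the planning rows (mask, subnet count, usable hosts) for any class, so it covers class A as well as the class C and class B tables shown.

```python
from ipaddress import ip_address, ip_network

# Natural (classful) mask length for each class, from Table 43.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(network):
    """Class of a network from the leading bits of its first octet (Table 43)."""
    first = int(network.network_address) >> 24
    if first < 128:          # 0xxxxxxx
        return "A"
    if first < 192:          # 10xxxxxx
        return "B"
    if first < 224:          # 110xxxxx
        return "C"
    raise ValueError("class D/E addresses are not subnetted")


def borrow(network_str, borrowed_bits):
    """Subnet a classful network by borrowing host bits, as in the manual's
    worked examples. Each row carries the columns of Tables 51 to 53."""
    net = ip_network(network_str)
    base = CLASS_PREFIX[address_class(net)]
    if net.prefixlen != base:
        raise ValueError("give the network with its natural class mask (/%d)" % base)
    max_borrow = 32 - base - 2          # keep at least two host bits (/30)
    if not 1 <= borrowed_bits <= max_borrow:
        raise ValueError("borrowed bits must be 1..%d" % max_borrow)
    rows = []
    for sub in net.subnets(new_prefix=base + borrowed_bits):
        first = sub.network_address + 1      # host ID all zeros is the subnet
        last = sub.broadcast_address - 1     # host ID all ones is the broadcast
        rows.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "first": str(first),
            "last": str(last),
            "broadcast": str(sub.broadcast_address),
        })
    return rows


def planning_table(cls):
    """(borrowed bits, 'mask (/prefix)', subnets, usable hosts) rows in the
    layout of Table 54 (class C) and Table 55 (class B); class A works too."""
    base = CLASS_PREFIX[cls]
    rows = []
    for borrowed in range(1, 32 - base - 1):   # stop at /30 (2 usable hosts)
        prefix = base + borrowed
        mask = ip_network("0.0.0.0/%d" % prefix).netmask
        rows.append((borrowed, "%s (/%d)" % (mask, prefix),
                     2 ** borrowed, 2 ** (32 - prefix) - 2))
    return rows


def locate(network_str, borrowed_bits, host_str):
    """Which subnet (1-based, as the manual numbers them) a host falls in, and
    whether it is a usable host ID rather than the subnet or broadcast address."""
    host = ip_address(host_str)
    for index, row in enumerate(borrow(network_str, borrowed_bits), 1):
        sub = ip_network("%s/%s" % (row["subnet"], row["mask"]))
        if host in sub:
            usable = host not in (sub.network_address, sub.broadcast_address)
            return {"subnet": index, "usable": usable}
    return None


if __name__ == "__main__":
    for row in borrow("192.168.1.0/24", 2):
        print(row)
    for line in planning_table("C"):
        print(line)
```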
Appendix G Command Interpreter

The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 Command Interpreter Mode. See the included disk or www.nortel.com for more detailed information on these commands.
Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.

Command Syntax
• The command keywords are in Courier New font.
Sys commands
Table 56 lists and describes the system commands. Each of these commands must be preceded by sys. For example, type sys stdio 60 to set the management session inactivity timeout to 60 minutes.

Table 56 Sys commands
Command: Description
atsh: Displays the MRD field.
callhist
  display: Displays the call history.
  remove: Removes an entry from the call history.
name [name]: Sets or displays the client logon name.
Table 56 Sys commands (continued)
Command: Description
logs
  category
    8021x: Records logs for IEEE 802.1X.
    access [0:none/1:log/2:alert/3:both]: Records, sends alerts, or both for access control logs.
    attack [0:none/1:log/2:alert/3:both]: Records, sends alerts, or both for firewall attack logs.
    cdr [0:none/1:log]: Records Call Detail Record logs.
    display: Displays the category settings.
    error [0:none/1:log/2:alert/3:both]: Records, sends alerts, or both for system error logs.
Table 56 Sys commands (continued)
Command: Description
    disp: Displays the error log.
    online: Turns the error log online display on or off.
  load: Loads the log settings buffer. Use this command before you configure the log settings. Use sys logs save after you configure the log settings.
  mail
    alertAddr [mail address]: Sends alerts to this e-mail address.
    clearLog [0:no/1:yes]: Enables the switch to clear the log after sending logs via e-mail.
Table 56 Sys commands (continued)
Command: Description
    display: Displays the syslog settings.
    facility [Local ID(1-7)]: Specifies the file to which the device logs the syslog messages.
    server [domainName/IP]: Specifies the IP address of the syslog server to which the syslogs are sent.
    switch <0:on|1:off>: Turns log consolidation on or off.
    period: Sets the consolidation period (in seconds).
    msglist: Displays the consolidated messages.
Table 56 Sys commands (continued)
Command: Description
  igmp: Sets the IGMP session idle timeout value.
  tcpsyn: Sets the SYN TCP session idle timeout value.
  tcp: Sets the TCP session idle timeout value.
  tcpfin: Sets the TCP FIN session idle timeout value.
  udp: Sets the UDP session idle timeout value.
  gre: Sets the GRE session idle timeout value.
  esp: Sets the ESP session idle timeout value.
  ah: Sets the AH session idle timeout value.
Table 56 Sys commands (continued)
Command: Description
trcpacket: Uses trace packets to capture parts of packets in order to see the packet flow from one interface to another.
  create: Creates a packet trace buffer.
  destroy: Removes the packet trace buffer.
  channel [none|incoming|outgoing|bothway]: Sets the packet trace direction for a given channel.
Table 56 Sys commands (continued)
romreset: Restores the factory default configuration file.
Use the following server commands to configure remote server management.
server access: Sets the server access type.
server load: Loads server information.
server disp: Displays server information.
server port: Sets the server port.
server save: Saves server information.
Table 56 Sys commands (continued)
filter netbios disp: Displays the current NetBIOS filter modes.
filter netbios config <0:Between LAN and WAN | 3:IPSec pass through | 4:Trigger dial>: Sets NetBIOS filters.
ddns debug: Enables or disables the DDNS service.
ddns display: Displays DDNS information.
ddns restart: Restarts DDNS.
ddns logout: This command has no effect.
display: Displays the CPU utilization.
Table 58 Ether commands
Command: Description
status: Shows the LAN status.
disp: Displays the Ethernet driver counters.
version: Displays the Ethernet device type.
edit load <1:LAN>: Loads Ethernet (1:LAN) data from the System Parameters Table.
edit mtu: Sets the Ethernet data Maximum Transmission Unit.
edit accessblock <0:disable|1:enable>: Blocks Internet access.
Table 59 IP commands
Command: Description
status: Displays an interface's IP Address Resolution Protocol (ARP) status.
attpret: Allows or disallows the device to receive ARP from a different network.
force: Enables or disables the ARP timeout function.
dhcp client release: Releases the DHCP client IP address.
dhcp client renew: Renews the DHCP client IP address.
dhcp client status [option]: Displays the DHCP status.
Table 59 IP commands (continued)
ifconfig [iface] [ipaddr] [broadcast |mtu |dynamic]: Configures a network interface.
ping: Pings a remote host.
status [if]: Displays the routing table.
add [/] []: Adds a route.
addiface [/] []: Adds an entry to the routing table for the specified interface.
Table 59 IP commands (continued)
in [mode]: Sets the BCM50a Integrated Router to use the RIP information it receives.
out [mode]: Sets the BCM50a Integrated Router to broadcast its routing table.
dialin_user [show|in|out|both|none]: Shows the dial-in user RIP direction.
tcp status: Displays the TCP statistic counters.
telnet [port]: Creates a Telnet connection to the specified host.
tftp: Displays whether or not TFTP is supported.
Table 59 IP commands (continued)
actionFlags [act(1-7)] [enable/disable]: Sets the content filtering customize action flags.
logFlags [type(1-3)] [enable/disable]: Sets the content filtering customize log flags.
add [string] [trust/untrust/keyword]: Adds a trusted Web site, forbidden Web site or keyword blocking string.
delete [string] [trust/untrust/keyword]: Deletes a trusted Web site, forbidden Web site or keyword blocking string.
Table 59 IP commands (continued)
srv: Records the most heavily used protocols or service ports.
stroute display [rule # | buf]: Displays the list of static routes or detailed information on a specified rule.
stroute load: Loads the specified static route rule into the buffer.
stroute save: Saves a rule from the buffer to the System Parameters Table.
stroute config name: Sets the name for a static route.
Table 59 IP commands (continued)
robustness
leave: Removes an interface from a group.
query: Sends an IGMP query on the specified interface.
rsptime [time]: Sets the IGMP response time.
start: Turns on IGMP on the specified interface.
stop: Turns off IGMP on the specified interface.
ttl: Sets the IGMP Time To Live threshold.
IPSec commands
Table 60 lists and describes the IPSec commands. Each of these commands must be preceded by ipsec. For example, type ipsec display 3 to display the third IPSec rule, if you have it configured.
Table 60 IPSec commands
Command: Description
debug switch type <0:Disable | 1:Original on|off | 2:IKE on|off | 3:IPSec [SPI] on|off | 4:XAUTH on|off | 5:CERT on|off | 6:All>: Turns the trace for IPSec debug information on or off.
Table 60 IPSec commands (continued)
chk_input <0~255>: Adjusts the autotimer to check whether any inbound IPSec traffic has passed during the specified period. If not, the BCM50a Integrated Router disconnects the tunnel.
show_runtime sa: Displays runtime phase 1 and phase 2 SA information.
show_runtime spd: When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to the peer's local IP address. This command displays these runtime SPDs.
Table 60 IPSec commands (continued)
lcIdType <0:IP | 1:DNS | 2:Email>: Sets the local ID type.
lcIdContent: Sets the local ID content.
myIpAddr: Sets the My IP Address.
peerIdType <0:IP | 1:DNS | 2:Email>: Sets the peer ID type.
peerIdContent: Sets the peer ID content.
secureGwAddr: Sets the secure gateway address.
authMethod <0:PreSharedKey | 1:RSASignature>: Sets the authentication method.
Table 60 IPSec commands (continued)
ikeList
encap <0:Tunnel | 1:Transport>: Sets the encapsulation mode.
pfs <0:None | 1:DH1 | 2:DH2>: Sets Perfect Forward Secrecy.
antiReplay: Turns replay detection on or off.
connType <0:Branch Office | 1:Contivity Client>: Specifies whether the rule is for a branch office or a Contivity Client VPN connection.
Table 60 IPSec commands (continued)
ikeDelete: Deletes the specified IPSec rule.
policyEdit: Edits the specified IP policy.
policySave: Saves the IP policy.
ipsecList: Displays a summary of the IPSec (phase 2) rules.
policyList: Displays the IP policies.
policyDelete: Deletes the specified IP policy.
Use the following commands to configure an IP policy for an IPSec office tunnel rule.
Table 60 IPSec commands (continued)
btNatType <0:single | 1:range | 2:all>: Sets the type of NAT address mapping.
btNatAddrStart: Sets the branch tunnel NAT starting IP address.
btNatArEnd: Sets the branch tunnel NAT ending IP address or subnet mask.
swSkipOverlapIP: Turn this option on to have the device allow rules with overlapping source and destination IP addresses.
Table 60 IPSec commands (continued)
clientTerm load: Loads the client termination configuration from ROM to the working buffer. You must execute this command before configuring client termination.
clientTerm active: Enables or disables client termination.
clientTerm display [user | cfg]: Displays the configuration and/or the remote user logon status of client termination; if no parameter is specified, displays all.
clientTerm save: Saves any client termination configuration changes to ROM.
Table 60 IPSec commands (continued)
natt
ipPool: Selects which IP pool to configure. The index starts at 1, and an inactive IP pool cannot be selected.
ipPool load: Before you configure an IP pool for client termination, you must load the specified IP pool. Currently 3 IP pools are supported, so the valid index is 1~3.
ipPool save: After changing the IP pool configuration, use the save command to save the modification to ROM.
Table 60 IPSec commands (continued)
rekeyTo: Sets the lifetime of a single key used for data encryption.
rekeyDc: Sets how much data you expect to transmit via the tunnel with a single key. A setting of 0 kb disables the Rekey Data Count; otherwise the rekey data count must be more than 5.
domain: Sets the domain name for client termination.
dns: Sets the primary or secondary DNS server IP addresses to be assigned to remote users.
WAN commands
Table 61 lists and describes the wan commands. Each of these commands must be preceded by wan when you use them.
Table 61 WAN commands
Command: Description
adsl bert: Displays the ADSL bit error rate (BER).
adsl cellcnt: Displays the ADSL cell counter.
adsl chandata: Displays the ADSL operational mode (standard), the ADSL channel data and the line rate.
adsl close: Closes the ADSL line.
adsl defbitmap: Displays the ADSL defect bitmap status.
adsl dyinggasp: Sends an ADSL dying gasp.
Table 61 WAN commands (continued)
add: Adds an entry to the hunting pool. The arguments are the remote node index (1-8), the VPI value and the VCI value. You need to save after this command.
remove: Sets remote node ID and VPI, VCI value to
active: Enables or disables the VC auto hunting feature.
display: Displays the hunt pool.
Sys firewall commands
Table 62 lists and describes the system firewall commands. Each of these commands must be preceded by sys firewall. For example, type sys firewall active yes to turn on the firewall.
Table 62 Sys firewall commands
Command: Description
acl disp: Displays ACLs or a specific ACL set # and rule #.
active: Activates or deactivates (enables or disables) the firewall.
disp: Displays the firewall log type and count.
Bandwidth management commands
Table 63 lists and describes the bandwidth management commands. Each of these commands must be preceded by bm. For example, type bm show lan to display the LAN port's bandwidth management settings.
Table 63 Bandwidth management commands
Command: Description
interface lan enable: Enables bandwidth management (BWM) for traffic going out the LAN interface. You can also specify the bandwidth in b/s.
Table 63 Bandwidth management commands (continued)
lan del #: Deletes the class # and its filter and all its children classes and their filters in the LAN.
lan mod #: Modifies the parameters of the class in the LAN. A bandwidth value is optional. Sets the class name. Sets the class priority; the range is 0 (the lowest) to 7 (the highest), and the priority is unchanged if you do not set a new value.
wan add #
Table 63 Bandwidth management commands (continued)
The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa.
filter lan add # Daddr Dport Saddr Sport protocol: Adds a filter for class # in the LAN. The filter contains the destination address (netmask), destination port, source address (netmask), source port and protocol. Use 0 for items that you do not want the filter to include.
Table 63 Bandwidth management commands (continued)
lan <#>: Displays the bandwidth usage of the specified LAN class (or of all LAN classes if you do not specify one). Using the command the first time turns the display on; using it a second time turns it off, and so on.
wan <#>: Displays the bandwidth usage of the specified WAN class (or of all WAN classes if you do not specify one).
Table 64 Certificates commands
Command: Description
create selfsigned [key size]: Creates a self-signed local host certificate. The first argument specifies a descriptive name for the generated certificate. The second argument specifies a subject name (required) and alternative name (required); the format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size; it has to be an integer from 512 to 2048.
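The subject-name format and key-size range above are easy to get wrong when the command is generated from a script. The following Python helper is an added example, not part of the Nortel manual: it validates the "subject-name-dn;{ip,dns,email}=value" specification and the key size before emitting the command line, and quotes names that contain spaces. The "certificates" command prefix and the 2048-bit local policy minimum are assumptions of this example.

```python
"""Build and sanity-check a BCM50a 'create selfsigned' command line.

Added example; not from the Nortel manual. The subject format
"subject-name-dn;{ip,dns,email}=value", the rule to quote names with
spaces, and the 512 to 2048 key-size range come from Table 64. The
'certificates' command prefix and the min_key_size policy are
assumptions of this example.
"""
import ipaddress
import re

DEVICE_MIN_KEY, DEVICE_MAX_KEY = 512, 2048   # range the device accepts (Table 64)
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_subject(spec: str):
    """Split 'subject-name-dn;type=value' and check the alternative-name part."""
    if ";" not in spec:
        raise ValueError("expected 'subject-name-dn;{ip,dns,email}=value'")
    dn, alt = spec.rsplit(";", 1)
    if not dn.strip():
        raise ValueError("subject name is required")
    if "=" not in alt:
        raise ValueError("alternative name must be type=value")
    kind, value = alt.split("=", 1)
    kind, value = kind.strip().lower(), value.strip()
    if kind == "ip":
        ipaddress.ip_address(value)          # raises ValueError for a bad address
    elif kind == "dns":
        if not all(DNS_LABEL.match(label) for label in value.split(".")):
            raise ValueError(f"bad DNS name: {value!r}")
    elif kind == "email":
        if not EMAIL.match(value):
            raise ValueError(f"bad e-mail address: {value!r}")
    else:
        raise ValueError("alternative name type must be ip, dns or email")
    return dn.strip(), kind, value


def quote_arg(arg: str) -> str:
    """Table 64: a name that contains spaces must be put in quotes."""
    return f'"{arg}"' if " " in arg else arg


def build_create_selfsigned(name: str, subject_spec: str, key_size: int,
                            min_key_size: int = 2048) -> str:
    """Return the command line; refuse sizes the device rejects or policy forbids."""
    dn, kind, value = validate_subject(subject_spec)
    if not DEVICE_MIN_KEY <= key_size <= DEVICE_MAX_KEY:
        raise ValueError(f"key size must be {DEVICE_MIN_KEY}..{DEVICE_MAX_KEY}")
    if key_size < min_key_size:
        raise ValueError(f"key size {key_size} is below the policy minimum {min_key_size}")
    spec = f"{dn};{kind}={value}"
    # Assumed prefix: the table does not show the keyword that precedes 'create'.
    return f"certificates create selfsigned {quote_arg(name)} {quote_arg(spec)} {key_size}"
```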
Table 64 Certificates commands (continued)
create cmp_enroll [key size]: Creates a certificate request and enrolls for a certificate immediately online using the CMP protocol. The arguments specify a descriptive name for the enrolled certificate, the CA server address, the name of the CA certificate, and the id and key used for user authentication.
Table 64 Certificates commands (continued)
rename: Renames the specified certificate. The arguments specify the name of the certificate to be renamed and the new name the certificate is saved as.
def_self_signed [name]: Sets the specified self-signed certificate as the default self-signed certificate. [name] specifies the name of the certificate to be set as the default self-signed certificate.
Table 64 Certificates commands (continued)
crl_issuer [on|off]: Specifies whether or not the specified CA issues a CRL. The first argument specifies the name of the CA certificate. [on|off] specifies whether or not the CA issues a CRL. If [on|off] is not specified, the current crl_issuer status of the CA is used.
import: Imports a PEM-encoded certificate from stdin. The argument specifies the name the imported remote host certificate is saved as.
Table 64 Certificates commands (continued)
add [login:pswd]: Adds a new directory service. The first argument specifies a descriptive name for the directory server. The second specifies the server address (required) and port (optional); the format is "server-address[:port]", and the default port is 389. [login:pswd] specifies the logon name and password, if required; the format is "[login:password]".
Appendix H NetBIOS filter commands
This appendix describes the NetBIOS packet filter commands.
Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services, such as PPPoE or PPPoA, NetBIOS packets cause unwanted calls. You can configure NetBIOS filters to do the following:
• Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN.
Display NetBIOS filter settings
Figure 135 NetBIOS display filter settings command example
    ============== NetBIOS Filter Status ===============
    Between LAN and WAN: Block
    IPSec Packets: Forward
    Trigger Dial: Disabled
Syntax: sys filter netbios disp
This command gives a read-only list of the current NetBIOS filter modes.
• 0 = LAN to WAN and WAN to LAN
• 3 = IPSec packet pass through
The on/off argument is a switch to enable or disable the filter.
• For type 0, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets.
• For type 3, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets to be sent through a VPN connection.
Appendix I Enhanced DHCP option commands
This appendix describes the DHCP option commands.
Enhanced DHCP option commands introduction
The enhanced DHCP feature allows you to use DHCP option commands to add site-specific options to the DHCP server's offer messages.
Specifying the Nortel BCM50 IP address
Syntax: ip dhcp server m50ipreserve [ [ip ] | [index ] ]
where: Specify an interface on the device.
The following example sets the BCM50a Integrated Router to assign an IP address of 11.12.13.10 to the Nortel BCM50.
    ip dhcp server m50ipreserve ip 11.12.13.10
Nortel BCM50 DHCP server options
Use these commands to add site-specific options to the DHCP server's offer messages that it sends to the BCM50.
[0:disable | 1:IP phones only | 2:All devices | 3:automatic]: This is the Nortel BCM50 DHCP server setting. "0" disables the DHCP server. "1" enables the DHCP server for IP phones. "2" enables the DHCP server for all devices that send DHCP requests. "3" enables the DHCP server and the BCM50 automatically determines whether to assign IP addresses to IP phones or to any device that sends a DHCP request.
where:
The interface argument specifies an interface on the device. Currently you can use this command with the LAN interface (enif0).
[0|1]: Use "1" to have the Nortel BCM50 assign VoIP server (DHCP option 128) and VLAN (DHCP option 191) settings to Nortel's IP Telephone 2004. Use "0" to not have the Nortel BCM50 assign VoIP server and VLAN settings to Nortel's IP Telephone 2004.
[port (1~65535)]: This is the VoIP server's listening port (1~65535).
[retry count (0~255)]: This sets the number of times (0-255) the i2004 can attempt to connect to this VoIP server (without a response) before trying to connect to the other server.
Use this command to assign VoIP server information to Nortel's i2004 VoIP telephones. This command sets DHCP option 128.
This command sets DHCP option 191. The following example sets the BCM50a Integrated Router to assign a VLAN ID of five to VoIP telephones.
    ip dhcp enif0 server vlanid 5
Nortel WLAN handsets 2210 & 2211 phone options
Nortel's WLAN Handsets 2210 & 2211 phones require the same options as the IP Phone 2004.
WLAN IP Telephony Manager IP address assignment
Syntax: ip dhcp server wlantelmanager [none |]
where:
The interface argument specifies an interface on the device. Currently you can use this command with the LAN interface (enif0).
none |: Specify the address of a WLAN Telephony Manager 2245 for the Nortel WLAN Handsets 2210 & 2211.
Appendix J Log descriptions
This appendix provides descriptions of log messages.
Table 66 System error logs
Log Message: Description
%s exceeds the max. number of session per host!: This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host.
Table 67 System maintenance logs
Log Message: Description
Time calibration is successful: The router has adjusted its time based on information from the time server.
Table 67 System maintenance logs (continued)
TELNET Login Fail: Someone has failed to log on to the router via Telnet.
FTP Login Successfully: Someone has logged on to the router via FTP.
FTP Login Fail: Someone has failed to log on to the router via FTP.
NAT Session Table is Full!: The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
Table 70 Attack logs
Log Message: Description
attack TCP: The firewall detected a TCP attack.
attack UDP: The firewall detected a UDP attack.
attack IGMP: The firewall detected an IGMP attack.
attack ESP: The firewall detected an ESP attack.
attack GRE: The firewall detected a GRE attack.
attack OSPF: The firewall detected an OSPF attack.
attack ICMP (type:%d, code:%d): The firewall detected an ICMP attack; see the section on ICMP messages for type and code details.
Table 70 Attack logs (continued)
teardrop TCP: The firewall detected a TCP teardrop attack.
teardrop UDP: The firewall detected a UDP teardrop attack.
teardrop ICMP (type:%d, code:%d): The firewall detected an ICMP teardrop attack.
illegal command TCP: The firewall detected a TCP illegal command attack.
NetBIOS TCP: The firewall detected a TCP NetBIOS attack.
Table 71 Access logs
Log Message: Description
Firewall default policy: TCP (set:%d): TCP access matched the default policy of the listed ACL set and the BCM50a Integrated Router blocked or forwarded it according to the ACL set's configuration.
Firewall default policy: UDP (set:%d): UDP access matched the default policy of the listed ACL set and the BCM50a Integrated Router blocked or forwarded it according to the ACL set's configuration.
Table 71 Access logs (continued)
Firewall rule match: GRE (set:%d, rule:%d): GRE access matched the listed firewall rule and the BCM50a Integrated Router blocked or forwarded it according to the rule's configuration.
Firewall rule match: OSPF (set:%d, rule:%d): OSPF access matched the listed firewall rule and the BCM50a Integrated Router blocked or forwarded it according to the rule's configuration.
Table 71 Access logs (continued)
(set:%d): With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Table 72). With filter messages, this is the number of the filter set.
(rule:%d): With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set. With filter messages, this is the number of an individual filter rule.
Table 72 ACL setting notes
ACL Set Number: Direction: Description
1: LAN to WAN: ACL set 1 for packets traveling from the LAN to the WAN.
2: WAN to LAN: ACL set 2 for packets traveling from the WAN to the LAN.
7: LAN to LAN/BCM50a Integrated Router: ACL set 7 for packets traveling from the LAN to the LAN or the BCM50a Integrated Router.
8: WAN to WAN/BCM50a Integrated Router: ACL set 8 for packets traveling from the WAN to the WAN or the BCM50a Integrated Router.
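The message shapes in Tables 70 and 71 together with the set-number-to-direction mapping of Table 72 are enough to triage the router's firewall logs automatically. The following Python script is an added example, not part of the Nortel manual: it classifies each attack and access message, maps the ACL set number to its direction, and separates out attack logs and WAN-sourced traffic that fell through to the default policy. The syslog prefix (month, day, time, host name) and all sample lines are constructed for the example.

```python
"""Triage BCM50a firewall log messages (Tables 70 to 72).

Added example; not part of the Nortel manual. The message formats
("attack TCP", "attack ICMP (type:%d, code:%d)", "Firewall default
policy: TCP (set:%d)", "Firewall rule match: GRE (set:%d, rule:%d)")
and the ACL set numbers come from the page; the syslog prefix
(Mon dd hh:mm:ss hostname) and the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Table 72: ACL set number -> traffic direction.
ACL_SET_DIRECTION = {
    1: "LAN to WAN",
    2: "WAN to LAN",
    7: "LAN to LAN/router",
    8: "WAN to WAN/router",
}
# Table 70 attack messages, with the optional ICMP (type, code) suffix.
ATTACK_RE = re.compile(
    r"^(?P<kind>attack|teardrop|illegal command|NetBIOS) (?P<proto>[A-Z]+)"
    r"(?: \(type:(?P<type>\d+), code:(?P<code>\d+)\))?$")
# Table 71 access messages: default-policy hits carry only the set number.
ACCESS_RE = re.compile(
    r"^Firewall (?P<kind>default policy|rule match): (?P<proto>[A-Z]+)"
    r" \(set:(?P<set>\d+)(?:, rule:(?P<rule>\d+))?\)$")
# Constructed syslog prefix; the router's message follows the host name.
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<msg>.+)$")


@dataclass
class FirewallEvent:
    family: str                 # "attack" (Table 70) or "access" (Table 71)
    kind: str                   # attack, teardrop, default policy, rule match, ...
    proto: str
    acl_set: Optional[int] = None
    rule: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    @property
    def direction(self) -> str:
        """Direction implied by the ACL set (Table 72); n/a for attack logs."""
        if self.acl_set is None:
            return "n/a"
        return ACL_SET_DIRECTION.get(self.acl_set, f"unknown set {self.acl_set}")


def parse_message(msg: str) -> Optional[FirewallEvent]:
    """Classify one log message; returns None for messages from other tables."""
    msg = msg.strip()
    m = ATTACK_RE.match(msg)
    if m:
        return FirewallEvent("attack", m["kind"], m["proto"],
                             icmp_type=int(m["type"]) if m["type"] else None,
                             icmp_code=int(m["code"]) if m["code"] else None)
    m = ACCESS_RE.match(msg)
    if m:
        return FirewallEvent("access", m["kind"], m["proto"], acl_set=int(m["set"]),
                             rule=int(m["rule"]) if m["rule"] else None)
    return None


def parse_line(line: str) -> Optional[FirewallEvent]:
    """Strip the syslog prefix when present, then classify the message."""
    m = SYSLOG_RE.match(line.strip())
    return parse_message(m["msg"] if m else line)


# Constructed sample log; host name, times and events are made up for this example.
SAMPLE_LOG = """\
Jan 01 08:02:22 bcm50a Firewall default policy: TCP (set:2)
Jan 01 08:02:23 bcm50a Firewall rule match: UDP (set:1, rule:3)
Jan 01 08:02:25 bcm50a attack ICMP (type:8, code:0)
Jan 01 08:02:26 bcm50a teardrop UDP
Jan 01 08:02:27 bcm50a Firewall default policy: TCP (set:8)
Jan 01 08:02:28 bcm50a illegal command TCP
Jan 01 08:02:29 bcm50a TELNET Login Fail
"""


def triage(text: str) -> dict:
    """Count access hits per direction; list attack logs and WAN-sourced traffic
    (sets 2 and 8) that matched the default policy rather than an explicit rule."""
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    by_direction: dict = {}
    for e in events:
        if e.family == "access":
            by_direction[e.direction] = by_direction.get(e.direction, 0) + 1
    inbound_default = [e for e in events if e.family == "access"
                       and e.kind == "default policy" and e.acl_set in (2, 8)]
    attacks = [e for e in events if e.family == "attack"]
    return {"by_direction": by_direction,
            "inbound_default": inbound_default, "attacks": attacks}
```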
Table 73 ICMP notes (continued)
Type: Code: Description
(continued from the previous page): 0: Echo message
Time Exceeded (11): 0: Time to live exceeded in transit
Time Exceeded (11): 1: Fragment reassembly time exceeded
Parameter Problem (12): 0: Pointer indicates the error
Timestamp (13): 0: Timestamp request message
Timestamp Reply (14): 0: Timestamp reply message
Information Request (15): 0: Information request message
Information Reply (16): 0: Information reply message
Table 74 Sys log
Log Message: Description
Mon dd hr:mm:ss hostname: This mess
Figure 136 Example VPN initiator IPSec log
    Index:  Date/Time:        Log:
    ------------------------------------------------------------
    001     01 Jan 08:02:22   Send Main Mode request to <192.168.100.
VPN responder IPSec log
Figure 137 shows a typical log from the VPN connection peer.
Figure 137 Example VPN responder IPSec log
    Index:  Date/Time:        Log:
    ------------------------------------------------------------
    001     01 Jan 08:08:07   Recv Main Mode request from <192.168.100.
Table 75 Sample IKE key exchange logs
Log Message: Description
Send Mode request to: The BCM50a Integrated Router has started negotiation with the peer.
Recv Mode request from: The BCM50a Integrated Router has received an IKE negotiation request from the peer.
Recv: IKE uses the ISAKMP protocol (refer to RFC 2408, ISAKMP) to transmit data.
Table 75 Sample IKE key exchange logs (continued)
!! Active connection allowed exceeded: The BCM50a Integrated Router limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded.
!! IKE Packet Retransmit: The BCM50a Integrated Router did not receive a response from the peer and so retransmits the last packet sent.
Table 76 shows sample log messages during packet transmission.
Table 76 Sample IPSec logs during packet transmission
Log Message: Description
!! WAN IP changed to: If the BCM50a Integrated Router's WAN IP changes, all configured "My IP Addr" values are changed to "0.0.0.0". If this field is configured as 0.0.0.0, the BCM50a Integrated Router uses the current BCM50a Integrated Router WAN IP address (static or dynamic) to set up the VPN tunnel.
Table 77 RFC-2408 ISAKMP payload types
CER: Certificate
CER_REQ: Certificate Request
HASH: Hash
SIG: Signature
NONCE: Nonce
NOTFY: Notification
DEL: Delete
VID: Vendor ID
Table 78 PKI logs
Log Message: Description
Enrollment successful: The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Enrollment failed: The SCEP online certificate enrollment failed.
Table 78 PKI logs (continued)
Rcvd ARL : The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.
Failed to decode the received ca cert: The router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field.
Table 79 Certificate path verification failure reason codes
Code: Description
9: Certificate decoding failed.
10: Certificate was not found (anywhere).
11: Certificate chain looped (did not find trusted root).
12: Certificate contains a critical extension that was not handled.
13: Certificate issuer was not valid (CA specific information missing).
14: (Not used)
15: CRL is too old.
16: CRL is not valid.
17: CRL signature was not verified correctly.
Configuring what you want the BCM50a Integrated Router to log
Use the sys logs load command to load the log setting buffer that is used to configure which logs the BCM50a Integrated Router is to record. Use sys logs category followed by a log category and a parameter to decide what to record.
Use the sys logs display [log category] command to show the logs in an individual BCM50a Integrated Router log category. Use the sys logs clear command to erase all of the BCM50a Integrated Router's logs.
Log command example
This example shows how to set the BCM50a Integrated Router to record the access logs and alerts and then view the results.
    ras> sys logs load
    ras> sys logs category access 3
    ras> sys logs save
    ras> sys logs display access
Appendix K Brute force password guessing protection
Table 81 describes the commands for enabling, disabling and configuring the brute force password guessing protection mechanism for the password.
Table 81 Brute force password guessing protection commands
Command: Description
sys pwderrtm: This command displays the brute-force password guessing protection settings.
sys pwderrtm 0: This command turns off the password's protection from brute-force guessing.