Alcatel provides this publication “as is” without warranty of any kind, either expressed or implied, including, but
not limited to, the implied warranties of merchantability or fitness for a particul ar purpos e.
All rights reserved. No part of this book may be reproduced in any form or by any means without written
permission from Alcatel .
Changes are periodically made to the information in this book. They will be incorporated in subs equent editions.
Alcatel may make improvements and/or changes in the product described in this publication at any time.
Alcatel is a trademark of Alcatel.
All other trademarks and registered trademarks mentioned in this manual are the sole property of their respective
companies.
2Alcatel™ DSL Router Family Command Line Interface
Page 3
Preface
About This Guide
Command Line Interface
The
for the family of DSL routers. It provides the steps and information needed to configure the router software and
troubleshoot problems using the Command Line Interface. Configuration of network connections, bridging,
routing, and security features are essentially the same for all DSL routers, unless otherwise noted. The guide also
provides detailed information about the system’s bridging, routing, addressing, and security oper ations.
This guide is intended for small and home office users, remote office users, and other networking professionals
who are installing and maintaining bridged and routed networks.
How This Guide is Organized
This guide is intended to help you configure and manage the router using the Command Line Interface. The guide
assumes that you have read the information about the router and installed the hardware using the
Start Guide
. The guide is divided into eight parts:
guide contains information on the syntax and use of the Command Line Interface
Internet Quick
Introduction.
Advanced Topics.
operations, PAP/CHAP security negotiation, bandwidth management, protocol conformance, and the file system.
Planning for Router Configurat ion.
Interface including worksheets for collecting required information.
Configuring Router Software.
Configuring Special Features.
NAT, Management Security, Software Options Keys, Encryption, IP Filtering, and L2TP Tunneling.
Command Line Interface Reference.
is entered.
Managing the Router.
how to upgrade the system software, boot code, backup and restore configuration files, FLASH memory recovery
procedures, and batch file command execution.
Troubleshooting.
Describes the features of the Command Line Interface.
Contains additional information on topics such as interoperability, routing and bridging
Provides information unique to configuration using the Command Line
Describes how to configure the router using the Command Line Interface.
Describes how to configure features such as Bridging Filtering, RI P, DH CP,
Describes the syntax of each command and the results when the comman d
Describes SNMP management capabilities, TFTP client and s erver , TE LNET s upport and
Describes diagnostic tools used for identifying and correcting hardware and software problems.
Page 4
References
User Guide.
installation and software configuration using the Windows-based Configuration Manager.
Quick Start Guide.
Contains an overview of the router’s software and hardware features and details on hardware
Describes the configuration process involved in setting up a specific router model.
Typographic Conventions
The following conventions are used in this guide:
ItemType FaceExamples
Book titles, command
reference parameters,
reference to a specific
section/chapter in this
guide, emphasis in text.
Keywords in command
reference instructions
Examples showing you what
to type and what is
displayed on the terminal.
ItalicsRefer to Chapter 1.
Features
system name <
Bold
Mono-spaced font
save
remote listIpRoute hq
Advanced
name>
File namesUpper caseCopy file CFGMGR.EXE
4 Preface
Page 5
Table of Contents
Preface3
About This Guide3
How This Guide is Organized3
References4
Typographic Conventions4
Table of Contents5
MAC Encapsulated Routing: RFC 1483MER (ATM) or RFC 1490MER (Frame Relay)19
FRF819
rawIP19
System Files20
Bridge Filtering20
Unique System Passwords22
Chapter 2. Planning for Router Configuration23
Important Terminology23
Essential Configuration Information24
PPP Link Protocol (over AT M or Frame Relay)25
RFC 1483/RFC 1490 Link Protocols30
MAC Encapsulated Routing: RFC 1483MER/RFC 1490MER Link Protocols35
FRF8 Link Protocol37
Dual-Ethernet Router Configuration39
Chapter 3. Configuring Router Software40
Configuration Tables41
Configuring PPP with IP Routing42
Configuring PPP with IPX Routing43
Configuring PPP with Bridging44
Configuring RFC 1483 / RFC 1490 with IP Routing45
Configuring RFC 1483 / RFC 1490 with IPX Routing46
Configuring RFC 1483 / RFC 1490 with Bridging47
Table of Contents 5
Page 6
Configuring MAC Encapsulated Routing: RFC 1483MER / RFC 1490MER with IP Routing48
Configuring FRF8 with IP Rout ing49
Configuring Mixed Network Protocols50
Configuring a Dual-Ethernet Router for IP Routing51
Verify the Router Configuration52
Test IP Routing52
Test Bridging to a Remote Destination52
Test IPX Routing53
Sample Configurations54
Sample Configuration 1: PPP with IP and IPX54
Sample Confi guration 2: RFC 1483 with IP and Bridging62
Sample Configuration 3: Configuring a Dual-Ethernet Router for IP Routing68
Chapter 4. Configuring Special Features69
Bridge Filtering and IP Firewall69
General Information69
Configure Bridge Filtering69
Enable/Disable Internet Firewall Filtering70
IP (RIP) Protocol Controls71
Dynamic Host Configuration Protocol (DHCP)72
General Information72
Manipulating Subnetwor ks and Explici t Clien t Leases73
Setting Option Values75
BootP77
Defining Option Types79
Configuring BootP/DHCP Relays80
Other Information80
Network Address Translation (NAT)80
General NAT Rules80
Masquerading81
Classic NAT84
Client Configuration85
Management Security 87
Disable Telnet and SNMP87
Restore Telnet and SNMP87
Validation of Telnet and SNMP Clients87
Restrict Remote Access88
Changing the SNMP Community Name88
Disable WAN Management88
System Log89
Software Option Ke ys89
Encryption89
PPP DES (RFC 1969) Encryption90
Diffie-Hellman Encryption92
IP Filtering93
Filters and Interfaces93
Configuring Filters with Network Address Translation Enabled94
Filter Actions95
IP Filter Commands95
Special Notes95
L2TP Tunneling — Virtual Dial-Up96
Introduction96
L2TP Concepts96
Configuration99
6Table of Contents
Page 7
Sample Configurations101
Chapter 5. Command Line Interface Reference109
Command Line Interface Conventions109
Command Input109
Command Output109
Command Or ganization109
? or HELP110
System-Level Commands111
Frame Statistics113
Router Configuration Com mands120
Target Router System Configuration Commands (SYSTEM)121
Target Router Ethernet LAN Bridging and Routing (ETH)134
Remote Router Access Configuration (REMOTE)143
Asymmetric Digital Subscriber Line Commands (ADSL)166
Asynchronous Transfer Mode Commands (ATM)168
DMT Command171
Dual-Ethernet Router Commands (ETH)172
High-Speed Digital Subscriber Line Commands (HDSL)176
ISDN Digital Subscriber Line (IDSL)179
Symmetric Digital Subscriber Line Commands (SDSL)181
Dynamic Host Configuration Protocol Commands (DHCP)185
L2TP — Virtual Dial-Up Configu ration (L2TP)196
Bridge Filtering Commands (FILTER BR)204
Save Configuration Commands (SAVE)206
Erase Configuration Commands (ERASE)208
Check the LEDs to Solve Common Hardware Problems234
Problems with the Terminal Window Display234
Problems with the Factory Configuration234
Investigating Software Configuration Problems235
Problems Connecting to the Router235
Problems with the Login Password235
Problems Accessing the Remote Network236
Problems Accessing the Router via Telnet238
Problems Downloading Software238
System Messages238
Time-Stamped Messages239
History Log241
How to Obtain Technical Support241
Appendix A. Network Information Worksheets243
Configuring PPP with IP Routing244
Configuring PPP with IPX Routing245
Configuring PPP with Bridging246
Configuring RFC 1483 / RFC 1490 with IP Routing247
Configuring RFC 1483 / RFC 1490 with IPX Routing248
Configuring RFC 1483 / RFC 1490 with Bridging249
Configuring RFC 1483MER / RFC 1490MER with IP Routing250
Configuring FRF8 with IP Rout ing251
Configuring a Dual-Ethernet Router for IP Routing252
Appendix B. Configuring IPX Routing253
IPX Routing Concepts253
Configure IPX Routing253
Step 1: Collect Your Network Information for the Target (Local) Router254
Step 2: Review your Settings255
Appendix C. Access the
Command Line Interface257
Connect the PC to the Console Port of the Router257
Access the Command Line Interface257
Terminal Window under Configuration Manager257
Terminal Session under Windows (HyperTerminal)258
Terminal Session for a Non-Windows Platform (Macintosh or UNIX)258
Telnet Session258
Index259
8Table of Contents
Page 9
Introduction
This guide provides steps and information needed to con figur e the DSL or Dual-Ethernet router software using the
Command Line Interface
The Command Line Interface covers the following basic configuration topics:
•Set names, passwords, PVC numbers, and link and network parameters
•Configure specific details within a protocol, such as IP or IPX addresses and IP protocol controls
•Activate bridging and routing protocols
•Enable the Internet firewall filter with IP routing
The Command Line Interface also provides the following advanced features:
•Manage the router’s file system
•Set bridging filters
•Configure the type of DSL technology specific to your router (e.g., ADSL, SDSL)
•Configure the Dual-Ethernet router
•Issue online status commands
1
.
•Monitor error messages
•Set RIP options
•Configure DHCP
•Configure NAT
•Configure Telnet/SNMP security
•Configure host mapping
•Configure IP multicast
•Create and execute script files
•Configure encryption
•Configure IP filtering
•Configure L2TP tunneling
•Enable software options keys
1. The Microsoft® Windows™-based
to-use, point-and-click GUI interface) provides another way to configure the router’s software. Please refer to
Access the Command Line Interface
Start as your primary configuration tool.
Configuration Manager or Quick Start
section in this guide if you intend to use Configuration Manager or Quick
program (featuring an easy-
Page 10
10Introduction
Page 11
Chapter 1. Advanced Topics
This chapter provides information on advanced topics useful to network administrators.
Interoperability
The router uses industry-wide standards to ensure compatibility with routers and equipment from other vendors.
To interoperate, the router supports standard protocols on the physical level, data link level for frame type or
encapsulation method, and network level. For two systems to communicate directly, they must use the same
protocol at each level. Most protocols do not support negotiable options, except for PPP.
The physical protocol level includes hardware and electrical signaling characteristics. This support is provided by
the router Ethernet and modem hardware interfaces.
The data-link protocol level defines the transmission of data packets between two systems over the LAN or WAN
physical link.
The frame type or encapsulation method defines a way to run multiple network-level protocols over a single LAN
or WAN link. The router supports the following WAN encapsulations:
•PPP (VC multiplexing)
•PPP (LLC multiplexing)
•RFC 1483 (for ATM)
•RFC 1483 with MAC encapsulated routing (for ATM)
•FRF8 (for ATM)
•RFC 1490 (for Frame Relay)
•RFC 1490 with MAC encapsulated routing (for Frame Relay)
Routing
The network protocol provides a way to route user data from source to destination over different LAN and WAN
links. Routing relies on routing address tables to determine the best path for each packet to take.
The routing tables can be seeded; i.e., addresses for remote destinations are placed in the table along with path
details and the associated costs (path latency).
The routing tables are also built dynamically; i.e., the location of remote stations, hosts, and networks are updated
from broadcast packet information.
Routing helps to increase network capacity by localizing traffic on LAN segments. It also provides security by
isolating traffic on segmented LANs. Routing extends the reach of networks beyond the limits of each LAN
segment.
Numerous network protocols have evolved, and within each protocol are associated protocols for routing, error
handling, network management, etc. The following chart displays the networking and associated protocols
supported by the router.
Chapter 1. Advanced Topics11
Page 12
Network ProtocolAssociated ProtocolsDescription
Internet Protocol
(IP)
Internet Packet
Exchange (IPX)
a Used only during a networ k boot
b IPX-RIP is a different protocol from IP-RIP and it includes time delays
Most of the router’s operation on each protocol level is transparent to the user. Some functions are influenced by
configuration parameters, and these are described in greater detail in the following sections.
Routing Information Protocol (RIP)Maintains a map of the network
Address-Resolution Protocol (ARP)Maps IP addresses to datalink
addresses
Reverse Address Resolution Protocol (RARP)
Internetwork Control Message Protocol
(ICMP)
Simple Network Management Protocol
(SNMP)
Routing Information Protocol (RIP)
Service Advertising Protocol (SAP)Distributes information about service
a
b
Maps data-link addresses to IP
addresses
Diagnostic and error reporting/
recovery
Network management
Maintains a map of the network
names and addresses
Bridging
Bridging connects two or more LANs so that all devices share the same logical LAN segment and network
number. The MAC layer header contains source and destination addresses used to transfer frames.
An address table is dynamically built and updated with the location of devices when the frames are received.
Transparent bridging allows locally connected devices to send frames to all devices as if they were local.
Bridging allows frames to be sent to all destinations regardless of the network protocols used. It allows protocols
that cannot be routed (such as NETBIOS) to be forwarded and allows optimizing internetwork capacity by
localizing traffic on LAN segments. A bridge extends the physical reach of networks beyond the limits of each
LAN segment. Bridging can increase network security with filtering.
The router bridging support includes the IEEE 802.1D standard for LAN-to-LAN bridging and the Spanning Tree
Protocol for interoperability with other vendors’ bridge/routers. Bridging is provided over PPP as well as adjacent
LAN ports. Most of the r outer’s bridging operation is t rans parent . S ome f unct ion s are influenced by configuration
parameters, which are described in greater detail in the following sections.
Bridging and Routing Operation
The router can operate as a bridge, a router, or as both (sometimes called a brouter).
12Chapter 1. Advanced Topics
Page 13
•The router will operate as a router for network protocols that are enabled for routing (IP or IPX).
•The router will operate as a bridge for protocols that are not supported for routing.
•Routing takes precedence over bridging; i.e., when routing is active, the router uses the packet’s protocol
address information to route the packet.
•If the protocol is not supported, the router will use the MAC address information to forward the packet.
Operation of the router is influenced by routing and bridging controls and filters set during router configuration as
well as automatic spoofing and filtering performed by the router. For example, general IP or IPX routing, and
routing or bridging from specific remote routers are controls set during the configuration process.
Spoofing and filtering, which minimize the number of packets that flow across the WAN, are performed
automatically by the router. For example, RIP routing packets and certain NetBEUI packets are spoofed even if
only bridg ing is enabled.
Bridging and Routing Configuration Settings
The router can be configured to perform general routing and bridging while allowing you to set specific controls.
One remote router is designated as the outbound default bridging destination. All outbound bridging traffic with
an unknown destination is sent to the default bridging destination. Bridging from specific remote routers can be
controlled by enabling or disabling bridging from individual remote routers.
Routing is performed to all remote routers entered into the remote router database. All routing can be enabled or
disabled with a system-wide control.
The following charts describe the operational characteristics of the router, based on configuration settings.
IP/IPX Routing OnBridging to/from Remote Router Off
Data packets carriedIP (TCP, UDP), IPX
Operational
characteristics
Typical usageWhen only IP/IPX traffic is to be routed and all other traffic is to be
Basic IP, IPX connectivity
ignored. For IP, used for Internet access.
Note:
This is the most easily controlled configuration.
Chapter 1. Advanced Topics13
Page 14
IP/IPX Routing OnBridging to/from Remote Router On
Data packets carriedIP/IPX routed; all other packets bridged.
Operational
characteristics
T ypical usageWhen only IP/IPX traffic is to be routed b ut some non-r outed proto col is
IP/IPX routing and allows other protocols, such as NetBEUI (that can’t
be routed) , to be bridged.
required. Used for client/server configurations.
IP/IPX Routing OffBridging to/from Remote Router On
Data packets carriedAll packets bridged.
Operational
characteristics
Typical usagePeer-to-peer bridging and when the remote end supports only bridging.
Allows protocols, such as NetBEUI (that can’t be routed) to be bridged.
Point-To-Point Protocol (PPP)
PPP is an industry standard WAN protocol for transporting multi-protocol datagrams over point-to-point
connections. PPP defines a set of protocols, such as security and network protocols, that can be negotiated over
the connection. PPP includes the following protocols:
•Link Control Protocol (LCP) to negotiate PPP; i.e., establish, configure and test the datalink connection.
•Network Control Protocols (NCPs), such as:
TCP/IP routing Internet Protocol Control Protocol (IPCP)
IPX routing Control Protocol (IPXCP)
Bridge Control Protocol (BN CP)
•Security Protocols including PAP and CHAP
A more detailed description of the router’s implementation of some of these protocols appears the following
section. A list of PPP protocol conformance is included later in this section.
PAP/CHAP Security Authentication
Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) under PPP
are supported by the router. However, security authentication may or may not be needed depending on the
requirements of the remote end.
The nature of the connection in a DSL environment (traffic occurs on a dedicated line/virtual circuit) does not
require authentication unless that is specifically required by the remote end, the ISP, or the NSP. When
authentication is not required, security can be disabled with the command
remote disauthen
.
14Chapter 1. Advanced Topics
Page 15
General Security Authentication
Security authentication may be required by the remote end. The following information describes how
authentication occurs.
PAP provides verification of passwords between routers using a two-way handshake. One router (peer) sends the
system name and password to the other router. Then the other router (known as the authenticator) checks the
peer’s password against the configured remote router’s password and returns acknowledgment.
PAP Authentication
New York
System Name=New York
System Password=xyz
Remote Router Database
Remote=Chicago
Password=abc
1
...New York & xyz.......
2
.....Accepted/Rejected.......
Chicago
System Name=Chicago
System Password=abc
Remote Router Database
Remote=New York
Password=xyz
CHAP is more secure than PAP because unencrypted passwords are not sent across the network. CHAP uses a
three-way handshake. One router (known as the authenticator) challenges the other router (known as the peer) by
generating a random number and sending it along with the system name. The peer then applies a one-way hash
algorithm to the random number and returns this encrypted information along with the system name.
The authenticator then runs the same algorithm and compares the result with the expected value. This authentication method depends up on a password or secret known only to both ends.
CHAP Authentication
New York
CHALLENGE
...New York & random number.......
1
Chicago
Hashes random
number and
secret ‘abc’
System Name=New York
System Password=xyz
Remote Router Database
Remote=Chicago
Password=abc
Performs same
hash with number
and secret ‘abc’
and compares
results
.....Chicago & encrypted secret.......
.....Accepted/Rejected.......
2
3
System Name=Chicago
System Password=abc
Remote Router Database
Remote=New York
Password=xyz
Chapter 1. Advanced Topics15
Page 16
Security Configuration Settings
The router has one default system password used to access any remote router. This “system authentication
password” is utilized by remote sites to authenticate the local site. The router also allows you to assign a unique
“system override password” used only when you are connecting to a specific remote router for authentication by
that remote site. Each remote router entered in the remote router database has a password used when the remote
site attempts to gain access to the local router. This “remote authentication password” is utilized by the router to
authenticate the remote site.
Each remote router entered in the remote router database also has a minimum s ecurity level, k no wn as the “remote
authentication protocol,” that must be negotiated before the remote router gains access to the local router. In
addition, a system-wide control, “system authentication protocol,” is available for overriding the minimum
security level in the entire remote router database.
Authentication Process
The authentication process occurs regardless of whether a remote router connects to the local router or vice versa,
and even if the remote end does not request authentication. It is a
authenticate the other using the protocol of its choice (provided the other end supports it).
During link negotiation (LCP), each side of the link negotiates which protocol to use for authentication during the
connection. If both the system and the remote router have PAP authentication, then they negotiate PAP
authentication.
bi-directional process
, where each end can
Otherwise, the router
the remote end does not accept either PAP or CHAP, the link is dropped; i.e., the router will not communicate
without a minimum security level. On the other hand, the router will accept any authentication scheme required by
the remote node, including no authentication at all.
During the authentication phase, each side of the link can request authentication using the method they negotiated
during LCP.
For CHAP, the router issues a CHAP challenge request to the remote side. The challenge includes the system
name and random number. The remote end, using a hash algorithm associated with CHAP, transforms the name
and number into a response value. When the remote end returns the challenge response, the router can validate the
response challenge value using the entry in the remote router database. If the response is invalid, the call is
disconnected. If the other end negotiated CHAP, the remote end can, similarly, request authentication from the
local router. The router uses its system name and password to respond to CHAP challenge.
For PAP, when a PAP login request is received from the remote end, the router checks the remote router PAP
security using the remote router database. If the remote router is not in the remote router database or the remote
router password is invalid, the call is disconnected. If the remote router and password are valid, the local router
acknowledges the PAP login request.
If PAP was negotiated by the remote end for the remote-side authentication, the router will issue PAP login
requests
router, or if the remote end returned a successful CHAP challenge response. For security reasons, the router will
never
If PAP was negotiated by the remote end for the local side of the authentication process and the minimum security
level is CHAP, as configured in the remote router database, the link will be dropped for a security violation.
only
if it knows the identity of the remote end. The identity is known if the call was initiated from th e
identify itself using PAP without first knowing the identity of the remote router.
always
requests CHAP authentication first; if CHAP is refused, PAP will be negotiated. If
16Chapter 1. Advanced Topics
Page 17
Protocol Conformance
Protocol Standards
The router conforms to RFCs designed to address performance, authentication, and multi-protocol encapsulation.
The following RFCs are supported:
•RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5
•RFC 1490 Multiprotocol Interconnect over Frame Relay
•RFC 1552 Novell IPX Control Protocol (IPXCP)
•RFC 1577 Classical IP and ARP over ATM
•RFC 1661 Point-to-P oi nt Protocol (PPP)
•RFC 1723 RIP Version 2
•RFC 1962 PPP Compression Control Protocol (CCP)
•RFC 1973 PPP in Frame Relay
•RFC 1974 Stac LZS compression protocol
•RFC 1990 Multi-Link Prot ocol (MLP)
•RFC 2131 and 2132 Dynamic Host Configuration Protocol (DHCP)
IP Routing
IP routing support, in conformance with RFC 791, provides the ability to process TCP/IP frames at the network
layer for routing. IP routing support includes the Routing Interface Protocol (RIP), in conformance with RFC
1058 (RIP v.1) and RFC 1723 (RIP v.2).
IPX Routing
IPX routing conforms to the Novell® NetWare™ IPX Router Development Guide, Version 1.10.
Encapsulation Options
This section describes in technical terms the format of each packet associated with a particular encapsulation
option supported by th e router.
The encapsulation type for each remote entry is defined using the
remote setProtocol
command.
Chapter 1. Advanced Topics17
Page 18
PPP
Each packet begins with a one- or two-byte protocol ID. Typical IDs are:
0xc021—LCP
0x8021—IPCP
0x0021—IP
0x002d— Van Jacobson compressed TCP/IP
0x002f—Van Jacobson uncompressed TCP/IP
0x8031—Bridge NCP
0x0031—Bridge Frame
The command for this encapsulation option is:
Note:
With PPP over ATM, the address and control fields (i.e., FF03) are never present; this also is the case for
LCP packets.
remote setProtocol PPP
remoteName
<
>
PPPLLC
This protocol (LLC-multiplexed) allows PPP traffic to be carried simultaneously with other traffic on a single
virtual circuit (as opposed to the PPP method of encapsulation—VC multiplexin g—which dedicates a virtual
circuit to PPP traffic only).
Each PPP packet is prepended with the sequence 0xFEFE03CF. Thus, an LLC packet has the format:
0xFEFE03CF 0xC021.
The command for this encapsulation option is:
remote setProtocol PPPLLC
remoteName
<
>
RFC 1483 or RFC 1490
Bridging
User data packets are prepended by the sequence 0xAAAA0300 0x80c20007 0x0000 followed by the
Ethernet frame containing the packet.
802.1D Spanning Tree packets are prepended with the header 0xAAAA0300 0x80C2000E.
Routing
IP packets are prepended with the header 0xAAAA0300 0x00000800.
IPX packets are prepended with the header 0xAAAA0300 0x00008137.
The commands for this encapsulation option are:
remote setProtocol RFC1483
remote setProtocol FR
18Chapter 1. Advanced Topics
<
remoteName
<
remoteName
> (for ATM)
> (for Frame Relay - RFC 1490)
Page 19
MAC Encapsulated Routing: RFC 1483MER (ATM) or RFC 1490MER
(Frame Relay)
MER encapsulation allows IP packets to be carried as bridged frames, but does not prevent bridged frames from
being sent as well, in their normal encapsulation format: RFC 1483 (ATM) or RFC 1490 (Frame Relay).
If IP routing is enabled, then IP packets are prepended with the sequence 0xAAAA0300 0x80c20007 0x0000 and
sent as bridged frames. If IP routing is not enabled, then the packets appear as bridged frames.
The commands for this encapsulation option are:
remote setProtocol RFC1483MER
remote setProtocol MER
(for Frame Relay)
remoteName
<
> (for ATM)
FRF8
IP packets have prepended to them the following sequence: 0x03CC.
The command for this encapsulation option is:
Note:
This protocol allows sending ATM over Frame Relay.
remote setprotocol FRF8
remoteName
<
>
rawIP
IP packets do not have any protocol headers prepended to them; they appear as IP packets on the wire. Only IP
packets can be transported since there is no possible method to distinguish other types of packets (bridged frames
or IPX).
The command for this encapsulation option is:
remote setProtocol rawIP
remoteName
<
>
Chapter 1. Advanced Topics19
Page 20
System Files
The router’s file system is a DOS-compatible file system, whose contents are as follows: :
SYSTEM.CNF:
DODRemote Router Database
SYSSystem Settings: name, message, authentication method, and passwords
ETHEthernet LAN configuration settings
Router system software (KERNEL.F P 1 for IDSL routers).
File used by the manufacturer to set a default Ethernet configuration.
Firmware for the xDSL modem or ATM interface.
ATM configuration file.
IKE.DAT
AUTOEXEC.BAT - Autoexec file of commands to run on next reboot.
AUTOEXEC.OLD - Autoexec file that has run already
Note:
Users should not delete any of these files, unless advised by Tech Support.
Any file contained within the system may be retrieved or replaced using the TFTP protocol. Specifically,
configuration files and the operating system upgrades can be updated. Only one copy for the router software is
allowed in the router’s FLASH memory.
Refer to
copying configuration files, and restoring router software to FLASH memory.
Chapter 6. Managing the Router on page 215
for details on software upgrades, booting router software,
Bridge Filtering
You can control the flow of packets across the router using bridge filtering. Bridge filtering lets you “deny”or
“allow” packets to cross the network based on position and hexadecimal content within the packet. This featu re
lets you restrict or forward messages with a specified address, protocol, or data content. Common uses are to
prevent access to remote networks, control unauthorized access to the local network, and limit unnecessary traffic.
20Chapter 1. Advanced Topics
Page 21
For example, it might be necessary to restrict remote access for specific users on the local network. In this case,
bridging filters are defined using the local MAC address for each user to be restricted. Each bridging filter is
specified as a “deny” filter based on the MAC address and position of the address within the packet. Deny
filtering mode is then enabled to initiate bridge filtering. No packet with one of the MAC addresses can be bridged
across the router until the deny filtering mode is disabled.
Similarly, protocol filtering can be used to prevent a specific protocol from being bridged. In this case, the
protocol ID field in a packet is used to deny or allow a packet. You can also restrict, for example, the bridging of
specific broadcast packets.
Chapter 1. Advanced Topics21
Page 22
Unique System Passwords
As described in
override password for a remote router with the command
password” is used instead of the general system password
allows you to set a unique CHAP or PAP authentication password for authentication of the local site by the remote
only
site
A common use is to set a password assigned to you by Internet Service Providers (ISPs). Similarly, the system
name of the local router can be overridden for connecting to a specific remote with the command
setoursysname
when the router connects to that remote site.
Security Configuration Settings on page 16
.
of this chapter, you can specify a unique system
remote SetOurPasswd
only
for connecting to a specific remote router. This
. This “system override
remote
22Chapter 1. Advanced Topics
Page 23
Chapter 2. Planning for Router Configuration
This chapter describes the terminology and the information that you need to obtain before configuring the router.
The information needed to configure the router is contingent on the chosen Link Protocol. It is therefore important
to know which Link Protocol you are using (this is determined by your Network Service Provider) so that you can
refer to the configuration sections that apply to your setup.
When you configure the router using the Command Line Interface, the planning is sim ilar to the process des cribed
for Configuration Manager with very few exceptions.
Important Terminology
You should familiarize yourself with the following terminology as it will be u sed thro ughout this chapter.
Router that you are configuring. Also referred to as
All the routers to which the target (local) router may connect.
Database which resides in the target router and contains information about the remote
.
Entry about a remote router in the target router database. A remote router entry defines:
•Connection parameters
•Security features
•Route addressing and bridging functions
The following diagram illustrates these key words and concepts.
Configuration Process for Router A
TARGET ROUTER
Router A
Target Router:
System Settings
DSL/ATM
local
router
REMOTE ROUTERS
Router B
Router C
.
Remote Router Database
Remote Router B
Remote Router C
Remote Router D
Router D
Chapter 2. Planning for Router Configuration 23
Page 24
Essential Configuration Information
This section describes the configuration information associated with each Link Protocol/Network Protocol
combination and also provides configuration information for the Dual-Ethernet router.
If you are using Link and Network Protocols:
1.Determine which Link Protocol/Network Protocol association you are using from your Network Service
Provider (NSP).
2.Select (click) one of the following Link/Network information that applies to your situation:
PPP Link Protocol with:
•IP Routing Network Protocol, on page 25
•IPX Routing Network Protocol, on page 27
•Bridging Network Protocol, on page 29
RFC 1483 or RFC 1490 Link Protocol with:
•IP Routing Network Protocol, on page 30
•IPX Routing Network Protocol, on page 32
•Bridging Network Protocol, on page 34
MAC Encapsulated Routing: RFC 1483MER or RFC 1490MER Link Protocol with:
•IP Routing Network Protocol, on page 35
FRF8 Link Protocol with:
•IP Routing Network Protocol, on page 37
3.Collect the information applicable to your Link/Network Protocol associatio n. Thi s information will be used
later in conjunction with the
Network protocol. These configuration tables provide step-by-step instructions for a basic configuration for
each Link/Network protocol.
Note:
Use the blank Network Information Worksheets in Appendix A to collect your network information.
If you are using a Dual-Ethernet Router:
Select (click) one of the two following configurations that applies to your situ ation:
Configuring the Dual-Ethernet Router as a Bridge, on page 39
Configuring the Dual-Ethernet Router for IP Routing, on page 39
Configuration Tables
for easy configuration of your router based on your Link/
24Chapter 2. Planning for Router Configuration
Page 25
PPP Link Protocol (over ATM or Frame Relay)
The PPP Link Protocol is an encapsulation method that can be used over ATM (for ATM routers) or Frame Relay
(for Frame-Relay routers)
Combined with the IP, IPX, or Bridging Network Protocols, PPP over ATM and PPP over Frame Relay share the
same configuration characteristics, except for the connection iden tifiers : VPI/VCI numb ers are us ed f or ATM, an d
a DLCI number is used for Frame Relay.
Select the Network Protocol that applies to your situation: IP or IPX or Bridging. Collect th e information
described in the appropriate section. This data wi ll be later used to conf ig ure yo ur rou ter using the Co mmand Line
Interface commands (see
IP Routing Network Protocol
System Names and Authentication Passwords
!!!!
For the Target Router
Configuration Tables, on page 41).
This information is defined by the user. You must
target router. They are used by a remote router to authenticate the target router.
For the Remote Site(s)
This information is obtained from the Network Service Provider. For each remote site, you
site name and its authentication password. They are used by the target router to authenticate the remote
end. The name and password are used in both PAP and CHAP authentication. Refer to the diagram under
General Security Authentication, on page 15
Note 1:
Configuration 1: PPP with IP and IPX, on page 54
Note 2:
remote disauthen
VPI and VCI Numbers (for ATM routers)
!!!!
Your router may have been preconfigured with VPI/VCI numbers. If not, you will have to obtain these
numbers from your Network Service Provider and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
A sample configuration containing names and passwords is provided in the section
If the ISP does not support the authentication of the ISP system by the caller, use the command
remoteName
<
> to disable the authentication.
choose a name and authentication password for the
to see how this information is used.
Chapter 3.
must
Sample
have the
DLCI (for Frame Relay routers)
!!!!
The DLCI number applies to Frame Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
Chapter 2. Planning for Router Configuration 25
Page 26
DNS Internet Account Information (optional)
!!!!
This information is obtained from your Network Service Provider. Consult with you Network Service
Provider to find out if you need to enter the following information:
•DNS server address
•DNS second server address
•DNS domain name
IP Routing Addresses
!!!!
For the Ethernet Interface
This information is defined by the user or your Network Administrator.
Ethernet IP Address (local LAN)
An Ethernet LAN IP address and subnet mask are required for the router’s local Ethernet LAN
connection
Note:
exchange routing information. This feature is not normally used, except in special circumstances.
For the WAN Interface
This information is defined by the Network Service Provider
Source (Target/Local) WAN Port Address
If Network Address Translation (NAT) is enabled, you must specify a source WAN IP address for the
WAN connection to the remote router if IP address negotiation under PPP does not provide one. Check
with your system administrator for details on whether the router must communicate in numbered or
unnumbered mode and which addresses are required.
Remote WAN Address
You may need to specify a remote WAN IP address for the WAN connection to the remote router
depending on IP address negotiation under PPP. Check with your system administrator for details on
whether the router must communicate in numbered or unnumbered mode and which addresses are
required.
TCP/IP Remote Routes
An IP route includes an IP address, subnet mask, and metric (a number representing the perceived cost in
reaching the remote network or station).
.
An Ethernet route is usually defined when there are multiple routers on the Ethernet that cannot
.
TCP/IP Default Route
A
to other specific routes. You will need to define the default route to a remote router or, in special
circumstances, define an Ethernet gateway. There can be only one default route specified.
26Chapter 2. Planning for Router Configuration
should be designated in the routing table for all traffic that cannot be directed
Page 27
IPX Routing Network Protocol
System Names and Authentication Passwords
!!!!
For the Target Router
This information is defined by the user. You
target router. They are used by a remote router to authenticate the target router.
For the Remote Site(s)
This information is obtained from the Network Service Provider. For each remote site, you
site name and its authentication password. They are used by this target router to authenticate the remote
end. The name and password are used in both PAP and CHAP authentication. Refer to the diagrams
General Security Authentication, on page 15
under
Note 1:
Configurations, on page 54
Note 2:
remote disauthen
VPI and VCI Numbers
!!!!
Your router may have been preconfigured with VPI/VCI numbers. If not, you will have to obtain these
numbers from your Network Service Provider and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
A sample configuration containing names and passwords is provided in the section
.
If the ISP does not support the authentication of the ISP system by the caller, use the command
remoteName
<
> to disable the authentication.
must
choose a name and authentication password for the
to see how this information is used.
must
Sample
have the
DLCI (for Frame-Relay Routers)
!!!!
The DLCI number applies to Frame-Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
IPX Routing Entries
!!!!
These numbers are defined by the Network Administrator. You will need to obtain the following
information (most likely from your network administrator) for IPX Routing.
Note: IPX routes
allow the servers and clients to exchange packets. A path to a file server will be based on the Internal
Network Number of the server. A path to a client will be based on the External Network Number
(Ethernet) of the client.
define a
path
to a specific destination. They are primarily needed by the routers to
Chapter 2. Planning for Router Configuration 27
Page 28
Internal Network Number
It is a logical network number that identifies an individual Novell server. It is needed to specify a route to
the services (i.e., file services, print services) that Novell offers. It must be a unique number.
External Network (a.k.a. IPX Network Number)
It refers to a physical LAN/wire network segment to which servers, routers, and PCs are connected
(Ethernet cable-to-router segment). It must be a unique number.
WAN Network Number
Important
between the two routers. Note that only those two routers need to have the WAN Network Number
configured.
Service Advertisement Protocol (SAP)
SAP entries should reflect primary logon servers for the clients on the local LAN. Only the servers on the
remote side of the link have to be entered. Local servers do not need to be entered.
Frame Type
With local servers on your LAN, make sure to select the proper frame type for the IPX network number.
To determine this, consult with your network administrator. When you have only NetWare clients on
your LAN, keep the default (802.2) selected as most clients can support any typ e. The fr ame type cho ices
are:
: This number is part of the routing information. It is only used to identify the WAN segment
802.2
802.3
DIX
becoming obsolete.
Note:
Appendix B provides step-by-step information on how to configure IPX routing.
Default recommended by Novell
Other most common type
For DEC, Intel, Xerox; this setting is also referred to as “Ethernet II”, and it is rapidly
28Chapter 2. Planning for Router Configuration
Page 29
Bridging Network Protocol
System Names and Authentication Passwords
!!!!
For the Target Router
This information is defined by the user. You
target router. They are used by a remote router to authenticate the target router.
For the Remote Site(s)
!!!!
This information is obtained from the Network Service Provider. For each remote site, you
site name and its authentication password. They are used by the target router to authenticate the remote
end. The name and password are used in both PAP and CHAP authentication. Please refer to the diagram
General Security Authentication, on page 15
under
Note 1:
Configuration 1: PPP with IP and IPX, on page 54.
Note 2:
remote disauthen
VPI and VCI Numbers
!!!!
Your router may have been preconfigured with VPI/VCI numbers. If not, you will have to obtain these
numbers from your Network Service Provider and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
A sample configuration containing Names and Passwords is provided in the section Sample
If the ISP does not support the authentication of the ISP system by the caller, use the command
remoteName
<
> to disable the authentication.
must
choose a name and authentication password for the
to see how this information is used.
must
have the
DLCI (for Frame-Relay Routers)
!!!!
The DLCI number applies to Frame-Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
DNS Internet Account Information (optional)
!!!!
This information is obtained from the Network Service Provider. Consult with you Network Ser vice
Provider to find out if you need to enter the following information:
•DNS server address
•DNS second server address
•DNS domain name
Note:
If you intend to connect to the Internet only, enter this information using the Internet Quick Start
configurator.
Chapter 2. Planning for Router Configuration 29
Page 30
RFC 1483/RFC 1490 Link Protocols
The Link Protocol RFC 1483 is a multiprotocol encapsulation method over ATM and is used by ATM routers.
RFC 1490 is a multiprotocol encapsulation method over Frame-Relay and is used by Frame-Relay routers.
RFC 1483 and RFC 1490 com bi ned with th e IP, IP X , or Bri d gi ng Net w or k P rotocols share the same configuration
characteristics, except for the connection identifiers: VPI/VCI numbers are used for RFC 1483 and a DLCI
number is used for RFC 1490.
Obtain the information as described in the appropriate section. This data will be used later to configure your router
using the Command Line Interface (see
IP Routing Network Protocol
VPI and VCI Numbers (for RFC 1483)
!!!!
The VPI and VCI number s apply to ATM routers only. Your router may ha ve been preconfigured with
VPI/VCI numbers. If not, you will have to obtain these numbers from your Network Service Provider
and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
Configuration Tables, on page 41).
DLCI (for RFC 1490)
!!!!
The DLCI number applies to Frame-Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
DNS Internet Account Information (optional)
!!!!
This information is obtained from the Network Service Provider. Consult with you Network Service
Provider to find out if you need to enter the following information:
•DNS server address
•DNS second server address
•DNS domain name
IP Routing Entries
!!!!
For the Ethernet Interface
This information is defined by the user or the Network Administrator.
Ethernet IP Address (Local LAN)
An Ethernet LAN IP address and subnet mask are required for the router’s local Ethernet LAN
connection.
30Chapter 2. Planning for Router Configuration
Page 31
TCP/IP Ethernet Routes
You normally do not need to define an Ethernet IP route. An Ethernet IP route consists of an IP
address, a mask, a metric, and a gateway. An Ethernet route is usually defined when there are multiple
routers on the Ethernet that cannot exchange routing information.
For the WAN Interface
This information is obtained from the Network Administrator.
Source (Target/Local) WAN Port Address
If Network Address Translation (NAT) is enabled, you must
WAN connection to the remote router. Check with your system adminis tr ator f or d e tails.
specify a source WAN IP address for the
If NAT is not
the remote router. Check with your system administrator for details.
TCP/IP Remote Route
An IP route includes an IP address, subnet mask, and metric (a number representing the perceived cost
in reaching the remote network or station).
TCP/IP Default Route
A
cannot be directed to other specific routes. You will need to define the default route to a remote router
or, in special circumstances, define an Ethernet gateway. There can be only one default route specified.
enabled, you may need to specify a source WAN IP address for the WAN connection to
s
default route should be designated in the routing table for all traffic that
Chapter 2. Planning for Router Configuration 31
Page 32
IPX Routing Network Protocol
VPI and VCI Numbers (for RFC 1483)
!!!!
The VPI and VCI number s apply to ATM routers only. Your router may ha ve been preconfigured with
VPI/VCI numbers. If not, you will have to obtain these numbers from your Network Service Provider
and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
DLCI (for RFC 1490)
!!!!
The DLCI number applies to Frame Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
IPX Routing Entries
!!!!
The user or the Network Administrator defines this information.
Note: IPX routes
allow the servers and clients to exchange packets. A path to a file server will be based on the Internal
Network Number of the server. A path to a client will be based on the External Network Number
(Ethernet) of the client.
Internal Network Number
This is a logical network number that identifies an individual Novell server. It is needed to specify a
route to the services (i.e., file services, print services) that Novell offers. It must be a unique number.
External Network (a.k.a. IPX Network Number)
This number refers to a physical LAN/wire network segment to which servers, routers, and PCs are
connected (Ethernet cable-to-router segment). It must be a unique number.
WAN Network Number
Important:
between the two routers.
Note:
Only the two routers need to have the WAN Network Number configured.
Service Advertisement Protocol (SAP)
SAP entries should reflect primary logon servers for the clients on the local LAN. Only the servers on the
remote side of the link have to be entered. Local servers do not need to be entered.
define a
This number is part of the routing information. It is only used to identify the WAN segment
path
to a specific destination. They are primarily needed by the routers to
32Chapter 2. Planning for Router Configuration
Page 33
Frame Type
With local servers on your LAN, make sure to select the proper frame type for the IPX network number.
To determine this, consult with your network administrator. When you have only NetWare clients on
your LAN, keep the default (802.2) selected as most clients can support any type.
The frame type choices are:
802.2
802.3
DIX
becoming obsolete.
Default recommended by Novell
Other most common type
For DEC, Intel, Xerox; this setting is also referred to as “Ethernet II”, and it is rapidly
Chapter 2. Planning for Router Configuration 33
Page 34
Bridging Network Protocol
VPI and VCI Numbers (with RFC 1483)
!!!!
The VPI and VCI number s apply to ATM routers only. Your router may ha ve been preconfigured with
VPI/VCI numbers. If not, you will have to obtain these numbers from your Network Service Provider
and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
DLCI (with RFC 1490)
!!!!
The DLCI number applies to Frame-Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
DNS Internet Account Information (optional)
!!!!
This information is obtained from the Network Service Provider. Consult with your Network S ervice
Provider to find out if you need to enter the following information:
•DNS server address
•DNS second server address
•DNS domain name
34Chapter 2. Planning for Router Configuration
Page 35
MAC Encapsulated Routing: RFC 1483MER/RFC 1490MER Link
Protocols
MAC Encapsulated Routing (MER) allows IP packets to be carried as bridged frames (bridged format). The Link
Protocol RFC 1483 with MER (referred to as RFC 1483MER) is a multiprotocol encapsulation method over ATM
used by ATM routers. RFC 1490 with MER (referred to as RFC 1490MER) is a multip roto col encapsulation
method over Frame Relay used by Frame-Relay routers.
RFC 1483MER and RFC 1490MER combined with the IP, IPX, or Bridging Network Protocols share the same
configuration characteristics, except for the connection identifiers: VPI/VCI numbers are used for RFC 1483MER
and a DLCI number is used for RFC 1490.
Obtain the information as described in the appropriate section. This data will be later used to con figure you r ro uter
using the Command Line Interface (see
IP Routing Network Protocol
VPI and VCI Numbers (for RFC 1483MER)
!!!!
The VPI and VCI number s apply to ATM routers only. Your router may ha ve been preconfigured with
VPI/VCI numbers. If not, you will have to obtain these numbers from your Network Service Provider
and then configure them.
Configuration Tables, on page 41).
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
DLCI (for RFC 1490MER)
!!!!
The DLCI number applies to Frame Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a DLCI (Data Link Connection Identifier). The DLCI is
an address identifying your connection.
DNS Internet Account Information (optional)
!!!!
This information is obtained from the Network Service Provider. Consult with your Network S ervice
Provider to find out if you need to enter the following information:
•DNS server address
•DNS second server address
•DNS domain name
Note:
If you intend to only connect to the Internet, enter this information using the Internet Quick Start
configurator.
Chapter 2. Planning for Router Configuration 35
Page 36
IP Routing Entries
!!!!
For the Ethernet Interface
This information is defined by the user or the Network Administrator.
Ethernet IP Address (Local LAN)
An Ethernet LAN IP address and subnet mask are required for the router’s local Ethernet LAN
connection.
TCP/IP Ethernet Routes
You normally do not need to define an Ethernet IP route. An Ethernet IP route consists of an IP address,
a mask, a metric, and a gateway. An Ethernet route is usually defined when there are multiple routers on
the Ethernet that cannot exchange routing information between them.
For the ATM WAN Interface
This information is obtained from the Network Administrator or the Network Servi ce Prov ider.
Source (Target/Local) WAN Port Address and Mask
You must
not Network Address Translation is enabled). The Source WAN Address is the address of the local ro uter
on the remote network. The mask is the mask used on the remote network. Check with your system
administrator for details.
TCP/IP Remote Routes
If you are using RFC 1483MER or RFC 1490MER, the IP route includes an IP address, subnet mask,
metric (a number representing the perceived cost in reaching the remote network or station), and a
gateway
your system administrator for details.
specify a Source WAN IP address for the WAN connection to the remote router (whether or
. The gateway address that you enter is the address of a router on the remote LAN. Check with
TCP/IP Default Route
A
to other specific routes. You will need to define the default route to a remote router or, in DLCI ( special
circumstances, define an Ethernet gateway. There can be only one default route specified.
should be designated in the routing table for all traffic that cannot be directed
36Chapter 2. Planning for Router Configuration
Page 37
FRF8 Link Protocol
The FRF8 Link Protocol is an encapsulation method that allows an ATM router to interoperate with a
Frame- Relay network.
FRF8 is only used in conjunction with the IP Network Protocol. Obtain the information described below. This
data will be used later to configure your router using the Command Line Interface (see
page 41).
IP Routing Network Protocol
VPI and VCI Numbers
!!!!
Your router may have been preconfigured with VPI/VCI numbers. If not, you will have to obtain these
numbers from your Network Service Provider and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
DNS Internet Account Information (optional)
!!!!
The following information is obtained from the Network Service Provider. Con sult with your NSP to
find out if you need to enter the following information:
Configuration Tables, on
•DNS server address
•DNS second server address
•DNS domain name
Note:
If you intend to connect only to the Internet, enter this information using the Internet Quick Start
configurator.
IP Routing Entries
!!!!
For the Ethernet Interface
This information is defined by the user or the Network Administrator.
Ethernet IP Address (Local LAN)
An Ethernet LAN IP address and subnet mask are required for the router’s local Ethernet LAN
connection.
TCP/IP Ethernet Routes
You normally do not need to define an Ethernet IP route. An Ethernet IP route consists of an IP address,
a mask, a metric, and a gateway. An Ethernet route is usually defined when there are multiple routers on
the Ethernet that cannot exchange routing information.
Chapter 2. Planning for Router Configuration 37
Page 38
For the ATM WAN Interface
This information is obtained from the Network Administrator or the Network Servi ce Prov ider.
Source (Target/Local) WAN Port Address and Mask
You must
not Network Address Translation is enabled. The Source WAN address is the address of the local router
on the remote network. The mask is the mask used on the remote network. Check with your system
administrator for details.
TCP/IP Remote Routes
If you are using FRF8, the IP route includes an IP address, subnet mask, metric (a number representing
the perceived cost in reaching the remote network or station). Check with your system administrator for
details.
A
to other specific routes.
You will need to define the default route to a remote router or, in special circumstances, define an
Ethernet gateway. There can be only one default route specified.
specify a Source WAN IP address for the WAN connection to the remote router (whether or
TCP/IP Default Route
should be designated in the routing table for all traffic that cannot be directed
38Chapter 2. Planning for Router Configuration
Page 39
Dual-Ethernet Router Configuration
General Information on Dual Ethernet router
To configure the Dual-Ethernet router, access the router using the Command Line Interface (CLI). The CLI
can be accessed from a Telnet or a console session (using the console cable) connected to the router’s default
IP address of 192.169.254.254. You can also configure the router using the Web browser GUI. Refer to the
Dual-Ethernet Router Quick Start Guide
The Dual-Ethernet router has two interfaces:
ETH/0—refers to the router’s hub with four 10Base-T connectors
ETH/1—refers to the single 10Base-T connector
Bridging is enabled by default when the router boots up. IP and IPX routing are disabled.
The router’s default IP address is 192.168.254.254.
DHCP is enabled by default and the router’s DHCP server issues IP addresses to any PC request. The DHCP
default IP pool is 192.168.254. 2 through 192.168.254.20.
To connect to the router, use the router’s default IP address using a Telnet session, for example, and any
10Base-T port on the router.
.
Warning:
You cannot boot from the ETH/1 interface.
Configuring the Dual-Ethernet Router as a Bridge
This router is configured by default as a bridge and no configuration steps are needed. The user needs only
establish a connection to the remote location (to the Internet Service Provider, for example).
Bridging is enabled by default when the router boots up. IP and IPX routing are disabled.
Configuring the Dual-Ethernet Router for IP Routing
eth
The
Ethernet Router Commands (ETH), on page 172,
The last argument of each ETH command determines which interface is being configured (0 for ETH/0, 1 for
ETH/1).
Each interface (ETH/0 and ETH/1) must be set. A minimum of one route must be defined to have a working
configuration. This is generally a default route on the ETH/1 interface where all traffic otherwise specified is
automatically forwarded. This default route is: 0.0.0.0 255.255.255.255 1.
The Gateway address is the IP address supplied by your Internet Service Provider or Network Administrator.
You can customize your router by using the scripting feature, which loads batch files of preset configuration
commands into the router (refer to the
commands are used to configure the Dual-Ethernet router for IP routing. Refer to the section
for usage and syntax information.
Batch File Command Execution, on page 228
section).
Dual-
A Dual-Ethernet router sample configuration with IP Routing is provided in the
Configuring a Dual-Ethernet Router for IP Routing, on page 68
Chapter 2. Planning for Router Configuration 39
section.
Sample Configuration 3:
Page 40
Chapter 3. Configu ri n g Rout e r So ftw a re
This chapter covers configuration tables and verifying the router configuration. It also provides sample
configurations.
Configuration commands are outlined for each
The information needed to configure the router is contingent on the chosen Link Protocol. It is therefore
important to know which Link Protocol you are using (this is determined by your Network Service Provider)
to be able to refer to the configuration sections that apply to your setup.
A configuration table for the Dual-Ethernet Router (with IP routing enabled) is also provided.
The section on verifying the router configuration describes how to test IP, IPX, or Bridging.
In
this chapter, you will find two sample configurations with diagrams, commands , and list outputs.
Note 1:
to Chapter 5. Command Line Interface Reference on page 109
Note 2:
you have installed the router hardware, connected to the router with a terminal-emulation session (or ASCII
terminal), and powered the unit on. This chapter assumes that you have successfully installed the router
hardware as described in the
If you intend to use the Command Line Interface through Configuration Manager, it is assumed that you have
installed the Configuration Manager software and can access the terminal window (refer to the
Guide
Note 3:
remote routers. The worksheets list the commands associated with setting the features.
For usage conventions and a complete description of the commands mentioned in this chapter, refer
To configure the router software, the Command Line Interface is available to you at all times after
Quick Start Guide
).
Worksheets are provided in Appendix A so that you can enter details about your target router and
Link Protocol/Network Protocol
.
.
supported by the router.
Quick Start
To configure the target router, you need to fill out one chart for the target router and one remote router chart
each
for
If you are setting up both ends of the network, you will need a
for configuring the router on the other end of the link.
Important:
changes to take effect:
Ethernet LAN:
Bridging:
Remote Router:
add remote routers
remote router to be entered into the remote router database.
mirror image
If you change any the of the following settings, you must use the commands
Ethernet IP or IPX address, TCP/IP routing, IPX routing
Bridging, Filters
TCP/IP route addresses, IPX routes, IPX SAPs and bridging control, and enable, disable, or
of the information listed below
reboot
and
save
for the
40Chapter 3. Configuring Router Software
Page 41
Configuration Tables
The following tables give you step-by-step instructions for standard configurations of the following Network
Protocol/Link Protocol associations, as well as a configuration table for a Dual-Ethernet Router:
•PPP Link Protocol with IP Routing Network Protocol
•PPP Link Protocol with IPX Routing Ne t work Protocol
•PPP Link Protocol with Bridging Network Protocol
•RFC 1483/RFC 1490 Link Protocols with IP Routing Network Protocol
•RFC 1483/RFC 1490 Link Protocols with IPX Routing Network Protocol
•RFC 1483/RFC 1490 Link Protocols with Bridging Network Protocol
•RFC 1483MER/RFC 1490MER Link Protocols with IP Network Protocol
•FRF8 Link Protocol with IP Routing Network Protocol
•Mixed Network Protocols (combinations of two or three network protocols)
•Dual-Ethernet Router with IP routing
Note:
Blank Network Configuration Worksheets are available in Appendix A.
Using the tables:
1.Find the configuration table that fits yo ur par ticular Network Protocol/Link Protocol ass ociat ion. These tables
are designed to provide easy step-by-step instructions.
2.Use the blank Network Configuration Worksheets provided in Appendix A to enter the commands in the
order that they are given in the
3.You may want to refer to the sample configurations at the end of this chapter.
Commands
column of the configuration tables.
Chapter 3. Configuring Router Software 41
Page 42
Configuring PPP with IP Routing
This table outlines configuration commands for the PPP Link Protocol with the IP R outing Network Protocol.
PPP with IP Routing
StepsSettingsCommands
System Settings
System NameRequired
System MessageOptional
Authentication PasswordRequired
Ethernet IP AddressAs required
DHCP SettingsAlready enabled; additional
settings may be required
Change LoginOptional
Remote Routers
New EntryEnter: Remote Name
Link Protocol/PVC
(for ATM routers)
Link Protocol/DLCI
(for Frame Relay routers)
Security
c
a
b
Remote’s Password
Select: PPP
Enter: VPI/VCI numbers
Select: PPP
Enter: DLCI number
Choose security level
Enter: password
Bridging On/OffMust be off
TCP/IP Route AddressEnter: Explicit or default
route
If NAT is enabled:To enable NAT, use:
You may need to enter a
Source WAN Port Address
If NAT is not enabled:You may need to enter a
Source WAN Port Address
system name <
system msg <
system passwd <
eth ip addr <
name
message
password
ipaddr
>
>
ipnetmask
> <
>
>
[<
dhcp set valueoption domainname
domainname
<
dhcp set valueoption domainnameserver
system admin <
remote add <
remote setProtocol PPP <
remote setPVC <
remoteName>
<
remote setProtocol PPP <
remote setDLCI <
remote setAuthen <
remote setOurPasswd <
remote disBridge <
remote addIproute <
remoteName
<
remote setIpTranslate
remote setSrcIpAddr <
remoteName
<
remote setSrcIpAddr <
remoteName
<
>
password
remoteName
>
>
remoteName
vpi number
>*<
remoteName
number
> <
protocol> <remoteName
password
remoteName
ipnet
> <
>
remoteName
<
on
ipaddr
>
ipaddr> <mask
>
vci number
remoteName
> <
remoteName
>
ipnetmask
mask
> <
port#
<
ipaddr
>
>
> <
>
>
>
>
>]
>
hop
>
>
>
>
s
IP and IPX Routing
TCP/IP Routing
(Internet Firewall )
Must be enabled
(optional)
IPX Routing Must be disabled
Store
Reboot
a Enter this information if you are using PPP in an ATM environment.
b Enter this information if you are using PPP in a Frame Relay environmen t.
c If the ISP does not support the authentication of the ISP system by the caller, use the command
remoteName
<
> to disable the authentication.
eth ip enable
eth firewall <
eth ipx disable
save
reboot
on | off
>
remote disauthen
42Chapter 3. Configuring Router Software
Page 43
Configuring PPP with IPX Routing
This table outlines configuration commands for the PPP Link Protocol with the IPX Routi ng Network Protocol.
Note:
Appendix B provides step-by-step information on how to configure IPX routing.
PPP with IPX Routing
StepsSettingsCommands
System Settings
System NameRequired
System MessageOptional
Authentication PasswordRequired
Ethernet IP AddressAs required
Settings DHCPAlready enabled; addit.
settings may be required
Change LoginOptional
Ethernet IPX Network #Enter: IPX network #
Frame Type
(default: 802.2)
Remote Routers
New EntryEnter: Remote Name
Link Protocol/PVC
a
(for ATM routers)
Link Protocol/DLCI
(for Frame Relay routers)
Security
c
b
Remote’s Password
Select: PPP
Enter: VPI/VCI numbers
Select: PPP
Enter: DLCI number
Choose security level
Enter: password
Bridging On/OffMust be off
IPX Routes
Enter appropriate info
Add
IPX SAPs
Enter appropriate info
Add
WAN Network #Enter appropriate info
system name <
system msg <
system passwd <
eth ip addr <
dhcp set valueoption domainname
name
message
password
ipaddr
>
>
ipnetmask
> <
>
port#
>[<
>]
<domainname>
dhcp set valueoption domainnameserver <
ipxnet
remoteName
>
socket
> <
password
>
[<
type
>
vpi number
PPP
number
protocol
password
remoteName
<ipxNet
servicename
type
> <
ipxNet
>
port#
>]
>
remoteName
>*<
vci number
remoteName
<
remoteName
> <
remoteName
> <
> <
>
> <
hops
> <
remoteName
> <
>
>
>
>
remoteName
metric
> <
> <
ticks
> <
ipxNet
remoteName
system admin <
eth ipx addr <
eth ipx frame <
remote add <
remote setProtocol PPP <
remote setPVC <
<
remoteName
remote setProtocol
remote setDLCI <
remote setAuthen <
remote setPassw d <
remote disBridge <
remote addIpxroute
remoteName>
<
remote addIpxsap <
ipxNode
<
remote setIpxaddr <
ipaddr
>
>
>
>
>
>
>
IP and IPX Routing
TCP/IP Routing Must be disabled
IPX Routing Must be enabled
Store
Reboot
a Enter this i nformation if you are using PPP in an ATM environment.
b Enter this information if you are usin g PP P in a Fram- Relay environment.
eth ip disable
eth ipx enable
save
reboot
c If the ISP does not support the authentication of the ISP system by the caller, use the command:
remote disauthen
remoteName
<
> to disable the authentication .
Chapter 3. Configuring Router Software 43
Page 44
Configuring PPP with Bridging
This table outlines configuration commands for the PPP Link Protocol with the Bridging Network Protocol.
PPP with Bridging
StepsSettingsCommands
System Settings
System NameRequired
System MessageOptional
Authorization PasswordRequired
DHCP SettingsAlready enabled; additional
settings may be required
Change LoginOptional
Remote Routers
New EntryEnter: Remote Name
Link Protocol/PVC
a
(for ATM routers)
Link Protocol/DLCI
(for Frame Relay routers)
Security
c
Remote’s Password
Select: PPP
Enter: VPI/VCI
b
Select: PPP
Enter: DLCI number
Choose security level
Enter: Password
Bridging On/OffMust be ON
IP and IPX Routing
IP Routing Must be disabled
IPX Routing Must be enabled
Store
Reboot
system name <
system msg <
system passwd <
dhcp set valueoption domainname <
dhcp set valueoption domainnameserver <
system admin <
remote add <
remote setProtocol PPP <
remote setPVC
remote setProtocol PPP <
remote setDLC I <
remote setAuthen <
remote setOurPasswd <
remote enaBridge <
name
>
message
>
password
password
remoteName
vpi number
<
number
protocol
remoteName
>
>
>
remoteName
>*<
vci number
remoteName
remoteName
> <
> <
password
domainname
> <
remoteName
remoteName
remoteName
> <
>
eth ip disable
eth ipx disable
save
reboot
ipaddr
>
>
>
>
>
>
>
>
a Enter this information if you are using PPP in an ATM environment.
b Enter this information if you are using PPP in a Frame-Relay environment.
c If the ISP does not support the authentication of the ISP system by the caller, use the command
<
remoteName
>
to disable the authentication.
remote disauthen
44Chapter 3. Configuring Router Software
Page 45
Configuring RFC 1483 / RFC 1490 with IP Routing
This table outlines configuration commands for the RFC 1483 and the RFC 1490 Lin k Protocols with the IP
Routing Network Protocol.
RFC 1483 / RFC 1490 with IP Routing
StepsSettingsCommands
System Settings
System MessageOptional
Ethernet IP AddressAs required
DHCP SettingsAlready enabled;
additional settings may
be required
Change LoginOptional
New EntryEnter: Remote Name
a
Link Protocol/PVC
(for ATM routers)
Select: RFC 1483
Enter: VPI/VCI
Numbers
b
Link Protocol/DLCI
(for Frame Relay
routers)
Select: FR
Enter: DLCI number
Bridging On/OffMust be OFF
TCP/IP Route
Address
Enter: Explicit or default
route with remote
gateway
If Address T ranslation
To enable NAT, use:
(NAT) is enabled:
system msg <
eth ip addr <
message
ipaddr
>
ipnetmask
> <
dhcp set valueoption domainname <
dhcp set valueoption domainnameserver <
system admin <
password
>
Remote Routers
remote add <
remoteName
>
remote se tProtocol RFC1483 <
>
>
vpi number
remoteName
number
> <
remoteName
> <
ipnet
ipnetmask
>*<
remoteName
remote se tPVC <
remoteName
<
remote se tProtocol FR <
remote setDLCI <
remote disBridge <
remote addiproute <
<
remoteName
remote se tIpTranslate on <
port#
> [<
domainname
remoteName
vci number>
>
remoteName
>
> <
hops
>]
>
ipaddr>
>
>
>
>
TCP/IP Route
Addresses
If NAT is off:
TCP/IP Route
Addresses
Enter: Source WAN Port
Address
You may still need to
enter a Source WAN
Port Address
remote se tSrcIpAddr <
remote se tSrcIpAddr <
ipaddr
ipaddr
> <
> <
mask
mask
remoteName
> <
remoteName
> <
>
>
IP and IPX Routing
TCP/IP Routing
(Internet Firewall )
Must be enabled
(Optional)
IPX Routing Must be disabled
Store
Reboot
a Enter this information i f you are using RFC 1483 in an ATM environment.
Enter this information if you are using RFC 1490 in a Frame-Relay environment
b
eth ip enable
eth firewall <on | off >
eth ipx disable
save
reboot
.
Chapter 3. Configuring Router Software 45
Page 46
Configuring RFC 1483 / RFC 1490 with IPX Routing
This table outlines configuration commands for the RFC 1 483 and RFC 1490 Link Protocols with the IPX
Routing Network Protocol.
Note:
Appendix B provides step-by-step information on how to configure IPX routing.
RFC 1483 / RFC 1490 with IPX Routing
StepsSettingsCommands
System Settings
System MessageOptional
Ethernet IP AddressAs required
DHCP SettingsAlready enabled;
additional settings m ay be
required
Ethernet IPX Network #
Enter: IPX Network # Frame
Type (default is 802.2)
Change LoginOptional
Remote Routers
New EntryEnter: Remote Name
Link Protocol/PVC
(for ATM routers)
Link Protocol/DLCI
a
(for Frame Relay routers)
Select: RFC 1483
Enter: VPI/VCI Numbers
Select: FR
Enter: DLCI number
Bridging on/offMust be off
IPX Routes
Enter appropriate info
Add
IPX SAPs
Enter appropriate info
Add
WAN Network NumberEnter appropriate info
eth ip addr <
dhcp set valueoption domainna me <
dhcp set valueoption domainna me se rve r <
eth ipx addr <
eth ipx frame <
ipaddr
ipxnet
type
system admin <
remote add <
remoteName
remote setProtocol RFC1483 <
remote setPVC <
<
remoteName
vpi number
>
remote setProtocol FR <
remote setDLCI <
remote disBridge <
remote addIpxroute <
ipnetmask
> <
>
[<
port#
> [<
>]
>
password
>
>
remoteName
>* <
vci number
remoteName
number
remoteName
remoteName
> <
>
ipxNet> <metric> <ticks>
port#
domainname
>
<remoteName>
remote addIpxsap <
ipxNode
<
> <
socket
remote setIpxaddr <
servicename
type
> <
ipxNet
> <
> <
ipxNet
> <
hop
> <
s
remoteName
>]
>
>
ipaddr
>
>
>
>
remoteName>
>
IP and IPX Routing
TCP/IP Routing
(Internet Firewall)
Must be disabled
(optional)
IPX Routing Must be enabled
Store
Reboot
a Enter this information i f you are using RFC 1490 in a Frame Relay environment.
eth ip disable
eth firewall
<on | off >
eth ipx enable
save
reboot
46Chapter 3. Configuring Router Software
Page 47
Configuring RFC 1483 / RFC 1490 with Bridging
This table outlines configuration commands for the RFC 1 483 and RFC 1490 Link Protocols with the Bridging
Network Protocol.
RFC 1483 / RFC 1490 with Bridging
StepsSettingsCommands
System Settings
System MessageOptional
DHCP SettingsAlready enabled;
additional settings may be
required
Change LoginOptional
New EntryEnter: Remote Name
Link Protocol/PVC
(for ATM routers)
Link Protocol/DLCI
(for Frame Relay
routers)
Bridging On/OffMust be on
IP Routing Must be disabled
IPX Routing Must b e disabled
Store
Reboot
Enter this information if you are using RFC 1490 in a Frame-Relay environment
a
Select: RFC 1483
Enter: VPI/VCI Numbers
a
Select: FR
Enter: DLCI number
IP and IPX Routing
system msg <
dhcp set valueoption domainname <
dhcp set valueoption domainnameserver <
system admin <
Remote Routers
remote a dd <
remote setProtocol RFC1483 <
remote setPVC <
remoteName
<
remote setProtocol FR <
remote setDLCI <
remote enaBridge <
eth ip disable
eth ipx disab l e
save
reboot
message
remoteName
>
>
password
vpi number
number
remoteName
.
>
>
remoteName
vci number
>*<
remoteName
remoteName
> <
>
domainname
ipaddr
>
>
>
>
>
>
Chapter 3. Configuring Router Software 47
Page 48
Configuring MAC Encapsulated Routing: RFC 1483MER / RFC
1490MER with IP Routing
This table outlines configuration commands for the RFC 1483MER and RFC 1490MER Link Protocols with the
IP Routing Network Protocol.
RFC 1483MER / RFC 1490 MER with IP Routing
StepsSettingsCommands
System Settings
System MessageOptiona l
Ethernet IP AddressAs required
DHCP SettingsAlready enabled;
additional settings may
be required
Change LoginOptional
Remote Routers
New EntryEnter: Remote Name
a
Link Protocol/PVC
(for ATM routers)
Link Protocol/DLCI
(for Frame Relay
routers)
Bridging On/Off
TCP/IP Route
Address
Select: RFC 1483MER
Enter: VPI/VCI Numbers
b
Select: MER
Enter: DLCI number
Must be off
Enter: Explicit or default
route with remote
gateway
If NAT is enabled:To enable NAT, use:
If NAT is OFF:Enter: Source WAN Port
Address + mask of the
remote network
TCP/IP Route
Addresses
Enter a Source WAN Port
Address + mask of the
remote network’s mask
system msg <
eth ip addr <
dhcp set valueoption domainname <
message
ipnet
> <
>
ipnetmask
> [<
port#
>]
domainname
dhcp set valueoption domain nameserver <
system admin <
remote add <
remote setProtocol
remote setPVC <
remoteName
<
remote setProtocol MER <
remote setDLCI <
remote disBridge <
remote addiproute <
ipGateway
<
remote setIpTranslate on <
remote setSrcIpAddr <
remote setS rcIpAd dr <
password
remoteName
RFC1483MER
vpi number
>
number
remoteName
remoteName
> <
ipnet
ipaddr
ipaddr
>
>
remoteName
<
vci number
>*<
remoteName
remoteName
> <
>
>
>
ipnetmask><ipGateway
> <
>
remoteName
> <
> <
>
mask><remoteName
mask
remoteName
> <
ipaddr
>
>
>
>
>
>
>
IP and IPX Routing
TCP/IP Routing
(Internet Firewall)
Must be enabled
(optional)
IPX Routing Must be disabled
Store
Reboot
a Enter this information i f you are using RFC 1483 in an ATM environment.
Enter this information if you are using RFC 1490 in a Frame-Relay environment
b
eth ip enable
eth firewall <
eth ipx disable
save
reboot
on | off
.
>
48Chapter 3. Configuring Router Software
Page 49
Configuring FRF8 with IP Routing
This table outlines configuration commands for the FRF8 Link Protocol with th e IP Routin g N etwork Protocol.
FRF8 with IP Routing
StepsSettingsCommands
System Settings
System MessageOptiona l
Ethernet IP AddressAs required
DHCP SettingsAlready enabled;
additional settings may
be required
Change LoginOptional
Remote Routers
New EntryEnter: Remote Name
Link Protocol/PVCSelect: FRF8
Enter: VPI/VCI Numbers
Bridging On/OffMust be off
TCP/IP Route
Address
If Address Translation
(NAT) is enabled:
If NAT is OFF:Enter: Source WAN Port
TCP/IP Route
Addresses
Enter: explicit or default
route
To enable NAT, use:
Address + mask of the
remote network
Enter a Source W AN Port
Address + mask of the
remote network
system msg <
eth ip addr <
dhcp set valueoption domainname <
dhcp set valueoption domain nameserver <
system admin <
remote add <
remote setProtocol FRF8 <
remote setPVC <
remoteName
<
remote disBridg e <
remote addIproute <
remoteName
<
remote setIpTranslate on <
remote setSrcIpAddr <
remote setSrcIpAddr <
message
ipaddr
remoteName
>
>
>
> <
password
vpi number
remoteName
ipnet
ipnetmask
>
>
remoteName
vci number
>*<
>
ipnetmask> <hops
> <
remoteName
ipaddr
> <
ipaddr
> <
<port#>
>
[
domainname
>
>
mask><remoteName
mask><remoteName
]
ipaddr
>
>
>
>
>
>
IP and IPX Routing
TCP/IP Routing
(Internet Firewall )
IPX Routing Must be disabled
Store
Reboot
Chapter 3. Configuring Router Software 49
Must be enabled
(Optional)
eth ip enable
eth firewall <
eth ipx disable
save
reboot
on | off
>
Page 50
Configuring Mixed Network Protocols
Several network protocols can be configured concurrently in the same router. The possible combinations are:
•Bridging + IP routing
•Bridging + IPX routing
•Bridging + IP routing + IPX routing
•IP routing + IPX routing
General configuration rules
•IP (and IPX) routing takes precedence over bridging.
•Each network protocol in the combination is individually configured as described in the preceding tables.
•When configuring multiple network protocols,
preceding individual configuration tables show them to be mutually exclusive).
Example
To configuren bridging + IP routing (both with Link Protocol RFC 1483), refer to the preceding
Bridging
Bridging and IP Routing settings. Since you are configuring both bridging and IP routing, make sure that these
two protocols are both enabled (even though the individual configuration tables you are referring to are showing
them to be mutually exclusive). Configure Bridging and then IP Routing. Remember that IP Routin g has
precedence over Bridging.
:
RFC 1483 with IP Routing
and
:
make sure that they are all enabled
tables. Follow the instructions described in the tables, except for the
(even though the
RFC 1483 with
50Chapter 3. Configuring Router Software
Page 51
Configuring a Dual-Ethernet Router for IP Routing
This table outlines commands used to configure a Dual-Ethernet router for IP routing.
Dual-Ethernet Router with IP Routing
StepsSettingsCommands
System Settings
System NameOptional
System Settings
MessageOptional
Ethernet Settings
Routing/ Bridging
Controls
ETH/0 IP AddressDefine ETH/0 IP address for
ETH/1 IP AddressDefine ETH/1 IP address for
TCP/IP default route
address
DHCP SettingsDefine DHCP network for
Enable IP routing
Disable bridging
the hub side
the single 10Base-T side
ETH/0 sends all traffic to
ETH/1
DHCP Settings
Already enabled; additional settings may be required
ETH/1
Create an address pool for
ETH/1
DNS Domain Name
system name
system msg
eth ip enable
eth br disable
eth ip addr
eth ip addr
eth ip addroute
<hops> [<port#>
dhcp add | <
<min> <max> <type>
dhcp set addresses
dhcp set valueoption domainname <
<name>
<message>
<ipaddr> <ipnetmask> [<port#>
<ipaddr> <ipnetmask> [<port#>
<ipaddr> <ipnetmask> <gateway>
]
net> <mask> | <ipaddr>
<first ipaddr> <last ipaddr>
]
]
<code>
|
domainname
>
DNS Server
WINS Server Address
Chapter 3. Configuring Router Software 51
dhcp set valueoption domain nameserver
dhcp set valueoption winsserver
<ipaddr>
<ipaddr>
Page 52
Verify the Router Configuration
Test IP Routing
Test IP Routing over the Local Ethernet LAN (from PC)
•Use the TCP/IP
Ethernet LAN IP address.
•If you cannot contact the router, verify that the Ethernet IP address and subnet mask are correct and check the
cable connections.
•Make sure that you have saved and rebooted after setting the IP address.
• Check Network TCP/IP properties under Windows 95. If you are running Windows 3.1, check that you have
a TCP/IP driver installed.
ping
command or a similar method to contact the configured target router specifying the
Test IP Routing to a Remote Destination
•Using the TCP/IP
ping
the
•If remote or local WAN IP Addresses are required, verify that they are valid.
•Use the
specified a default route as well.
command, the router will connect to the remote router using the DSL line.
iproutes
ping
command, contact a remote router from a local LAN-connected PC. When you enter
command to check, first, the contents of the IP routing table and, second, that you have
Test Routing from a Remote Destination
•Have a remote router contact the target router using a similar method.
Test TCP/IP Routes
•Contact a station, subnetwork, or host located on the network beyond a remote router to verify the TCP/IP
route addresses entered in the remote router database.
•Verify that you configured the correct static IP routes.
•Use the
iproutes
command to check the contents of the IP routing table.
Test Bridging to a Remote Destination
Use any application from a local LAN-attached station that accesses a server or disk using a protocol that is being
bridged on the remote network beyond the remote router. If you cannot access the server:
•Verify that you have specified a default destination remote router.
•Make sure that you have enabled bridging to the remote router.
•Check that bridge filtering does not restrict access from the local station.
52Chapter 3. Configuring Router Software
Page 53
Test IPX Routing
One way to test IPX routing is to check for access to servers on the remote LAN. Under Windows, use the
NetWare Connections
login
type
listed. When you attempt to access the server, the router will connect to the remote router using the DSL line.
If you cannot access the remote server:
•Check that the local Ethernet LAN IPX network number is correct.
•Verify that the WAN link network number is the same as the remote WAN link network number.
•Check cable connections and pinouts.
•Verify that the IPX routes and IPX SAPs you have specified are correct.
on the login drive (usually F:). Select the printer server and verify that the server you have defined is
selection provided with NetWare User Tools. Under DOS, use the command
pconsole
or
•List the contents of the routing and services tables using the
•Make sure that the security authentication method and password that you configured match the remote router.
ipxroutes
and
ipxsaps
commands, respectively.
Chapter 3. Configuring Router Software 53
Page 54
Sample Configurations
Sample Configuration 1: PPP with IP and IPX
This configuration example comprises:
•A scenario describing the configuration
•A diagram showing the configuration of the SOHO router
•Tables containing the configuration settings for this example
•Several
•Information about the names and passwords that are used in this configuration example (required for PPP)
Note:
in Appendix A. Also these samples and others are on the installation CD in the samples directory where the GUI
was installed.
list
command outputs that are used to check the information entered for this particular configuration
Blank Network Information Worksheets are available to fill in the information for your own configuration
Scenario:
In this configuration example of a hypothetical network, a small office/home office (SOHO) will access:
•The Internet through an Internet Service Provider (ISP); it uses PPP as the link protocol with IP routing
as the network protocol. Network Address Translation (NAT) is enabled to the ISP, because the ISP
assigned the SOHO only one IP address.
•A central site (HQ) through a Network Service Provider (NSP provides access to the DSL/ATM Wide
Area Network); it uses PPP as the Link Protocol with IP and IPX as its network protocols.
IP addresses are issued by the DHCP server. DHCP will be set up to issue DNS information to the SOHO LAN.
54Chapter 3. Configuring Router Software
Page 55
Sample Configuration 1: Diagram for Target Router (SOHO)
Small Home Office SOHO (Target/Local Router)
IPX = 456
0,39
(HQ)
SOHO
0,38
(ISP)
PC/Client
192.168.254.2
255.255.255.0
Workstation/Server
192.168.254.3
255.255.255.0
Target Router
IP:192.168.254.254
255.255.255.0
PPP/IP
192.168.200.20
HQ
ISP
0.0.0.0
255.255.255.255
PPP/IP and IPX
2 Virtual
Circuits
DSL / ATM
Network
Remote Router
IP:172.16.0.1
255.255.255.0
IPX WAN = 789
IPX NET = 123
Network Service
Provider
(ISP)
DNS: 192.168.200.1
DNS Domain: myISP.com
PC/Client
Network Service Provider
(HQ)
Server
SERV312_FP,
1001
NT Server/WINS Server
172.16.0.2
255.255.255.0
Chapter 3. Configuring Router Software 55
Page 56
Sample Configuration 1: Tables for Target Router (SOHO)
SOHO System Settings
Configuration
Section
NameSystem Name
MessageMessage (optional)
Authentication
Password
Ethernet IP AddressEthernet IP Address and
Ethernet IPX
Network
DHCP SettingsDNS Domain Name
Authentication Password
Subnet Mask
address)
Ethernet IPX Network
Number
DNS Server
WINS Server Address
ItemCommands
(default IP
System Settings
system name SOHO
system msg Configured_Dec_1998
system password SOHOpasswd
eth ip addr 192.168.254.254 255.255.255.0
eth ipx addr 456
DHCP Settings
dhcp set valueoption domainname myISP.com
dhcp set valueoption domain nameserver
192.168.200.1
dhcp set valueoption winsserver 172.16.0.2
56Chapter 3. Configuring Router Software
Page 57
SOHO Remote Router Database
Entry: HQ
Configuration
Section
New EntryRemote Router’s Name
Link ProtocolLink Protocol
PVCVPI Number/VCI Number
SecurityMinimum Authentication
(PAP is the default)
Remote Router’s Password
BridgingBridging on/off
(Bridging is off by default)
TCP/IP Route
Addresses
IPX AddressNetwork #, Hop Count, Ticks
IPX SAPsSAPS: Server Name, Server
Note:
Fill in one worksheet for each remote router in the remote router database.
Remote Network’s IP
Addresses, Subne t Masks,
and Metric
Source IP address/subnet mask........ 0.0.0.0/0.0.0.0
Remote IP address/subnet mask........ 0.0.0.0/0.0.0.0
Send IP RIP to this dest............. no
Send IP default route if known..... no
Receive IP RIP from this dest........ no
Receive IP default route by RIP.... no
Keep this IP destination private..... yes
Total IP remote routes............... 1
172.16.0.0/255.255.255.0/1
IPX network number................... 00000789
Total IPX remote routes.............. 1
00001001/1/4
Total IPX SAPs....................... 1
SERV312_FP 00001001 00:00:00:00:00:01 0451 0003 1
Bridging enabled..................... no
Exchange spanning tree with dest... yes
INFORMATION FOR <ISP>
Status............................... enabled
Protocol in use...................... PPP
Authentication....................... enabled
Authentication level required........ PAP
Connection Identifier (VPI*VCI)...... 0*38
IP address translation............... on
Compression Negotiation.............. off
Source IP address/subnet mask........ 192.168.200.20/255.255.255.255
Remote IP address/subnet mask........ 0.0.0.0/0.0.0.0
Send IP RIP to this dest............. no
Send IP default route if known..... no
Receive IP RIP from this dest........ no
Receive IP default route by RIP.... no
Keep this IP destination private..... yes
Total IP remote routes............... 1
0.0.0.0/255.255.255.255/1
Chapter 3. Configuring Router Software 59
Page 60
IPX network number................... 00000000
Total IPX remote routes.............. 0
Total IPX SAPs....................... 0
Bridging enabled..................... no
Exchange spanning tree with dest... yes
dhcp list
bootp server ................. none
bootp file ................... n/a
DOMAINNAMESERVER (6) ......... 192.168.200.1
DOMAINNAME (15) .............. myISP.com
WINSSERVER (44) .............. 172.16.0.2
Subnet 192.168.254.0, disabled - other DHCP servers detected
When DHCP servers are active . stop
Mask ......................... 255.255.255.0
first ip address ............. 192.168.254.2
last ip address .............. 192.168.254.20
lease ........................ default
bootp ........................ not allowed
bootp server ................. none
bootp file ................... n/a
eth list
ETHERNET INFORMATION FOR <ETHERNET/0>
Hardware MAC address................. 00:20:6F:02:A1:BF
Bridging enabled..................... no
IP Routing enabled................... yes
Firewall filter enabled ........... yes
Send IP RIP to the LAN............. rip-1 compatible
Advertise me as default router... yes
Process IP RIP packets received.... rip-1 compatible
Receive default route by RIP..... yes
RIP Multicast address................ default
IP address/subnet mask............... 192.168.254.254/255.255.255.0
IP static default gateway............ none
IPX Routing enabled.................. yes
External network number............ 00000456
Frame type......................... 802.2
60Chapter 3. Configuring Router Software
Page 61
Information About Names and Passwords for Sample Configuration 1
In this configuration example, the PPP Link Protocol requires using systems names and passwords.
System Passwords
!!!!
SOHO
has a system password “SOHOpasswd,” which is used when SOHO communicates with HQ for
authentication by that site and at any time when HQ challenges SOHO.
HQ
has a system password “HQpasswd,” which is, likewise, used when HQ communicates with site
SOHO for authentication by SOHO and at any time SOHO challenges HQ.
ISP
has a system password “ISPpasswd” used for the same purpose.
Remote Passwords
!!!!
Each router has a remote router’s password for each remote router defined in its Remote Router
Database. The router will use the remote password to authenticate the remote router when the remote
router communicates with or is challenged by the local site.
For example, SOHO has remote router entries for HQ and ISP; defined in each table entry is the
respective remote router’s password.
The following table shows the names and passwords for each router that must be defined for
authentication to be performed correctly. (This assumes that all three systems use some form of
authentication protocol.)
Note:
If you experience trouble with pass word s, w e recom mend t hat yo u set t he remo te rout er s ecuri ty t o
disable authentication
System
Name
System
Password
Remote
Router
Database
to simplify the process.
Names & Passwords
Configured in
SOHO Router
SOHOHQISP
SOHOpasswdHQpasswdISPpasswd
HQpasswd
ISPpasswd
Names &
Passwords
Configured in
HQ Router
SOHOpasswdSOHOpasswd
Names &
Passwords
Configured in
ISP Router
Chapter 3. Configuring Router Software 61
Page 62
Sample Configuration 2: RFC 1483 with IP and Bridging
This configuration example comprises:
•A scenario describing this configuration of the router SOHO
•A diagram showing the configuration information needed for this example
•Tables containing the configuration settings for this example
•Several
Note 1:
Note 2:
in Appendix A.
list
command outputs that are used to check the information entered for this particular configuration
Names and passwords are
Blank Network Information Worksheets are available to fill in the information for your own configuration
not
required w ith the RFC 14 83 Link Protocol.
Scenario:
In this configuration example of a hypothetical network, a small office/home office (SOHO) will access:
•The Internet through an Internet Service Provider (ISP); it uses RFC 1483 as the Link Protocol with I
routing as the network protocol. Network Address Translation (NAT) is enabled to the ISP, since the ISP
assigned SOHO only one IP address.
•A central site (HQ) through a Network Service Provider (NSP provides access to the DSL/ATM Wide
Area Network); it uses RFC 1483 as the link protocol with bridging and IP routing as its network
protocols.
IP addresses are issued by the DHCP server. DHCP will be set up to iss ue DNS information to the SOHO
LAN.
P
62Chapter 3. Configuring Router Software
Page 63
Sample Configuration 2: Diagram for Target Router SOHO
Small Home Office SOHO (Target Router)
0,39
(HQ)
SOHO
0,38
(ISP)
PC/Client
192.168.254.2
255.255.255.0
Workstation/Server
192.168.254.3
255.255.255.0
Target Router
IP:192.168.254.254
255.255.255.0
RFC 1483 / IP
192.168.200.20
2 Virtual
Circuits
DSL / ATM
Network
ISP
Network Service
Provider
(ISP)
0.0.0.0
255.255.255.255
DNS: 192.168.200.1
DNS Domain: myISP.com
RFC 1483 / IP + Bridging
PC/Client
Bridging Application
Network Service Provider
(HQ)
HQ
Remote Router
IP:172.16.0.1
255.255.255.0
NT Server/WINS Server
172.16.0.2
255.255.255.0
Chapter 3. Configuring Router Software 63
Page 64
Sample Configuration 2 : Tables for Target Router (SOHO)
SOHO System Settings
Configuration SectionItemCommands
System Settings
MessageMessage (optional)
Ethernet IP AddressEthernet IP Address and
Subnet Mask
(default IP address)
DHCP SettingsDNS Domain Name
DNS Server
WINS Server address
system msg RFC1483_dec98
eth ip addr 192.168.254. 254 255.255. 255.0
dhcp set valueoption domainname myISP.com
dhcp set valueoption domainnameserver
192.168.200.1
dhcp set valueoption winsserver 172.16.0.2
SOHO Remote Router Database
Entry: HQ
Configuration SectionItemCommands
Remote Routers
New EntryRemote Router’s Name
Link ProtocolLink Protocol
PVCVPI Number/VCI Number
BridgingBridging on/off
TCP/IP Route Addresses Remote Network’s IP
Hardware MAC address................. 00:20:6F:02:A1:BF
Bridging enabled..................... yes
IP Routing enabled................... yes
Firewall filter enabled ........... yes
Send IP RIP to the LAN............. rip-1 compatible
Advertise me as default router... yes
Process IP RIP packets received.... rip-1 compatible
Receive default route by RIP..... yes
RIP Multicast address................ default
IP address/subnet mask............... 192.168.254.254/255.255.255.0
IP static default gateway.......... none
IPX Routing enabled.................. no
External network number............ 00000000
Frame type.......................... 802.2
remote list
INFORMATION FOR <HQ>
Status............................... enabled
Protocol in use...................... RFC1483 (SNAP)
Connection Identifier (VPI*VCI)...... 0*39
IP address translation............... off
Compression Negotiation.............. off
Source IP address/subnet mask........ 0.0.0.0/0.0.0.0
Remote IP address/subnet mask........ 0.0.0.0/0.0.0.0
Send IP RIP to this dest............. no
Send IP default route if known..... no
Receive IP RIP from this dest........ no
Receive IP default route by RIP.... no
Keep this IP destination private..... yes
Total IP remote routes............... 1
172.16.0.0/255.255.255.0/1
IPX network number................... 00000000
Total IPX remote routes.............. 0
Total IPX SAPs....................... 0
Bridging enabled..................... yes
Exchange spanning tree with dest... yes
INFORMATION FOR <ISP>
Status............................... enabled
Protocol in use...................... RFC1483 (SNAP)
Connection Identifier (VPI*VCI)...... 0*38
IP address translation............... on
66Chapter 3. Configuring Router Software
Page 67
Compression Negotiation.............. off
Source IP address/subnet mask........ 192.168.200.20/255.255.255.255
Remote IP address/subnet mask........ 0.0.0.0/0.0.0.0
Send IP RIP to this dest............. no
Send IP default route if known..... no
Receive IP RIP from this dest......... .no
Receive IP default route by RIP.... no
Keep this IP destination private..... yes
Total IP remote routes............... 1
0.0.0.0/255.255.255.255/1
IPX network number................... 00000000
Total IPX remote routes.............. 0
Total IPX SAPs....................... 0
Bridging enabled..................... no
Exchange spanning tree with dest.... yes
dhcp list
bootp server ................. none
bootp file ................... n/a
DOMAINNAMESERVER (6) ......... 192.168.200.1
DOMAINNAME (15) .............. myISP.com
WINSSERVER (44) .............. 172.16.0.2
Subnet 192.168.254.0, disabled - other DHCP servers detected
When DHCP servers are active . stop
Mask ......................... 255.255.255.0
first ip address ............. 192.168.254.2
last ip address .............. 192.168.254.20
lease ........................ default
bootp ........................ not allowed
bootp server ................. none
bootp file .................... n/a
Chapter 3. Configuring Router Software 67
Page 68
Sample Configuration 3: Configuring a Dual-Ethernet Router for IP
Routing
Scenario:
The following example provides a simple sample configuration for a Dual-Ethernet router (eth_router) with
IP routing enabled.
The router’s hub (ETH/0) belongs to the 192.168.254.0 subnet. The router’s ETH/1 belongs to the
192.168.253.0 subnet.
ETH/0 will route packets to ETH/1 at the address 192.168.253.254. DHCP is enabled for both subnets.
eth_router Configuration
Configuration
Section
NameSystem Name (optional)
MessageMessage (optional)
Routing/ Bridging
Controls
ETH/0 IP AddressDefine ETH/0 IP address for
ETH/1 IP AddressDefine ETH/1 IP address for
TCP/IP default route
address
DHCP SettingsDefine DHCP network for
Enable IP routing
Disable bridging
the hub side
the single 10Base-T side
ETH/0 sends all traffic to
ETH/1
ETH/1
Create an address pool for
ETH/1
DNS Domain Name
DNS Server
WINS Server Address
ItemCommands
System Settings
Ethernet Settings
DHCP Settings
system name eth_rout e r
system msg Config ured_Jan_1999
eth ip enable
eth br disable
eth ip addr 192.168.254.254 255.255.255.0 0
eth ip addr 192.168.253.254 255.255.255.0 1
eth ip addroute 0.0.0.0 255.255.255.255
192.168.253.254 1 1
dhcp add 192.168.253.0 255.255.255.0
dhcp set addresses 192.168.253.2 192.168.253.20
dhcp set valueoption domainname myISP.com
dhcp set valueoption domain nameserver
192.168.200.1
dhcp set valueoption winsserver 172.16.0.2
68Chapter 3. Configuring Router Software
Page 69
Chapter 4. Configuring Special Features
The features described in this chapter are advanced topics. They are primarily intended for experienced users and
network administrators to perform network management and more complex configurations.
•Bridge Filtering and IP firewall
•IP protoco l controls (RIP)
•Dynamic Host Configuration Protocol (DHCP)
•Network Address Translation (NAT )
•Management security
•Software options keys
•Encryption
•IP filtering
•L2TP tunneling
Bridge Filtering and IP Firewall
General Information
You can control the flow of packets across the router using bridge filtering. Bridge filtering lets you “deny” or
“allow” packets to cross the network based on position and hexadecimal content within the packet. This enables
you to restrict or forward messages with a specified address, protocol, or data content. Common uses are to
prevent access to remote networks, control unauthorized access to the local network, and limit unnecessary traffic.
For example, it might be necessary to restrict remote access for specific users on the local network. In this case,
bridging filters are defined using the local MAC address for each user to be restricted. Each bridging filter is
specified as a "deny" filter based on the MAC address and position of the address within the packet. “deny”
filtering mode is then enabled to initiate bridge filtering. Every packet with one of the MAC addresses would not
be bridged across the router until “deny” filtering mode was disabled.
Similarly, protocol filtering can be used to prevent a specific protocol from being bridged. In this case, the
protocol id field in a packet is used to deny or allow a packet. You can also restrict, for example, the bridging of
specific broadcast packets.
Configure Bridge Filtering
Bridge filtering allows you to control the packets transfer red acro ss the ro uter. Th is feature can b e used to enh a nce
security or improve performance. Filtering will occur based on matched patterns within the packet at a specified
offset. Two filtering modes are available:
•“Deny” mode will discard any packet matched to the “deny” filters in the filter database and let all other
packets pass.
•“Allow” mode will only pass the packets that match the “allow” filters in the filter database and discar d all
others.
Chapter 4. Configuring Special Features69
Page 70
Up to 40 “allow” filters or 40 “deny” filters can be activated from the filter database.
Enter the filters, including the pattern, offset, and filter mode, into a filter database. If you intend to restrict
specific stations or subnetworks from bridging, then add the filters with a “deny” designation. Then enable
filtering for “deny”. If you wish to allow only specific stations or subnetworks to bridge, then add the filters with
an “allow” designation and enable filtering for “allow”. Add each filter with the following command:
pos
filter br add
data
[
][
]deny|allow
pos
where [
data and offset number can be used to identify an address, protocol id, or data content. After you have entered all
the filters, verify your entries with the following command:
filter br list
If you have entered an incorrect filter, delete the filter using the
with the filter list, save the filtering database with the
filtering database. Then enable bridging filtering with the following command:
filter br use
Test the filtering configuration by accessing a remote destination identified in the filter .
]
is the byte offset within a packet (number from 0-127) to a [
filter br del
save filter
none|deny|allow
command. You must reboot the router to load the
data
(a hex number up to 6 bytes). This
]
command. When you are satisfied
Enable/Disab le Int e rnet Firewall Filtering
The router supports IP Internet Firewall Filtering to prevent unauthorized access to your system and network
resources from the Internet. This filter discards packets received from the WAN that have a source IP address
recognized as a local LAN address. You can set Internet Firewall Filtering using the command:
eth ip firewall
The Internet Firewall defaults to on during initial configuration and is active
is on.
on|off|list
only
when Ethernet LAN IP routing
As described earlier, Ethernet LAN IP routing is controlled by the commands:
eth ip enable
eth ip disable
Therefore, at initial configuration, you need only enable IP routing to activate the Internet Firewall Filter. If you
do not wish the router to perform IP Internet Firewall Filtering while doing IP routing, you must turn off the
firewall filter.
70Chapter 4. Configuring Special Features
Remember to save and reboot
if you alter IP routing status.
Page 71
IP (RIP) Protocol Controls
You can configure the router to send and receive RIP packet information, respectively, to and from the remote
router. This means that the local site will “learn” all about the routes beyond the remote router and the remote
router will “learn” all about the local site’s routes. You may not want this to occur in some cases. For example, if
you are connecting to a site outside your company, such as the Internet, you may want to keep knowledge about
your local site’s routes private.
The default is to not send or receive IP RIP packets. If RIP packets are not allowed to flow on the WAN link, you
must
use the
the local site’s existence. The default is to keep the local site’s existence private.
If you wish to allow sending or receiving RIP packets or default routes or to advertise the local site’s existence,
use the following command:
remote addiproute
command to configure static routes for this WAN link. You can also advertise
is:
option>
on|off
[
remote setipoptions <
where <
Note:
option>
rxripReceive IP RIP packets from the remote destination
rxrip1Receive and process RIP-1 packets only
rxrip2Receive and process RIP-2 packet only
rxdefReceive the remote site’s default route
txripSend IP RIP packets to the remote destination
txrip1 Send RIP-1 packets only
txrip2 Send RIP-2 packets only
txdefSend the local site’s default route
privateKeep the local site’s existence private
RIP can be set on the LAN interface as well. See the eth ip options commands for more information.
RIP can be set on the LAN interface as well. See the
remoteName>
] <
eth ip
options commands for more information.
Chapter 4. Configuring Special Features71
Page 72
Dynamic Host Configuration Protocol (DHCP)
This section describes how to configure DHCP using the Command Line Interface. Configuring DHCP can be a
complex process; this section is therefore intended for network managers. Please refer to Chapter 5 for a complete
list and explanation of the DHCP commands.
General Information
The router supports DHCP and acts as the DHCP server. DHCP is a service that allocates IP addresses
automatically
address.
to any DHCP client (any device attached to your network such as your PC) requesting an IP
DHCP is used to acquire IP addresses and
practical level, acquiring these initialization parameters with DHCP translat es into avoiding the more involved
router/PC manual initialization process (reconfiguration of router and/or PC addresses to be in the same network).
To configure DHCP for a network, the network administrator defines a range of valid IP addresses to be used in
the subnetwork as well as options and other parameters. Once DHCP is configured for the network, each DHCP
client (your PC, for example) can easily request an IP address from the pool of valid IP addresses. The DHCP
client will learn part or all of the network parameters automatically. IP addresses and options assig ned to a client
are collectively called the “lease”. The lease is only valid for a certain period of time and is automatically renewed
by the client. Note that the
some common options.
Before becoming active, the router’s DHCP server attempts to locate other active DHCP servers on the network
such as Windows NT servers. If one is detected, the router’s DHCP server disables itself.
DHCP administration and configuration is divided into the following parts:
•Manipulating subnetworks and explicit client leases
•Setting option values
•BootP
•Defining option types
•Configuring BootP/DHCP relays
•Other information
Note 1:
The TCP/IP stack has to be installed on the PCs for DHCP to work.
Quick Start
options
(such as the subnet mask, DNS, gateway) automatically. On the
configurator does a basic configuration of the DHCP server by asking for
Note 2:
Note 3:
72Chapter 4. Configuring Special Features
In Windows, DHCP is enabled by selecting it on your PC (under
TCP/IP
To save the DHCP configuration or changes to FLASH memory in the router, make sure to use the
command
in the
dhcp save
Configuration
.
tab page).
Settings, Control Panel, Network,
and
Page 73
Manipulating Subnetworks and Explicit Client Leases
Enabling/Disabling a subnetwork or a Client Lease
To enable/disable a subnetwork or a client lease, use the commands:
net
net
> <
> <
ipaddr
ipaddr
>
>
dhcp enable
dhcp disable
Example:
To enable the subnetwork 192.168.254.0 if that subnetwork exists, type:
dhcp enable 192.168.254.0
To enable the client lease 192.168.254.17 if that client lease exists, enter:
dhcp enable 192.168.254.17
To disable the client lease 192.168.254.18 if that client lease exists, type:
dhcp disable 192.168.254.18
To check the results of these commands, use:
dhcp list
If the client lease does not exist, it must be explicitly created.
all
all
| <
| <
Adding Subnetworks and Client Leases
Adding a Subnetwork
!!!!
The following commands are used to add/delete subnetworks. Only
addresses may be defined for a subnet.
To add a subnetwork, use:
net
net
> <
>
mask
>
dhcp add <
To remove a subnetwork, use:
dhcp del <
Note:
All client leases associated with this subnetwork are automatically deleted.
Example 1:
The following command will create a subnetwork 192.168.254.0 with a subnet mask of 255.255.255.0:
dhcp add 192.168.254.0 255.255.255.0
Example 2:
The following command will delete the subnetwork 192.168.254.0
associated with that subnetwork:
dhcp del 192.168.254.0
one
subnetwork with
and
will delete
one
all
client leases
pool of IP
Chapter 4. Configuring Special Features73
Page 74
Adding Explicit or Dynamic Client Leases
!!!!
Client leases may either be created dynamically or explicitly. Usually client leases are created
dynamically when PCs boot and ask for IP addresses.
Explicit client leases
To add an explicit client lease, a subnetwork
subnetwork) before the client lease may be added. Use the command:
dhcp add <
To remove a client lease, use:
dhcp del <
Note:
of IP addresses.
Example 1:
To explicitly add the client lease 192.168.254.31, type:
dhcp add 192.168.254.31
Example 2:
To delete the client lease 192.168.254.31, type:
d
hcp del 192.168.254.31
Dynamic Client Leases
Dynamic client leases are created from the pool of IP addresses associated with that subnetwork.
To set or change the pool, use:
dhcp set addresses <
To clear the values from the pool, use:
dhcp clear addresses <
Note:
ipaddr
>
ipaddr
>
An administrator
Any client leases that currently exist will not be affected.
may
create a client lease that is part of a subnet but
first ip addr
net
>
last ip addr
> <
must
already exist (use
>
dhcp add <
net
mask
> <
does not fall within the pool
>
to add the
To remove a client lease that was dynamically created, use:
dhcp del <
Caution:
ipaddr
If <
>
ipaddr
> is a subnet, you will delete the entire subnet.
Setting the L ease Time
Concepts
!!!!
The information given by the DHCP server (router) to your PC is leased for a specific amount of time.
The client lease has already been selected. The DHCP server will select the lease time based on the
option defined for the client lease as described by this algorithm:
1.If the client lease option is a specific number or is infinite, then the server uses the specified lease
time associated with this client lease.
2. If the client lease option is “default”, then the server goes up one level (to the subnetwork) and uses
the lease time explicitly specified for the subnetwork.
74Chapter 4. Configuring Special Features
Page 75
3.If the client
(global) and uses the lease time defined at the global level (server).
4.Lease time:
The minimum lease time is 1 hour.
The global default is 168 hours.
Commands
!!!!
The following commands are used by network administrators to control lease time.
To set the lease time explicitly for the client lease, use:
dhcp set lease <
To set the lease time explicitly for the subnetwork lease, use:
dhcp set lease <
To set the lease time explicitly for the global lease, use:
dhcp set lease <
Example 1:
To set the lease time to “default” for the client 192.168.254.17, type:
dhcp set lease 192.168.254.17 default
Example 2:
To set the subnetwork lease time to infinite for the subnet 192.168.254.0, type:
dhcp set lease 192.168.254.0 infinite
Example 3:
To set the global lease time to 2 hours, type:
dhcp set lease 2
and
subnetwork lease options are both “default”, then the server goes up one level
ipaddr
net
hours
> <
> <
hours
>
hours
>
>
Manually Changing Client Leases
Administrators will generally not need to change client leases manually. However, if the need arises to do so,
use the following two commands.
Warning
To change the client lease expiration time to a given value:
dhcp set expire <
Setting the expiration time to “default” will cause the server to compute the lease time using the algorithm as
described in Section C
To release the client lease so it becomes available for other assignments:
dhcp clear expire <
: The client will not be aware that the administrator has changed or released a client lease!
ipaddr
ipaddr
hours
> <
, Setting the lease time
>
>
.
Setting Option Values
Administrators will want to set the values for global options, for options specific to a subnetwork, or for options
specific to a client lease.
Note:
See RFC 2131/2132 for the description of various options.
Chapter 4. Configuring Special Features75
Page 76
Concepts
The server returns values for options explicitly requested in the client request. It selects the values to return
based on the following algorithm:
1.If the value is defined for the client, then the server will return the requested value for an option.
2.If the value for the option has not been set for the client, then the server returns the value option if it has
been defined for the subnetwork.
3.If the value option does not exist for the client
returns the value option if it has been defined globally.
4.If the value option is not defined anywhere, the server will
to the client request.
Important:
•
•
•
•
When the server replies to a client:
It does not
It does not
It does not
has a value defined for t hat option .
It does not
option.
return any option values
support the definition of a “class” of clients.
return any non-default option values
return any non-default values on the clients subnet
not
requested by the client.
and
Commands for Global Option Values
To set the value for a global option, use:
dhcp set valueoption <
The code can be a number between 1 and 61 or a keyword.
To see the list of predefined and user-defined options, use:
dhcp list definedoptions
code
> <
value
>...
does not exist for the subnetwork, then the server
not
return any value for that option in its reply
unless
the client requests the option value
unless
the client requests the value for that
and
the server
To clear the value for a global option, use:
dhcp clear valueoption <
Example:
To set the global value for the domain name server option, enter:
dhcp set valueoption domainnameserver 192.168.254.2 192.168.254.3
code
>
Commands for Specific Option Values for a Subnetwork
To set the value for an option associated with a subnetwork, use:
net
dhcp set valueoption <
To clear the value for an option associated with a subnetwork, use:
dhcp clear valueoption <
Examples:
dhcp set valueoption 192.168.254.0 gateway 192.168.254.254
dhcp set valueoption 6 192.84.210.75 192.84.210.68
76Chapter 4. Configuring Special Features
> <
net
code
> <
> <
code
value
>
>...
Page 77
Commands for Specific Option Values for a Client Lease
To set the value for an option associated with a specific client, use:
dhcp set valueoption
To clear the value for an option associated with a specific client, use:
dhcp clear valueoption <
Example:
dhcp set valueoption 192.168.254.251 winserver 192.168.254.7
<ipaddr
ipaddr
> <
code
> <
> <
code
value
>
>...
Commands for Listing and Checking Option Values
To list the values for global options as well as subnet and client lease information, use:
dhcp list
To list options that are set for that subnet/client lease as well as subnet/client lease information, use:
net
dhcp list
This command lists all available options (predefined and user-defined options):
dhcp list definedoptions
This command lists all available options starting with the string “name”.
dhcp list definedoptions name
To list the lease time use:
dhcp list lease
<
>|<
ipaddr
>
Example:
This command lists the subnet 192.168.254.0 including any options set specifically for that subnet:
dhcp list 192.168.254.0
BootP
Administrators may wish to specify that certain client leases
About BootP and DHCP
BootP and DHCP provide services that are very similar. However, as an older service, BootP offers only a
subset of the services provided by DHCP.
The main difference between BootP and DHCP is that the client lease expiration for a BootP client is always
infinite
.
Caution:
By default, the DHCP server will
BootP (at the subnetwork or lease level).
Remember that when BootP is enabled, the client assumes that the lease is infinite.
not
satisfy BootP requests unless the adm inistrator has explicitly enabled
and
certain subnetworks can satisfy BootP re quests.
Chapter 4. Configuring Special Features77
Page 78
Enable/Disable BootP
To allow BootP request processing for a particular client/subnet, use the command:
net
dhcp bootp allow <
>|<
ipaddr
>
To disallow BootP request processing for a particular client/subnet, type:
net
dhcp bootp disallow
<
>|<
ipaddr
>
Use BootP to Speci fy the Boot Server
The following commands let the administrator specify the TFTP server (boot server) and boot file name. The
administrator will first configure the IP address of the TFTP serv er and file name (kern el) fr om which to bo ot.
This is particularly useful if the kernel in the router’s flash is corrupt or does not exist.
To set the IP address of the server and the file to boot from, use the commands:
net
dhcp bootp tftpserver [<
dhcp bootp file [<
net
>|<
>|<
ipaddr
ipaddr
>] <
To clear the IP address of the server and the file to boot from, use:
dhcp bootp tftpserver
[<net>|<
ipaddr
Example 1:
To set the global BootP server IP address to 192.168.254.7:
dhcp bootp tftpserver 192.168.254.7
Example 2:
tftpserver ipaddr
>] <
file name
>] 0.0.0.0
>
>
To set the subnet 192.168.254.0 server IP address to 192.168.254.8:
dhcp bootp tftpserver 192.168.254.0 192.168.254.8
Example 3:
To set the client 192.168.254.21 server IP address to 192.168.254.9
To set the subnet 192.168.254.0 boot file to “kernel.100”:
dhcp bootp file 192.168.254.0 kernel.100
Example 5:
To clear the global BootP server IP address and file name:
dhcp bootp tftpserver 0.0.0.0
Example 6:
To clear the subnet 192.168.254.0 server IP address and file name:
dhcp bootp tftpserver 192.168.254.0 0.0.0.0
78Chapter 4. Configuring Special Features
Page 79
Defining Option Types
Concepts
A DHCP option is a code, length, or value. An option also has a “type” (byte, word, long, longint, binary, IP
address, string).
The subnet mask, router gateway, domain name, domain name servers, NetBios name servers are all DHCP
options. Refer to RFC 1533 if you require more information.
Usually users will
1533 can be shown by typing
not
need to define their own option types. The list of predefined option types based on RFC
dhcp list definedoptions.
Commands
The following commands are available for adding/deleting option types:
dhcp add
To list option types that are currently defined, use:
dhcp list definedoptions...
To list the definitions for all known options, use:
dhcp list definedoptions
To get help information, use:
dhcp list definedoptions?
To list the definition for option 1, if option 1 is defined, type:|
dhcp list definedoptions 1
To list the definition for all options that are well-known AND have a name starting with “h”, type:
dhcp list definedoptions h
Example:
To define a new option with a code of 128, a minimum number of IP addresses of 1, a maximum number of
IP addresses of 4, of type “IP address”, type:
dhcp add 128 1 4 ipAddress
This information implies that:
code
<
> <
min
> <
max
> <
type
>
•Some DHCP client will know about the option with code 128.
•Option 128 allows IP addresses.
•The server can have a minimum of 1 IP address.
•The server can have up to 4 IP addresses.
•The administrator will still need to set the option value either globally, specific to a subnetwork, or
specific to a client for the option to have any meaning.
To delete the definition of the option with code 128, type:
dhcp del 128
Chapter 4. Configuring Special Features79
Page 80
cannot
not
be
The values for this option that have been set globally, specific to a subnetwork, or specific to a client will
be removed. The administrator must remove those values explicitly. Well-known type option codes
changed or deleted.
Configuring BootP/DHCP Relays
BootP/DHCP Relays are used by system administrators when the DHCP configuration parameters are acquired
from a BootP/DHCP server other than the router’s DHCP server.
This feature allows configuration information to be centrally controlled. Enabling a BootP/DHCP Relay disables
DHCP on the router since (by definition) only one policy mechanism can be supported.
BootP/DHCP Relays are enabled and disabled using the command:
system bootpserver
Other Information
DHCP information is kept in the file DHCP.DAT, a self-contained file.
This file contains
•the option definitions
•the subnetworks that have been added
•the client lease information
•the option values that have been set
This file can be uploaded/downloaded from one router to another.
all
DHCP information including:
Network Address Translation (NAT)
The router supports classic NAT (one NAT IP address assigned to one PC IP address) and a NAT technique
known as masquerading (one single NAT IP address assigned to many PC IP addresses).
General NAT Rules
1.IP routi ng must be enabled.
2.NAT can be run on a per-remote-router basis.
3.Any number of PCs on the LAN may be going to the same or different remote routers at the same time. In
reality, the number of PCs on the LAN that can be supported is limited by how much memory the router
consumes maintaining table information
and
by how many connections are currently active.
4.Some operations will
not work
changed. Remember that the router is remapping both IP addresses and ports.
80Chapter 4. Configuring Special Features
until the router examines their packets and figures out what information in the data needs to be
not
work. Specifically, services that place IP address/port information in the data
may
Page 81
5.When using NAT with a remote router, either the remote ISP
or the user
6.Any number of PCs on the LAN may have a connection to the same or different remote routers at the same
time. In reality, the number of PCs on the LAN that can be supported is limited by the amount of memory
consumed by the router to maintain table information
are currently active. Theoretically, up to 64,000 active connections per protocol type—TCP/UDP—can be
concurrently running, if the table space is available.
must
configure the IP address for NAT translation locally.
and
must
supply the IP address for NAT translation
by the number of connections the router “thinks”
Masquerading
With masquerading, multiple local (PC) IP addresses are mapped to a single global IP address. Many local ( PCs)
IP addresses are therefore hidden behind a single global IP address. The advantage of this type of NAT is that
users only need one global IP address, but the entire local LAN can still access the Internet. This NAT technique
requires not only remapping IP addresses but also TCP and UDP ports.
Each PC on the LAN side has an IP address and a mask. When the router connects to an ISP, the router appears to
be a “host” with one IP address and mask. The IP address that the router uses to communicate with the ISP is
obtained dynamically (with PPP/IPCP or DHCP) or is statically conf igur ed. When the PC connects to the ISP, the
IP address and port used by the PC are remapped to the IP address assigned to the router. This remapping is done
dynamically.
Client Configuration
Enable NAT
!!!!
To enable NAT, use the commands:
remote setIpTranslate on <
save
save
The
you are connected to this remote router.
Obtain an IP Address for NAT
!!!!
The IP address (the IP address “known” by the remote ISP) used for this type of NAT can be assigned in
two ways.
The ISP dynamically assigns the IP address. Use the commands:
remote setSrcIpAddr
save
The IP address is assigned locally. Use the commands:
remote setSrcIpAddr
save
Note:
command makes the above changes persistent across boots; these changes turn NAT on when
ww.xx.yy.zz
is the IP address that the user on the local LAN assigns.
remoteName
0.0.0.0 0.0.0.0 <
ww.xx.yy.zz
255.255.255.255 <
>
remoteName
>
remoteName
>
Chapter 4. Configuring Special Features81
Page 82
Server Configuration
This section is intended for users and network administrators who wish to allow WAN access to a Web
server, FTP server, SMTP server, etc., on their local LAN, while using NAT.
NAT needs a way to identify which local PC [local IP address(es)] should receive these server requests.
The servers can be configured on a
Remote Commands
!!!!
The following two commands are used to enable/disable a local IP address (on your LAN) as the server
for a particular protocol for the remote router
per-remote-router
<remoteName
basis as well as
globally.
>.
remote addServer
last port
[<
remote delServer
last port
[<
where
first port:
last port:
for the server on your LAN.
first private port:
first port
first port
last port
first port
first private port
the server on your local LAN will receive the request.
This command is used to view all of the remote entries, including the changes.
remote list <
>[<
>[<
this is the first or only port as seen by the remote end.
if specified, this is used with <
maps to
+ 1 maps to
maps to
through
remoteName
ipaddr
<
first private port
ipaddr
<
first private port
if specified, this is a port remapping of the incoming request from the remote end.
first private port
first private port
last port
through
> |discard|me <
>]] <
> |discard|me <
>]] <
.
first private port
+
are the ports as seen by the remote end.
first private port
>
protocolid
remoteName
protocolid
remoteName
first port
+ 1.
last port
-
last port
+
> tcp|udp <
>
> tcp|udp <
>
> to specify a range of ports as seen by the remote end
first port
first port
-
first port
first port
are the equivalent ports through which
> ftp|telnet|smtp|snmp|http
> ftp|telnet|smtp|snmp|http
Remember to type
Example 1:
Assume that the local LAN network is 192.168.1.0 255.255.255.0. The following commands are typed to
enable a Telnet server on the local LAN with the IP address 192.168.1.3, and an FTP server with the IP
address 192.168.1.2.
When the local router receives a request from
local router will send the request to 192.168.1.3. If
router will send the request to 192.168.1.2.
Example 2:
Assume that the local LAN network is 192.168.1.0 255.255.255.0. When the port value of 0 (zero) is
used, it directs all ports of the specified protocol to the IP address specified.
remote addServer 192.168.1.4 tcp 0 router1
82Chapter 4. Configuring Special Features
save
to make the changes persistent across boots.
router1
to communicate with the local Telnet server, the
router1
asks to talk to the local FTP server, the local
Page 83
Note: addserver
192.168.1 .4 will be ask ed to serve requests coming from
also has the same Telnet and FTP entries from the previous example, 192.168.1.3 will serve the Telnet
request, 192.168.1.2 will serve the FTP request, and 192.168.1.4 will serve any other request, including
HTTP, SMTP, etc.
Let us assume this command gets an error. If the remote end send s a se rver requ est to port 90 00, it can not
know to which server, 192.168.1.10 or 192.168.1.11, to send the request, if both entries exist.
Not enough memory was available to create an entry.
because the amount of memory needed for a server entry is less than 30 bytes. Should this problem
occur, it may cause many related problems or failures.
System Commands
!!!!
The following two commands are used to globally enable/disable a local IP add ress (o n yo ur LAN) as the
server for that particular protocol.
system addServer
last port
[<
>[<
Failed to add server
One or more of the ports would be visible to the remote end overlap. For example, you
ipaddr
<
first private port
> discard|me <
>]]
is printed if a server entry could not be created. This can occur
This condition should not ordinarily occur
protocolid
> tcp|udp <
first port
> ftp|telnet|smtp|snmp|http
system delServer
port
where
first port:
last port:
the server on your LAN.
Chapter 4. Configuring Special Features83
first private port
>[<
this is the first or only port as seen by the remote end.
if specified, it is used with <
ipaddr
<
> discard|me <
>]]
protocolid
first port
> tcp|udp <
> to specify a range of ports as seen by the remote end for
first port
> ftp|telnet|smtp|snmp|http [<
last
Page 84
first private port:
first port
first port
maps to
+ 1 maps to
if specified, this is a port remapping of the incoming request from the remote end.
first private port.
first private port
+ 1
last port
first port
first private port
your local LAN will receive the request.
Remember to type
Examples:
system addserver 192.168.1.5 tcp smtp
system addserver 192.168.1.6 tcp 0
system addserver 192.168.1.6 udp 0
The router sends a server request for SMTP to 192.168.1.5 when such a request comes from any remote
router running NAT. The router sends any other server request (tcp or udp) to 192.168.1.6.
Server Request Hierarchy
!!!!
When handling a request from a remote router (to which the local router has NAT enabled), the local
router selects a server based on the following priority algorithm:
maps to
through
first private port
last port
through
are the ports as seen by the remote end.
first private port
save
to make the changes persistent across boots.
last port
+
-
last port
+
first port
first port
-
are the equivalent ports the server on
remote addserver
1.
particular protocol/port.
system addserver
2.
port.
remote addserver
3.
that particular protocol (such as tcp/udp) and
system addserver
4.
protocol and
5.If an IP address is used for true NAT host remapping as well as for IP address/port translation, the IP
address of the local remapped host as the server is selected.
6.Router’s
IP address
— The local router selects a server for the remote router that handles that
— The local router selects a global server that handles that particular protocol/
port
any
with
with
port.
— The local router selects itself (the local router) as the server.
0 — The local router selects a server for the remote router that handles
any
port.
port
0 — The local router selects a global server that handles that particular
Classic NAT
With classic NAT, one PC IP address is translated to one NAT IP address. This NAT technique is primarily used
to make certain hosts on a private LAN globally visible and give them the ability to remap these IP addresses as
well.
84Chapter 4. Configuring Special Features
Page 85
Client Configuration
Classic NAT requires that you first enable NAT Masquerading (as describe d in th e prev ious section); thus,
for the Classic and Masquerading forms of NAT, the clients are configured in the same way. Refer to the
Client Configuration, page 81
Host Remapping
Remote Commands
!!!!
Use the following two commands to enable or disable host remapping on a per-remote basis:
remote addHostMapping <
remoteName
<
>
section.
first private addr
second private addr
> <
first publ i c addr
> <
>
remote delHostMapping <
remoteName
<
Use the command
addresses to different remotes.
System Commands
!!!!
Use these commands to enable or disable host remapping systemwide:
system addHostMapping
system delHostMapping <
Use the command
address on all remotes.
IP Address Range
!!!!
The range of local LAN IP addresses to be remapped is defined by <
private addr
The range of public IP address es i s defined by <
automatically (from <
inclusive.
>
remote addHostMapping
system addHostMapping
> inclusive. These addresses are mapped one-to-one to the public addresses.
first private addr
first private addr
<
first private addr
first public addr
> to <
second private addr> <first pub li c a ddr
> <
whenever a host on the local LAN is known by different IP
second private addr> <first public addr
> <
second private addr
> <
whenever a host on the local LAN is known by the same IP
first public addr
first pub li c a ddr
>
>
first public addr
> <
first private addr
> only. The rest of the range is computed
> + number of addresses r emapped - 1)
>
<second
> to
Chapter 4. Configuring Special Features85
Page 86
Multiple-Host Remapping Entries
!!!!
Users may enter as many host remapping entries as they wish.
192.168.207.40 through 192.168.207.49 are mapped to 10.0.20.11 through 10.0.20.20
192.168.207.93 through 192.168.207.99 are mapped to 10.0.20.4 through 10.0.20.10
192.168.209.71 through 192.168.209.80 are mapped to 10.12.14.16 through 10.12.14.25
Range Overlap Rules
!!!!
remote addHostMapping,
With
remote addHostMapping
With
system addHostMa pping
With
system addHostMa pping
With
private IP address ranges cannot overlap for a remote router.
, public IP address ranges cannot overlap for a remote router.
, private IP address ranges cannot overlap for a system.
, public IP address ranges cannot overlap for a system.
If a private IP address range for a remote router and a private IP address range for the system overlap, the
private IP address range for the remote has precedence.
If a public IP address range for a remote and the public IP address range for the system overlap, the
public IP address range for the remote has precedence.
Private IP addresses and public IP addresses can be the same
For example, to enable IP/port translation to a remote router and make the IP addresses 10.1.1.7 through
10.1.1.10 globally visible, it is permissible to use either one of the following commands:
If the remapped host’s IP address (classic NAT, one-to-one IP address translation) and the masquerading
IP address (many-to-one IP address translation) are the same, then NAT masquerading has precedence
over classic NAT.
.
86Chapter 4. Configuring Special Features
Page 87
Management Security
With the following security control features, the user can prevent the router from being remotely managed via
Telnet and/or SNMP. Disabling SNMP will stop the Configuration Manager from accessing the router, which in
some environments is desirable.
Disable Telnet and SNMP
To completely disable remote management, the following commands should be entered from the command line.
login admin
system telnetport disable
system snmpport disable
save
reboot
Restore Telnet and SNMP
To reestablish the Telnet and SNMP services, the default values should be restored with the commands:
system telnetport default
system snmpport default
Validation of Telnet and SNMP Clients
The following commands are used to validate Telnet, SNMP, or HTTP clients. They define a range of IP
addresses that are allowed to access the router via Telnet, SNMP, or HTTP. Only the IP addresses in the range
specified for Telnet, SNMP, or HTTP can access the router via Telnet, SNMP, or HTTP. This validation feature is
off
by default.
system addtelnetFilter <
system addSNMPFilter <
system addHTTPFilter <
where:
first ip addr
last ip addr
LANLocal Ethernet LAN
Example:
system addsnmpfilter 192.168.1.5 192.168.1.12
Multiple ranges can be specified for Telnet and SNMP clients. If no range is defined, then access to the router is
through the LAN or WAN.
Note 1:
These commands do
First IP address of the client range
Last IP address of the client range. May be omitted if the range contains only one IP address.
first ip addr
first ip addr
first ip ad dr
not
require a reboot and are effective immediately.
last ip addr
> [<
last ip addr
> [<
last ip addr
> [<
>] | LAN
>] | LAN
>] | LAN
Note 2:
Chapter 4. Configuring Special Features87
The following commands are used to delete client ranges previously defined by the
addtelnetFilter, system addSNMPFilter,
system addHTTPFilter
and
commands:
system
Page 88
system deltelnetFilter <
first ip addr
last ip addr
> [<
>] | LAN
Note 3:
system delSNMPFi l ter <
system delHTTPFilter <
To list the range of allowed clients, use the command
write permission (login with password).
first ip addr
first ip addr
last ip addr
> [<
last ip addr
> [<
>] | LAN
>] | LAN
system list
when you are logged in with read and
Restrict Remote Access
To allow management via SNMP or Telnet, while making it more difficult for non-authorized persons to access
the router, you may redefine the Telnet and SNMP ports to a non well-known value. When Network Address
Translation (NAT) is used, this port redefinition feature also allows you to continue using the standard Telnet and
SNMP ports with another device on the LAN (provided the appropriate NAT server ports commands are issued),
while simultaneously managing the router (with non-standard ports). The following commands show how this is
done.
Example:
login admin
system telnetport 4321
system snmpport 3214
Changing the SNMP Community Name
Changing the SNMP community name from its default value of “public” to another string may further enhance
SNMP security. This string then acts like a password, but this password is sent in the clear o ver th e WAN/LAN, in
accordance with the SNMP specification.
Use the following commands to change the SNMP community name.
login admin
system community
save
reboot
snmp community name
<
-- (e.g.,
>
system community fred)
Disable WAN Management
You may wish to allow management of the router on the local LAN, but not over the WAN. If the router has been
configured to use NAT, you can define two servers that
Telnet requests, and thus WAN management of the router cannot occur. The following commands show how this
could be done.
Example:
login admin
system addServer 192.168.254.128 udp snmp - (no computer at 192.168.254.128)
system addServer 192.168.254.128 tcp telnet
save
reboot
do not
exist on the LAN side to handle WAN SNMP and
88Chapter 4. Configuring Special Features
Page 89
System Log
system syslogport default|disabled|<port>
To manage the system log default when the port becomes disabled.
system addSyslogFilter <first ip address>[<last ip addr>]
When system log is filtered from the ip address: first or last.
system addSyslogFilter LAN
The Filter allows LAN access while using the filter.
Software Option Keys
This router has several optional software features that can be purchased as software option keys, when ordering
the router. These optional features are:
•DES encryption (for more information, refer to
•IP filters (for more information, refer to
•L2TP Tunneling (for more information, refer to
These options are usually ordered with the router.
To find out which software options are installed on your router, use the
vers
command follows:
Maximum users: unlimited
Options: SDSL, IP, ~IP FILTERING, IP TRANS, HOST MAPPING, DHCP, ~L2TP,
~ENCRYPT, BRIDGE, IPX
The features that are present in the firmware, but not are not enabled are preceded by a "~". These features can be
enabled a software key that can be purchased from your distributor.
To install a software options key that has been purchased separately, follow the instructions provided with that
key.
Encryption, page 89
IP Filtering, page 93
L2TP Tunneling — Virtual Dial-Up, page 96
)
)
)
vers
command. A sample output of the
Encryption
Note:
Encryption is a software option. The following section applies only for routers with this o pt ion.
For routers shipped with the following encryption options, two variants of encrypted data links over PPP have
been implemented:
•PPP DES (Data Encryption Standard) (RFC1969)
Chapter 4. Configuring Special Features89
Page 90
•Diffie-Hellman
Encryption requires PPP.
Caution:
Canada.
PPP DES and Diffie-Hellman encryption options may not be exported outside the United States or
PPP DES (RFC 1969) Encryption
PPP DES (Data Encryption Standard) implementation uses a 56-bit key with fixed
are specified in each router. With RFC 1969 , users mu st man age th e key s. This implementation has been tested for
interoperability with other PPP DES vendors such as IBM and Network Express (part of Cabletron).
transmit
Configuration Notes
Simply add the encryption commands to your standard configuration. For PPP DES, the encryption
commands are:
•PPP DES can only be configured using the Command Line Interface (CLI).
•The choice of keys should be carefully considered: they must have eight hexadecimal digits, and values
that are considered cryptographically weak should be avoided. Consult a security expert for advice.
•Use the console port or a Telnet port (use the
If you see “Unknown protocol” errors, the router
and
receive
keys that
•Different keys may be used with different remote destinations.
•For maximum security, as shown in the following configuration examples, Telnet and SNMP access
should be disabled, and PPP CHAP authentication should be used by both ends.
Sample Configuration
Refer to the section
(the remote router) are configured in the same manner as shown in Chapter 3, but the following encryption
commands are added. Don’t forget to save the configuration and reboot the router (
commands).
Remember that the
SOHO is the
Use this sample configuration with the additional encryption commands as a guideline to confi gur e your o wn
routers.
With Diffie-Hellman encryption, each router has an encryption file that is associated with a public key providing
768-bit security. The predefined keys can be replaced by the user. The key files have a suffix of “num” by
convention (e.g., dh96.num).
Configuration Notes
Simply add the encryption command to your standard configuration. For Diffie-Hellman, the encryption
command is:
remote setEncryption
Observe the following guidelines:
•DESE_1_KEY specifies that the same key is used in both directions, whereas DESE_2_KEY specifies
that the keys are different. Having the same keys in both directions can significantly reduce time needed
to compute the DES keys from the Diffie-Hellman exchange.
•routers’
•Different keys and key files may be used with different remote destinations.
•For maximum security, as shown in these examples, Telnet and SNMP access should be disabled, and
PPP CHAP should be used. Use the console port to view error messages and progress.
receive
DESE_1_KEY|DESE_2_KEY [
key and
sender
Tx key don't match.
<fileName>]| <remoteName
>
Sample Configuration
The sample configuration is the same as the one provided in the preceding PPP DES encryption example, but
the Diffie-Hellman encryption comman d is us ed in stead of the PPP DES encryption commands.
Sample:
login admin
remote setEncryption DESE_1_KEY dh96.num SOHO
save
reboot
File Format for the Diffie-Hellman Number File
The file consists of 192 bytes, in binary format. There are two 96-byte numbers stored, with the most
significant byte in the first position. For example, the number 0x12345678 would appear as
000000...0012345678.
The first 96 bytes form the modulus. In the equation
and Hellman, the modulus should be prime, and
The second 96 bytes form the generator, or g in the above equation. The generator should be a primitive root
mod n.
The remaining pieces of the encryption key (x and y) are randomly generated at connection time and will
change every time the device connects.
Contact an encryption expert to obtain cryptographically sound generator and mod ulus pairs if you wish to
change the default values.
92Chapter 4. Configuring Special Features
x' = g^x mod n, n
(n-1)/2
should also be prime.
is the modulus. According to Diffie
Page 93
Default Modulus
!!!!
00000000: c9 b4 ed 33 ba 7f 00 9e - ce e0 83 5d a5 4c 19 25
00000010: e0 2d 99 44 e8 8d cd 16 - 02 0e 6c 26 6d 15 7c 95
00000020: 82 9a 8c 2b 19 d0 56 da - 9b 5b a9 cd cf fb 45 2b
00000030: c9 6a 3c 26 e5 b8 1a 25 - 07 b8 07 22 ed 15 8a 56
00000040: 8b f4 30 f2 28 fc 6b f1 - bf a4 3e 87 f0 be d6 1c
00000050: 33 92 b9 5e d1 b7 20 8c - 92 02 cb e5 26 45 02 1d
Default Generator
!!!!
00000000: 90 f0 09 78 cc 23 79 a8 - 6c 23 a8 65 e0 dc 0f 6d
00000010: fb a7 26 e8 63 0a 21 67 - 5a f8 0f 59 84 09 5c da
00000020: ef af af fc d2 5f 83 e2 - a7 27 05 34 17 94 1a 4f
00000030: b2 87 76 97 e7 48 43 db - 62 29 70 9e 7f eb 2c 6e
00000040: 5d 25 1d a1 65 f0 b4 e6 - 47 4d 25 23 0b 20 b9 93
00000050: 27 f0 56 12 5a 97 f6 c5 - 31 b6 19 fc 67 22 93 f5
IP Filtering
Note:
Filtering is a software option. The following section applies only for rout ers with this option.
IP Filtering is a type of firewall used to control network traffic. The process involves filtering packets received
from one interface and deciding whether to route them to another interface or discard them.
When it is filtering packets, the router examines information such as the source and destination address co nt ained
in the IP packet, the type of connection, etc., and then screens (filters) the packets based on this information;
packets are either allowed to be forwarded from one interface to another interface or simply discarded.
IP filtering requires IP routing to be enabled. This type of filtering offers great flexibility and control of IP filters,
but configuration of this feature requires using a series of commands that may appear complex to a casual user.
Filters and Interfaces
Filters are commands used to screen IP packets: packets are simply matched against a series of filters. The result
is that packets are either allowed to come through the interface/link or they are dropped. If no filter “matches” the
incoming packet, the packet is accepted by default.
Filters operate at the interface level. Each interface has a series of IP filters associated with it and is defined by
three types of filters: Input filters, Output filters, and Forward filters. A list of filters is created for each interface.
The following illustrates the filter process.
Chapter 4. Configuring Special Features93
Page 94
Input Phase
12
Input
Filter
Forward Phase
3
N
A
T
IP-ES
ICMP
Redirect
Forward
Filters
IP Routing
Table
Output Phase
45
N
Output
A
Filter
T
Forward filters on
the input interface
Routing
Table
Processing
Forward filters on
the output interface
In the following description of the Input, Forward, and Output phases, the reference numbers associated with
filtering steps match the numbers used in the above illustration.
Input Phase
When an IP packet comes in through an interface (i.e., the Input interface), the router tries to recognize the
packet. The router then examines the Input filters for this interface and, based on the first Input filter that
matches the IP packet, it decides how to handle the packet (forward or discard it).
If NAT translation is enabled for the Input interface, NAT translation is performed.
Forward Phase
At this stage, the router determines to which interface or link the packets will be sent out using its routing
table. It then applies the Forward filters based on the Input interface information. Next the router applies the
Forward filters based on the Output interface information.
Output Phase
If NAT translation is enabled for the Output interface, then NAT translation is performed. The router
examines the Output filters for this interface and, based on the first Output filter that matches the IP packet, it
decides how to handle the packet.
Configuring Filters with Network Address Translation Enabled
General NAT Information
Network Address Translation is an IP address con versi on feature that trans lates a PC’s local ( int ernal) addr ess
into a global (outside/Internet) IP address. NAT is needed when a PC (or several PCs) on a Local Area
Network wants to connect to the Internet or get to a remote network that uses global, registered addresses:
94Chapter 4. Configuring Special Features
Page 95
NAT swaps the local IP address with a global IP address: the IP address and port information that the PC uses
are remapped (changed) to the IP address that was assigned to the router and a new port number is assigned.
Note:
The preceding section,
Filters and Interfaces
, describes how NAT “behaves” for each filtering phase.
Filter Actions
For an IP packet to be forwarded successfully, a filter at each implementation point (Input, Forward, and Output)
must
accept the IP packet.
If no filter at a particular point matches the incoming IP packet, it is assumed that the packet is accepted.
Each IP filter can initiate one of the following three possible actions:
Accept
When the packet is accepted at a filter interface (Input, Forward, or Output), the router lets it proceed for
further processing.
Drop
With Drop, the packet is discarded.
Reject
With Reject, an ICMP REJECT (Internet Control Management Protocol) is sent to reject the packet.
IP Filter Commands
The following two commands are used respectively to define IP filters on the Ethernet interface and on the remote
interface. For extensive information on the syntax of these two commands, refer to the
IP filters of Input type are checked
LANs that use ICMP redirect to dynamically learn IP routes. IP filters of Input type are checked
packet is sent to the router itself as a host.
Example:
The following commands will stop
packet to the telnet port. Hence, the router will not see the packet, and the packet will not be forwarded.
remote ipfilter insert input drop -p tcp -dp 23 internet
save
before
the IP packet is redirected by ICMP. This could adversely affect local
before
any
attempt by a host coming from the remote internet from sending an IP
the IP
Chapter 4. Configuring Special Features95
Page 96
These commands will stop
the telnet port “through” the router to a different interface. The router itself could still receive the IP packet, hence
the remote host could Telnet to the router itself.
remote ipfilter insert forward drop -p tcp -dp 23 internet
save
any
attempt by a host coming from the remote internet from sending an IP packet to
L2TP Tunneling — Virtual Dial-Up
This section has four parts:
•The
•The
•
•The
Introduction
L2TP Concepts
Configuration
with the configuration of L2TP and PPP sessions.
Sample Configurations
client configuration example and a complete LNS and L2TP client configuration example.
describes preliminary configuration steps and verification steps and lists commands associated
section provides two examples with step-by-step instructions: a simple L2TP
Introduction
L2TP (Layer 2 Tunneling Protocol) is used to forward a PPP link from a remote site to a corporate site across the
Internet, thus creating virtual paths called tunnels. Because tunneling involves encapsulating data, packets can be
transported across networks using different protocols. The advantages for tunneling the PPP protocol are listed
below:
•Different network protocols such as NetBEUI, IPX, and Appletalk can be transported through the Internet
using a tunnel. The protocol packets are encapsulated and routed across the network through the Internet.
•Tunnels provide a way to reduce costs and complexity associated with remote dial-up networking by using a
local ISP: users connect to the remote site by dialing into their local ISP and letting the Internet ha ndle th e
long-distance connections, thus avoiding long-distance phone charges.
•Tunneling PPP allows compression of data through the entire tunnel, which translates into greater throughput.
•By allowing encryption over the PPP link, L2TP contributes to more secure networks over the Internet.
•Remote users can access the company network, even if there is a company firewall (provided, of course, that
tunnels can come through the firewall).
Note:
This feature can interoperate with any vendor that supports L2TP - Draft II.
L2TP Concepts
This section defines the major L2TP concepts such as LNS, L2TP client, LAC, and Dial user. These concepts are
illustrated with L2TP client examples. Also described are tunnels and sessions’ creations and destr ucti ons.
96Chapter 4. Configuring Special Features
Page 97
LNS, L2TP Client, LAC, and Dial User
An L2TP tunnel is created between an L2TP client and LNS. The L2TP client and LNS control the tunnel
using the L2TP protoco l.
Since routers are more often configured as L2TP clients or LNS than as LACs, this section, therefore,
emphasizes L2TP client- and LNS-related information.
LNS (L2TP Network Server)
!!!!
The LNS is the point where the call is actually managed and terminated (e.g., within a corporate
network).
L2TP Client
!!!!
With an L2TP client, the dial user and LAC are combined in the same hardware device. In this case, the
PPP session is between the LAC and the LNS.
As shown in the following illustration ( Figure 1), an L2TP client is used to tunnel a PPP session between
a small office (our router) and a corporate office through the Internet.
LAC (L2TP Access Concentrator)
!!!!
The LAC can be envisioned as the ph ys ical hard ware ( e.g., a ro uter) used for placing and receiving p hon e
calls.
Dial User
!!!!
A dial user is the remote system or router that is either placing the call to the LAC or receiving the call
from the LAC.
The dial user does not actually dial in to the LNS or receive a call from the LNS, since this is a virtual
connection.
The dial user is one end of a PPP session. The LNS is the other end of the PPP session.
L2TP Client Example
The tunnel uses UDP/IP traffic as the transport medium over IP. This implementation of L2TP as illustrated
below shows a tunnel from a remote user’s perspective.
Note:
There is one PPP session over ISDN and another PPP session over the tunnel.
Chapter 4. Configuring Special Features97
Page 98
Figure 1
Remote User
PPP session running over the tunnel
PC
L2TP Client:
Dial User+LAC
(ISDN router)
Physical LinkPhysical Link
IP traffic to the Internet
PPP session
ISDN line
LNS and L2TP Client Relationship
Logical Link
TUNNEL
INTERNET
DSL/ATM traffic
Company
LNS Router
Company
LAN/server
The LNS acts as the supervising system. The L2TP client acts both as the dial user and the LAC.
One end of the tunnel terminates at the L2TP client. The other end of the tunnel terminates at the LNS.
One end of the PPP session going through the tunnel terminates at the L2TP client acting as the dial user; the
other end terminates at the LNS.
Tunnels
Tunnels are virtual paths that exist between an L2TP client and LNS.
An LNS can communicate simultaneously with more than one L2TP client.
An L2TP client can communicate simultaneously with more than one LNS.
Some L2TP implementations including the one discussed in this section allow the
an L2TP client and LNS simultaneously, if so configured.
Caution:
Verify that the IP address of the other end of the tunnel is correctly routed through the right, local
interface/remote and will not appear to be routed through the tunnel. An attempt to route the tunnel endpoint
within itself will fail.
same
router to act as
both
98Chapter 4. Configuring Special Features
Page 99
Sessions
Sessions can be thought of as switched virtual circuit “calls” carried within a tunnel and can only exist within
tunnels. One session carries one “call”. This “call” is one PPP session. Multiple sessions can exist wit hin a
tunnel. The following briefly discusses how sessions are created and destroyed.
Session creation
!!!!
Traffic destined to a remote entry (located at the end of the tunnel) will initiate a tunnel session. When
the L2TP client wishes to establish a session to an LNS, the L2TP client assumes the role of a LAC and
sends control packets containing incoming call information to the LNS over the tunnel.
Session destruction
!!!!
A tunnel session will automatically time out after the data session stops. W hen instructed to destroy a
session, the L2TP client closes any PPP session associated with that session. The L2TP client may also
send control messages to the LNS indicating that the L2TP client wishes to end the PPP session.
When the LNS wants to hang up the call, it sends control messages destroying the session.
Configuration
Preliminary Steps to Configure a Tunnel
The following logical steps should be considered before configuring a tunnel:
1.Decide if the router will act as an L2TP Client or LNS.
2.Decide if one side or both sides of the connection can initiate a tunnel.
3. Create the L2TP Tunnel Entry with these characteristics:
•An L2TP client host name
•An LNS host name
•A Tunnel CHAP secret (both sides of the connection must use the same secret)
•The IP address of the other party must be provided to the initiating side of the tunnel
•Type of flow control (pacing, sequence numbers or not)
4.Create a remote entry for the PPP session. Associate the remote entry with the Tunnel.
Verification Steps
1.Verify that the IP address of the other end of the tunnel is correctly routed through the right, local
interface/remote and will not appear to be routed through the tunnel. An attempt to route the tunnel
endpoint within itself will fail.
2.Try to establish IP connectivity (using the
Chapter 4. Configuring Special Features99
ping
or
tracert
commands).
Page 100
a.“Pin ging” from the L2TP client or LNS to the opposite tunnel endpoint will succeed (this tests the
tunnel pat h).
b.“Pinging” from a tunnel endpoint IP address to an IP address within the tunnel will probably fail due
to the existence of the IP firewall.
Configuration Commands
There are two categories of L2TP commands which are respectively associated with:
•Tunnels and the L2TP protocol
•The PPP session
Commands associated with tunnels and the L2TP Protocol
!!!!
These commands are used to configure L2TP tunnels. For additional information on the syntax of the
commands listed below, please refer to the L2TP commands section in the Command Line Interface
Reference chapter.
L2TP tunnel entry:
l2tp add
The remote tunnel host name:
l2tp set remoteName
TunnelName
<
>
<name> <TunnelName>
The local tunnel host name:
l2tp set ourTunnelName
<name> <TunnelName>
CHAP Secret:
l2tp set CHAPSecret
<secret> <TunnelName>
Tunnel Authentication:
l2tp set authen on|off
<TunnelName>
Type of L2TP support for tunnel:
A tunnel entry can be configured to act as a LAC, an LNS, both a LAC and LNS, or disabled.
l2tp set type all|lns|l2tpclient|disabled
<TunnelName>
Remote tunnel IP address:
l2tp set address
Note:
Verify that the IP address of the other end of the tunnel is correctly routed. It should not be routed
through the tunnel itself, but over a physical link.
<ipaddr> <TunnelName>
Our PPP system name and secret/password:
The following commands specify the router’s name and password/secret for authentication purposes on a
per-tunnel basis.
l2tp set ourSysName
l2tp set ourPassword
100Chapter 4. Configuring Special Features
<name> <TunnelName>
<password> <TunnelName>
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.