Alcatel-Lucent SPEDDTOUCH DSL ROUTERS User Manual
Alcatel™ DSL Router Family
Command Line Interface Guide
P/N 3EC 16963 AAAA-TCZZA
October 1999
Copyright
Alcatel provides this publication “as is” without warranty of any kind, either expressed or implied, including, but
not limited to, the implied warranties of merchantability or fitness for a particul ar purpos e.
All rights reserved. No part of this book may be reproduced in any form or by any means without written
permission from Alcatel .
Changes are periodically made to the information in this book. They will be incorporated in subs equent editions.
Alcatel may make improvements and/or changes in the product described in this publication at any time.
© Copyright 1996-1999 Alcatel
Trademarks
Alcatel is a trademark of Alcatel.
All other trademarks and registered trademarks mentioned in this manual are the sole property of their respective
companies.
2 Alcatel™ DSL Router Family Command Line Interface
Preface
About This Guide
Command Line Interface
The
for the family of DSL routers. It provides the steps and information needed to configure the router software and
troubleshoot problems using the Command Line Interface. Configuration of network connections, bridging,
routing, and security features are essentially the same for all DSL routers, unless otherwise noted. The guide also
provides detailed information about the system’s bridging, routing, addressing, and security oper ations.
This guide is intended for small and home office users, remote office users, and other networking professionals
who are installing and maintaining bridged and routed networks.
How This Guide is Organized
This guide is intended to help you configure and manage the router using the Command Line Interface. The guide
assumes that you have read the information about the router and installed the hardware using the
Start Guide
. The guide is divided into eight parts:
guide contains information on the syntax and use of the Command Line Interface
Internet Quick
Introduction.
Advanced Topics.
operations, PAP/CHAP security negotiation, bandwidth management, protocol conformance, and the file system.
Planning for Router Configurat ion.
Interface including worksheets for collecting required information.
Configuring Router Software.
Configuring Special Features.
NAT, Management Security, Software Options Keys, Encryption, IP Filtering, and L2TP Tunneling.
Command Line Interface Reference.
is entered.
Managing the Router.
how to upgrade the system software, boot code, backup and restore configuration files, FLASH memory recovery
procedures, and batch file command execution.
Troubleshooting.
Describes the features of the Command Line Interface.
Contains additional information on topics such as interoperability, routing and bridging
Provides information unique to configuration using the Command Line
Describes how to configure the router using the Command Line Interface.
Describes how to configure features such as Bridging Filtering, RI P, DH CP,
Describes the syntax of each command and the results when the comman d
Describes SNMP management capabilities, TFTP client and s erver , TE LNET s upport and
Describes diagnostic tools used for identifying and correcting hardware and software problems.
References
User Guide.
installation and software configuration using the Windows-based Configuration Manager.
Quick Start Guide.
Contains an overview of the router’s software and hardware features and details on hardware
Describes the configuration process involved in setting up a specific router model.
Typographic Conventions
The following conventions are used in this guide:
Item Type Face Examples
Book titles, command
reference parameters,
reference to a specific
section/chapter in this
guide, emphasis in text.
Keywords in command
reference instructions
Examples showing you what
to type and what is
displayed on the terminal.
Italics Refer to Chapter 1.
Features
system name <
Bold
Mono-spaced font
save
remote listIpRoute hq
Advanced
name>
File names Upper case Copy file CFGMGR.EXE
4 Preface
Table of Contents
Preface 3
About This Guide 3
How This Guide is Organized 3
References 4
Typographic Conventions 4
Table of Contents 5
Introduction 9
Chapter 1. Advanced Topics 11
Interoperability 11
Routing 11
Bridging 12
Bridging and Routing Operation 12
Bridging and Routing Configuration Settings 13
Point-To-Point Pr otocol (PPP ) 14
PAP/CHAP Security Authentication 14
General Security Authentication 15
Security Configuration Settings 16
Authentication Process 16
Protocol Conformance 17
Protocol Standards 17
IP Routing 17
IPX Routing 17
Encapsulation Options 17
PPP 18
PPPLLC 18
RFC 1483 or RFC 1490 18
MAC Encapsulated Routing: RFC 1483MER (ATM) or RFC 1490MER (Frame Relay) 19
FRF8 19
rawIP 19
System Files 20
Bridge Filtering 20
Unique System Passwords 22
Chapter 2. Planning for Router Configuration 23
Important Terminology 23
Essential Configuration Information 24
PPP Link Protocol (over AT M or Frame Relay) 25
RFC 1483/RFC 1490 Link Protocols 30
MAC Encapsulated Routing: RFC 1483MER/RFC 1490MER Link Protocols 35
FRF8 Link Protocol 37
Dual-Ethernet Router Configuration 39
Chapter 3. Configuring Router Software 40
Configuration Tables 41
Configuring PPP with IP Routing 42
Configuring PPP with IPX Routing 43
Configuring PPP with Bridging 44
Configuring RFC 1483 / RFC 1490 with IP Routing 45
Configuring RFC 1483 / RFC 1490 with IPX Routing 46
Configuring RFC 1483 / RFC 1490 with Bridging 47
Table of Contents 5
Configuring MAC Encapsulated Routing: RFC 1483MER / RFC 1490MER with IP Routing 48
Configuring FRF8 with IP Rout ing 49
Configuring Mixed Network Protocols 50
Configuring a Dual-Ethernet Router for IP Routing 51
Verify the Router Configuration 52
Test IP Routing 52
Test Bridging to a Remote Destination 52
Test IPX Routing 53
Sample Configurations 54
Sample Configuration 1: PPP with IP and IPX 54
Sample Confi guration 2: RFC 1483 with IP and Bridging 62
Sample Configuration 3: Configuring a Dual-Ethernet Router for IP Routing 68
Chapter 4. Configuring Special Features 69
Bridge Filtering and IP Firewall 69
General Information 69
Configure Bridge Filtering 69
Enable/Disable Internet Firewall Filtering 70
IP (RIP) Protocol Controls 71
Dynamic Host Configuration Protocol (DHCP) 72
General Information 72
Manipulating Subnetwor ks and Explici t Clien t Leases 73
Setting Option Values 75
BootP 77
Defining Option Types 79
Configuring BootP/DHCP Relays 80
Other Information 80
Network Address Translation (NAT) 80
General NAT Rules 80
Masquerading 81
Classic NAT 84
Client Configuration 85
Management Security 87
Disable Telnet and SNMP 87
Restore Telnet and SNMP 87
Validation of Telnet and SNMP Clients 87
Restrict Remote Access 88
Changing the SNMP Community Name 88
Disable WAN Management 88
System Log 89
Software Option Ke ys 89
Encryption 89
PPP DES (RFC 1969) Encryption 90
Diffie-Hellman Encryption 92
IP Filtering 93
Filters and Interfaces 93
Configuring Filters with Network Address Translation Enabled 94
Filter Actions 95
IP Filter Commands 95
Special Notes 95
L2TP Tunneling — Virtual Dial-Up 96
Introduction 96
L2TP Concepts 96
Configuration 99
6 Table of Contents
Sample Configurations 101
Chapter 5. Command Line Interface Reference 109
Command Line Interface Conventions 109
Command Input 109
Command Output 109
Command Or ganization 109
? or HELP 110
System-Level Commands 111
Frame Statistics 113
Router Configuration Com mands 120
Target Router System Configuration Commands (SYSTEM) 121
Target Router Ethernet LAN Bridging and Routing (ETH) 134
Remote Router Access Configuration (REMOTE) 143
Asymmetric Digital Subscriber Line Commands (ADSL) 166
Asynchronous Transfer Mode Commands (ATM) 168
DMT Command 171
Dual-Ethernet Router Commands (ETH) 172
High-Speed Digital Subscriber Line Commands (HDSL) 176
ISDN Digital Subscriber Line (IDSL) 179
Symmetric Digital Subscriber Line Commands (SDSL) 181
Dynamic Host Configuration Protocol Commands (DHCP) 185
L2TP — Virtual Dial-Up Configu ration (L2TP) 196
Bridge Filtering Commands (FILTER BR) 204
Save Configuration Commands (SAVE) 206
Erase Configuration Commands (ERASE) 208
File System Commands 210
Chapter 6. Managing the Router 215
Simple Network Management Protocol (SNMP) 215
Telnet Remote Access 216
Client TFTP Facility 216
TFTP Server 216
BootP Server 217
Boot Code 217
Manual Boot Menu 217
Identifying Fatal Boot Failures 221
Software Kernel Upgrades 221
Booting an d Upgrading from the LAN 221
Upgrading from the WAN Line 223
Backup and Restore Configuration Files 224
Backup Configuration Files (Recommended Procedure) 224
Restore Configuration Files 224
FLASH Memory Recovery Procedures 225
Recovering Kernels for Routers with Configuration Switches 225
Recovering Kernels for Routers with a Reset Button 226
Recovering Passwords and IP Addresses 227
Routers with Configuration Switches 227
Routers with a Reset Button 2 28
Batch File Command Execution 228
Chapter 7. Troubleshooting 231
Diagnostic Tools 231
Using LEDs 231
Table of Contents 7
History Log 232
Ping Command 233
Investigating Hardware Installation Problems 234
Check the LEDs to Solve Common Hardware Problems 234
Problems with the Terminal Window Display 234
Problems with the Factory Configuration 234
Investigating Software Configuration Problems 235
Problems Connecting to the Router 235
Problems with the Login Password 235
Problems Accessing the Remote Network 236
Problems Accessing the Router via Telnet 238
Problems Downloading Software 238
System Messages 238
Time-Stamped Messages 239
History Log 241
How to Obtain Technical Support 241
Appendix A. Network Information Worksheets 243
Configuring PPP with IP Routing 244
Configuring PPP with IPX Routing 245
Configuring PPP with Bridging 246
Configuring RFC 1483 / RFC 1490 with IP Routing 247
Configuring RFC 1483 / RFC 1490 with IPX Routing 248
Configuring RFC 1483 / RFC 1490 with Bridging 249
Configuring RFC 1483MER / RFC 1490MER with IP Routing 250
Configuring FRF8 with IP Rout ing 251
Configuring a Dual-Ethernet Router for IP Routing 252
Appendix B. Configuring IPX Routing 253
IPX Routing Concepts 253
Configure IPX Routing 253
Step 1: Collect Your Network Information for the Target (Local) Router 254
Step 2: Review your Settings 255
Appendix C. Access the
Command Line Interface 257
Connect the PC to the Console Port of the Router 257
Access the Command Line Interface 257
Terminal Window under Configuration Manager 257
Terminal Session under Windows (HyperTerminal) 258
Terminal Session for a Non-Windows Platform (Macintosh or UNIX) 258
Telnet Session 258
Index 259
8 Table of Contents
Introduction
This guide provides steps and information needed to con figur e the DSL or Dual-Ethernet router software using the
Command Line Interface
The Command Line Interface covers the following basic configuration topics:
• Set names, passwords, PVC numbers, and link and network parameters
• Configure specific details within a protocol, such as IP or IPX addresses and IP protocol controls
• Activate bridging and routing protocols
• Enable the Internet firewall filter with IP routing
The Command Line Interface also provides the following advanced features:
• Manage the router’s file system
• Set bridging filters
• Configure the type of DSL technology specific to your router (e.g., ADSL, SDSL)
• Configure the Dual-Ethernet router
• Issue online status commands
1
.
• Monitor error messages
• Set RIP options
• Configure DHCP
• Configure NAT
• Configure Telnet/SNMP security
• Configure host mapping
• Configure IP multicast
• Create and execute script files
• Configure encryption
• Configure IP filtering
• Configure L2TP tunneling
• Enable software options keys
1. The Microsoft® Windows™-based
to-use, point-and-click GUI interface) provides another way to configure the router’s software. Please refer to
Access the Command Line Interface
Start as your primary configuration tool.
Configuration Manager or Quick Start
section in this guide if you intend to use Configuration Manager or Quick
program (featuring an easy-
10 Introduction
Chapter 1. Advanced Topics
This chapter provides information on advanced topics useful to network administrators.
Interoperability
The router uses industry-wide standards to ensure compatibility with routers and equipment from other vendors.
To interoperate, the router supports standard protocols on the physical level, data link level for frame type or
encapsulation method, and network level. For two systems to communicate directly, they must use the same
protocol at each level. Most protocols do not support negotiable options, except for PPP.
The physical protocol level includes hardware and electrical signaling characteristics. This support is provided by
the router Ethernet and modem hardware interfaces.
The data-link protocol level defines the transmission of data packets between two systems over the LAN or WAN
physical link.
The frame type or encapsulation method defines a way to run multiple network-level protocols over a single LAN
or WAN link. The router supports the following WAN encapsulations:
• PPP (VC multiplexing)
• PPP (LLC multiplexing)
• RFC 1483 (for ATM)
• RFC 1483 with MAC encapsulated routing (for ATM)
• FRF8 (for ATM)
• RFC 1490 (for Frame Relay)
• RFC 1490 with MAC encapsulated routing (for Frame Relay)
Routing
The network protocol provides a way to route user data from source to destination over different LAN and WAN
links. Routing relies on routing address tables to determine the best path for each packet to take.
The routing tables can be seeded; i.e., addresses for remote destinations are placed in the table along with path
details and the associated costs (path latency).
The routing tables are also built dynamically; i.e., the location of remote stations, hosts, and networks are updated
from broadcast packet information.
Routing helps to increase network capacity by localizing traffic on LAN segments. It also provides security by
isolating traffic on segmented LANs. Routing extends the reach of networks beyond the limits of each LAN
segment.
Numerous network protocols have evolved, and within each protocol are associated protocols for routing, error
handling, network management, etc. The following chart displays the networking and associated protocols
supported by the router.
Chapter 1. Advanced Topics 11
Network Protocol Associated Protocols Description
Internet Protocol
(IP)
Internet Packet
Exchange (IPX)
a Used only during a networ k boot
b IPX-RIP is a different protocol from IP-RIP and it includes time delays
Most of the router’s operation on each protocol level is transparent to the user. Some functions are influenced by
configuration parameters, and these are described in greater detail in the following sections.
Routing Information Protocol (RIP) Maintains a map of the network
Address-Resolution Protocol (ARP) Maps IP addresses to datalink
addresses
Reverse Address Resolution Protocol (RARP)
Internetwork Control Message Protocol
(ICMP)
Simple Network Management Protocol
(SNMP)
Routing Information Protocol (RIP)
Service Advertising Protocol (SAP) Distributes information about service
a
b
Maps data-link addresses to IP
addresses
Diagnostic and error reporting/
recovery
Network management
Maintains a map of the network
names and addresses
Bridging
Bridging connects two or more LANs so that all devices share the same logical LAN segment and network
number. The MAC layer header contains source and destination addresses used to transfer frames.
An address table is dynamically built and updated with the location of devices when the frames are received.
Transparent bridging allows locally connected devices to send frames to all devices as if they were local.
Bridging allows frames to be sent to all destinations regardless of the network protocols used. It allows protocols
that cannot be routed (such as NETBIOS) to be forwarded and allows optimizing internetwork capacity by
localizing traffic on LAN segments. A bridge extends the physical reach of networks beyond the limits of each
LAN segment. Bridging can increase network security with filtering.
The router bridging support includes the IEEE 802.1D standard for LAN-to-LAN bridging and the Spanning Tree
Protocol for interoperability with other vendors’ bridge/routers. Bridging is provided over PPP as well as adjacent
LAN ports. Most of the r outer’s bridging operation is t rans parent . S ome f unct ion s are influenced by configuration
parameters, which are described in greater detail in the following sections.
Bridging and Routing Operation
The router can operate as a bridge, a router, or as both (sometimes called a brouter).
12 Chapter 1. Advanced Topics
• The router will operate as a router for network protocols that are enabled for routing (IP or IPX).
• The router will operate as a bridge for protocols that are not supported for routing.
• Routing takes precedence over bridging; i.e., when routing is active, the router uses the packet’s protocol
address information to route the packet.
• If the protocol is not supported, the router will use the MAC address information to forward the packet.
Operation of the router is influenced by routing and bridging controls and filters set during router configuration as
well as automatic spoofing and filtering performed by the router. For example, general IP or IPX routing, and
routing or bridging from specific remote routers are controls set during the configuration process.
Spoofing and filtering, which minimize the number of packets that flow across the WAN, are performed
automatically by the router. For example, RIP routing packets and certain NetBEUI packets are spoofed even if
only bridg ing is enabled.
Bridging and Routing Configuration Settings
The router can be configured to perform general routing and bridging while allowing you to set specific controls.
One remote router is designated as the outbound default bridging destination. All outbound bridging traffic with
an unknown destination is sent to the default bridging destination. Bridging from specific remote routers can be
controlled by enabling or disabling bridging from individual remote routers.
Routing is performed to all remote routers entered into the remote router database. All routing can be enabled or
disabled with a system-wide control.
The following charts describe the operational characteristics of the router, based on configuration settings.
IP/IPX Routing On Bridging to/from Remote Router Off
Data packets carried IP (TCP, UDP), IPX
Operational
characteristics
Typical usage When only IP/IPX traffic is to be routed and all other traffic is to be
Basic IP, IPX connectivity
ignored. For IP, used for Internet access.
Note:
This is the most easily controlled configuration.
Chapter 1. Advanced Topics 13
IP/IPX Routing On Bridging to/from Remote Router On
Data packets carried IP/IPX routed; all other packets bridged.
Operational
characteristics
T ypical usage When only IP/IPX traffic is to be routed b ut some non-r outed proto col is
IP/IPX routing and allows other protocols, such as NetBEUI (that can’t
be routed) , to be bridged.
required. Used for client/server configurations.
IP/IPX Routing Off Bridging to/from Remote Router On
Data packets carried All packets bridged.
Operational
characteristics
Typical usage Peer-to-peer bridging and when the remote end supports only bridging.
Allows protocols, such as NetBEUI (that can’t be routed) to be bridged.
Point-To-Point Protocol (PPP)
PPP is an industry standard WAN protocol for transporting multi-protocol datagrams over point-to-point
connections. PPP defines a set of protocols, such as security and network protocols, that can be negotiated over
the connection. PPP includes the following protocols:
• Link Control Protocol (LCP) to negotiate PPP; i.e., establish, configure and test the datalink connection.
• Network Control Protocols (NCPs), such as:
TCP/IP routing Internet Protocol Control Protocol (IPCP)
IPX routing Control Protocol (IPXCP)
Bridge Control Protocol (BN CP)
• Security Protocols including PAP and CHAP
A more detailed description of the router’s implementation of some of these protocols appears the following
section. A list of PPP protocol conformance is included later in this section.
PAP/CHAP Security Authentication
Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) under PPP
are supported by the router. However, security authentication may or may not be needed depending on the
requirements of the remote end.
The nature of the connection in a DSL environment (traffic occurs on a dedicated line/virtual circuit) does not
require authentication unless that is specifically required by the remote end, the ISP, or the NSP. When
authentication is not required, security can be disabled with the command
remote disauthen
.
14 Chapter 1. Advanced Topics
General Security Authentication
Security authentication may be required by the remote end. The following information describes how
authentication occurs.
PAP provides verification of passwords between routers using a two-way handshake. One router (peer) sends the
system name and password to the other router. Then the other router (known as the authenticator) checks the
peer’s password against the configured remote router’s password and returns acknowledgment.
PAP Authentication
New York
System Name=New York
System Password=xyz
Remote Router Database
Remote=Chicago
Password=abc
1
...New York & xyz.......
2
.....Accepted/Rejected.......
Chicago
System Name=Chicago
System Password=abc
Remote Router Database
Remote=New York
Password=xyz
CHAP is more secure than PAP because unencrypted passwords are not sent across the network. CHAP uses a
three-way handshake. One router (known as the authenticator) challenges the other router (known as the peer) by
generating a random number and sending it along with the system name. The peer then applies a one-way hash
algorithm to the random number and returns this encrypted information along with the system name.
The authenticator then runs the same algorithm and compares the result with the expected value. This authentication method depends up on a password or secret known only to both ends.
CHAP Authentication
New York
CHALLENGE
...New York & random number.......
1
Chicago
Hashes random
number and
secret ‘abc’
System Name=New York
System Password=xyz
Remote Router Database
Remote=Chicago
Password=abc
Performs same
hash with number
and secret ‘abc’
and compares
results
.....Chicago & encrypted secret.......
.....Accepted/Rejected.......
2
3
System Name=Chicago
System Password=abc
Remote Router Database
Remote=New York
Password=xyz
Chapter 1. Advanced Topics 15
Security Configuration Settings
The router has one default system password used to access any remote router. This “system authentication
password” is utilized by remote sites to authenticate the local site. The router also allows you to assign a unique
“system override password” used only when you are connecting to a specific remote router for authentication by
that remote site. Each remote router entered in the remote router database has a password used when the remote
site attempts to gain access to the local router. This “remote authentication password” is utilized by the router to
authenticate the remote site.
Each remote router entered in the remote router database also has a minimum s ecurity level, k no wn as the “remote
authentication protocol,” that must be negotiated before the remote router gains access to the local router. In
addition, a system-wide control, “system authentication protocol,” is available for overriding the minimum
security level in the entire remote router database.
Authentication Process
The authentication process occurs regardless of whether a remote router connects to the local router or vice versa,
and even if the remote end does not request authentication. It is a
authenticate the other using the protocol of its choice (provided the other end supports it).
During link negotiation (LCP), each side of the link negotiates which protocol to use for authentication during the
connection. If both the system and the remote router have PAP authentication, then they negotiate PAP
authentication.
bi-directional process
, where each end can
Otherwise, the router
the remote end does not accept either PAP or CHAP, the link is dropped; i.e., the router will not communicate
without a minimum security level. On the other hand, the router will accept any authentication scheme required by
the remote node, including no authentication at all.
During the authentication phase, each side of the link can request authentication using the method they negotiated
during LCP.
For CHAP, the router issues a CHAP challenge request to the remote side. The challenge includes the system
name and random number. The remote end, using a hash algorithm associated with CHAP, transforms the name
and number into a response value. When the remote end returns the challenge response, the router can validate the
response challenge value using the entry in the remote router database. If the response is invalid, the call is
disconnected. If the other end negotiated CHAP, the remote end can, similarly, request authentication from the
local router. The router uses its system name and password to respond to CHAP challenge.
For PAP, when a PAP login request is received from the remote end, the router checks the remote router PAP
security using the remote router database. If the remote router is not in the remote router database or the remote
router password is invalid, the call is disconnected. If the remote router and password are valid, the local router
acknowledges the PAP login request.
If PAP was negotiated by the remote end for the remote-side authentication, the router will issue PAP login
requests
router, or if the remote end returned a successful CHAP challenge response. For security reasons, the router will
never
If PAP was negotiated by the remote end for the local side of the authentication process and the minimum security
level is CHAP, as configured in the remote router database, the link will be dropped for a security violation.
only
if it knows the identity of the remote end. The identity is known if the call was initiated from th e
identify itself using PAP without first knowing the identity of the remote router.
always
requests CHAP authentication first; if CHAP is refused, PAP will be negotiated. If
16 Chapter 1. Advanced Topics
Protocol Conformance
Protocol Standards
The router conforms to RFCs designed to address performance, authentication, and multi-protocol encapsulation.
The following RFCs are supported:
• RFC 1058 Routing Informat ion Protocol (RIP)
• RFC 1144 Compressing TCP/IP headers (Van Jacobson)
• RFC 1220 Bridging Control Protocol (BNCP)
• RFC 1332 IP Control Protocol (IPCP)
• RFC 1334 Password Authentication Protocol and Challenge Handshake Authentication Protocol (PAP/
CHAP)
• RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5
• RFC 1490 Multiprotocol Interconnect over Frame Relay
• RFC 1552 Novell IPX Control Protocol (IPXCP)
• RFC 1577 Classical IP and ARP over ATM
• RFC 1661 Point-to-P oi nt Protocol (PPP)
• RFC 1723 RIP Version 2
• RFC 1962 PPP Compression Control Protocol (CCP)
• RFC 1973 PPP in Frame Relay
• RFC 1974 Stac LZS compression protocol
• RFC 1990 Multi-Link Prot ocol (MLP)
• RFC 2131 and 2132 Dynamic Host Configuration Protocol (DHCP)
IP Routing
IP routing support, in conformance with RFC 791, provides the ability to process TCP/IP frames at the network
layer for routing. IP routing support includes the Routing Interface Protocol (RIP), in conformance with RFC
1058 (RIP v.1) and RFC 1723 (RIP v.2).
IPX Routing
IPX routing conforms to the Novell® NetWare™ IPX Router Development Guide, Version 1.10.
Encapsulation Options
This section describes in technical terms the format of each packet associated with a particular encapsulation
option supported by th e router.
The encapsulation type for each remote entry is defined using the
remote setProtocol
command.
Chapter 1. Advanced Topics 17
PPP
Each packet begins with a one- or two-byte protocol ID. Typical IDs are:
0xc021—LCP
0x8021—IPCP
0x0021—IP
0x002d— Van Jacobson compressed TCP/IP
0x002f—Van Jacobson uncompressed TCP/IP
0x8031—Bridge NCP
0x0031—Bridge Frame
The command for this encapsulation option is:
Note:
With PPP over ATM, the address and control fields (i.e., FF03) are never present; this also is the case for
LCP packets.
remote setProtocol PPP
remoteName
<
>
PPPLLC
This protocol (LLC-multiplexed) allows PPP traffic to be carried simultaneously with other traffic on a single
virtual circuit (as opposed to the PPP method of encapsulation—VC multiplexin g—which dedicates a virtual
circuit to PPP traffic only).
Each PPP packet is prepended with the sequence 0xFEFE03CF. Thus, an LLC packet has the format:
0xFEFE03CF 0xC021.
The command for this encapsulation option is:
remote setProtocol PPPLLC
remoteName
<
>
RFC 1483 or RFC 1490
Bridging
User data packets are prepended by the sequence 0xAAAA0300 0x80c20007 0x0000 followed by the
Ethernet frame containing the packet.
802.1D Spanning Tree packets are prepended with the header 0xAAAA0300 0x80C2000E.
Routing
IP packets are prepended with the header 0xAAAA0300 0x00000800.
IPX packets are prepended with the header 0xAAAA0300 0x00008137.
The commands for this encapsulation option are:
remote setProtocol RFC1483
remote setProtocol FR
18 Chapter 1. Advanced Topics
<
remoteName
<
remoteName
> (for ATM)
> (for Frame Relay - RFC 1490)
MAC Encapsulated Routing: RFC 1483MER (ATM) or RFC 1490MER (Frame Relay)
MER encapsulation allows IP packets to be carried as bridged frames, but does not prevent bridged frames from
being sent as well, in their normal encapsulation format: RFC 1483 (ATM) or RFC 1490 (Frame Relay).
If IP routing is enabled, then IP packets are prepended with the sequence 0xAAAA0300 0x80c20007 0x0000 and
sent as bridged frames. If IP routing is not enabled, then the packets appear as bridged frames.
The commands for this encapsulation option are:
remote setProtocol RFC1483MER
remote setProtocol MER
(for Frame Relay)
remoteName
<
> (for ATM)
FRF8
IP packets have prepended to them the following sequence: 0x03CC.
The command for this encapsulation option is:
Note:
This protocol allows sending ATM over Frame Relay.
remote setprotocol FRF8
remoteName
<
>
rawIP
IP packets do not have any protocol headers prepended to them; they appear as IP packets on the wire. Only IP
packets can be transported since there is no possible method to distinguish other types of packets (bridged frames
or IPX).
The command for this encapsulation option is:
remote setProtocol rawIP
remoteName
<
>
Chapter 1. Advanced Topics 19
System Files
The router’s file system is a DOS-compatible file system, whose contents are as follows: :
SYSTEM.CNF:
DOD Remote Router Database
SYS System Settings: name, message, authentication method, and passwords
ETH Ethernet LAN configuration settings
DHCP.DAT:
FILTER.DAT:
KERNEL.F2K:
ETH.DEF:
ASIC.AIC:
ATM.DAT:
I2TP Tunnening Database
ATOM.DAT
SDSL.DAT
DMT.DAT
IPSEC.DAT
These are configuration files containing:
DHCP files.
Bridge filters.
Router system software (KERNEL.F P 1 for IDSL routers).
File used by the manufacturer to set a default Ethernet configuration.
Firmware for the xDSL modem or ATM interface.
ATM configuration file.
IKE.DAT
AUTOEXEC.BAT - Autoexec file of commands to run on next reboot.
AUTOEXEC.OLD - Autoexec file that has run already
Note:
Users should not delete any of these files, unless advised by Tech Support.
Any file contained within the system may be retrieved or replaced using the TFTP protocol. Specifically,
configuration files and the operating system upgrades can be updated. Only one copy for the router software is
allowed in the router’s FLASH memory.
Refer to
copying configuration files, and restoring router software to FLASH memory.
Chapter 6. Managing the Router on page 215
for details on software upgrades, booting router software,
Bridge Filtering
You can control the flow of packets across the router using bridge filtering. Bridge filtering lets you “deny”or
“allow” packets to cross the network based on position and hexadecimal content within the packet. This featu re
lets you restrict or forward messages with a specified address, protocol, or data content. Common uses are to
prevent access to remote networks, control unauthorized access to the local network, and limit unnecessary traffic.
20 Chapter 1. Advanced Topics
For example, it might be necessary to restrict remote access for specific users on the local network. In this case,
bridging filters are defined using the local MAC address for each user to be restricted. Each bridging filter is
specified as a “deny” filter based on the MAC address and position of the address within the packet. Deny
filtering mode is then enabled to initiate bridge filtering. No packet with one of the MAC addresses can be bridged
across the router until the deny filtering mode is disabled.
Similarly, protocol filtering can be used to prevent a specific protocol from being bridged. In this case, the
protocol ID field in a packet is used to deny or allow a packet. You can also restrict, for example, the bridging of
specific broadcast packets.
Chapter 1. Advanced Topics 21
Unique System Passwords
As described in
override password for a remote router with the command
password” is used instead of the general system password
allows you to set a unique CHAP or PAP authentication password for authentication of the local site by the remote
only
site
A common use is to set a password assigned to you by Internet Service Providers (ISPs). Similarly, the system
name of the local router can be overridden for connecting to a specific remote with the command
setoursysname
when the router connects to that remote site.
Security Configuration Settings on page 16
.
of this chapter, you can specify a unique system
remote SetOurPasswd
only
for connecting to a specific remote router. This
. This “system override
remote
22 Chapter 1. Advanced Topics
Chapter 2. Planning for Router Configuration
This chapter describes the terminology and the information that you need to obtain before configuring the router.
The information needed to configure the router is contingent on the chosen Link Protocol. It is therefore important
to know which Link Protocol you are using (this is determined by your Network Service Provider) so that you can
refer to the configuration sections that apply to your setup.
When you configure the router using the Command Line Interface, the planning is sim ilar to the process des cribed
for Configuration Manager with very few exceptions.
Important Terminology
You should familiarize yourself with the following terminology as it will be u sed thro ughout this chapter.
Target router.
Remote routers.
Remote router database.
routers to which the target router may connect
Remote router entry.
Router that you are configuring. Also referred to as
All the routers to which the target (local) router may connect.
Database which resides in the target router and contains information about the remote
.
Entry about a remote router in the target router database. A remote router entry defines:
• Connection parameters
• Security features
• Route addressing and bridging functions
The following diagram illustrates these key words and concepts.
Configuration Process for Router A
TARGET ROUTER
Router A
Target Router:
System Settings
DSL/ATM
local
router
REMOTE ROUTERS
Router B
Router C
.
Remote Router Database
Remote Router B
Remote Router C
Remote Router D
Router D
Chapter 2. Planning for Router Configuration 23
Essential Configuration Information
This section describes the configuration information associated with each Link Protocol/Network Protocol
combination and also provides configuration information for the Dual-Ethernet router.
If you are using Link and Network Protocols:
1. Determine which Link Protocol/Network Protocol association you are using from your Network Service
Provider (NSP).
2. Select (click) one of the following Link/Network information that applies to your situation:
PPP Link Protocol with:
• IP Routing Network Protocol, on page 25
• IPX Routing Network Protocol, on page 27
• Bridging Network Protocol, on page 29
RFC 1483 or RFC 1490 Link Protocol with:
• IP Routing Network Protocol, on page 30
• IPX Routing Network Protocol, on page 32
• Bridging Network Protocol, on page 34
MAC Encapsulated Routing: RFC 1483MER or RFC 1490MER Link Protocol with:
• IP Routing Network Protocol, on page 35
FRF8 Link Protocol with:
• IP Routing Network Protocol, on page 37
3. Collect the information applicable to your Link/Network Protocol associatio n. Thi s information will be used
later in conjunction with the
Network protocol. These configuration tables provide step-by-step instructions for a basic configuration for
each Link/Network protocol.
Note:
Use the blank Network Information Worksheets in Appendix A to collect your network information.
If you are using a Dual-Ethernet Router:
Select (click) one of the two following configurations that applies to your situ ation:
Configuring the Dual-Ethernet Router as a Bridge, on page 39
Configuring the Dual-Ethernet Router for IP Routing, on page 39
Configuration Tables
for easy configuration of your router based on your Link/
24 Chapter 2. Planning for Router Configuration
PPP Link Protocol (over ATM or Frame Relay)
The PPP Link Protocol is an encapsulation method that can be used over ATM (for ATM routers) or Frame Relay
(for Frame-Relay routers)
Combined with the IP, IPX, or Bridging Network Protocols, PPP over ATM and PPP over Frame Relay share the
same configuration characteristics, except for the connection iden tifiers : VPI/VCI numb ers are us ed f or ATM, an d
a DLCI number is used for Frame Relay.
Select the Network Protocol that applies to your situation: IP or IPX or Bridging. Collect th e information
described in the appropriate section. This data wi ll be later used to conf ig ure yo ur rou ter using the Co mmand Line
Interface commands (see
IP Routing Network Protocol
System Names and Authentication Passwords
!!!!
For the Target Router
Configuration Tables, on page 41).
This information is defined by the user. You must
target router. They are used by a remote router to authenticate the target router.
For the Remote Site(s)
This information is obtained from the Network Service Provider. For each remote site, you
site name and its authentication password. They are used by the target router to authenticate the remote
end. The name and password are used in both PAP and CHAP authentication. Refer to the diagram under
General Security Authentication, on page 15
Note 1:
Configuration 1: PPP with IP and IPX, on page 54
Note 2:
remote disauthen
VPI and VCI Numbers (for ATM routers)
!!!!
Your router may have been preconfigured with VPI/VCI numbers. If not, you will have to obtain these
numbers from your Network Service Provider and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
A sample configuration containing names and passwords is provided in the section
If the ISP does not support the authentication of the ISP system by the caller, use the command
remoteName
<
> to disable the authentication.
choose a name and authentication password for the
to see how this information is used.
Chapter 3.
must
Sample
have the
DLCI (for Frame Relay routers)
!!!!
The DLCI number applies to Frame Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
Chapter 2. Planning for Router Configuration 25
DNS Internet Account Information (optional)
!!!!
This information is obtained from your Network Service Provider. Consult with you Network Service
Provider to find out if you need to enter the following information:
• DNS server address
• DNS second server address
• DNS domain name
IP Routing Addresses
!!!!
For the Ethernet Interface
This information is defined by the user or your Network Administrator.
Ethernet IP Address (local LAN)
An Ethernet LAN IP address and subnet mask are required for the router’s local Ethernet LAN
connection
Note:
exchange routing information. This feature is not normally used, except in special circumstances.
For the WAN Interface
This information is defined by the Network Service Provider
Source (Target/Local) WAN Port Address
If Network Address Translation (NAT) is enabled, you must specify a source WAN IP address for the
WAN connection to the remote router if IP address negotiation under PPP does not provide one. Check
with your system administrator for details on whether the router must communicate in numbered or
unnumbered mode and which addresses are required.
Remote WAN Address
You may need to specify a remote WAN IP address for the WAN connection to the remote router
depending on IP address negotiation under PPP. Check with your system administrator for details on
whether the router must communicate in numbered or unnumbered mode and which addresses are
required.
TCP/IP Remote Routes
An IP route includes an IP address, subnet mask, and metric (a number representing the perceived cost in
reaching the remote network or station).
.
An Ethernet route is usually defined when there are multiple routers on the Ethernet that cannot
.
TCP/IP Default Route
A
to other specific routes. You will need to define the default route to a remote router or, in special
circumstances, define an Ethernet gateway. There can be only one default route specified.
26 Chapter 2. Planning for Router Configuration
should be designated in the routing table for all traffic that cannot be directed
IPX Routing Network Protocol
System Names and Authentication Passwords
!!!!
For the Target Router
This information is defined by the user. You
target router. They are used by a remote router to authenticate the target router.
For the Remote Site(s)
This information is obtained from the Network Service Provider. For each remote site, you
site name and its authentication password. They are used by this target router to authenticate the remote
end. The name and password are used in both PAP and CHAP authentication. Refer to the diagrams
General Security Authentication, on page 15
under
Note 1:
Configurations, on page 54
Note 2:
remote disauthen
VPI and VCI Numbers
!!!!
Your router may have been preconfigured with VPI/VCI numbers. If not, you will have to obtain these
numbers from your Network Service Provider and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
A sample configuration containing names and passwords is provided in the section
.
If the ISP does not support the authentication of the ISP system by the caller, use the command
remoteName
<
> to disable the authentication.
must
choose a name and authentication password for the
to see how this information is used.
must
Sample
have the
DLCI (for Frame-Relay Routers)
!!!!
The DLCI number applies to Frame-Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
IPX Routing Entries
!!!!
These numbers are defined by the Network Administrator. You will need to obtain the following
information (most likely from your network administrator) for IPX Routing.
Note: IPX routes
allow the servers and clients to exchange packets. A path to a file server will be based on the Internal
Network Number of the server. A path to a client will be based on the External Network Number
(Ethernet) of the client.
define a
path
to a specific destination. They are primarily needed by the routers to
Chapter 2. Planning for Router Configuration 27
Internal Network Number
It is a logical network number that identifies an individual Novell server. It is needed to specify a route to
the services (i.e., file services, print services) that Novell offers. It must be a unique number.
External Network (a.k.a. IPX Network Number)
It refers to a physical LAN/wire network segment to which servers, routers, and PCs are connected
(Ethernet cable-to-router segment). It must be a unique number.
WAN Network Number
Important
between the two routers. Note that only those two routers need to have the WAN Network Number
configured.
Service Advertisement Protocol (SAP)
SAP entries should reflect primary logon servers for the clients on the local LAN. Only the servers on the
remote side of the link have to be entered. Local servers do not need to be entered.
Frame Type
With local servers on your LAN, make sure to select the proper frame type for the IPX network number.
To determine this, consult with your network administrator. When you have only NetWare clients on
your LAN, keep the default (802.2) selected as most clients can support any typ e. The fr ame type cho ices
are:
: This number is part of the routing information. It is only used to identify the WAN segment
802.2
802.3
DIX
becoming obsolete.
Note:
Appendix B provides step-by-step information on how to configure IPX routing.
Default recommended by Novell
Other most common type
For DEC, Intel, Xerox; this setting is also referred to as “Ethernet II”, and it is rapidly
28 Chapter 2. Planning for Router Configuration
Bridging Network Protocol
System Names and Authentication Passwords
!!!!
For the Target Router
This information is defined by the user. You
target router. They are used by a remote router to authenticate the target router.
For the Remote Site(s)
!!!!
This information is obtained from the Network Service Provider. For each remote site, you
site name and its authentication password. They are used by the target router to authenticate the remote
end. The name and password are used in both PAP and CHAP authentication. Please refer to the diagram
General Security Authentication, on page 15
under
Note 1:
Configuration 1: PPP with IP and IPX, on page 54.
Note 2:
remote disauthen
VPI and VCI Numbers
!!!!
Your router may have been preconfigured with VPI/VCI numbers. If not, you will have to obtain these
numbers from your Network Service Provider and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
A sample configuration containing Names and Passwords is provided in the section Sample
If the ISP does not support the authentication of the ISP system by the caller, use the command
remoteName
<
> to disable the authentication.
must
choose a name and authentication password for the
to see how this information is used.
must
have the
DLCI (for Frame-Relay Routers)
!!!!
The DLCI number applies to Frame-Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
DNS Internet Account Information (optional)
!!!!
This information is obtained from the Network Service Provider. Consult with you Network Ser vice
Provider to find out if you need to enter the following information:
• DNS server address
• DNS second server address
• DNS domain name
Note:
If you intend to connect to the Internet only, enter this information using the Internet Quick Start
configurator.
Chapter 2. Planning for Router Configuration 29
RFC 1483/RFC 1490 Link Protocols
The Link Protocol RFC 1483 is a multiprotocol encapsulation method over ATM and is used by ATM routers.
RFC 1490 is a multiprotocol encapsulation method over Frame-Relay and is used by Frame-Relay routers.
RFC 1483 and RFC 1490 com bi ned with th e IP, IP X , or Bri d gi ng Net w or k P rotocols share the same configuration
characteristics, except for the connection identifiers: VPI/VCI numbers are used for RFC 1483 and a DLCI
number is used for RFC 1490.
Obtain the information as described in the appropriate section. This data will be used later to configure your router
using the Command Line Interface (see
IP Routing Network Protocol
VPI and VCI Numbers (for RFC 1483)
!!!!
The VPI and VCI number s apply to ATM routers only. Your router may ha ve been preconfigured with
VPI/VCI numbers. If not, you will have to obtain these numbers from your Network Service Provider
and then configure them.
If you are connecting to multiple remote sites, you will need to obtain additional VPI and VCI n umb ers
from your Network Service Provider and/or Network Access Provider. These numbers identify the
remote destination and must, therefore, be unique for each remote.
Configuration Tables, on page 41).
DLCI (for RFC 1490)
!!!!
The DLCI number applies to Frame-Relay routers only. Your Network Service Provider or your
Network Access Provider will provide you with a Data Link Connection Identifier (DLCI). The DLCI is
an address identifying your connection.
DNS Internet Account Information (optional)
!!!!
This information is obtained from the Network Service Provider. Consult with you Network Service
Provider to find out if you need to enter the following information:
• DNS server address
• DNS second server address
• DNS domain name
IP Routing Entries
!!!!
For the Ethernet Interface
This information is defined by the user or the Network Administrator.
Ethernet IP Address (Local LAN)
An Ethernet LAN IP address and subnet mask are required for the router’s local Ethernet LAN
connection.
30 Chapter 2. Planning for Router Configuration
Loading...