Nortel Networks BCM50a User Manual

BCM50a Integrated Router Configuration — Basics
BCM50a
BCM50a Integrated Router
Document Number: N0115790 Document Version: 1.0 Date: September 2006
Copyright © Nortel 2005–2006
All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel.
Trademarks
Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. All other trademarks and registered trademarks are the property of their respective owners.

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Hard copy technical manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
How to get Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Getting Help from the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Getting Help over the phone from a Nortel Solutions Center . . . . . . . . . . . . . . . .29
Getting Help from a specialist by using an Express Routing Code . . . . . . . . . . . . 29
Getting Help through a Nortel distributor or reseller . . . . . . . . . . . . . . . . . . . . . . . 30
Chapter 1
Getting to know your BCM50a Integrated Router. . . . . . . . . . . . . . . . . . . . 31
Introducing the BCM50a Integrated Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Physical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
High-speed Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
ADSL standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Networking compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Four-Port switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Autonegotiating 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Autosensing 10/100 Mb/s Ethernet LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Time and date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Reset button . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
IPSec VPN capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Nonphysical features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Nortel Contivity Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Brute force password guessing protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Universal Plug and Play (UPnP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Call scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Dynamic DNS support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
IP Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Central Network Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
DHCP (Dynamic Host Configuration Protocol) . . . . . . . . . . . . . . . . . . . . . . . . 38
Full network management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Logging and tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Upgrade BCM50a Integrated Router Firmware . . . . . . . . . . . . . . . . . . . . . . . 39
Embedded FTP and TFTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Applications for the BCM50a Integrated Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Secure broadband internet access and VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Chapter 2
Introducing the WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
WebGUI overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Accessing the BCM50a Integrated Router WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . .41
Restoring the factory-default configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Navigating the BCM50a Integrated Router WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Chapter 3
Wizard setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Wizard overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
ENET ENCAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
PPP over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
RFC 1483 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
VC-based multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
LLC-based multiplexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
VPI and VCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Wizard setup configuration: first screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
IP address and subnet mask . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
IP address assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
IP assignment with PPPoA or PPPoE encapsulation . . . . . . . . . . . . . . . . . . . . . .52
IP assignment with RFC 1483 encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
IP assignment with ENET ENCAP encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . 52
Private IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Nailed-up connection (only with PPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Wizard setup configuration: second screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
DHCP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
IP pool setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Wizard setup configuration: third screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Wizard setup configuration: connection tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Test your Internet connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Chapter 4
User Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
General Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Advanced Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Setting up the router when the system has a server . . . . . . . . . . . . . . . . . . . . 69
Connecting two sites to establish a virtual private network . . . . . . . . . . . . . . . 69
Adding IP telephony to a multi-site network . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configuring the router to act as a Nortel VPN Server (Client Termination) . . . 71
Configuring the router to connect to a Nortel VPN Server (Client Emulation) . 71
Configuring the router to allow remote management of a LAN-connected BCM50 . . . 71
Setting up the router for guest access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Preventing heavy data traffic from impacting telephone calls . . . . . . . . . . . . . 72
Chapter 5
System screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
System overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
DNS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Private DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Configuring General Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
DYNDNS wildcard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Predefined NTP time server list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Configuring Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Configuring ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Chapter 6
LAN screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
LAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
DHCP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
IP pool setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
LAN TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Factory LAN defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
RIP setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Configuring Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configuring IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Chapter 7
WAN screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
WAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
TCP/IP Priority (metric) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
PPPoE encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Configuring WAN ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configuring WAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Traffic redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Configuring Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Configuring Dial Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Advanced Modem Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
AT Command Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
DTR Signal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Response Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring Advanced Modem Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Chapter 8
Network Address Translation (NAT) Screens . . . . . . . . . . . . . . . . . . . . . . 121
NAT overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
NAT definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
What NAT does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
How NAT works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Port restricted cone NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
NAT application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
NAT mapping types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Using NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
SUA (Single User Account) versus NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
SUA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Default server IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Port forwarding: Services and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring servers behind SUA (example) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring SUA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuring Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Trigger Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Trigger Port Forwarding example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Two points to remember about Trigger Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring Trigger Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Chapter 9
Static Route screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Static Route overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Configuring IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Configuring Route entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Chapter 10
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Firewall overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Types of firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Packet filtering firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Application level firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Stateful Inspection firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Introduction to the BCM50a Integrated Router firewall . . . . . . . . . . . . . . . . . . . . . . . 147
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Types of DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Stateful inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Stateful inspection process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Stateful inspection and the BCM50a Integrated Router . . . . . . . . . . . . . . . . . . . 155
TCP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
UDP/ICMP security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Upper layer protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Guidelines for enhancing security with your firewall . . . . . . . . . . . . . . . . . . . . . . . . . 158
Packet filtering vs. firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
When to use filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
When to use the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Chapter 11
Firewall screens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Access methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Firewall policies overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Rule logic overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Rule checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Security ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Key fields for configuring rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Source address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Destination address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Connection direction examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
LAN to WAN rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
WAN to LAN rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Configuring source and destination addresses . . . . . . . . . . . . . . . . . . . . . . . . . .173
Configuring custom ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Example firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175
Predefined services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Configuring attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Threshold values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Half-open sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
TCP maximum incomplete and blocking period . . . . . . . . . . . . . . . . . . . . . . 183
Chapter 12
Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Introduction to content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Restrict web features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Days and Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Chapter 13
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
BCM50a Integrated Router VPN functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
VPN screens overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Other terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Data confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Data integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Data origin authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
VPN applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
IPSec architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
IPSec algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
AH (Authentication Header) protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
ESP (Encapsulating Security Payload) protocol . . . . . . . . . . . . . . . . . . . . . . . . . 196
Key management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Transport mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Tunnel mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
IPSec and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Secure Gateway Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Dynamic Secure Gateway Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Summary screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Keep Alive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Nailed up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
NAT Traversal configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Preshared key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Configuring Contivity Client VPN Rule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Configuring Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
ID Type and content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
ID type and content examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
My IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Configuring Branch Office VPN Rule Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Configuring an IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Port forwarding server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Configuring a port forwarding server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
IKE phases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Negotiation Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Preshared key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Diffie-Hellman (DH) Key Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Perfect Forward Secrecy (PFS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Configuring advanced Branch office setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Chapter 14
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Certificates overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Advantages of certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Self-signed certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Configuration summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Certificate file formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Importing a certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Creating a certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Importing a Trusted CA certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Trusted CA Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Trusted remote hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Verifying a certificate of a trusted remote host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Trusted remote host certificate fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Importing a certificate of a trusted remote host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Trusted remote host certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Directory servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Add or edit a directory server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Chapter 15
Bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Bandwidth management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Bandwidth classes and filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Proportional bandwidth allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Application based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Subnet based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Application and subnet based bandwidth management . . . . . . . . . . . . . . . . . . . . . . . 293
Reserving bandwidth for nonbandwidth class traffic . . . . . . . . . . . . . . . . . . . . . . 293
Configuring summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Configuring class setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Bandwidth Manager Class Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Chapter 16
Authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Introduction to Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Edit Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Configuring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Chapter 17
Remote management screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Remote management overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Remote management limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Remote management and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
System timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Introduction to HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
HTTPS example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320
Internet Explorer warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Netscape Navigator warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Avoiding the browser warning messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Logon screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
SSH overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
How SSH works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
SSH implementation on the BCM50a Integrated Router . . . . . . . . . . . . . . . . . . . . . . 331
Requirements for using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Configuring SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Secure Telnet using SSH examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Example 1: Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Example 2: Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Secure FTP using SSH example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Configuring TELNET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Configuring FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
REMOTE MANAGEMENT: SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Configuring Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
Chapter 18
UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Universal Plug and Play overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
How do I know if I am using UPnP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
NAT Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Cautions with UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
UPnP implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Displaying UPnP port mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Installing UPnP in Windows example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Installing UPnP in Windows Me . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Installing UPnP in Windows XP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Using UPnP in Windows XP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Autodiscover Your UPnP-enabled Network Device . . . . . . . . . . . . . . . . . . . . . . . 355
WebGUI easy access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Chapter 19
Logs Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Configuring View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Configuring Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Configuring Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Viewing Web site hits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Viewing Protocol/Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Viewing LAN IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Reports specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Chapter 20
Call scheduling screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Call scheduling introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Call schedule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Call scheduling edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Applying Schedule Sets to a remote node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Chapter 21
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Maintenance overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Status screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
System statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
DHCP Table screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Diagnostic Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
F/W Upload screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Configuration screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Back to Factory Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Backup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Restore configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Restart screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Appendix A
Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Problems Starting Up the BCM50a Integrated Router . . . . . . . . . . . . . . . . . . . . . . . .393
Problems with the LAN LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Problems with the LAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Problems with the WAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Problems with Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Problems accessing an Internet Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Problems with the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Problems with the WebGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Problems with Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Allowing Pop-up Windows, JavaScript and Java Permissions . . . . . . . . . . . . . . . . . .397
Internet Explorer Pop-up Blockers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Allowing Pop-ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Enabling Pop-up Blockers with Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Internet Explorer JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Internet Explorer Java Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
JAVA (Sun) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Netscape Pop-up Blockers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Allowing Pop-ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Enable Pop-up Blockers with Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Netscape Java Permissions and JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Appendix B
Log Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
VPN/IPSec Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
VPN Responder IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Configuring what you want the BCM50a Integrated Router to log . . . . . . . . . . . 431
Displaying Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Log Command Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

Figures

Figure 1 Secure Internet Access and VPN Application . . . . . . . . . . . . . . . . . . . . . 40
Figure 2 Login screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Figure 3 Change password screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 4 Replace certificate screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Figure 5 MAIN MENU Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Figure 6 Contact Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Figure 7 Wizard Screen 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Figure 8 Internet connection with PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Figure 9 Internet connection with RFC 1483 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Figure 10 Internet connection with ENET ENCAP . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Figure 11 Internet connection with PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 12 Wizard Screen 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Figure 13 Wizard: LAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Figure 14 Wizard Screen 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Figure 15 Private DNS server example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Figure 16 System general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Figure 17 DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Figure 18 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Figure 19 Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Figure 20 ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Figure 21 LAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Figure 22 Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Figure 23 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Figure 24 WAN: General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Figure 25 WAN: WAN ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Figure 26 WAN: IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Figure 27 Traffic Redirect WAN Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Figure 28 Traffic Redirect LAN Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Figure 29 Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Figure 30 Dial Backup Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Figure 31 Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Figure 32 How NAT works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 33 Port Restricted Cone NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Figure 34 NAT application with IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Figure 35 Multiple servers behind NAT example . . . . . . . . . . . . . . . . . . . . . . . . . .129
Figure 36 SUA/NAT setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Figure 37 Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Figure 38 Address Mapping edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Figure 39 Trigger Port Forwarding process: example . . . . . . . . . . . . . . . . . . . . . . . 136
Figure 40 Trigger Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Figure 41 Example of Static Routing topology . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Figure 42 Static Route screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Figure 43 Edit IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Figure 44 BCM50a Integrated Router firewall application . . . . . . . . . . . . . . . . . . . 148
Figure 45 Three-way handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Figure 46 SYN flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Figure 47 Smurf attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Figure 48 Stateful inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Figure 49 LAN to WAN traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Figure 50 WAN to LAN traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Figure 51 Enabling the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Figure 52 Creating and editing a firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Figure 53 Adding or editing source and destination addresses . . . . . . . . . . . . . . . 173
Figure 54 Creating or editing a custom port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Figure 55 Firewall edit rule screen example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Figure 56 Firewall rule edit IP example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Figure 57 Edit custom port example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176
Figure 58 MyService rule configuration example . . . . . . . . . . . . . . . . . . . . . . . . . .177
Figure 59 My Service example rule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Figure 60 Attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Figure 61 Content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Figure 62 Encryption and decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Figure 63 IPSec architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Figure 64 Transport and Tunnel mode IPSec encapsulation . . . . . . . . . . . . . . . . .198
Figure 65 IPSec summary fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Figure 66 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Figure 67 NAT router between IPSec routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Figure 68 VPN Contivity Client rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Figure 69 VPN Contivity Client advanced rule setup . . . . . . . . . . . . . . . . . . . . . . .209
Figure 70 VPN Branch Office rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Figure 71 VPN Branch Office — IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Figure 72 VPN Branch Office — IP Policy - Port Forwarding Server . . . . . . . . . . . 229
Figure 73 Two phases to set up the IPSec SA . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Figure 74 VPN Branch Office advanced rule setup . . . . . . . . . . . . . . . . . . . . . . . . 234
Figure 75 VPN SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Figure 76 VPN Global Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Figure 77 VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Figure 78 VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . .245
Figure 79 VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
Figure 80 VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Figure 81 Certificate configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Figure 82 My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Figure 83 My Certificate Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Figure 84 My Certificate create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Figure 85 My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Figure 86 Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Figure 87 Trusted CA import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Figure 88 Trusted CA details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274
Figure 89 Trusted remote hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Figure 90 Remote host certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Figure 91 Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Figure 92 Trusted remote host import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Figure 93 Trusted remote host details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Figure 94 Directory servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Figure 95 Directory server add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Figure 96 Subnet based bandwidth management example . . . . . . . . . . . . . . . . . . 293
Figure 97 Bandwidth Manager: Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Figure 98 Bandwidth Manager: Class setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Figure 99 Bandwidth Manager: Edit class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Figure 100 Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Figure 101 Bandwidth manager monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Figure 102 Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Figure 103 Local User database edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Figure 104 Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Figure 105 Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Figure 106 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Figure 107 HTTPS implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Figure 108 WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Figure 109 Security Alert dialog box (Internet Explorer) . . . . . . . . . . . . . . . . . . . . . . 321
Figure 110 Security Certificate 1 (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Figure 111 Security Certificate 2 (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Figure 112 Logon screen (Internet Explorer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Figure 113 Login screen (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Figure 114 Replace certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Figure 115 Device-specific certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Figure 116 Common BCM50a Integrated Router certificate . . . . . . . . . . . . . . . . . . .329
Figure 117 SSH Communication Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Figure 118 How SSH Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Figure 119 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Figure 120 SSH Example 1: Store Host Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Figure 121 SSH Example 2: Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Figure 122 SSH Example 2: Log on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Figure 123 Secure FTP: Firmware Upload Example . . . . . . . . . . . . . . . . . . . . . . . . 336
Figure 124 Telnet configuration on a TCP/IP network . . . . . . . . . . . . . . . . . . . . . . . 336
Figure 125 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Figure 126 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Figure 127 SNMP Management Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Figure 128 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Figure 129 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Figure 130 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Figure 131 Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
Figure 132 UPnP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Figure 133 Add/Remove programs: Windows setup . . . . . . . . . . . . . . . . . . . . . . . .352
Figure 134 Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Figure 135 Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Figure 136 Windows optional networking components wizard . . . . . . . . . . . . . . . . .354
Figure 137 Windows XP networking services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Figure 138 Internet gateway icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Figure 139 Internet connection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Figure 140 Internet connection properties advanced setup . . . . . . . . . . . . . . . . . . . 356
Figure 141 Service settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Figure 142 Internet connection icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Figure 143 Internet connection status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Figure 144 Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Figure 145 My Network Places: Local network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Figure 146 View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Figure 147 Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Figure 148 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Figure 149 Web site hits report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368
Figure 150 Protocol/Port report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Figure 151 LAN IP address report example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Figure 152 Call schedule summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Figure 153 Call schedule edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
Figure 154 System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Figure 155 System Status: Show statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Figure 156 DHCP Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Figure 157 Diagnostic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Figure 158 Firmware upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Figure 159 Firmware Upload In Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Figure 160 Network Temporarily Disconnected . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Figure 161 Firmware upload error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Figure 162 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Figure 163 Reset warning message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Figure 164 Configuration Upload Successful . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Figure 165 Network Temporarily Disconnected . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Figure 166 Restart screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Figure 167 Pop-up Blocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Figure 168 Internet Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Figure 169 Internet options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Figure 170 Pop-up Blocker settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Figure 171 Internet options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Figure 172 Security Settings - Java Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Figure 173 Security Settings - Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Figure 174 Java (Sun) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Figure 175 Allow Popups from this site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Figure 176 Netscape Search Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Figure 177 Popup Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Figure 178 Popup Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Figure 179 Allowed Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Figure 180 Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Figure 181 Scripts & Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Figure 182 Example VPN Initiator IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Figure 183 Example VPN Responder IPSec Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 424

Tables

Table 1 Feature specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Table 2 Wizard Screen 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Table 3 Internet connection with PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Table 4 Internet connection with RFC 1483 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Table 5 Internet connection with ENET ENCAP . . . . . . . . . . . . . . . . . . . . . . . . . .56
Table 6 Internet connection with PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Table 7 Wizard: LAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Table 8 System general setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Table 9 DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Table 10 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Table 11 Default Time Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Table 12 Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Table 13 ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Table 14 LAN IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Table 15 Static DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Table 16 IP Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Table 17 WAN: General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Table 18 WAN: WAN ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Table 19 WAN: IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Table 20 Traffic Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Table 21 Dial Backup Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Table 22 Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Table 23 NAT definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Table 24 NAT mapping type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Table 25 Services and port numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Table 26 SUA/NAT setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Table 27 Address Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Table 28 Address Mapping edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Table 29 Trigger Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Table 30 IP Static Route summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Table 31 Edit IP Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Table 32 Common IP ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Table 33 ICMP commands that trigger alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Table 34 Legal NetBIOS commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Table 35 Legal SMTP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Table 36 Firewall rules summary: First screen . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Table 37 Creating and editing a firewall rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Table 38 Adding or editing source and destination addresses . . . . . . . . . . . . . . .173
Table 39 Creating/Editing A Custom Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Table 40 Predefined services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Table 41 Attack alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Table 42 Content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Table 43 VPN Screens Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Table 44 AH and ESP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Table 45 VPN and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Table 46 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Table 47 VPN Contivity Client rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Table 48 VPN Contivity Client advanced rule setup . . . . . . . . . . . . . . . . . . . . . . . 209
Table 49 Local ID type and content fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table 50 Peer ID type and content fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table 51 Matching ID type and content configuration example . . . . . . . . . . . . . . 212
Table 52 Mismatching ID Type and Content Configuration Example . . . . . . . . . . 212
Table 53 VPN Branch Office rule setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Table 54 VPN Branch Office — IP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Table 55 VPN Branch Office — IP Policy - Port Forwarding Server . . . . . . . . . . .229
Table 56 VPN Branch Office Advanced Rule Setup . . . . . . . . . . . . . . . . . . . . . . . 234
Table 57 VPN SA Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Table 58 VPN Global Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Table 59 VPN Client Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242
Table 60 VPN Client Termination IP pool summary . . . . . . . . . . . . . . . . . . . . . . . .245
Table 61 VPN Client Termination IP pool edit . . . . . . . . . . . . . . . . . . . . . . . . . . . .246
Table 62 VPN Client Termination advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Table 63 My Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Table 64 My Certificate Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Table 65 My Certificate create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Table 66 My Certificate details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Table 67 Trusted CAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Table 68 Trusted CA import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Table 69 Trusted CA details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Table 70 Trusted Remote Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Table 71 Trusted remote host import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Table 72 Trusted remote host details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Table 73 Directory Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Table 74 Directory server add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Table 75 Application and Subnet based Bandwidth Management Example . . . . . 293
Table 76 Bandwidth Manager: Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Table 77 Bandwidth Manager: Class Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Table 78 Bandwidth Manager: Edit class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Table 79 Services and port numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Table 80 Bandwidth management statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Table 81 Bandwidth manager monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Table 82 Local User database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Table 83 Local User database edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Table 84 Current split networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Table 85 Current split networks edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Table 86 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Table 87 WWW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Table 88 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Table 89 Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Table 90 FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338
Table 91 SNMP traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Table 92 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Table 93 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Table 94 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Table 95 Configuring UPnP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349
Table 96 UPnP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Table 97 View Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Table 98 Log settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Table 99 Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Table 100 Web site hits report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Table 101 Protocol/ Port Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Table 102 LAN IP Address Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Table 103 Report Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Table 104 Call Schedule Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Table 105 Call schedule edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Table 106 System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Table 107 System Status: Show Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Table 108 DHCP Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Table 109 Diagnostic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Table 110 Firmware Upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .387
Table 111 Restore configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Table 112 Troubleshooting the Start-Up of your BCM50a Integrated Router . . . . .393
Table 113 Troubleshooting the LAN LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Table 114 Troubleshooting the LAN interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Table 115 Troubleshooting the WAN Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Table 116 Troubleshooting Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Table 117 Troubleshooting Web Site Internet Access . . . . . . . . . . . . . . . . . . . . . . .396
Table 118 Troubleshooting the password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Table 119 Troubleshooting Remote Management . . . . . . . . . . . . . . . . . . . . . . . . .396
Table 120 System Error Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Table 121 System Maintenance Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Table 122 UPnP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Table 123 Content Filtering Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Table 124 Attack Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Table 125 Access Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Table 126 ACL Setting Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Table 127 ICMP Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Table 128 Sys log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Table 129 Sample IKE Key Exchange Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425
Table 130 Sample IPSec Logs During Packet Transmission . . . . . . . . . . . . . . . . . 427
Table 131 RFC 2408 ISAKMP Payload Types . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Table 132 PKI Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Table 133 Certificate Path Verification Failure Reason Codes . . . . . . . . . . . . . . . .430
Table 134 Log categories and available settings . . . . . . . . . . . . . . . . . . . . . . . . . .431

Preface

Before you begin

This guide assists you through the basic configuration of your BCM50a Integrated
Router for its various applications.
Note: This guide explains how to use the WebGUI to configure your BCM50a Integrated Router. See for how to use the System Management Terminal (SMT) or the command interpreter interface to configure your BCM50a Integrated Router. Not all features can be configured through all interfaces.
The WebGUI parts of this guide contain background information on features
configurable by the WebGUI and the SMT. For features not configurable by the
WebGUI, only background information is provided.

Text conventions

This guide uses the following text conventions:
Enter means type one or more characters and press the enter key. Select or Choose means use one of the predefined choices.
The SMT menu titles and labels are written in Bold Times New Roman font. The choices within a menu are written in Bold Arial font.
A single keystroke is written in Arial font and enclosed in square brackets. For instance, [ENTER] means the Enter key; [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys.
Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.

Related publications

For more information about using the BCM50a Integrated Router, refer to the following publications:
BCM50a Integrated Router Configuration — Advanced (N0115789)
This guide covers how to use the SMT menu to configure your BCM50a Integrated Router.
WebGUI Online Help
Embedded WebGUI help is available to provide descriptions of individual screens and supplementary information.

Hard copy technical manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems Web site at www.adobe.com to download a free copy of Adobe Reader.

How to get Help

This section explains how to get help for Nortel products and services.

Getting Help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
download software, documentation, and product bulletins
search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases

Getting Help over the phone from a Nortel Solutions Center

If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following Web site to obtain the phone number for your region:
www.nortel.com/callus

Getting Help from a specialist by using an Express Routing Code

To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
www.nortel.com/erc

Getting Help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Chapter 1 Getting to know your BCM50a Integrated Router
This chapter introduces the main features and applications of the BCM50a Integrated Router.

Introducing the BCM50a Integrated Router

The BCM50a Integrated Router is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN).
Your BCM50a Integrated Router integrates high-speed 10/100 Megabits per second (Mb/s) autonegotiating LAN interfaces and a high-speed Asymmetrical Digital Subscriber Line Plus (ADSL2+) port into a single package. The BCM50a Integrated Router is ideal for high-speed Internet browsing and making LAN-to-LAN connections to remote networks. By integrating Digital Subscriber Line (DSL) and Network Address Translation (NAT), the BCM50a Integrated Router provides easy installation and Internet access. By integrating firewall and Virtual Private Network (VPN) capabilities, the BCM50a Integrated Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.

Features

This section lists the key features of the BCM50a Integrated Router.
Table 1 Feature specifications
Feature                                                                        Specification
Number of static routes                                                        12
Number of NAT sessions                                                         4096
Number of SUA (Single User Account) servers                                    12
Number of address mapping rules                                                10
Number of configurable VPN rules (gateway policies)                            10
Number of configurable IPSec VPN IP policies (network policies)                60
Number of concurrent IKE (Internet Key Exchange) Phase 1 Security Associations 10
    These correspond to the gateway policies.
Number of concurrent IPSec VPN tunnels (Phase 2 Security Associations)         60
    These correspond to the network policies and are also monitorable and manageable. For example, 5 IKE gateway policies could each use 12 IPSec tunnels for a total of 60 Phase 2 IPSec VPN tunnels. This total includes both branch office tunnels and VPN client termination tunnels.
Number of IP pools that can be used to assign IP addresses to remote users
    for VPN client termination                                                 3
Number of configurable split networks for VPN client termination               16
Number of configurable inverse split networks for VPN client termination       16
Number of configurable subnets per split network for VPN client termination    64

Physical features

High-speed Internet access
Your BCM50a Integrated Router supports ADSL2+ (Asymmetrical Digital Subscriber Line) for high transmission speeds and long connection distances.
ADSL standards
Multimode standard (ANSI (American National Standards Institute) T1.413, Issue 2; G.dmt (G.992.1 Discrete Multitone Modulation))
EOC (Embedded Operations Channel) specified in ITU-T (Telecommunication Standardization Sector of the International Telecommunications Union) G.992.1
ADSL2 G.dmt.bis (G.992.3)
ADSL2+ (G.992.5)
Extended-reach ADSL (ER ADSL)
SRA (Seamless Rate Adaptation)
Autonegotiating rate adaptation
ADSL physical connection
ATM (Asynchronous Transfer Mode) AAL5 (ATM Adaptation Layer type 5)
Multiprotocol over AAL5 (Request For Comments (RFC) 2684/1483)
Support Point-to-Point-Protocol over ATM AAL5 (PPPoA) (RFC 2364)
PPP over Ethernet support for DSL (Digital Subscriber Line) connection (RFC 2516)
Support Virtual Circuit (VC) based and LLC (Logical Link Control) based multiplexing
Support OAM (Operations, Administration and Maintenance) VC Hunt
I.610 F4/F5 OAM
Networking compatibility
Your BCM50a Integrated Router is compatible with the major ADSL Digital Subscriber Line Access Multiplexer (DSLAM) providers, making configuration as simple as possible.
Multiplexing
The BCM50a Integrated Router supports VC-based and LLC-based multiplexing.
Encapsulation
The BCM50a Integrated Router supports PPPoA (RFC 2364 - PPP over ATM Adaptation Layer 5), RFC 1483 encapsulation over ATM, MAC (Media Access Control) encapsulated routing (ENET encapsulation) as well as PPP over Ethernet (RFC 2516).
Four-Port switch
A combination of switch and router makes your BCM50a Integrated Router a cost-effective and viable network solution. You can connect up to four computers or phones to the BCM50a Integrated Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN.
Autonegotiating 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s Ethernet.
Autosensing 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable.
Time and date
Using the BCM50a Integrated Router, you can get the current time and date from an external server when you turn on your BCM50a Integrated Router. You can also set the time manually.
Reset button
There is a 'Cold Reset Router' button that is accessible from the Element Manager Administration/Utilities/Reset page. Use this button to restore the password to the factory default (setup), the LAN IP address to 192.168.1.1 with subnet mask 255.255.255.0, and the DHCP server to enabled with a pool of 126 IP addresses starting at 192.168.1.2. Because a cold reset reinstates a known default password, change the password again before exposing the router's management interfaces to the WAN.

Nonphysical features

IPSec VPN capability
Establish Virtual Private Network (VPN) tunnels to connect home or office computers to your company network using data encryption and the Internet; thus providing secure communications without the expense of leased site-to-site lines. VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
Nortel Contivity Client Termination
The BCM50a Integrated Router supports VPN connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
Certificates
The BCM50a Integrated Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
SSH
The BCM50a Integrated Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
HTTPS
HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure WebGUI access to the BCM50a Integrated Router.
Firewall
The BCM50a Integrated Router has a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN (Wide Area Network) to the LAN is blocked unless it is initiated from the LAN. The BCM50a Integrated Router firewall supports TCP/UDP inspection, DoS detection and protection, real time alerts, reports and logs.
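The default policy described above (WAN-to-LAN traffic is dropped unless a LAN host initiated the session) can be shown with a toy stateful filter. This is an added example, not BCM50a code: the 5-tuple packet layout, the session timeout and the 4096-session cap (taken from Table 1) are modelled here as assumptions for illustration, and the traffic in run_sample() is constructed.

```python
"""Toy stateful packet filter (added example, not BCM50a firmware code).
Outbound LAN packets create session entries; WAN packets are forwarded only
when they are the reverse of a tracked session and that session has not
timed out. The cap of 4096 sessions mirrors the Table 1 figure."""
from collections import namedtuple

# iface is "LAN" or "WAN"; the remaining fields form the flow 5-tuple.
Packet = namedtuple("Packet", "iface proto src sport dst dport")


class StatefulFirewall:
    def __init__(self, session_timeout=60, max_sessions=4096):
        # key: (proto, lan_ip, lan_port, wan_ip, wan_port) -> last-seen time
        self.sessions = {}
        self.session_timeout = session_timeout
        self.max_sessions = max_sessions

    def _expire(self, now):
        stale = [k for k, seen in self.sessions.items()
                 if now - seen > self.session_timeout]
        for k in stale:
            del self.sessions[k]

    def filter(self, pkt, now):
        """Return 'forward' or 'drop' for pkt observed at time now (seconds)."""
        self._expire(now)
        if pkt.iface == "LAN":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.sessions and len(self.sessions) >= self.max_sessions:
                return "drop"  # session table full: refuse new outbound flows
            self.sessions[key] = now
            return "forward"
        # WAN side: forward only if this answers a session the LAN opened
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = now
            return "forward"
        return "drop"


def run_sample():
    """Constructed traffic: an unsolicited SSH probe from the WAN, a
    LAN-initiated HTTPS flow, its reply, and the same reply after the
    session has idled past the timeout."""
    fw = StatefulFirewall(session_timeout=30)
    probe = Packet("WAN", "tcp", "198.51.100.7", 5555, "192.168.1.10", 22)
    out = Packet("LAN", "tcp", "192.168.1.10", 40000, "203.0.113.5", 443)
    reply = Packet("WAN", "tcp", "203.0.113.5", 443, "192.168.1.10", 40000)
    return [fw.filter(probe, 0), fw.filter(out, 1),
            fw.filter(reply, 2), fw.filter(reply, 40)]


if __name__ == "__main__":
    print(run_sample())
```

The point to take from the sample is the last verdict: the same reply packet that was forwarded at t=2 is dropped at t=40 because the state entry expired, which is why long-idle connections through a stateful firewall need keepalives rather than a permanent inbound rule.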
Brute force password guessing protection
The BCM50a Integrated Router has a special protection mechanism to discourage brute force password guessing attacks on the BCM50a Integrated Router management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
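The lockout behaviour described above, written out as an added example (not Nortel code): after three wrong passwords the fourth attempt is refused until a configurable wait time has passed, and the password is not even checked while the lock is in force. The class and parameter names, the caller-supplied clock and the use of SHA-256 for the stored credential are assumptions made for illustration.

```python
"""Brute-force guard of the kind the BCM50a description implies (added
example, not Nortel code). A real credential store would use a slow,
salted KDF; SHA-256 is used here only to keep the example self-contained."""
import hashlib
import hmac


class LoginGuard:
    MAX_FAILURES = 3  # the fourth attempt is held back until the wait expires

    def __init__(self, password_hash, wait_seconds=60):
        self.password_hash = password_hash
        self.wait_seconds = wait_seconds
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, password, now):
        """Return 'ok', 'bad' or 'locked'. now is caller-supplied seconds so
        the behaviour can be exercised without sleeping."""
        if now < self.locked_until:
            return "locked"  # wait time not yet expired; password not checked
        digest = hashlib.sha256(password.encode()).hexdigest()
        if hmac.compare_digest(digest, self.password_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            # third consecutive failure: start the wait and reset the counter
            self.failures = 0
            self.locked_until = now + self.wait_seconds
        return "bad"


def make_guard(password, wait_seconds=60):
    """Build a guard for a known password (constructed for the example)."""
    return LoginGuard(hashlib.sha256(password.encode()).hexdigest(), wait_seconds)


if __name__ == "__main__":
    g = make_guard("correct", wait_seconds=30)
    for t, pw in [(0, "a"), (1, "b"), (2, "c"), (10, "correct"), (32, "correct")]:
        print(t, g.attempt(pw, t))
```

Note that the correct password is rejected at t=10 with "locked" rather than "ok": the guard refuses to evaluate anything during the wait, which is what prevents an attacker from using the lockout window to confirm a guess.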
Content filtering
The BCM50a Integrated Router can block web features such as ActiveX controls, Java applets, and cookies, as well as disable web proxies. The BCM50a Integrated Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled.
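The keyword-and-schedule part of content filtering, as an added example that is not BCM50a code: a URL is blocked when any configured keyword appears in its host or path and the current day and hour fall inside the filtering window. The schedule format (a set of weekdays plus a start and end hour, with the window allowed to wrap past midnight), the keyword list and the timestamps are assumptions for illustration.

```python
"""Keyword URL filter with a day/time schedule (added example, not BCM50a
code). Keywords are matched case-insensitively against host plus path, so
the scheme, port, query string and fragment cannot be used to dodge them."""
from datetime import datetime
from urllib.parse import urlsplit


class ContentFilter:
    def __init__(self, keywords, days, start_hour, end_hour):
        self.keywords = [k.lower() for k in keywords]
        self.days = set(days)          # 0 = Monday ... 6 = Sunday
        self.start_hour = start_hour   # inclusive
        self.end_hour = end_hour       # exclusive

    def schedule_active(self, when):
        """True when filtering applies at datetime 'when'."""
        if when.weekday() not in self.days:
            return False
        h = when.hour
        if self.start_hour <= self.end_hour:
            return self.start_hour <= h < self.end_hour
        # window such as 22:00-06:00 wraps past midnight
        return h >= self.start_hour or h < self.end_hour

    def decide(self, url, when_iso):
        """Return 'block' or 'allow' for url at ISO-8601 time when_iso."""
        when = datetime.fromisoformat(when_iso)
        if not self.schedule_active(when):
            return "allow"
        parts = urlsplit(url)
        target = (parts.hostname or "") + parts.path
        target = target.lower()
        for kw in self.keywords:
            if kw in target:
                return "block"
        return "allow"


if __name__ == "__main__":
    # constructed policy: block two keywords on weekdays 09:00-17:00
    f = ContentFilter(["games", "casino"], days=range(5), start_hour=9, end_hour=17)
    print(f.decide("http://games.example/play", "2006-09-04T10:00"))  # Monday
    print(f.decide("http://games.example/play", "2006-09-09T10:00"))  # Saturday
```

Matching on the parsed hostname and path, rather than on the raw string, is the design choice worth copying: a filter that searches the whole URL would also trigger on a harmless query parameter, while one that only looks at the hostname is bypassed by moving the keyword into the path.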
Packet filtering
The packet filtering mechanism blocks unwanted traffic from entering or leaving your network.
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the BCM50a Integrated Router and other UPnP-enabled devices can dynamically join a network, obtain an IP address, and convey their capabilities to other devices on the network. Because UPnP allows LAN applications to open WAN ports on the router without administrator action, enable it only where that is intended.
Call scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks through a familiar dial-up networking user interface.
Dynamic DNS support
With Dynamic DNS (Domain Name System) support, you can have a static host name alias for a dynamic IP address, so the host is more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
IP Multicast
The BCM50a Integrated Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The BCM50a Integrated Router supports versions 1 and 2.
IP Alias
Using IP Alias, you can partition a physical network into logical networks over the same Ethernet interface. The BCM50a Integrated Router supports three logical LAN interfaces through its single physical Ethernet LAN interface with the BCM50a Integrated Router itself as the gateway for each LAN network.
Central Network Management
With Central Network Management (CNM), an enterprise or service provider network administrator can manage your BCM50a Integrated Router. The enterprise or service provider network administrator can configure your BCM50a Integrated Router, perform firmware upgrades, and do troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your BCM50a Integrated Router supports SNMP agent functionality, which means that a manager station can manage and monitor the BCM50a Integrated Router through the network. The BCM50a Integrated Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).
Network Address Translation (NAT)
NAT (Network Address Translation, RFC 1631) translates multiple IP addresses used within one network to different IP addresses known within another network.
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway when the BCM50a Integrated Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
With DHCP (Dynamic Host Configuration Protocol), individual client computers can obtain their TCP/IP configuration at start-up from a centralized DHCP server. The BCM50a Integrated Router has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway, and DNS servers to all systems that support the DHCP client. The BCM50a Integrated Router can also act as a surrogate DHCP server (DHCP relay), where it relays IP address assignment from another DHCP server to the clients.
Full network management
The embedded web configurator is an all-platform, web-based utility that you can use to easily manage and configure the BCM50a Integrated Router. Most functions of the BCM50a Integrated Router are also software configurable through the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access over a Telnet connection. Telnet does not encrypt the session, including the administrator password, so restrict it to a trusted management LAN and leave it disabled in Remote Management when it is not needed.
Logging and tracing
The BCM50a Integrated Router supports the following logging and tracing functions to help with management:
Built in message logging and packet tracing
Unix syslog facility support
Upgrade BCM50a Integrated Router Firmware
The firmware of the BCM50a Integrated Router can be upgraded manually through the WebGUI.
Embedded FTP and TFTP Servers
The embedded FTP and TFTP servers enable fast firmware upgrades, as well as configuration file backups and restoration. Neither protocol encrypts the transfer, and TFTP has no authentication, so restrict access to these servers to trusted management hosts.

Applications for the BCM50a Integrated Router

Secure broadband internet access and VPN

The BCM50a Integrated Router provides broadband Internet access through ADSL. The BCM50a Integrated Router also provides IP address sharing and a firewall protected local network with traffic management.
The BCM50a Integrated Router VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need (and expense) of leased lines between sites. The LAN computers can share the VPN tunnels for secure connections to remote computers.
Figure 1 Secure Internet Access and VPN Application
Caution: Electro-static Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD. Avoid touching the connectors on the router, particularly when it is in use.
Chapter 2 Introducing the WebGUI
This chapter describes how to access the BCM50a Integrated Router WebGUI and provides an overview of its screens.

WebGUI overview

There are two methods to access the WebGUI for the BCM50a Integrated Router. It can be launched from Element Manager or can be launched from a web browser on the same subnet as the router.
Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the WebGUI you need to allow:
Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
JavaScripts (enabled by default).
Java permissions (enabled by default).
See “Allowing Pop-up Windows, JavaScript and Java Permissions” on page 397 if you want to make sure these functions are allowed in Internet Explorer.

Accessing the BCM50a Integrated Router WebGUI

Make sure your BCM50a Integrated Router hardware is properly connected, and prepare your computer and computer network to connect to the BCM50a Integrated Router.
1 Launch your web browser.
2 Type 192.168.1.1 as the URL.
3 Type the username (“nnadmin” is the default) and the password (“PlsChgMe!” is the default) and click Login. Click Reset to clear any information you have entered in the Username and Password fields.
Figure 2 Login screen
4 A screen asking you to change your password (highly recommended) appears and is shown in Figure 3. Type a new password (and retype it to confirm) and click Apply, or click Ignore.
Figure 3 Change password screen
5 Click Apply in the Replace Certificate screen to create a certificate, using your BCM50a Integrated Router MAC address, that is specific to this device.
Figure 4 Replace certificate screen
The MAIN MENU screen appears.
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back on to the BCM50a Integrated Router if this happens to you.

Restoring the factory-default configuration settings

If you forget your password or cannot access the SMT menu, you will need to restore the factory-default configuration. This means that you will lose all configuration that you had previously. The password will be reset to “PlsChgMe!”.
Use one of the following ways to perform a reset on the BCM50a Integrated Router:
1 Router WebGUI. LAN access is required. Navigate to the Maintenance screen and select the Reset button.
2 Element Manager. Navigate to the Administration screen, Utilities, Reset, and select Router Cold Reset.

Navigating the BCM50a Integrated Router WebGUI

Follow the instructions in the MAIN MENU screen or click the help icon (located in the top right corner of most screens) to view online help.
Note: The help icon does not appear in the MAIN MENU screen.
Figure 5 MAIN MENU Screen
Click the Contact link to display the customer support contact information. Figure 6 is a sample of what displays.
Figure 6 Contact Support
Chapter 3 Wizard setup
This chapter provides information on the Wizard screens in the WebGUI.

Wizard overview

The setup wizard in the WebGUI helps you configure your device to access the Internet. The second screen has three variations, depending on which encapsulation type you use. Refer to your ISP checklist in the Nortel BCM50a Integrated Router 252 — Fundamentals (NN47923-301) to know what to enter in each field. Leave a field blank if you do not have the required information.

Encapsulation

Be sure to use the encapsulation method required by your ISP. The BCM50a Integrated Router supports the following methods.

ENET ENCAP

The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol. IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment. For instance, the BCM50a Integrated Router encapsulates routed Ethernet frames into bridged ATM cells. ENET ENCAP requires that you specify a gateway IP address in the ENET ENCAP Gateway field in the second wizard screen. You can get this information from your ISP.

PPP over Ethernet

PPP over Ethernet (PPPoE) provides access control and billing functionality in a manner similar to dial-up services using PPP. The BCM50a Integrated Router bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM (Asynchronous Transfer Mode) PVC (Permanent Virtual Circuit), which connects to an ADSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information about PPPoE, see the PPPoE appendix in the BCM50a Integrated Router Configuration — Advanced guide.

PPPoA

A Point to Point Protocol over ATM Adaptation Layer 5 (PPPoA) connection functions like a dial-up Internet connection. The BCM50a Integrated Router encapsulates the PPP session based on RFC 1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider (ISP) DSLAM (Digital Subscriber Line Access Multiplexer). For more information about PPPoA, refer to RFC 2364. For more information about PPP, refer to RFC 1661.

RFC 1483

RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 (AAL5). Using the first method, you can multiplex multiple protocols over a single ATM virtual circuit (LLC-based multiplexing). The second method assumes that each protocol is carried over a separate ATM virtual circuit (VC-based multiplexing). For more detailed information, see RFC 1483.

Multiplexing

There are two conventions to identify which protocols the virtual circuit (VC) carries. Be sure to use the multiplexing method required by your ISP.

VC-based multiplexing

In this case, by prior mutual agreement, each protocol is assigned to a specific virtual circuit; for example, VC1 carries IP. VC-based multiplexing can be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical.

LLC-based multiplexing

In this case, one VC carries multiple protocols with protocol-identifying information being contained in each packet header. Despite the extra bandwidth and processing overhead, this method can be advantageous if it is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous VCs.

VPI and VCI

Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. The valid range for the VPI is 0 to 255 and 32 to 65535 for the VCI (0 to 31 is reserved for local management of ATM traffic).

Wizard setup configuration: first screen

In the Site Map screen, click Wizard Setup to display the first wizard screen.
Figure 7 Wizard Screen 1
Table 2 describes the fields in Figure 7.
Table 2 Wizard Screen 1
Mode: From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise, select Bridge.
Encapsulation: Select the encapsulation type your ISP uses from the Encapsulation drop-down list box. Choices vary depending on what you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP, or PPPoE.
Multiplex: Select the multiplexing method used by your ISP from the Multiplex drop-down list box, either VC-based or LLC-based.
Virtual Circuit ID: VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit.
VPI: Enter the VPI assigned to you. This field can already be configured.
VCI: Enter the VCI assigned to you. This field can already be configured.
Next: Click this button to go to the next wizard screen. The next wizard screen you see depends on which encapsulation you chose above.

IP address and subnet mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
Where you obtain your network number depends on your p articular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, you most likely have a single user account and the ISP assigns you a dynamic IP address when the connection is established. In that case, number your LAN from a block that the Internet Assigned Numbers Authority (IANA) reserved specifically for private use; do not use any other numbers unless you are told otherwise. For example, you select 192.168.1.0 as the network number, which covers 254 individual addresses from 192.168.1.1 to 192.168.1.254 (0 and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.
After you select the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your BCM50a Integrated Router. Make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your BCM50a Integrated Router computes the subnet mask automatically based on the IP address that you entered. You do not need to change the subnet mask computed by the BCM50a Integrated Router unless you are instructed to do so.

IP address assignment

A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP. However, the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway.

IP assignment with PPPoA or PPPoE encapsulation

If you have a dynamic IP, the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.

IP assignment with RFC 1483 encapsulation

In this case, the IP address assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above.

IP assignment with ENET ENCAP encapsulation

In this case, you can have either a static or dynamic IP. For a static IP, you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP. However, for a dynamic IP, the BCM50a Integrated Router acts as a DHCP client on the WAN and so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A) as the DHCP server assigns them to the BCM50a Integrated Router.

Private IP addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
10.0.0.0 — 10.255.255.255
172.16.0.0 — 172.31.255.255
192.168.0.0 — 192.168.255.255
You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, consult your network administrator for the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information about address assignment, refer to Address Allocation for Private Internets (RFC 1597, since superseded by RFC 1918) and Guidelines for Management of IP Address Space (RFC 1466).
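The addressing rules in the "IP address and subnet mask" and "Private IP addresses" sections above can be checked mechanically. The following is an added example, not code from the Nortel manual or the BCM50a firmware. It derives the default mask from the LAN address you enter (the manual says the router computes it; the classful A/B/C rule used here is an assumption), tests an address against the three private blocks the manual lists, and reports the usable host range for the resulting LAN. The address values are constructed.

```python
"""LAN numbering check for a small-office router.

Added example; not code from the Nortel manual or the BCM50a firmware.
It reproduces the default subnet mask derived from the LAN IP (assumed
here to be the classful default, since the manual does not state the
rule) and the three IANA private blocks (RFC 1597, now RFC 1918).
All address values are constructed for the example.
"""
import ipaddress
from typing import Optional

# The three private blocks listed in the manual.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 to 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 to 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 to 192.168.255.255
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the IANA private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def classful_mask(addr: str) -> str:
    """Default mask from the first octet (assumption: classful A/B/C rule).
    0-127 -> 255.0.0.0, 128-191 -> 255.255.0.0, 192-223 -> 255.255.255.0."""
    first = int(addr.split(".")[0])
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A, B or C unicast address")
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def lan_plan(router_ip: str, mask: Optional[str] = None) -> dict:
    """Summarise the LAN defined by a router address and (optional) mask:
    network number, usable host range, host count, and sanity flags."""
    mask = mask or classful_mask(router_ip)
    net = ipaddress.ip_network(f"{router_ip}/{mask}", strict=False)
    router = ipaddress.ip_address(router_ip)
    first_host = net.network_address + 1     # host part all zeros is the network number
    last_host = net.broadcast_address - 1    # host part all ones is broadcast
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "first_host": str(first_host),
        "last_host": str(last_host),
        "usable_hosts": net.num_addresses - 2,
        "private": is_private(router_ip),
        # The router's own address must be a usable host, not .0 or .255.
        "router_is_usable_host": first_host <= router <= last_host,
    }


if __name__ == "__main__":
    print(lan_plan("192.168.1.1"))                   # the manual's example LAN
    print(lan_plan("10.20.30.1", "255.255.255.0"))   # explicit mask supplied
    print(is_private("203.0.113.5"))                 # a public (documentation) address
```

Run it against the LAN address you intend to give the router before you enter it in the wizard; a result with "private" false, or "router_is_usable_host" false, means the plan should be revisited.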

Nailed-up connection (only with PPP)

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The BCM50a Integrated Router does two things when you specify a nailed-up connection. First, idle timeout is disabled. Second, the BCM50a Integrated Router tries to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be expensive if you are billed by your Internet connection usage time. Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern.
NAT
Network Address Translation (NAT) is the translation of the IP address of a host in a packet: for example, the source address of an outgoing packet is rewritten from an address used within one network to a different IP address known within another network.

Wizard setup configuration: second screen

The second wizard screen varies depending on which mode and encapsulation type you use. All screens shown use the routing mode. Configure the fields and click Next to continue.
Figure 8 Internet connection with PPPoA
Table 3 describes the fields in Figure 8.
Table 3 Internet connection with PPPoA
User Name: Enter the logon name your ISP gave you.
Password: Enter the password associated with the username above.
IP Address: This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Click Obtain an IP Address Automatically if you have a dynamic IP address; otherwise click Static IP Address and type your ISP-assigned IP address in the IP Address text box below.
Connection: Select Connect on Demand if you do not want the connection up all the time and specify an idle time-out (in seconds) in the Max. Idle Timeout field. The default setting selects Connect on Demand with 0 as the idle time-out, which means the Internet session does not time out. Select Nailed-Up Connection if you want your connection up all the time. The BCM50a Integrated Router tries to bring up the connection automatically if it is disconnected. The schedule rules in SMT menu 26 have priority over your Connection settings.
Network Address Translation: This option is available if you select Routing in the Mode field. Select None, SUA Only, or Full Feature from the drop-down list box. For more details, see Chapter 8, “Network Address Translation (NAT) Screens,” on page 121.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
Figure 9 Internet connection with RFC 1483
Table 4 describes the fields in Figure 9.
Table 4 Internet connection with RFC 1483
IP Address: This field is available if you select Routing in the Mode field. Type your ISP-assigned IP address in this field.
Network Address Translation: Select None, SUA Only, or Full Feature from the drop-down list box. For more details, see Chapter 8, “Network Address Translation (NAT) Screens,” on page 121.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
Figure 10 Internet connection with ENET ENCAP
Table 5 describes the fields in Figure 10.
Table 5 Internet connection with ENET ENCAP
IP Address: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise select Static IP Address and type your ISP-assigned IP address in the IP Address text box below.
Subnet Mask: Enter a subnet mask in dotted decimal notation. If you are implementing subnetting, see the IP subnetting appendix in the BCM50a Integrated Router Configuration — Advanced guide.
ENET ENCAP Gateway: You must specify a gateway IP address (supplied by your ISP) when you use ENET ENCAP in the Encapsulation field in the previous screen.
Network Address Translation: Select None, SUA Only, or Full Feature from the drop-down list box. For more details, see Chapter 8, “Network Address Translation (NAT) Screens,” on page 121.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
Figure 11 Internet connection with PPPoE
Table 6 describes the fields in Figure 11.
Table 6 Internet connection with PPPoE
Service Name: Type the name of your PPPoE service here.
User Name: Enter the username exactly as your ISP assigned. If assigned a name in the form user@domain, where domain identifies a service name, then enter both components exactly as given.
Password: Enter the password associated with the username above.
IP Address: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise select Static IP Address and type your ISP-assigned IP address in the IP Address text box below.
Connection: Select Connect on Demand if you do not want the connection up all the time and specify an idle time-out (in seconds) in the Max. Idle Timeout field. The default setting selects Connect on Demand with 0 as the idle time-out, which means the Internet session does not time out. Select Nailed-Up Connection if you want your connection up all the time. The BCM50a Integrated Router tries to bring up the connection automatically if it is disconnected. The schedule rules in SMT menu 26 have priority over your Connection settings.
Network Address Translation: Select None, SUA Only, or Full Feature from the drop-down list box. For more details, see Chapter 8, “Network Address Translation (NAT) Screens,” on page 121.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.

DHCP setup

Using Dynamic Host Configuration Protocol (DHCP, RFC 2131 and RFC 2132), individual clients can obtain TCP/IP configuration from a server. You can configure the BCM50a Integrated Router as a DHCP server. When configured as a server, the BCM50a Integrated Router provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else each computer must be manually configured.

IP pool setup

The BCM50a Integrated Router is preconfigured with a pool of IP addresses for the client machines.

Wizard setup configuration: third screen

1 Verify the settings in the following screen. To change the LAN information on the BCM50a Integrated Router, click Change LAN Configurations. Otherwise click Save Settings to save the configuration and skip to “Test your Internet connection” on page 63.
Figure 12 Wizard Screen 3
2 To change your BCM50a Integrated Router LAN settings, click Change LAN Configuration to display the following screen.
Note: If you change the BCM50a Integrated Router LAN IP address, you must use the new IP address to access the WebGUI again.
Figure 13 Wizard: LAN configuration
Table 7 describes the fields in Figure 13.
Table 7 Wizard: LAN configuration
LAN IP Address: Enter the IP address of your BCM50a Integrated Router in dotted decimal notation, for example, 192.168.1.1 (factory default).
LAN Subnet Mask: Enter a subnet mask in dotted decimal notation.
DHCP: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the BCM50a Integrated Router provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the BCM50a Integrated Router forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the BCM50a Integrated Router from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
Client IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Size of Client IP Pool: This field specifies the size or count of the IP address pool.
DHCP Server Address: Type the IP address of the DHCP server in dotted decimal notation (like 192.168.1.5).
First DNS Server, Second DNS Server, Third DNS Server: Select Obtained From ISP if your ISP dynamically assigns DNS server information (and the BCM50a Integrated Router WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select UserDefined if you have the IP address of a DNS server. Enter the DNS server IP address in the field to the right. Select DNS Relay to have the BCM50a Integrated Router act as a DNS proxy. The BCM50a Integrated Router LAN IP address displays in the field to the right (read-only). The BCM50a Integrated Router tells the DHCP clients on the LAN that the BCM50a Integrated Router itself is the DNS server. When a computer on the LAN sends a DNS query to the BCM50a Integrated Router, the BCM50a Integrated Router forwards the query to the BCM50a Integrated Router system DNS server (configured in the SYSTEM General screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP addresses of devices or web sites in order to access them.
Back: Click Back to go back to the previous screen.
Finish: Click Finish to save the settings and proceed to the next wizard screen.

Wizard setup configuration: connection tests

The BCM50a Integrated Router automatically tests the connection to the computers connected to the LAN ports. To test the connection from the BCM50a Integrated Router to the ISP and the connected LAN devices, click Start Diagnose. Otherwise click Finish to go back to the site map screen.
Figure 14 Wizard Screen 4

Test your Internet connection

Launch your Web browser and navigate to www.nortel.com. Internet access is just the beginning. For more detailed information on the complete range of features for the BCM50a Integrated Router, see the rest of this guide. If you cannot access the Internet, open the WebGUI again to confirm that the Internet settings you configured in the Wizard Setup are correct.
Chapter 4 User Notes

General Notes

There are some router functions that, although performing as expected, might cause some confusion. These are summarized below.
General
1 Default Address Mapping Rules When First Enable NAT Full Feature.
When NAT Full Feature is first enabled, two address mapping rules are added to the address mapping table. This is done to facilitate programming, and matches the default SUA rule. The rules can be deleted.
2 Response to Invalid User ID or Password
When the wrong user ID or password is entered into the router login screen, no error message is displayed. Instead, the login screen is simply displayed again.
3 First DHCP Address Reserved for BCM50
The first address of the DHCP Address Pool is reserved for a BCM50 in the subnet, and will not be assigned to any other equipment. Once assigned to a BCM50, it is reserved for that BCM50, and will not be assigned to any other. If the BCM50 is changed, the following command must be used to enable the router to assign the first address to a different BCM50:
ip dhcp enif0 server m50mac clear
4 Login Requires Reboot
If the Administrator Timeout is set to 0, and an administration session is terminated without logging off, the router needs to be rebooted in order for the administrator to log in to the WebGUI again. Alternatively, the administrator can log in using a Telnet session, if Telnet access has been enabled in the Remote Management menu.
Firewall
1 Address Range Validation
In the firewall rules, the router does not check, when given an address range, that the second address is higher than the first. If a range whose second address is lower than the first is entered, the range is silently ignored, so verify the order of the two addresses when a rule does not take effect.
2 Automatic Firewall Programming
Configurations to various areas of the router, such as remote management or adding a SUA Server, do not automatically add the appropriate rules to the Firewall, to enable the traffic to pass through the router. These need to be added separately.
Note: Firewall rules do not apply to IPSec tunnels.
NAT
1 Deleting NAT Rule Does Not Drop an Existing Connection
If a NAT rule is deleted, the router must be rebooted to apply the change to existing service connections. This is already noted in the GUI.
2 Confusing NAT Traversal Status
If NAT Traversal is enabled, but is not needed (because the client is not behind a NAT router), it will be shown as 'inactive' in the VPN Client Monitor. This may confuse some users.
VPN Client Termination
1 Change of User Account Does Not Drop Existing Connections
If a VPN Client user account is de-activated, deleted, or changed, and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the 'Disconnect' function in the VPN/SA Monitor GUI. This is consistent with other Nortel Contivity products.
2 User Name Restrictions
User names are limited to a maximum length of 63 characters.
3 VPN Client Account Password Restrictions
The password for a VPN Client user cannot contain the single- or double-quote characters.
4 IP Pool Address Overlap
When defining multiple VPN Client Termination IP pools, the router uses the IP Subnet mask, and not the pool size, to determine if the pools are overlapping. The subnet mask of each pool should be appropriate for the size of the VPN Client Termination IP pool.
5 VPN Client Termination - Failure In Specific Addressing Situation
If the Client has an assigned IP address that is the same as the IP address assigned for the Client Tunnel, the connection will fail to be established.
6 VPN Client Termination - Configuration Restrictions
This router has some restrictions when compared to larger Contivity Routers (1000 Series and above). In particular,
VPN Clients cannot be added to the LAN subnet. They must have addresses outside of the LAN subnet.
VPN Clients can have dynamically assigned IP addresses, or they can have statically assigned addresses. However, the router does not support both modes at once. All addresses must either be dynamically assigned, or they must all be statically assigned.
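Notes 4 and 6 above describe two checks that are easy to get wrong when defining VPN Client Termination pools: the router compares pools by subnet mask rather than by pool size, and client addresses must lie outside the LAN subnet. The following Python script is an added example, not part of this Nortel manual or of the router's software; it reproduces the mask-based comparison alongside a true range comparison, derives the tightest mask that covers each pool, and checks the pools against the factory LAN subnet 192.168.1.0/24 given later in this manual. The pool addresses, sizes and masks are constructed for the example.

```python
import ipaddress

# Constructed example pools (label, first address, pool size, subnet mask).
# Both are entered with a /24 mask, far wider than 20 addresses need.
POOLS = [
    ("pool-A", "172.16.10.1", 20, "255.255.255.0"),
    ("pool-B", "172.16.10.101", 20, "255.255.255.0"),
]
LAN_SUBNET = "192.168.1.0/24"  # factory LAN default stated in this manual


def pool_network(first_addr, mask):
    """Network the router derives from a pool's first address and its subnet mask."""
    return ipaddress.IPv4Network((first_addr, mask), strict=False)


def pool_range(first_addr, size):
    """First and last address the pool actually hands out."""
    first = ipaddress.IPv4Address(first_addr)
    return first, first + (size - 1)


def overlap_by_mask(a, b):
    """The router's test (note 4): do the two mask-derived networks overlap?"""
    return pool_network(a[1], a[3]).overlaps(pool_network(b[1], b[3]))


def overlap_by_size(a, b):
    """The intuitive test: do the two address ranges actually share an address?"""
    a_lo, a_hi = pool_range(a[1], a[2])
    b_lo, b_hi = pool_range(b[1], b[2])
    return a_lo <= b_hi and b_lo <= a_hi


def minimal_mask(first_addr, size):
    """Tightest subnet mask whose network contains the whole pool.

    Entering this mask makes the router's mask-based overlap test agree with
    the real address ranges, which is what note 4 asks for.
    """
    lo, hi = pool_range(first_addr, size)
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((lo, prefix), strict=False)
        if hi in net:
            return str(net.netmask)
    raise ValueError("pool cannot be covered")  # unreachable: /0 covers everything


def outside_lan(pool, lan_subnet=LAN_SUBNET):
    """Note 6: the pool must lie entirely outside the LAN subnet."""
    lo, hi = pool_range(pool[1], pool[2])
    lan = ipaddress.IPv4Network(lan_subnet)
    return hi < lan.network_address or lo > lan.broadcast_address


def audit(pools, lan_subnet=LAN_SUBNET):
    """Summarise what the router would conclude versus what is really configured."""
    a, b = pools
    return {
        "router_sees_overlap": overlap_by_mask(a, b),
        "ranges_really_overlap": overlap_by_size(a, b),
        "recommended_masks": {p[0]: minimal_mask(p[1], p[2]) for p in pools},
        "all_outside_lan": all(outside_lan(p, lan_subnet) for p in pools),
    }


if __name__ == "__main__":
    for key, value in audit(POOLS).items():
        print(f"{key}: {value}")
```

With the /24 masks as entered, the router reports the two pools as overlapping even though their 20-address ranges never touch; re-entering each pool with the 255.255.255.224 mask the script recommends makes both tests agree.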
Security
1 Exporting or Saving Self-Signed Certificate
To export or save a self-signed certificate, click details (the icon that looks like a paper note), then click 'Export' or copy the PEM text into the clipboard, and paste into a file.
Routing
1 RIP Version Advertisement Control
To change the version of generated RIP advertisements, the following CLI command needs to be used:
ip rip mode [enif0|enif1] [in|out] [0|1|2|3]
where:
'enif0' is the LAN side, and 'enif1' is the WAN side
'in' affects recognition of received advertisements, and
'out' applies to generated advertisements
The number controls the operating mode:
0 None (disabled)
1 RIP-1 only
2 RIP-2 only
3 Both RIP-1 and RIP-2

Advanced Router Configuration

The following notes are intended to help with advanced router configuration.
Setting up the router when the system has a server
1 If you are using a Full-Feature NAT configuration, first do the following:
a In SUA/NAT / Address Mapping, add a 'Server' rule, specifying the 'Public' IP address of the server.
2 For both SUA-Only and Full-Feature NAT configurations, do the following:
a In SUA/NAT / SUA Server, add the server private IP address and port number(s) to the SUA/NAT Server table.
b In FIREWALL, add a WAN-to-LAN rule.
c If the service is not in the list of available services, add it as a 'Custom Port'.
d Add the rule, selecting the service, and entering the server IP address as the destination IP address.
Connecting two sites to establish a virtual private network
The recommended method to do this is through a branch-to-branch IPSec tunnel.
1 In VPN / Summary, add a new tunnel by editing an unused rule. Create an Active, Branch Office tunnel.
a Select 'Nailed Up' if the tunnel should not be closed while not in use.
b Enter the authentication information, with either a pre-shared key or an imported certificate.
c Enter the IP address assigned to the router WAN port (this should be a static address or a dynamic DNS name) and the IP address of the remote router.
d Select the encryption and authentication algorithms.
e Add an IP policy, by specifying the IP address ranges of the local and remote hosts that will use the tunnel.
2 Repeat these steps at the other end of the branch.
Note: If VPN Client Termination is used on these sites, the client termination address range will need to be included in the tunnel policies in order for the VPN clients to see the other site.
Adding IP telephony to a multi-site network
Scenario 1: A BCM50 in the primary site acting as the gateway for both sites
1 Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is connected to the router, and that both have booted.
2 Add the IP phones to the primary site as per the BCM50 installation guide.
3 Create a tunnel to the remote site, as described above.
4 In the remote site, set the S1 and S2 addresses to the IP address of the BCM50, which is identified in the router DHCP table or in the BCM50. This is done with a CLI command. TELNET or SSH to the router (this needs TELNET or SSH enabled on that router). Select menu 24, then menu 8, and enter the commands:
ip dhcp enif0 server voipserver 1 <BCM50_IP_Address> 7000 1
ip dhcp enif0 server voipserver 2 <BCM50_IP_Address> 7000 1
5 Add the IP phones to the remote site, configured for full DHCP client mode.
Scenario 2: A BCM50 in each site, each acting as the backup call server for the other site
1 At each site,
a Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is connected to the router, and that both have booted.
b Add the IP phones to the site as per the BCM50 installation guide.
c At each router, change the S2 address to the IP address of the remote BCM50, using TELNET or SSH, and the CLI command:
ip dhcp enif0 server voipserver 2 <Remote_BCM50_IP_Address> 7000 1
2 Create a tunnel between the sites, as described above.
3 Create an H.323 trunk between the BCM50s, as per the BCM50 User Guide.
Configuring the router to act as a Nortel VPN Server (Client Termination)
1 Under VPN / Client Termination,
a Enable Client Termination.
b Select the authentication type and the encryption algorithms supported.
c If the clients are assigned IP addresses from a pool, define the pool, and enable it.
2 Assuming a Local User Database is used for authentication,
a Add the user name and password to the local user database as an IPSec user, and activate it. If the hosts will be assigned a static IP address, enter the address that will be assigned to the user.
Configuring the router to connect to a Nortel VPN Server (Client Emulation)
1 Go to VPN / Summary, and select 'Edit'.
2 Select a connection type of Contivity Client, and fill in the web page with the relevant data.
3 If Group authentication or On-Demand Client Tunnels are needed, click the 'Advanced' button to configure this.
Configuring the router to allow remote management of a LAN-connected BCM50
1 Create the appropriate NAT server rules to add the BCM50.
Go to SUA/NAT / SUA Server, and create two server rules for HTTPS and Element Manager access:
One named BCM_HTTPS, with port number 443, and the IP address of the BCM50
One named BCM_EM, with the port number 5989, and the IP address of the BCM50
Note: In DHCP Server mode, the BCM50 IP address will be the lowest address in the pool.
2 Create the appropriate Firewall rules to add BCM50 access.
Go to FIREWALL / Summary, and create two WAN-to-LAN firewall rules:
One rule allowing access from allowed remote computer IP addresses, to the BCM50 IP address, for service type HTTPS(TCP:443)
One rule allowing access from allowed remote computer IP addresses, to the BCM50 IP address, for custom port TCP:5989
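The two firewall rules above are an allow-list: only the listed remote computers may reach the BCM50, and only on the HTTPS and Element Manager ports. The following Python script is an added example, not part of this manual or of the router's software; it models the two rules as data, evaluates constructed WAN-side connection attempts against them, and validates each rule's address range in the way Firewall note 1 in the User Notes says the router does not (an inverted range is reported rather than silently ignored). The BCM50 address, the allowed remote range and the sample connections are constructed, and default-deny for WAN-to-LAN traffic that matches no rule is an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the BCM50 sits at the lowest address of the default DHCP
# pool, and management is permitted only from one remote range taken from the
# documentation prefix 203.0.113.0/24.
BCM50_IP = "192.168.1.2"
ALLOWED_LO, ALLOWED_HI = "203.0.113.10", "203.0.113.20"


@dataclass(frozen=True)
class Rule:
    """One WAN-to-LAN allow rule as entered on the FIREWALL / Summary screen."""
    name: str
    src_lo: str   # first address of the allowed remote range
    src_hi: str   # last address of the allowed remote range
    dst: str      # destination (the BCM50's LAN address)
    proto: str
    port: int


RULES = [
    Rule("BCM_HTTPS", ALLOWED_LO, ALLOWED_HI, BCM50_IP, "tcp", 443),
    Rule("BCM_EM", ALLOWED_LO, ALLOWED_HI, BCM50_IP, "tcp", 5989),
]


def validate_range(lo, hi):
    """Return the range as addresses, or raise if the second address is lower.

    The router ignores an inverted range silently (User Notes, Firewall note 1);
    catching it here turns a silent loss of access into a visible error.
    """
    lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    if hi_a < lo_a:
        raise ValueError(f"inverted range {lo}-{hi}: second address is lower than the first")
    return lo_a, hi_a


def lint_rules(rules):
    """Names of rules whose address range the router would discard."""
    bad = []
    for rule in rules:
        try:
            validate_range(rule.src_lo, rule.src_hi)
        except ValueError:
            bad.append(rule.name)
    return bad


def matches(rule, src, dst, proto, port):
    """Does this connection attempt fall within the rule's source range and service?"""
    lo, hi = validate_range(rule.src_lo, rule.src_hi)
    return (lo <= ipaddress.IPv4Address(src) <= hi
            and dst == rule.dst and proto == rule.proto and port == rule.port)


def decide(rules, src, dst, proto, port):
    """First matching rule allows; anything else is denied (assumed default for
    WAN-to-LAN traffic that matches no rule)."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return "allow", rule.name
    return "deny", None


if __name__ == "__main__":
    # Constructed sample connection attempts arriving from the WAN side.
    attempts = [
        ("203.0.113.15", BCM50_IP, "tcp", 443),        # allowed station, HTTPS
        ("203.0.113.15", BCM50_IP, "tcp", 5989),       # allowed station, Element Manager
        ("198.51.100.7", BCM50_IP, "tcp", 443),        # station outside the allowed range
        ("203.0.113.15", BCM50_IP, "tcp", 22),         # allowed station, unlisted service
        ("203.0.113.15", "192.168.1.50", "tcp", 443),  # allowed station, other LAN host
    ]
    print("rules with inverted ranges:", lint_rules(RULES))
    for attempt in attempts:
        print(attempt, "->", decide(RULES, *attempt))
```

Running lint_rules over the rule set before entering it in the WebGUI catches the case the router does not report: a rule whose range is typed highest-address-first is simply discarded, and the remote station is then unable to reach the BCM50 without any indication of why.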
Setting up the router for guest access
The recommended approach to provide guest access is by creating an IP Alias, and using static addressing for the corporate equipment, to make it a member of the defined Alias subnet. Then use firewall rules to restrict access of the guest equipment. NOTE: if a BCM50 is used, it will also need to be assigned a static IP address.
1 Go to LAN / IP Alias, and Enable IP Alias 1.
2 Define a subnet for the corporate equipment.
3 Statically assign addresses to the corporate equipment that are within the IP Alias subnet.
4 Set up LAN / IP to enable DHCP Server, with an address range that will be used for guest equipment.
5 In the FIREWALL, set up a LAN-to-LAN rule to block traffic between the guest subnet (DHCP Pool) and the corporate subnet (IP Alias subnet).
Note: If branch tunnels are being used, the policies on these tunnels should exclude the guest subnet.
Preventing heavy data traffic from impacting telephone calls
To ensure voice quality during heavy data traffic, bandwidth needs to be reserved for voice traffic. Bandwidth needs to be reserved on both the WAN side, and the LAN side.
1 On BANDWIDTH MANAGEMENT / Summary, activate WAN- and LAN-side bandwidth management.
2 On BANDWIDTH MANAGEMENT / Class Setup, add a WAN subclass, and reserve sufficient bandwidth based on the number of telephones, for Protocol ID 17 (UDP Traffic).
The amount of bandwidth should be based on a reasonable peak number of simultaneous calls, and the data rate needed by the IP telephony CODECs. Refer to the BCM IP Telephony (or other call server) documentation for calculation details.
3 Set up a similar LAN subclass.
Chapter 5 System screens
This chapter provides information on the System screens.

System overview

This section provides background information on features that you cannot configure in the Wizard.

DNS overview

There are three places where you can configure DNS (Domain Name System) setup on the BCM50a Integrated Router.
Use the System General screen to configure the BCM50a Integrated Router to use a DNS server to resolve domain names for BCM50a Integrated Router system features like VPN, DDNS, and the time server.
Use the LAN IP screen to configure the DNS server information that the BCM50a Integrated Router sends to the DHCP client devices on the LAN.
Use the Remote Management DNS screen to configure the BCM50a Integrated Router to accept or discard DNS queries.

Private DNS server

In cases where you want to use domain names to access Intranet servers on a remote private network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP because these DNS servers cannot resolve domain names to private IP addresses on the remote private network.
Figure 15 depicts an example where three VPN tunnels are created from BCM50a Integrated Router A; one to branch office 2, one to branch office 3, and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the BCM50a Integrated Router at branch office 1 uses the Intranet DNS server in headquarters.
Figure 15 Private DNS server example
Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.

Configuring General Setup

Click SYSTEM to open the General screen.
Figure 16 System general setup
Table 8 describes the fields in Figure 16.
Table 8 System general setup
Label: Description
System Name: Choose a descriptive name for identification purposes. Nortel recommends that you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted.
Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP assigns a domain name through DHCP. The domain name entered by you is given priority over the ISP-assigned domain name.
Administrator Inactivity Timer: Type how many minutes a management session (either through the WebGUI or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts can have security risks. A value of 0 means a management session never times out, no matter how long it has been left idle (not recommended).
System DNS Servers (if applicable)
First DNS Server / Second DNS Server / Third DNS Server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The BCM50a Integrated Router uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Select From ISP if your ISP dynamically assigns DNS server information (and the BCM50a Integrated Router WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the BCM50a Integrated Router has a fixed WAN IP address, From ISP changes to None after you click Apply. If you chose From ISP for the second or third DNS server, but the ISP does not provide a second or third IP address, From ISP changes to None after you click Apply.
Select User-Defined if you have the IP address of a DNS server. The IP address can be public or a private address on your local LAN. Enter the DNS server's IP address in the field to the right.
A User-Defined entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate User-Defined entry changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP addresses when configuring VPN, DDNS and the time server.
Select Private DNS if the DNS server has a private IP address and is located behind a VPN peer. Enter the DNS server's IP address in the field to the right.
With a private DNS server, you must also configure the first DNS server entry in the LAN IP screen to use DNS Relay.
You must also configure a VPN branch office rule since the BCM50a Integrated Router uses a VPN tunnel when it relays DNS queries to the private DNS server. The rule must also have an IP policy that includes the LAN IP address of the BCM50a Integrated Router as a local IP address and the IP address of the DNS server as a remote IP address.
A Private DNS entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate Private DNS entry changes to None after you click Apply.
Apply: Click Apply to save your changes to the BCM50a Integrated Router.
Reset: Click Reset to begin configuring this screen afresh.

Dynamic DNS

With Dynamic DNS, you can update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (as in NetMeeting or CU-SeeMe). You can also access your FTP server or Web site on your own computer using a domain name (for instance, myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives can always call you even if they don't know your IP address.
First of all, you must register a dynamic DNS account with, for example, www.dyndns.org. This is for people with a dynamic IP address from their ISP or DHCP server who still want a domain name. The Dynamic DNS service provider gives you a password or key.

DYNDNS wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to use, for example, www.yourhost.dyndns.org and still reach your host name.

Configuring Dynamic DNS

Note: If you have a private WAN IP address, you cannot use Dynamic DNS.
To change the DDNS settings, click SYSTEM, then the DDNS tab. The screen illustrated in Figure 17 appears.
Figure 17 DDNS
Table 9 describes the fields in Figure 17.
Table 9 DDNS
Label: Description
Active: Select this check box to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Names 1~3: Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (,).
User: Enter your username (up to 31 characters).
Password: Enter the password associated with your username (up to 31 characters).
Enable Wildcard: Select the check box to enable DYNDNS Wildcard.
Off Line: This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
IP Address Update Policy:
DDNS Server Auto Detect IP Address: Select this option only when there are one or more NAT routers between the BCM50a Integrated Router and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the BCM50a Integrated Router and the DDNS server.
Use Specified IP Address: Select this option to update the IP address of the host names to the IP address specified below. Use this option if you have a static IP address.
Use IP Address: Enter the IP address if you select the User Specify option.
Apply: Click Apply to save your changes to the BCM50a Integrated Router.
Reset: Click Reset to return to the previously saved settings.

Configuring Password

To change the password of your BCM50a Integrated Router (recommended), click SYSTEM, then the Password tab. The screen illustrated in Figure 18 appears. In this screen, you can change the password of the BCM50a Integrated Router.
Figure 18 Password
Table 10 describes the fields in Figure 18.
Table 10 Password
Label: Description
Administrator Setting: The administrator can access and configure all of the BCM50a Integrated Router's features.
Old Password: Type your existing system administrator password (“PlsChgMe!” is the default password).
New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm: Retype your new system password for confirmation.
Client User Setting: The client user is the person who uses the BCM50a Integrated Router's Contivity Client VPN tunnel. The client user can do the following:
    Configure the WAN ISP and IP screens.
    Configure the VPN Contivity Client settings (except the Advanced screen exclusive use mode for client tunnel and MAC address allowed settings).
    View the SA monitor.
    Configure the VPN Global Setting screen.
    View logs.
    View the Maintenance Status screen.
    Use the Maintenance F/W Upload and Restart screens.
User Name: Type a username for the client user (up to 31 characters).
New Password: Type a password for the client user (up to 31 characters). Note that as you type a password, the screen displays a (*) for each character you type.
Retype to Confirm: Retype the client user password for confirmation.
Apply: Click Apply to save your changes to the BCM50a Integrated Router.
Reset: Click Reset to begin configuring this screen afresh.

Predefined NTP time server list

The BCM50a Integrated Router uses the predefined list of NTP time servers listed in Table 11 if you do not specify a time server or if it cannot synchronize with the time server you specified.
The BCM50a Integrated Router can use this predefined list of time servers regardless of the Time Protocol you select.
When the BCM50a Integrated Router uses the predefined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the BCM50a Integrated Router goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time servers have been tried.
Table 11 Default Time Servers
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw

Configuring Time and Date

To change the time and date of your BCM50a Integrated Router, click SYSTEM, and then Time and Date. The screen in Figure 19 appears. Use this screen to configure the time based on your local time zone.
Figure 19 Time and Date
Table 12 describes the fields in Figure 19.
Table 12 Time and Date
Label: Description
Current Time and Date
Current Time: This field displays the time on your BCM50a Integrated Router. Each time you reload this page, the BCM50a Integrated Router synchronizes the time with the time server.
Current Date: This field displays the date on your BCM50a Integrated Router. Each time you reload this page, the BCM50a Integrated Router synchronizes the date with the time server.
Time and Date Setup
Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.
New Time (hh:mm:ss): This field displays the last updated time from the time server or the last time configured manually. After you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
New Date (yyyy-mm-dd): This field displays the last updated date from the time server or the last date configured manually. After you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Get from Time Server: Select this radio button to have the BCM50a Integrated Router get the time and date from the time server that you specified.
Time Protocol: Select the time service protocol that your time server sends when you turn on the BCM50a Integrated Router. Not all time servers support all protocols, so you need to check with your ISP or network administrator or use trial and error to find a protocol that works. The main difference between the protocols is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868).
Time Server Address: Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information.
Synchronize Now: Click this button to have the BCM50a Integrated Router get the time and date from a time server (see the Time Server Address field). This also saves your changes (including the time server address).
Time Zone Setup
Time Zone: Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Enable Daylight Saving: Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. Select this option if you use Daylight Saving Time.
Start Date: Configure the day and time when Daylight Saving Time starts if you select Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples:
    Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 a.m. local time. So, in the United States, select First, Sunday, April and type 2 in the o'clock field.
    Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So, in the European Union, select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
End Date: Configure the day and time when Daylight Saving Time ends if you select Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples:
    Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 a.m. local time. So, in the United States, select Last, Sunday, October and type 2 in the o'clock field.
    Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So, in the European Union, select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).
Apply: Click Apply to save your changes to the BCM50a Integrated Router.
Reset: Click Reset to begin configuring this screen afresh.
ALG
With Application Layer Gateway (ALG), an application can pass through NAT and the firewall. You must also configure NAT and firewall rules depending upon the type of access you want to allow.
Note: You must enable the FTP ALG in order to use bandwidth management on that application.

Configuring ALG

To change the ALG settings of your BCM50a Integrated Router, click SYSTEM and then ALG. The screen appears as shown in Figure 20.
Figure 20 ALG
Table 13 describes the labels in Figure 20.
Table 13 ALG
Label: Description
Enable FTP ALG: Select this check box to allow FTP (File Transfer Protocol) to send and receive files through the BCM50a Integrated Router.
Apply: Click Apply to save your changes to the BCM50a Integrated Router.
Reset: Click Reset to begin configuring this screen afresh.
Chapter 6 LAN screens

This chapter describes how to configure LAN settings.

LAN overview

A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, configure RIP and multicast settings, and partition your physical network into logical networks.

DHCP setup

Using DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients can obtain TCP/IP configuration at start-up from a server. You can configure the BCM50a Integrated Router as a DHCP server or disable it. When configured as a server, the BCM50a Integrated Router provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computers must be configured manually.

IP pool setup

The BCM50a Integrated Router is preconfigured with a pool of IP addresses for the DHCP clients (DHCP Pool). Do not assign static IP addresses from the DHCP pool to your LAN computers.

DNS servers

Use the LAN IP screen to configure the DNS server information that the BCM50a Integrated Router sends to the DHCP client devices on the LAN.

LAN TCP/IP

The BCM50a Integrated Router has a built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

Factory LAN defaults

The LAN parameters of the BCM50a Integrated Router are preset in the factory with the following values:
IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
DHCP server enabled with 126 client IP addresses starting from 192.168.1.2.

These parameters work for the majority of installations. If your ISP gives you explicit DNS server addresses, read the embedded WebGUI help regarding which fields need to be configured.

RIP setup

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the BCM50a Integrated Router broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received.
RIP Version controls the format and the broadcasting method of the RIP packets that the BCM50a Integrated Router sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must also use multicasting.
By default, RIP Direction is set to Both and RIP Version to RIP-1.

Multicast

Traditionally, IP packets are transmitted in one of two ways—Unicast (1 sender-1 recipient) or Broadcast (1 sender-everybody on the network). Multicast delivers IP packets to a group of hosts on the network—not everybody and not just 1.
IGMP (Internet Group Management Protocol) is a network layer protocol used to establish membership in a Multicast group—it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you want to read more detailed information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236). The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
The BCM50a Integrated Router supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the BCM50a Integrated Router queries all directly connected networks to gather group membership. After that, the BCM50a Integrated Router periodically updates this information. IP multicasting can be enabled or disabled on the BCM50a Integrated Router LAN, WAN or both interfaces in the WebGUI (LAN; WAN). Select None to disable IP multicasting on these interfaces.

Configuring IP

Click LAN to open the IP screen.
Figure 21 LAN IP
Table 14 describes the fields in Figure 21.
Table 14 LAN IP
Label: Description
DHCP: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the BCM50a Integrated Router provides TCP/IP configuration for the clients. When set as a server, fill in the IP Pool Starting Address and Pool Size fields.
Select Relay to have the BCM50a Integrated Router forward DHCP requests to another DHCP server. When set to Relay, fill in the DHCP Server Address field.
Select None to stop the BCM50a Integrated Router from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool. The default is 192.168.1.2.
Pool Size: This field specifies the size, or count, of the IP address pool. The default is 126.
DHCP Server Address: Type the IP address of the DHCP server in dotted decimal notation (like 192.168.1.5).
DNS Servers Assigned by DHCP Server: The BCM50a Integrated Router passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The BCM50a Integrated Router only passes this information to the LAN DHCP clients when you select the DHCP Server check box. When you clear the DHCP Server check box, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured.
First DNS Server Second DNS Server Third DNS Server
LAN TCP/IP IP Address Type the IP address of your BCM50a Integrated Router in dotted
IP Subnet Mask The subnet mask specifies the netwo rk number portion of an IP
RIP Direction With RIP (Routing Information Protocol, RFC 1058 and RFC 1389) a
Select From ISP if your ISP dynamically assigns DNS server information (and the BCM50a Integrated Router's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right.
Select DNS Relay to have the BCM50a Integrated Router act as a DNS proxy. The BCM50a Integrated Router's LAN IP address displays in the field to the right (read-only). The BCM50a Integrated Router tells the DHCP clients on the LAN that the BCM50a Integrated Router itself is the DNS server. When a computer on the LAN sends a DNS query to the BCM50a Integrated Router, the BCM50a Integrated Router forwards the query to the BCM50a Integrated Router's system DNS server (configured in the SYSTEM General screen) and relays the response to the computer. You can only select DNS Relay for one of the three servers.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.
decimal notation (192.168.1.1 factory default).
address. Your BCM50a Integrated Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the BCM50a Integrated Router 255.255.255.0.
router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the BCM50a Integrated Router broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received. None is the default.
N0115790
Chapter 6 LAN screens 95
Table 14 LAN IP
Label Description
RIP Version The RIP V ersion field controls the format and the broadcasting method
of the RIP packets that the BCM50a Integrated Router sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M sends the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on nonrouter machines since they generally do not listen to the RIP multicast address and so does not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast Select IGMP V - 1 or IGMP V -2 or None. IGMP (Internet Group Multicast
Protocol) is a network layer protocol used to establish membership in a Multicast group—it is not used to carry user data. IGMP version 2 (RFC
2236) is an improvement over version 1 (RFC 1112 ) but IGMP version 1 is still in wide use. If you want to read more detailed information about interoperability between IGMP version 2 and version 1, see sections 4
and 5 of Internet Group Management Protocol (RFC 2236). Windows Networking (NetBIOS over TCP/IP) Allow between
LAN and WAN
Apply Click Apply to save your changes to the BCM50a Integrated Router. Reset Click Reset to begin configuring this screen afresh.
Select this check box to forward NetBIOS packets from the LAN to the
WAN and from the WAN to the LAN. If your firewall is enabled with the
default policy set to block WAN to LAN traffic, you also need to create a
WAN to LAN firewall rule that forwards NetBIOS traffic.
Clear this check box to block all NetBIOS packets going from the LAN
to the WAN and from the WAN to the LAN.
This field does the same as the Allow between WAN and LAN field in
the WAN IP screen. Enabling one automatically enables the other.
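The following is an added example, not code from the Nortel manual or the BCM50a firmware. It builds and parses RIP-1 and RIP-2 datagrams (the UDP port 520 payload) to make concrete what the RIP Direction and RIP Version fields above control; the same two fields appear on the IP Alias screen (Table 16). A RIP-1 entry carries no subnet mask or next hop, so the receiver has to infer the subnet from its own interface, which is why the manual says RIP-2 "carries more information". The RIP-2 authentication entry is also shown: the simple-password type is readable straight out of the datagram. The sample datagrams and the password "secret" are constructed for the example.

```python
import struct
import ipaddress

RIP_PORT = 520
RIP_INFINITY = 16                             # metric 16 means "unreachable" (RFC 1058, RFC 2453)
AFI_IP = 2                                    # address family identifier: IP
AFI_AUTH = 0xFFFF                             # RIP-2 authentication entry (RFC 2453 section 4.1)
AUTH_TYPES = {2: "simple password", 3: "MD5"} # MD5 keyed auth is RFC 2082


def build_rip(version, command, routes, password=None):
    """Build a RIP datagram body. command 1 = request, 2 = response.

    routes is a list of (destination, mask, next_hop, metric). RIP-1 entries
    carry no route tag, mask or next hop (those bytes must be zero on the wire),
    so for version 1 they are zeroed whatever the caller passed. password adds
    the RIP-2 simple-password entry, which is sent in cleartext.
    """
    pkt = struct.pack("!BBH", command, version, 0)
    if password is not None:
        if version != 2:
            raise ValueError("only RIP-2 carries an authentication entry")
        pkt += struct.pack("!HH16s", AFI_AUTH, 2, password.encode())  # "16s" zero-pads
    for dest, mask, next_hop, metric in routes:
        if version == 1:
            mask, next_hop = None, None
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, 0,
                           ipaddress.IPv4Address(dest).packed,
                           ipaddress.IPv4Address(mask or "0.0.0.0").packed,
                           ipaddress.IPv4Address(next_hop or "0.0.0.0").packed,
                           metric)
    return pkt


def parse_rip(pkt):
    """Decode a RIP datagram, applying the discard rules of RFC 1058 / RFC 2453."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("bad RIP length")
    command, version, must_be_zero = struct.unpack("!BBH", pkt[:4])
    if version == 0 or command not in (1, 2):
        raise ValueError("unknown RIP version or command")
    if version == 1 and must_be_zero:
        raise ValueError("RIP-1 datagram with must-be-zero field set: discard")
    result = {"version": version, "command": "request" if command == 1 else "response",
              "auth": None, "whole_table_request": False, "routes": []}
    zero = b"\0" * 4
    for off in range(4, len(pkt), 20):
        afi = struct.unpack("!H", pkt[off:off + 2])[0]
        if afi == AFI_AUTH:
            if version == 1 or off != 4:
                raise ValueError("authentication entry only valid as the first RIP-2 entry")
            _, atype, adata = struct.unpack("!HH16s", pkt[off:off + 20])
            result["auth"] = {"type": AUTH_TYPES.get(atype, atype),
                              "password": adata.rstrip(b"\0") if atype == 2 else None}
            continue
        if afi == 0 and command == 1:
            result["whole_table_request"] = True   # single AFI-0 entry, metric 16
            continue
        if afi != AFI_IP:
            raise ValueError(f"unsupported address family {afi}")
        _, tag, dest, mask, next_hop, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + 20])
        if version == 1 and (tag or mask != zero or next_hop != zero):
            raise ValueError("RIP-1 entry with non-zero must-be-zero fields: discard")
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"metric {metric} out of range 1..16")
        result["routes"].append({
            "dest": str(ipaddress.IPv4Address(dest)),
            "mask": None if mask == zero else str(ipaddress.IPv4Address(mask)),   # None: infer from interface
            "next_hop": None if next_hop == zero else str(ipaddress.IPv4Address(next_hop)),
            "metric": metric,
            "reachable": metric < RIP_INFINITY,
        })
    return result


if __name__ == "__main__":
    # Constructed sample datagrams, not captures from a BCM50a.
    v1 = build_rip(1, 2, [("10.0.0.0", None, None, 2)])
    v2 = build_rip(2, 2, [("10.1.0.0", "255.255.0.0", "0.0.0.0", 3),
                          ("172.16.0.0", "255.255.0.0", "0.0.0.0", RIP_INFINITY)], password="secret")
    print(parse_rip(v1))
    print(parse_rip(v2))
```

Both sample datagrams parse cleanly, and the second one hands back the password as plain bytes. That is the practical content of the RIP Direction caveat: anything on the segment that can send to UDP port 520 (broadcast for RIP-1 and RIP-2B, 224.0.0.9 for RIP-2M) can offer the router routes whenever the direction is Both or In Only.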

Configuring Static DHCP

With Static DHCP, you can assign IP addresses on the LAN to specific individual computers based on their MAC addresses.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. A MAC address is easy to change in software, so a static DHCP entry fixes which address a cooperating computer receives; it is not an access control and does not stop another computer from claiming that address.
To change the static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown in Figure 22.
Figure 22 Static DHCP
Table 15 describes the fields in Figure 22.
Table 15 Static DHCP
Label Description

#: This is the index number of the Static IP table entry (row).
MAC Address: Type the MAC address (with colons) of a computer on your LAN.
IP Address: Type the IP address that you want to assign to the computer with this MAC address.
Apply: Click Apply to save your changes to the BCM50a Integrated Router.
Reset: Click Reset to begin configuring this screen afresh.

Configuring IP Alias

With IP Alias, you can partition a physical network into different logical networks over the same Ethernet interface. The BCM50a Integrated Router supports three logical LAN interfaces through its single physical Ethernet interface with the BCM50a Integrated Router itself as the gateway for each LAN network.
Note: Make sure that the subnets of the logical networks do not overlap.
To change the IP Alias settings of your BCM50a Integrated Router, click LAN, then the IP Alias tab. The screen appears as shown in Figure 23.
Figure 23 IP Alias
Table 16 describes the fields in Figure 23.
Table 16 IP Alias
Label Description

IP Alias 1,2: Select the check box to configure another LAN network for the BCM50a Integrated Router.
IP Address: Enter the IP address of your BCM50a Integrated Router in dotted decimal notation.
IP Subnet Mask: Your BCM50a Integrated Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the BCM50a Integrated Router.
RIP Direction: With RIP (Routing Information Protocol, RFC 1058 and RFC 1389), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the BCM50a Integrated Router broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the BCM50a Integrated Router sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on nonrouter machines because they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Apply: Click Apply to save your changes to the BCM50a Integrated Router.
Reset: Click Reset to begin configuring this screen afresh.
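The following is an added example, not code from the Nortel manual or the BCM50a firmware. It checks, before you click Apply, that the values from the LAN IP screen (Table 14), the Static DHCP screen (Table 15) and the IP Alias screen (Table 16) are consistent with one another: the DHCP pool fits inside the LAN subnet and does not swallow the router's own address or the broadcast address, the logical networks do not overlap (the Note above), and each static entry has a well-formed MAC address and an IP address inside one of the LAN subnets. The function name check_lan_plan and the problem messages are mine; the sample values are the manual's factory defaults plus constructed misconfigurations.

```python
import ipaddress
import re

# Six colon-separated hexadecimal pairs, the form the Static DHCP screen asks for (e.g. 00:A0:C5:00:00:02).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def check_lan_plan(lan_ip, lan_mask, dhcp_mode="Server", pool_start=None, pool_size=0,
                   dhcp_server=None, aliases=(), static=()):
    """Return a list of problems; an empty list means the plan is consistent.

    lan_ip, lan_mask : LAN TCP/IP IP Address and IP Subnet Mask
    dhcp_mode        : "Server", "Relay" or "None"
    pool_start, size : IP Pool Starting Address and Pool Size (Server mode)
    dhcp_server      : DHCP Server Address (Relay mode)
    aliases          : [(ip, mask), ...] for IP Alias 1 and 2
    static           : [(mac, ip), ...] Static DHCP entries
    """
    problems = []
    iface = ipaddress.IPv4Interface(f"{lan_ip}/{lan_mask}")
    router, net = iface.ip, iface.network
    if router in (net.network_address, net.broadcast_address):
        problems.append(f"LAN address {router} is the network or broadcast address of {net}")

    # Logical networks sharing the one physical LAN port must not overlap.
    nets = [("LAN", net)]
    for i, (aip, amask) in enumerate(aliases, 1):
        nets.append((f"IP Alias {i}", ipaddress.IPv4Interface(f"{aip}/{amask}").network))
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                problems.append(f"{nets[i][0]} {nets[i][1]} overlaps {nets[j][0]} {nets[j][1]}")

    if dhcp_mode == "Server":
        if pool_start is None or pool_size < 1:
            problems.append("DHCP Server mode needs an IP Pool Starting Address and a Pool Size")
        else:
            start = ipaddress.IPv4Address(pool_start)
            end = start + (pool_size - 1)          # pool is contiguous, so the last lease is start + size - 1
            if start not in net or end not in net:
                problems.append(f"DHCP pool {start}-{end} does not fit inside {net}")
            else:
                if start == net.network_address or end == net.broadcast_address:
                    problems.append(f"DHCP pool {start}-{end} includes the network or broadcast address")
                if start <= router <= end:
                    problems.append(f"DHCP pool {start}-{end} contains the router's own address {router}")
    elif dhcp_mode == "Relay":
        if dhcp_server is None:
            problems.append("DHCP Relay mode needs a DHCP Server Address")
        elif ipaddress.IPv4Address(dhcp_server) == router:
            problems.append("DHCP Relay target must not be the router itself")
    elif dhcp_mode != "None":
        problems.append(f"unknown DHCP mode {dhcp_mode!r}")

    seen_macs, seen_ips = set(), set()
    for mac, sip in static:
        if not MAC_RE.match(mac):
            problems.append(f"Static DHCP: malformed MAC address {mac!r}")
        if mac.lower() in seen_macs:
            problems.append(f"Static DHCP: MAC {mac} listed twice")
        seen_macs.add(mac.lower())
        addr = ipaddress.IPv4Address(sip)
        if addr in seen_ips:
            problems.append(f"Static DHCP: {addr} assigned to more than one MAC")
        seen_ips.add(addr)
        if addr == router:
            problems.append(f"Static DHCP: {addr} is the router's own address")
        elif not any(addr in n for _, n in nets):
            problems.append(f"Static DHCP: {addr} is outside every LAN subnet")
    return problems


if __name__ == "__main__":
    # Factory defaults from the manual: 192.168.1.1/24 with a pool of 126 from 192.168.1.2.
    print(check_lan_plan("192.168.1.1", "255.255.255.0", "Server", "192.168.1.2", 126))
    # Constructed misconfiguration: a pool of 254 from .2 runs onto 192.168.1.255, an alias in
    # the same /24 overlaps the LAN, and the static entry uses dashes and the router's address.
    for p in check_lan_plan("192.168.1.1", "255.255.255.0", "Server", "192.168.1.2", 254,
                            aliases=[("192.168.1.129", "255.255.255.0")],
                            static=[("00-A0-C5-00-00-02", "192.168.1.1")]):
        print("problem:", p)
```

The defaults come back with an empty list; the second call reports each of the four mistakes separately, which is more useful than the single generic error a web form tends to give.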
Chapter 7 WAN screens
This chapter describes how to configure WAN settings.

WAN overview

This section provides background information on features that you cannot configure in the Wizard.

TCP/IP Priority (metric)

The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. The number must be between 1 and 15; a number greater than 15 (16 is RIP's "infinity") means the destination is unreachable. The smaller the number, the lower the cost.
1 The metric sets the priority for the BCM50a Integrated Router's routes to the Internet. Each route must have a unique metric.
2 The priority of the WAN port route must always be higher than the traffic redirect route priority; that is, the WAN port route must have the lower metric.
If the WAN port route has a metric of 1 and the traffic redirect route has a metric of 2, then the WAN port route acts as the primary default route. If the WAN port route fails to connect to the Internet, the BCM50a Integrated Router tries the traffic redirect route next.
The traffic redirect route cannot take priority over the WAN route.

Configuring General

Click WAN to open the General screen.
Figure 24 WAN: General