ZyXEL Communications P-2302HW User Manual

P-2302HW SERIES
VoIP Station Gateway
(With Lifeline/ DECT/ USB)
Support Notes
Version 3.60
Aug. 2006
INDEX
Application Notes
General Application Notes
Internet Connection
Setup the Prestige as a DHCP Relay
Configure an Internal Server Behind the Prestige
Configure a PPTP server Behind SUA
About Filters & Filter Examples
Using Dynamic DNS (DDNS)
Network Management Using SNMP
Using syslog
Using IP Alias
Using IP Multicast
Using Prestige traffic redirect
Using Universal Plug n Play (UPnP)
Trunk Setup in P-2302HWL/HWUDL-P1
VoIP Application Notes
SIP Account Setup
Advanced Phone port settings
Speed dial Phone book setup
FAQ
ZyNOS FAQ
What is ZyNOS?
How to access the embedded web configurator?
What is the default LAN IP address and password? And, how do I change it?
How do I upload the firmware via the web configurator?
How do I upgrade/back up the firmware using an FTP client program through the LAN?
How do I upload or back up the configuration file (the ROM file) via the web configurator?
How do I back up/restore configurations using an FTP client program through the LAN?
Why can't I telnet into Prestige from the WAN?
What should I do if I forget the system password?
What is SUA? When should I use SUA?
All contents copyright (c) 2005 ZyXEL Communications Corporation.
What is the difference between NAT and SUA?
How many network users does SUA/NAT support?
What are Device and Protocol filters?
Why can't I configure device or protocol filters?
Product FAQ
What is the Prestige Internet Access Sharing Router?
Will the Prestige work with my Internet connection?
What do I need to use the Prestige?
What is PPPoE?
Does the Prestige support PPPoE?
How do I know I am using PPPoE?
Why does my provider use PPPoE?
Which Internet Applications can I use with the Prestige?
How can I configure the Prestige?
What network interface does the Prestige support?
What can I do with the Prestige?
Does the Prestige support dynamic IP addressing?
What is the difference between the internal IP and the real IP from my ISP?
How does e-mail work through the Prestige?
What is the difference between the 'Standard' and 'RoadRunner' service?
Is it possible to access a server running behind SUA from the outside Internet? If possible, how?
What DHCP capability does the Prestige support?
How do I use the reset button? And which parameter will be reset by the reset button?
What network interface does the new Prestige series support?
Does the Prestige support TFTP?
Does the Prestige support TFTP over WAN?
How fast is the DSL connection?
My Prestige cannot obtain a WAN IP address from the ISP to connect to the Internet, what should I do?
What is BOOTP/DHCP?
What is DDNS?
When do I need the DDNS service?
What DDNS servers does the Prestige support?
What is DDNS wildcard?
Does the Prestige support DDNS wildcard?
Can VPN tunnels still work on a Prestige using SUA?
How do I set up my Prestige to route IPsec packets over SUA?
VoIP FAQ
What is Voice over IP?
How does Voice over IP work?
Why use VoIP?
In addition, it would take a much longer time, more effort and money to implement new features using circuit switching. Since the IP technology is a standard and various applications are available, it is easier and more cost-effective to integrate new services and applications using IP.
What is the relationship between codec and VoIP?
What advantage does Voice over IP provide?
What is the difference between H.323 and SIP?
Can H.323 and SIP interoperate with each other?
What is voice quality?
How are voice quality normally rated?
What is codec?
What is the relationship between codec and VoIP?
What codec types does Prestige support?
Which codec should I choose?
What do I need in order to use SIP?
I am unable to register to a SIP server
I can register to the SIP server but cannot establish a call
I can make or receive a call but the voice traffic only goes one way, not both way
I have tried all the troubleshooting steps, but still cannot register to the SIP server. What should I do next?
What should I do if there may be a hardware problem with my Prestige?
Trouble Shooting
Unable to Get WAN IP from ISP
Using Embedded Packet Trace
Debugging PPPoE Connection
CLI Command List

Application Notes

General Application Notes

Internet Connection

The following figure shows a typical Internet access application using the Prestige. Before accessing the Internet in an office environment, you must configure the Prestige as outlined below.
Before you begin
Setting up Your Windows Computer
Setting up the Prestige router
Troubleshooting
Before you begin
The following lists the default settings on the Prestige.
1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits)
2. DHCP server enabled with IP pool starting from 192.168.1.33
3. Default SMT menu password = 1234
Setting up your Windows computer(s)
1. Ethernet connection
Your computer(s) must have an Ethernet card installed.
If you have only one computer, connect the computer to the LAN port on the Prestige using a crossover Ethernet cable (red).
If you have more than one computer, you must use a hub or switch to connect the computers to the LAN port on the Prestige using a straight-through Ethernet cable.
2. TCP/IP Installation
You must first install TCP/IP software on each computer before you can use it for Internet access. If you have already installed TCP/IP, go to the next section to configure it; otherwise, follow these steps to install the software:
In the Control Panel/Network window, click the Add button.
In the Select Network Component Type window, select Protocol and click Add.
In the Select Network Protocol window, select Microsoft and then select TCP/IP from the Network Protocols field and click OK.
3. TCP/IP Configuration
Follow these steps to configure Windows TCP/IP:
In the Control Panel/Network window, select TCP/IP and click Properties.
In the TCP/IP Properties window, select Obtain an IP address automatically.
Note: Do not assign an arbitrary IP address and subnet mask to your computer(s). Otherwise, you will not be able to access the Internet.
Click the WINS configuration tab and select Disable WINS Resolution.
Click the Gateway tab. Select any installed gateways and click the Remove button until there is none listed.
Click the DNS Configuration tab and select Disable DNS.
Click OK to save and close the TCP/IP properties window.
Click OK to close the Network window. You will be prompted to insert your Windows CD or disk.
When the drivers are updated, you will be asked if you want to restart the computer. Make sure your Prestige is turned on before clicking Yes. Repeat the above steps for each Windows computer on your network.
Setting up the Prestige router
If you have a Single User Account (SUA), follow the procedure below to configure the Prestige. You can use a web browser (such as IE) to access the embedded web server on the Prestige for device management. Before you log into the web management interface, make sure that no one is logged into the Prestige through Telnet or the console port.
1. Accessing the Prestige Web Management Interface
Open your web browser (such as IE) and enter the LAN IP address of the Prestige in the Address field. The default LAN IP of the Prestige is 192.168.1.1. Note that you can either enter http://192.168.1.1 or https://192.168.1.1 (for secure login).
2. First Login
A login screen displays. Enter the password and press Login. The default password is '1234' which is the same as the one you use to log into the SMT.
3. Use the WIZARD SETUP screens to configure Internet access settings on the Prestige.
The Internet access configuration screen varies depending on the Internet connection type you select. The following figure shows an example screen for PPPoE connection type.
In the next wizard screen, select Get dynamically from your ISP if the ISP assigns you an IP address dynamically. Otherwise, select Use Fixed IP address and enter the static IP address given by the ISP in the MY WAN IP Address field.

Setup the Prestige as a DHCP Relay

What is DHCP Relay?
DHCP (Dynamic Host Configuration Protocol) allows a network device to obtain IP settings from a server. You can configure the P-2602 as a DHCP server or DHCP relay.
When the P-2602 is configured as a DHCP server, it assigns IP addresses to clients on the LAN. When the P-2602 acts as a DHCP relay, it forwards client DHCP requests to the DHCP server and forwards the responses from the DHCP server to the DHCP clients. The following figure shows an example.
Setup the Prestige as a DHCP Client
1. In SMT menu 3.2, select Relay in the DHCP field and enter the IP address of the DHCP server in the DHCP Server Address field.
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
DHCP= Relay                        TCP/IP Setup:
Client IP Pool:
Starting Address= N/A              IP Address= 192.168.1.1
Size of Client IP Pool= N/A        IP Subnet Mask= 255.255.255.0
First DNS Server= N/A              RIP Direction= Both
IP Address= N/A                    Version= RIP-1
Second DNS Server= N/A             Multicast= None
IP Address= N/A                    Edit IP Alias= No
Third DNS Server= N/A
IP Address= N/A
DHCP Server Address= 192.168.1.2
Press ENTER to Confirm or ESC to Cancel:

Configure an Internal Server Behind the Prestige

Introduction
SUA makes your LAN appear as a single machine to the outside world. However, you can make a server (such as a web server, FTP server or mail server) behind the ZyXEL device accessible/visible to the outside world. A server behind the ZyXEL device cannot be set to be a DHCP client. That is, the server must use a fixed IP address so outside users can access the server using the static IP address.
A service is identified by its standard port number. You can allow public access to servers for specified services based on the port number. In addition, you can also set a default server behind SUA. Thus service requests that do not match any of the servers are forwarded to the default server. If you do not set a default SUA server, then the unknown service requests are simply discarded.
Configuration
To make an inside server visible to the outside world, specify the service port number and the IP address of the server in SMT menu 15.2.1 - NAT Server Setup or the Port Forwarding screen in the web configurator. Users use the WAN IP address of the Prestige to access the inside SUA servers. You can obtain the WAN IP address of the Prestige in SMT menu 24.1.
The following figure shows a configuration example to allow public access to an internal Web server.
The following table lists some common service port numbers.
Service                      Port Number
FTP                          21
Telnet                       23
SMTP                         25
DNS (Domain Name Server)     53
www-http (Web)               80

Configure a PPTP server Behind SUA

Introduction
PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself.
In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server.
Windows Dial-Up Networking uses the Internet standard Point-to-Point Protocol (PPP) to provide a secure, optimized multiple-protocol network connection over dial-up telephone lines. All data sent over this connection can be encrypted and compressed, and multiple network level protocols (TCP/IP, NetBEUI and IPX) can be run correctly. Windows NT Domain Login level security is preserved even across the Internet.
Windows 98 PPTP Client / Internet / NT RAS Server Protocol Stack
PPTP appears as a new modem type (Virtual Private Networking Adapter) that can be selected when setting up a connection in the Dial-Up Networking folder. The VPN Adapter type does not appear elsewhere in the system. Since PPTP encapsulates its data stream in the PPP protocol, VPN requires a second dial-up adapter. This second dial-up adapter for VPN is added during the installation phase of the Upgrade in addition to the first dial-up adapter that provides PPP support for the analog or ISDN modem.
PPTP is already supported in Windows NT and Windows 98. For Windows 95, a software upgrade with Dial-Up Networking 1.2 is required.
Configuration
This application note explains how to establish a PPTP connection to a remote private network on the Prestige with SUA enabled. In ZyNOS, all PPTP packets are forwarded to the internal PPTP Server (Windows NT server) behind SUA. You must specify the PPTP port number in SMT menu 15 for the Prestige to forward the packets to the intended Windows NT server using the private IP address.
Example
The following example shows how to dial to an ISP via the Prestige and then establish a tunnel to a private network. You need to configure the settings on a PPTP server (such as a Windows NT server), a PPTP client (Windows 9x) and the Prestige to set up the PPTP application. The following summarizes the settings for each PPTP device.
o PPTP server setup (Windows NT)
Create a new VPN service in Control Panel>Network.
Create a new PPTP user account.
Enable the RAS port.
Select a network protocol (such as IPX, TCP/IP or NetBEUI) for the RAS port.
Set the Prestige as the Internet gateway.
o PPTP client setup (Windows 9x)
In Dial-up Networking, create a secure VPN connection through the Prestige (using the WAN IP address) and enter the correct user name and password to log into the Windows NT RAS server.
Set the Prestige that connects to the ISP as the Internet gateway.
o Prestige Setup
Before establishing a VPN connection from the PPTP client (Windows 9x) to the PPTP server (Windows NT server), you must first connect the Prestige to the ISP for Internet access.
Enter the IP address and the port number(s) of the PPTP server to allow public access to the server behind the Prestige. The following shows a configuration example.
After you have configured the settings to allow public access to the PPTP server, test the connection from the PPTP client to the PPTP server. You can use Ping to check that the PPTP client can reach the PPTP server over the Internet connection. For example, enter "ping 203.66.113.2" if the WAN IP address of the Prestige is 203.66.113.2.
Once the connection is up, you can establish a secure VPN connection from the PPTP client to the ISP. The default gateway is then used to route the traffic between the PPTP client and the server.
However, before you can establish a secure VPN connection from the PPTP client to the PPTP server, you need to know the WAN IP address of the Prestige with the SUA feature enabled. Depending on your Internet account type and ISP, the Prestige WAN IP address is either fixed (static) or dynamic (different each time). You need to enter the WAN IP address of the Prestige in the VPN dial-up connection screen. You can check the WAN IP address of the Prestige in SMT menu 24.1 or using PNC Monitor. If the Prestige is using a fixed (static) IP address, you can always use this fixed IP address to connect to the PPTP server.
The following figure shows an example VPN dial-up screen. The VPN Server field is 140.113.1.225 which is a dynamic IP address assigned to the Prestige by the ISP. Make sure you enter the WAN IP address of the Prestige correctly; otherwise, the VPN connection will fail. After the VPN connection is established, you can start using Internet applications (such as on-line games).

About Filters & Filter Examples

How does the ZyXEL filter feature work?
Filter Structure
The Prestige allows you to configure up to twelve filter sets with six rules in each set (for a total of 72 filter rules on the Prestige). You can apply up to four filter sets on a port to block packets that match the rules. Since you can configure up to six filter rules in a set, you can apply up to 24 filter rules on a port. The following figure shows the logic flow of a filter rule on the Prestige.
Filter Types and SUA
You can configure two filter rule categories: device and protocol. The Generic filter rules belong to the device category; they act on the raw data from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category; they act on the IP and IPX packets.
TCP/IP filters are applied before SUA address translation on outgoing traffic to the WAN and after SUA address translation on incoming traffic from the WAN. This allows the Prestige to apply the filters with the specified IP address and port number accurately before SUA.
Generic filters are applied at the point of transmission, for example, when the traffic is received or transmitted on an interface.
Figure 1 shows the filter logic flow sequence. Steps of the logic flow sequence for LAN-to-WAN traffic are listed below.
1. LAN device and protocol input filter sets.
2. WAN protocol call and output filter sets.
3. If SUA is enabled, SUA changes the source IP address from 192.168.1.33 to 203.205.115.6 and port number from 1023 to 4034.
4. WAN device output and call filter sets.
Steps of the logic flow sequence for WAN-to-LAN traffic are listed below.
1. WAN device input filter sets.
2. If SUA is enabled, SUA changes the destination IP address from 203.205.115.6 to 192.168.1.33 and port number from 4034 to 1023.
3. WAN protocol input filter sets.
4. LAN device and protocol output filter sets.
Generic and TCP/IP (and IPX) filter rules are in different filter sets. You can only activate one type of filter rule on the Prestige. The SMT automatically detects and prevents you from activating two filter types at the same time. If you configure a Generic and a TCP/IP filter rule (as shown in the following figures) and try to activate them at the same time, the 'Protocol and device filter rules cannot be active together' error message displays.
Menu 21.1.1:
Menu 21.1.1 - Generic Filter Rule
Filter #: 1,1
Filter Type= Generic Filter Rule
Active= Yes
Offset= 0
Length= 0
Mask= N/A
Value= N/A
More= No Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Menu 21.1.2:
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
TCP Estab= N/A
More= No Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Saving to ROM. Please wait...
Protocol and device rule cannot be active together
You have to apply the protocol and device filters separately (in SMT menu 3.1 and 11.5). This prevents you from mistakenly applying the wrong filters. The menus are modified to include new fields as shown below.
Menu 3.1:
Menu 3.1 - General Ethernet Setup
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Menu 11.1:
Menu 11.1 - Remote Node Profile
Rem Node Name= LAN             Route= IP
Active= Yes                    Bridge= No
Encapsulation= PPP             Edit PPP Options= No
Incoming:                      Rem IP Addr= ?
Rem Login= test                Edit IP/IPX/Bridge= No
Rem Password= ********
Outgoing:                      Session Options:
My Login= testt                Edit Filter Sets= Yes
My Password= *****
Authen= CHAP/PAP
Press ENTER to Confirm or ESC to Cancel:
Menu 11.5:
Menu 11.5 - Remote Node Filter
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
The SMT does not allow you to apply a protocol filter set (configured in menu 21) to the device filters field in menu 3.1 or 11.5. Likewise, you cannot apply a device filter in the protocol filters field. However, the SMT cannot detect whether you have configured device and protocol filter rules in the same filter set. This was allowed in the pre-ZyNOS v3.40 firmware. Thus when you upgrade the firmware to ZyNOS v3.40, the old configuration is translated to the new format and any filter configuration inconsistency is logged. It is highly recommended that you check the system log (in SMT menu 24.3.1) before setting up the device on the network.
Note: The Prestige automatically deactivates the routing/bridging functions when an inconsistency is detected in the filter rule settings.
Filter to block web services
Configuration
Before configuring a filter, you need to know the following information:
1. The outbound packet type (the protocol and port number)
2. The source IP address
Generally, the outbound packets for a web service could be as follows:
a. HTTP packet, TCP (06) protocol with port number 80
b. DNS packet, TCP (06) protocol with port number 53 or
c. DNS packet, UDP (17) protocol with port number 53
To block web services on all LAN hosts, enter 0.0.0.0 for the source IP address. Otherwise enter the IP address of a LAN computer to block web services for that computer. The configuration procedure is described below.
o Create a filter set in SMT menu 21, for example, set 1
o Create three filter rules in menu 21.1.1, 21.1.2, and 21.1.3
Rule 1- block the HTTP packets, TCP (06) protocol type with port number 80
Rule 2- block the DNS packets, TCP (06) protocol type with port number 53
Rule 3- block the DNS packets, UDP (17) protocol type with port number 53
o Apply the filter set in menu 4
1. Create a filter set in menu 21
Menu 21 - Filter Set Configuration
Filter Filter
Set # Comments Set # Comments
------ ----------------- ------ -----------------
1 Web Request 7 _______________
2 _______________ 8 _______________
3 _______________ 9 _______________
4 _______________ 10 _______________
5 _______________ 11 _______________
6 _______________ 12 _______________
Enter Filter Set Number to Configure= 1
Edit Comments=
Press ENTER to Confirm or ESC to Cancel:
2. Configure rule one for (a). HTTP packets using TCP(06) and port number 80.
Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 80
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
3. Configure rule 2 for (b). DNS requests using TCP(06) and port number 53.
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 53
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
4. Rule 3 for (c). DNS packets using UDP(17) and port number 53.
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 53
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
5. After the three rules are configured, you will see the rule summary in menu 21.
Menu 21.1 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- -------------------------------------- - - -
1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80 N D N
2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=53 N D N
3 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0,DP=53 N D F
6. Apply the filter set in the 'Output Protocol Filter Set' field for the remote node.
A filter to block a specific client
Configuration
1. Create a filter set in SMT menu 21, for example, set 1
Menu 21 - Filter Set Configuration
Filter Filter
Set # Comments Set # Comments
------ ----------------- ------ -----------------
1 Block a client 7 _______________
2 _______________ 8 _______________
3 _______________ 9 _______________
4 _______________ 10 _______________
5 _______________ 11 _______________
6 _______________ 12 _______________
Enter Filter Set Number to Configure= 0
Edit Comments=
Press ENTER to Confirm or ESC to Cancel:
2. Create one rule to block all packets from this client.
Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
Source: IP Addr= 192.168.1.5
IP Mask= 255.255.255.255
Port #=
Port # Comp= None
TCP Estab= N/A
More= No Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
Key Settings:
Source IP addr................Enter the IP address of the computer you want to block in this field.
IP Mask.......................Enter the IP subnet mask bits in this field. For example, to block only one computer, enter 255.255.255.255.
Action Matched................Select 'Drop' to discard all the packets from this computer.
Action Not Matched............Select 'Forward' to allow the packets from other computers.
3. After you have configured the filter rule, apply this filter set (by entering "1") in the 'Output Protocol Filter Set' field of the remote node setup.
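The following added example (not part of the original manual, and not ZyXEL code) models how a filter set is walked rule by rule, using the three-rule summary from Menu 21.1 and the "Block a client" rule above. It assumes that IP Protocol 0 and a 0.0.0.0 mask mean "any", that rules 1 and 2 use 0.0.0.0 masks like rule 3, and that a packet no rule decides is forwarded; the packet addresses and the BROKEN_SET variant are constructed for illustration.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _addr_ok(pkt_addr, rule_addr, rule_mask):
    # Mask 0.0.0.0 matches any address; 255.255.255.255 matches one host.
    mask = _ip(rule_mask)
    return (_ip(pkt_addr) & mask) == (_ip(rule_addr) & mask)

def rule_matches(rule, pkt):
    if rule["proto"] not in (0, pkt["proto"]):    # assumption: 0 = any protocol
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False                              # Port # Comp= Equal
    return (_addr_ok(pkt["src"], rule["sa"], rule["sa_mask"])
            and _addr_ok(pkt["dst"], rule["da"], rule["da_mask"]))

def evaluate(filter_set, pkt):
    """Walk the rules in order and return 'Drop' or 'Forward'."""
    for r in filter_set:
        action = r["matched"] if rule_matches(r, pkt) else r["not_matched"]
        if action != "Next":                      # 'Check Next Rule' keeps walking
            return action
    return "Forward"                              # assumption: undecided packets pass

def make_rule(proto, dport, matched, not_matched,
              sa="0.0.0.0", sa_mask="0.0.0.0"):
    return {"proto": proto, "dport": dport, "matched": matched,
            "not_matched": not_matched, "sa": sa, "sa_mask": sa_mask,
            "da": "0.0.0.0", "da_mask": "0.0.0.0"}

# The three rules from the Menu 21.1 summary (columns m and n).
WEB_DNS_SET = [make_rule(6, 80, "Drop", "Next"),
               make_rule(6, 53, "Drop", "Next"),
               make_rule(17, 53, "Drop", "Forward")]
# The single-rule "Block a client" set.
BLOCK_CLIENT_SET = [make_rule(0, None, "Drop", "Forward",
                              sa="192.168.1.5", sa_mask="255.255.255.255")]
# Constructed mistake: rule 1 forwards on a miss, so rules 2 and 3 never run.
BROKEN_SET = [make_rule(6, 80, "Drop", "Forward")] + WEB_DNS_SET[1:]

def pkt(proto, dport, src="192.168.1.33", dst="203.0.113.10"):
    # Constructed sample packet; addresses are placeholders.
    return {"proto": proto, "dport": dport, "src": src, "dst": dst}

if __name__ == "__main__":
    for name, fs in (("summary", WEB_DNS_SET), ("broken", BROKEN_SET)):
        for p in (pkt(6, 80), pkt(6, 53), pkt(17, 53), pkt(6, 443)):
            print(name, p["proto"], p["dport"], evaluate(fs, p))
```

The BROKEN_SET case shows why every rule except the last must use 'Check Next Rule' for Action Not Matched: a 'Forward' on an early rule lets DNS traffic through before rules 2 and 3 are ever consulted.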
A filter to block a specific MAC address
This configuration example shows you how to use a Generic Filter to block packets with a specific MAC address on the LAN.
Before you Begin
Before you configure the filter, you need to know the MAC address of the computer. Check the MAC address of the network card on the computer (for example, you can use the "ipconfig /all" command or check the system hardware information). You can also use packet trace on the Prestige to identify packets with the specified MAC address. The following figure shows a packet trace example.
ras> sys trcp channel enet0 bothway
ras> sys trcp sw on
Now a client on the LAN is trying to ping the Prestige...
ras> sys trcp sw off
ras> sys trcp disp
TIME: 37c060 enet0-RECV len:74 call=0
0000: [00 a0 c5 01 23 45] [00 80 c8 4c ea 63] 08 00 45 00
0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84
0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66
0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040: 77 61 62 63 64 65 66 67 68 69
TIME: 37c060 enet0-XMIT len:74 call=0
0000: [00 80 c8 4c ea 63] [00 a0 c5 01 23 45] 08 00 45 00
0010: 00 3c 00 07 00 00 fe 01 f0 ef ca 84 9b 63 ca 84
0020: 9b 5d 00 00 4d 5c 03 00 05 00 61 62 63 64 65 66
0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040: 77 61 62 63 64 65 66 67 68 69
The following shows detailed information with Ethernet Version II:
+ Ethernet Version II
- Address: 00-80-C8-4C-EA-63 (Source MAC) ----> 00-A0-C5-01-23-45 (Destination MAC)
- Ethernet II Protocol Type: IP
+ Internet Protocol
- Version (MSB 4 bits): 4
- Header length (LSB 4 bits): 5
- Service type: Precd=Routine, Delay=Normal, Thrput=Normal, Reli=Normal
- Total length: 60 (Octets)
- Fragment ID: 60172
- Flags: May be fragmented, Last fragment, Offset=0 (0x00)
- Time to live: 32 seconds/hops
- IP protocol type: ICMP (0x01)
- Checksum: 0xE3EA
- IP address 202.132.155.93 (Source IP address) ----> 202.132.155.99 (Destination IP address)
- No option
+ Internet Control Message Protocol
- Type: 8 - Echo Request
- Code: 0
- Checksum: 0x455C
- Identifier: 768
- Sequence Number: 1280
- Optional Data: (32 bytes)
Configurations
From the packet trace example above, we know that a client is trying to ping the Prestige. And from the second trace using Ethernet Version II, we know the Prestige will send a reply to the client. The following sample generic filter is configured to block the MAC address [00 80 c8 4c ea 63].
1. First, in the incoming packet on the LAN, the source MAC address to block starts at the 7th octet of the frame, which is offset 6 when counting from 0.
TIME: 37c060 enet0-RECV len:74 call=0
0000: [00 a0 c5 01 23 45] [00 80 c8 4c ea 63] 08 00 45 00
0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84
0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66
0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040: 77 61 62 63 64 65 66 67 68 69
2. Based on the information obtained, configure the generic filter rule as shown below.
Menu 21.1.1 - Generic Filter Rule
Filter #: 1,1
Filter Type= Generic Filter Rule
Active= Yes
Offset= 6
Length= 6
Mask= ffffffffffff
Value= 0080c84cea63
More= No Log= None
Action Matched= Drop
Action Not Matched= Forward
Key Settings:
Generic Filter Rule
Select Generic Filter Rule in the Filter Type field.
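The following added example (not part of the original manual, and not ZyXEL code) applies the Offset/Length/Mask/Value rule above to the two frames from the packet trace, assuming a rule matches when the masked bytes at the offset equal the masked Value. The BLOCK_OUI rule and the SIBLING frame are constructed to show what a shorter mask does.

```python
# Frames copied from the packet trace on this page (74 bytes each).
RECV = bytes.fromhex(
    "00a0c5012345" "0080c84cea63" "0800" "4500"   # dst MAC, src MAC, type, IP
    "003ceb0c00002001e3eaca849b5dca84"
    "9b630800455c03000500616263646566"
    "6768696a6b6c6d6e6f70717273747576"
    "77616263646566676869")
XMIT = bytes.fromhex(
    "0080c84cea63" "00a0c5012345" "0800" "4500"
    "003c00070000fe01f0efca849b63ca84"
    "9b5d00004d5c03000500616263646566"
    "6768696a6b6c6d6e6f70717273747576"
    "77616263646566676869")

def generic_match(frame, offset, length, mask_hex, value_hex):
    """True when (frame[offset:offset+length] & mask) == (value & mask)."""
    mask, value = bytes.fromhex(mask_hex), bytes.fromhex(value_hex)
    if len(mask) != length or len(value) != length:
        raise ValueError("Mask and Value must each be Length bytes long")
    field = frame[offset:offset + length]
    if len(field) < length:
        return False              # frame too short to contain the field
    return all((f & m) == (v & m) for f, m, v in zip(field, mask, value))

def apply_rule(frame, rule):
    hit = generic_match(frame, rule["offset"], rule["length"],
                        rule["mask"], rule["value"])
    return rule["matched"] if hit else rule["not_matched"]

def source_mac(frame):
    return frame[6:12].hex("-")   # octets 7..12 of an Ethernet II frame

# The rule from Menu 21.1.1 above.
BLOCK_MAC = {"offset": 6, "length": 6, "mask": "ffffffffffff",
             "value": "0080c84cea63", "matched": "Drop",
             "not_matched": "Forward"}
# Constructed variant: compare only the first three octets of the source MAC.
BLOCK_OUI = dict(BLOCK_MAC, mask="ffffff000000")
# Constructed frame: same as RECV, last three source MAC octets changed.
SIBLING = RECV[:9] + bytes.fromhex("112233") + RECV[12:]

if __name__ == "__main__":
    for name, frame in (("RECV", RECV), ("XMIT", XMIT), ("SIBLING", SIBLING)):
        print(name, source_mac(frame),
              apply_rule(frame, BLOCK_MAC), apply_rule(frame, BLOCK_OUI))
```

The XMIT frame is forwarded because the client's MAC sits at offset 0 (destination) there, so a rule at offset 6 only catches frames sent by that client.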