manualshive.com logo in svg

Fido FireBrick FB2700, User Manual, Page: 150 / 264

Share
Download
Fido FireBrick FB2700 User Manual Download Page 150

Internet Service Providers

129

20.8.2. BGP with carrier

This interlink is usually ised soley for the purpose of a BGP link to the carrier, and all other IPs used by the ISP
or carrier are announced via that BGP connection. You may want to configure filters on the BGP connection
to limit the prefixes accepted from the carrier or announced to the carrier.

An alternative approach is to configure the interlink interface on a separate routing table. The FB2700 can have
separate routing tables which act as completely separate internets. Using a separate table means you do not
have to worry about what prefixes are announced on the BGP link as they will only apply to that routing table.

Whilst we would recommend using a BGP connection like this, if the carrier does not handle BGP then you
will need static routes. Using a separate routing table can make this much simpler as you can set a default route
to the carrier gateway on the interlink subnet.

If using a separate routing table, you have to take care to correctly configure the routing table on the interface,
BGP, RADIUS, L2TP and loopback configuration elements.

20.8.3. RADIUS session steering

We recommend using RADIUS session steering with the carrier, if they support it. Session steering means
that the carrier sends a RADIUS request to the ISP before connecting each session by L2TP. The reply steers
the connection to a specific LNS. The connection details include the target (IP address) which will be one of
the FireBrick's address, and a pre-agreed hostname which identifies the tunnel level connection, along with a
secret to authentication the connection. Obviously these details have to match what the FireBrick is expecting
in its L2TP configuration. Session steering gives a lot of control to the ISP, and is ideal if you operate bonding
connections where multiple links need to use the same LNS.

The carrier will typically expect you to have two RADIUS endpoints to which they can send requests. One
for master and one for backup. Whilst the FB2700 will answer RADIUS on any of its IP addresses, we know
some carriers have issues using the interlink IP addresses. We recommend you create two additional loopback
addresses for session steering RADIUS.

These addresses are configured as a BGP announced loopback address. You can use MEDs to steer which IP is
on which LNSs. If you have more than two LNSs you can ensure that the same IPs are announced from more
than one LNS, and let BGP decide which LNS gets the RADIUS requests. RADIUS is a simple question and
answer protocol so it does not matter which LNS gets the request.

The  session  steering  configuration  (Platform  RADIUS)  is  very  flexible.  We  suggest  you  use  the  same
configuration on each LNS so that the replies are consistent regardless of where the request goes. The reply
says where to connect the session (as well as hostname and password to use). The reply can be a single LNS
or can be more than one reply with a priority tagging if the carrier supports this. The FB2700 can pick an LNS
randomly from a set, or pick one based on a hash of the username, part of the username, or circuit ID. This can
be useful when multiple lines are in a bonded arrangement where using the same prefix on a username ensures
all of the connections are steered to the same LNS for bonding.

If you have a lot of LNSs we recommend an N+1 arrangement. E.g. if you have 4 LNSs you may set your
RADIUS session steering to reply with one of three active LNSs as the first choice (perhaps ussing a hash)
and the 4th (backup) LNS as a second choice. This keeps one LNS as a hot standby for failure and also allows
maintenance on it, such as s/w updates. You can then change which of the there LNSs are active and either wait
for lines to move when the reconnect or clear lines on the new backup LNS. This makes it easy to do rolling
upgrades on s/w or other maintenance.

Session steering also allows specific configurations to be based on username, and circuit and so on, so allowing
different responses for different carriers and different end users to be customised if necessary. It is also possible
to send a copy of the session steering RADIUS to your own RADIUS server for logging.

Summary of Contents for FireBrick FB2700

Page 1: ...FireBrick FB2700 User Manual FB2700 Versatile Network Appliance ...

Page 2: ......

Page 3: ...FireBrick FB2700 User Manual This User Manual documents Software version V1 41 000 Copyright 2012 2015 FireBrick Ltd ...

Page 4: ...dd a new user 7 3 Configuration 9 3 1 The Object Hierarchy 9 3 2 The Object Model 9 3 2 1 Formal definition of the object model 10 3 2 2 Common attributes 10 3 3 Configuration Methods 10 3 4 Web User Interface Overview 10 3 4 1 User Interface layout 11 3 4 1 1 Customising the layout 11 3 4 2 Config pages and the object hierarchy 12 3 4 2 1 Configuration categories 12 3 4 2 2 Object settings 13 3 4...

Page 5: ... targets 30 5 1 1 1 Logging to Flash memory 30 5 1 1 2 Logging to the Console 31 5 2 Enabling logging 31 5 3 Logging to external destinations 31 5 3 1 Syslog 31 5 3 2 Email 32 5 3 2 1 E mail process logging 33 5 4 Factory reset configuration log targets 33 5 5 Performance 33 5 6 Viewing logs 33 5 6 1 Viewing logs in the User Interface 33 5 6 2 Viewing logs in the CLI environment 34 5 7 System even...

Page 6: ... 7 NAT with other types of external routing 55 7 4 8 Mixing NAT and non NAT 55 7 4 9 Carrier grade NAT 55 7 4 10 Using NAT setting on subnets 56 8 Routing 57 8 1 Routing logic 57 8 2 Routing targets 58 8 2 1 Subnet routes 58 8 2 2 Routing to an IP address gateway route 58 8 2 3 Special targets 59 8 3 Dynamic route creation deletion 59 8 4 Routing tables 59 8 5 Bonding 60 8 6 Route overrides 60 9 P...

Page 7: ...ections 76 12 1 2 4 6 Routing 76 12 1 2 4 7 Other parameters 76 12 1 2 5 Setting up Manual Keying 76 12 1 2 5 1 IP endpoints 77 12 1 2 5 2 Algorithms and keys 77 12 1 2 5 3 Routing 77 12 1 2 5 4 Mode 77 12 1 2 5 5 Other parameters 78 12 1 3 Using EAP with IPsec IKE 78 12 1 4 Using certificates with IPsec IKE 78 12 1 4 1 Creating certificates 80 12 1 5 Choice of algorithms 80 12 1 6 NAT Traversal 8...

Page 8: ...lling check 97 15 2 Access check 98 15 3 Packet Dumping 98 15 3 1 Dump parameters 99 15 3 2 Security settings required 99 15 3 3 IP address matching 100 15 3 4 Packet types 100 15 3 5 Snaplen specification 100 15 3 6 Using the web interface 100 15 3 7 Using an HTTP client 101 15 3 7 1 Example using curl and tcpdump 101 16 VRRP 102 16 1 Virtual Routers 102 16 2 Configuring VRRP 103 16 2 1 Advertise...

Page 9: ... 2 7 Announcing black hole routes 120 18 2 8 Announcing dead end routes 121 18 2 9 Bad optional path attributes 121 18 2 10 network element 121 18 2 11 route subnet and other elements 121 18 2 12 Route feasibility testing 121 18 2 13 Diagnostics 122 18 2 14 Router shutdown 122 18 2 15 TTL security 122 19 OSPF 123 19 1 What is OSPF 123 19 2 OSPF Setup 123 19 2 1 Overview 123 19 2 2 Standards 123 19...

Page 10: ...o 142 E 6 Incoming Call Request 142 E 7 Incoming Call Reply 143 E 8 Incoming Call Connected 143 E 9 Outgoing Call Request 143 E 10 Outgoing Call Reply 144 E 11 Outgoing Call Connected 144 E 12 Call Disconnect Notify 144 E 13 WAN Error Notify 144 E 14 Set Link Info 144 E 15 Notes 145 E 15 1 BT specific notes 145 E 15 2 IP over LCP 145 F Supported RADIUS Attribute Value Pairs for L2TP operation 146 ...

Page 11: ...163 I 1 11 Show profile status 163 I 1 12 Enable profile control switch 163 I 1 13 Disable profile control switch 163 I 1 14 Show RADIUS servers 163 I 1 15 Show DNS resolvers 163 I 2 Networking commands 164 I 2 1 Subnets 164 I 2 2 Ping and trace 164 I 2 3 Show a route from the routing table 164 I 2 4 List routes 164 I 2 5 List routing next hops 164 I 2 6 See DHCP allocations 165 I 2 7 Clear DHCP a...

Page 12: ...p level 174 K 1 1 config Top level config 174 K 2 Objects 175 K 2 1 system System settings 175 K 2 2 link Web links 176 K 2 3 user Admin users 176 K 2 4 eap User access controlled by EAP 177 K 2 5 log Log target controls 177 K 2 6 log syslog Syslog logger settings 178 K 2 7 log email Email logger settings 178 K 2 8 services System services 179 K 2 9 snmp service SNMP service settings 179 K 2 10 nt...

Page 13: ...iguration IKEv2 209 K 2 51 ike connection connection configuration 209 K 2 52 ipsec route IPsec tunnel routes 211 K 2 53 ike roaming IKE roaming IP pools 211 K 2 54 ike proposal IKE security proposal 212 K 2 55 ipsec proposal IPsec AH ESP proposal 212 K 2 56 ipsec manual peer configuration 212 K 2 57 ping Ping graph definition 214 K 2 58 profile Control profile 214 K 2 59 profile date Test passes ...

Page 14: ...l Control for RA and DHCPv6 bits 234 K 3 24 bgpmode BGP announcement mode 234 K 3 25 sfoption Source filter option 234 K 3 26 pppoe mode Type of PPPoE connection 234 K 3 27 pdp context type Type of IP connection 235 K 3 28 ipsec type IPsec encapsulation type 235 K 3 29 ipsec auth algorithm IPsec authentication algorithm 235 K 3 30 ipsec crypt algorithm IPsec encryption algorithm 235 K 3 31 peertyp...

Page 15: ...tegories 12 3 4 The Setup category 13 3 5 Editing an Interface object 14 3 6 Show hidden attributes 14 3 7 Attribute definitions 14 3 8 Navigation controls 15 4 1 Setting up a new user 21 4 2 Software upgrade available notification 27 4 3 Manual Software upload 28 7 1 Example sessions created by drop and reject actions 46 7 2 Processing flow chart for rule sets and session rules 48 C 1 Product lab...

Page 16: ...c algorithm proposals 81 14 1 List of system services 92 14 2 List of system services 93 15 1 Packet dump parameters 99 15 2 Packet types that can be captured 100 17 1 Ring Type 109 17 2 Ring Order 110 17 3 Access Accept 113 17 4 Default tones 115 18 1 Peer types 118 18 2 Communities 120 18 3 Network attributes 121 19 1 OSPF config attributes 124 C 1 DHCP client names used 139 E 1 SCCRQ 141 E 2 SC...

Page 17: ...og email Attributes 178 K 12 services Elements 179 K 13 snmp service Attributes 179 K 14 ntp service Attributes 179 K 15 telnet service Attributes 180 K 16 http service Attributes 181 K 17 dns service Attributes 181 K 18 dns service Elements 182 K 19 dns host Attributes 182 K 20 dns block Attributes 182 K 21 radius service Attributes 183 K 22 radius service Elements 184 K 23 radius service match A...

Page 18: ...s 206 K 66 fb105 Attributes 207 K 67 fb105 Elements 208 K 68 fb105 route Attributes 208 K 69 ipsec ike Attributes 209 K 70 ipsec ike Elements 209 K 71 ike connection Attributes 209 K 72 ike connection Elements 211 K 73 ipsec route Attributes 211 K 74 ike roaming Attributes 211 K 75 ike proposal Attributes 212 K 76 ipsec proposal Attributes 212 K 77 ipsec manual Attributes 212 K 78 ipsec manual Ele...

Page 19: ...ol setting 232 K 124 LinkClock Physical port Gigabit clock master slave setting 232 K 125 LinkLED LED settings 232 K 126 LinkPower PHY power saving options 233 K 127 LinkFault Link fault type to send 233 K 128 trunk mode Trunk port more 233 K 129 ramode IPv6 route announce level 234 K 130 dhcpv6control Control for RA and DHCPv6 bits 234 K 131 bgpmode BGP announcement mode 234 K 132 sfoption Source...

Page 20: ...FireBrick FB2700 User Manual xx K 152 ring group type Type of ring when one call in queue 239 K 153 record beep option Record beep option 239 K 154 Basic data types 239 ...

Page 21: ... a product that has the feature set and performance to handle the tasks encountered in today s office networking environments where new access technologies such as Fibre To The Cabinet FTTC deliver faster connections than ever before The new software is closely related to that which runs on FireBrick s big box product the FB6000 a carrier grade product that has been proven in the field for a numbe...

Page 22: ...ess to the FB2700 and can be applied if you have made configuration changes that have resulted in loss of access to the web user interface or any other situation where it is appropriate to start from scratch for example commissioning an existing unit for a different role or where you ve forgotten an administrative user password It is also possible to temporarily reset the FB2700 to allow you to re...

Page 23: ...n the devices in the FB2x00 series The main difference between the two devices in the series is that the FB2500 can route traffic at up to only 100Mb s whilst the FB2700 is faster typically up to 350Mb s The other advantage the FB2700 offers is that you can directly attach an ordinary 3G dongle via the USB port on the front and use a mobile data connection this is typically used as a back up for a...

Page 24: ...rsion on the FB2700 software downloads website http www firebrick co uk software php PRODUCT 2700 This includes the revision history for all software releases 1 2 2 Intended audience This manual is intended to guide FB2700 owners in configuring their units for their specific applications We try to make no significant assumption about the reader s knowledge of FireBrick products but as might be exp...

Page 25: ... related to the current discussion Note a specific but not critical point relating to the surrounding text Caution a potentially critical point that you should pay attention to failure to do so may result in loss of data security issues loss of network connectivity etc 1 2 6 Comments and feedback If you d like to make any comments on this Manual point out errors make suggestions for improvement or...

Page 26: ...g a library of Application Note documents that you can refer to each Application Note describes how to use and configure a FireBrick in specific scenarios such as using the device in a multi tenant Serviced Office environment or using the FireBrick to bond multiple WAN connections together 1 3 4 White Papers FireBrick White Papers cover topics that deserve specific discussion they are not related ...

Page 27: ... your LAN and it will get an address Port 4 is configured by default not to give out any addresses and as such it should not interfere with your existing network You would need to check your DHCP server to find what address has been assigend to the FB2700 2 2 Accessing the web based user interface If you used Method 1 you should browse to the FireBrick s web interface as follows or you can use the...

Page 28: ...page for managing the configuration 2 2 1 Add a new user You now need to add a new user with a password in order to gain full access to the FireBrick s user interface Click on the Users icon then click on the Add link to add a user The Users page is shown below with the Add link highlighted Figure 2 2 Initial Users page Enter a suitable username in the Name box and enter a password passwords are m...

Page 29: ...ve a new configuration that includes your new user definition You should now see a page showing the progress of storing the new configuration in Flash memory Figure 2 4 Configuration being stored On this page there is a Login link in red text click on this link and then log in using the username and password you chose We recommend you read Chapter 3 to understand the design of the FB2700 s user in...

Page 30: ...a locally attached subnet is a child of an object that defines an interface and as such defines that the subnet is accessible on that specific interface Since multiple interfaces can exist other interface objects establish different contexts for subnet objects Additional inter object associations are established via attribute values that reference other objects typically by name e g a firewall rul...

Page 31: ...s to avoid confusion 3 3 Configuration Methods The configuration objects are created and manipulated by the user via one of two configuration methods web based graphical User Interface accessed using a supported web browser an XML eXtensible Markup Language file representing the entire object hierarchy editable via the web interface or can be uploaded to the FB2700 The two methods operate on the s...

Page 32: ...nd showing the current software version the remaining page area contains the content for the selected part of the user interface Figure 3 1 shows the main menu when it is set to display horizontally Note that the main menu items themselves have a specific function when clicked clicking such items displays a general page related to that item for example clicking on Status shows some overall status ...

Page 33: ...s to set up FireBricks in a style and branding of their choice 3 4 2 Config pages and the object hierarchy The structure of the config pages mirrors the object hierachy and therefore they are themselves naturally hierachical Your postition in the hierachy is illustrated in the breadcrumbs trail at the top of the page for example Firewall mapping rules rule set 1 of 3 filters rule 7 of 19 ICMP This...

Page 34: ... factory reset configuration You can push down into the hierarchy by clicking the Edit link in a table row This takes you to a page to edit that specific object The page also shows any child objects of the object being edited using the same horizontal line delimited section style used in the top level categories You can navigate back up the hierarchy using various methods see Section 3 4 3 Caution...

Page 35: ...box is show the attribute name this is a compact string that exactly matches the underlying XML attribute name a short description of the attribute Tip If there is no default shown for an attribute then its value if needed is zero blank null empty string false internally it is zero bits In some cases the presence of an attribute will have meaning even if that attribute is an empty string or zero v...

Page 36: ... The configuration pages are generated on the fly using JavaScript within your web browser environment i e client side scripting As such the browser is essentially unaware of changes to page content and cannot track these changes this means the browser s navigation buttons Back Forward will not correctly navigate through a series of configuration pages Please take care not to use the browser s Bac...

Page 37: ...ML 3 5 1 Introduction to XML An XML file is a text file i e contains human readable characters only with formally defined structure and content An XML file starts with the line xml version 1 0 encoding UTF 8 This defines the version of XML that the file complies with and the character encoding in use The UTF 8 character coding is used everywhere by the FireBrick The XML file contains one or more e...

Page 38: ...element which contains the entire element hierarchy In the FB2700 the root element is config and it contains top level configuration elements that cover major areas of the configuration such as overall system settings interface definitions firewall rule sets etc In addition to this User Manual there is reference material is available that documents the XML elements refer to Section 3 2 1 3 5 3 Vie...

Page 39: ...chfront co uk resolvers 81 187 42 42 81 187 96 96 services port name WAN ports 1 port name LAN ports 2 interface name WAN port WAN subnet name ADSL ip 81 187 106 73 30 interface interface name LAN port LAN subnet name LAN ip 81 187 96 94 28 dhcp name LAN ip 81 187 96 88 92 log default interface rule set name filters no match action drop rule name Our Traffic source interface self comment FB origin...

Page 40: ...uploaded to the FireBrick using HTTP transfers done via tools such as curl Using these methods configuration of the FB2700 can be integrated with existing administrative systems Note Linebreaks are shown in the examples below for clarity only they must not be entered on the command line 3 6 1 Download To download the configuration from the FB2700 you need to perform an HTTP GET of the following UR...

Page 41: ...eed to send the configuration XML file as if posted by a web form using encoding MIME type multi part form data An example of doing this using curl run on a Linux box is shown below curl http FB2700 IP address or DNS name config config user username password form config filename ...

Page 42: ... As with any such object erase operation the object will not actually be erased until the configuration is saved Once you have added a new user or are editing an existing user the object editing page will appear as shown in Figure 4 1 Figure 4 1 Setting up a new user The minimum attributes that must be specified are name which is the username that you type in when logging in and password passwords...

Page 43: ...he default of full is suitable Table 4 2 Configuration access levels Level Description none No access unless explicitly listed view View only access no passwords read Read only access with passwords full Full view and edit access DEFAULT 4 1 3 Login idle timeout To improve security login sessions to either the web user interface or to the command line interface via telnet see Chapter 21 will time ...

Page 44: ...ch is a long string of random hexadecimal digits Some apps can provide a random key for you to copy paste in to the set up page If you have means to generate a suitably long random hex string you could enter in to the device settings and the setup page As long as the key matches then the AOTH device should work For a pysical OATH device the key is pre set and supplied with the device The key needs...

Page 45: ...Table 4 3 allow you to specify general administrative details about the unit Table 4 3 General administrative details attributes Attribute Purpose comment General comment field contact Contact name intro Text that appears on the home page the home page is the first page you see after logging in to the FB2700 This text is also displayed immediately after you login to a command line session location...

Page 46: ... SHA256 32 to 47 bytes of hex The first 32 bytes are an SHA256 hash of the password appended with up to 15 bytes of salt The preferred has is SHA256 with 15 bytes of salt 4 3 Software Upgrades FB2700 users benefit from FireBrick s pro active software development process which delivers fast fixes of important bugs and implementation of many customer enhancement requests and suggestions for improvem...

Page 47: ...ecated and a replacement attribute should be used instead A release where such an change has been made and existing configurations will need modifying are termed Breakpoint software releases Breakpoint releases are special as they are able to automatically update an existing configuration used with the previous software release so that it is compatible with the new release and functionality is ret...

Page 48: ... the main Status page the FB2700 checks whether there is newer software available given the current software version in use and whether alpha releases are allowed If new software is available you will be informed of this as shown in Figure 4 2 Figure 4 2 Software upgrade available notification To see what new software is available click on the Upgrade available link This will take you to a page th...

Page 49: ...Figure 4 2 This step is necessary since the manual upgrade feature currently shares the page used for Internet based manual upgrades which is reached by clicking Upgrade available link After clicking this link you will find the manual upgrade method at the bottom of the page as shown in Figure 4 3 Figure 4 3 Manual Software upload 4 4 Boot Process The FB2700 contains internal Flash memory storage ...

Page 50: ...lst the bootloader is waiting for an active Ethernet connection the green and yellow LEDs built into the physical port connectors flash in a continual left to right then right to left sequence The port LEDs on the panel on the opposite side to the physical ports also flash in a clock wise sequence Note The same port LED flashing sequences are observed if the app is running and none of the Ethernet...

Page 51: ...terface or command line which can show the history in the buffer and then follow the log in real time even when viewing via a web browser with some exceptions see Section 5 6 1 In some cases it is essential to ensure logged events can be viewed even after a power failure You can flag a log target to log to the non volatile Flash memory within the FB2700 where it will remain stored even after a pow...

Page 52: ... lot of information for example in some cases whole packets are logged e g PPP It is generally best only to use debug logging when needed 5 3 Logging to external destinations Entries in the buffer can also be sent on to external destinations such as via email or syslog Support for sending a text message via SMS using a suitable dongle attached to the USB port triggering SNMP traps and logging to a...

Page 53: ... sending another Having a hold off period means you don t get an excessive number of e mails since the logging system is initially storing event messages in RAM the e mail that is sent after the hold off period will contain any messages that were generated during the hold off period The following aspects of the e mail process can be configured subject you can either specify the subject by setting ...

Page 54: ...ser Interface or via the CLI A factory reset configuration also has a log target named fb support which is referenced by the log panic attribute of the system object see Section 5 7 This allows the FireBrick to automatically email the support team if there is a panic crash you can of course change or delete this if you prefer Caution Please only set things to log to fb support if requested by supp...

Page 55: ...ral Ethernet hardware messages log eth debug Ethernet hardware debug messages log eth error Ethernet hardware error messages log panic System Panic events log stats One second stats messages Specifying system event logging attributes is usually only necessary when diagnosing problems with the FB2700 and will typically be done under guidance from support staff For example log stats causes a log mes...

Page 56: ...witch directly transferring traffic at wire speed that is destined for a MAC address that is present on one of the other ports in the group The port group has a trunk setting which defaults to being false When only one port is in the group it makes no difference how this is set With more than one port when trunk is false the ports work as a switch passing traffic directly at gigabit speeds between...

Page 57: ...re than one physical port hold down the Ctrl key whilst clicking on a port number to toggle it between selected and unselected An optional comment can also be specified for the group which may be useful to act as a memory jogger for the purpose of the port group Editing an existing group works similarly click the Edit link next to the group you want to modify Certain USB devices eg 4G dongles and ...

Page 58: ... at layer 3 cannot be established between such subnets to achieve that subnets need to exist in different broadcast domains and thus be on different interfaces An example of this is seen in the factory default configuration which has two interfaces WAN and LAN allowing firewalling of the LAN from the Internet You may also have both IPv4 and IPv6 subnets on an interface where you are also using IPv...

Page 59: ...possible to set a source filter table which allows the check to be done in a different routing table This usually only makes sense when used with the blackhole option It allows a separate routing table to be used to define source filtering explicitly if needed Note Link local IPv6 addresses starting FE80 are always allowed as is the 0 0 0 0 null IP for DHCP usage IPv6 addresses within 2002 16 are ...

Page 60: ...so omitted as are any other addresses not within a subnet on the same interface Every allocation made by the DHCP server built in to the FB2700 is stored in non volatile memory and will survive power cycling and or rebooting The allocations can be seen using the DHCP item in the Status menu or using the show dhcp CLI command If a client does not request renewal of the lease before it expires the a...

Page 61: ...cturer which is registered to allocate that MAC address to an Ethernet device By specifying only these first three bytes six hexadecimal characters no colon delimiters in the mac attribute you can ensure that all devices from the associated manufacturer are allocated addresses from a particular address pool This is helpful if you have some common firewalling requirements for such a group of device...

Page 62: ...ys The table and allow allow you to limit the use of the DHCP Remote server to requests from specific sources note that renewal requests come from the allocated IP or NAT IP if behind NAT and not necessarily from the relay IP The allocation table attribute allows for this pool of IPs to be placed in a separate table thus allowing it to be independant from other DHCP allocations on the FireBrick an...

Page 63: ...ise that it is capable of either half or full duplex operation modes if you have reason to restrict the operation to either of these modes you can set the duplex attribute to either half or full This will cause the port to only advertise the specified mode if the auto negotiate capable link partner does not support that mode the link will fail to establish If auto negotiation is disabled the duple...

Page 64: ... when link up at 100Mbit s Link10 On when link up at 10Mbit s Link100 1000 On when link up at 100Mbit s or 1Gbit s Link10 1000 On when link up at 10Mbit s or 1Gbit s Link10 100 On when link up at 10Mbit s or 100Mbit s Duplex On when full duplex For example to configure the port LEDs to show the port link speed via the pattern of the green and yellow LEDs you could set the green attribute to Link10...

Page 65: ...e identifiers used to do the multiplexing For both UDP and TCP this identifier is a port number whose scope is local to the end point and is therefore usually different at each end point for a given flow connection Normally only one of the two port numbers involved will be known a priori this will be the documented port number used for a specific service at the server end for example port 80 for a...

Page 66: ...cessor load so in practice it can easily handle very large session tables hundreds of thousands of entries Note that TCP sessions also have time outs this is necessary since the connection may not be cleanly closed for example one end may crash if there were no time out the session table would hold a stale entry until the FB2700 was rebooted 7 3 Session Rules 7 3 1 Overview As each packet arrives ...

Page 67: ...ribute of the rule set is taken The available actions are the same as for a session rule Table 7 1 Action attribute values action attribute Action taken drop immediately cease rule processing quietly drop the packet and create a short lived session to drop further packets matching the rule criteria reject immediately cease rule processing drop the packet send rejection notification back to the tra...

Page 68: ...the FB2700 s session rule specifications you may interpret the no match action as specifying what happens if the rule set s entry criteria are not met i e at the beginning of processing a rule set no match action specifies what happens after the entry criteria were met and all the rules were considered but none of them matched no match i e at the very end of processing a rule set Caution If all ru...

Page 69: ...lowed Yes no match action is accept No No no match action is drop reject ignore No action is continue Yes action is drop reject ignore No No action is continue or accept Rule criteria met Yes Session Allowed Session Allowed Packet Dropped No Yes Yes Rule Processing Processing continues with next rule set Rule Set Processing Start processing rules within the rule set No rules within the rule set ma...

Page 70: ...imilarly click the Edit link next to the rule set you want to modify As described in Section 7 3 2 a rule set can optionally specify entry criteria in the web user interface these come under the heading Matching criteria for whole set when editing a rule set definition The entry criteria are detemined by the following attributes all of which are optional but if they are specified then the criteria...

Page 71: ... set per interface with the interface specified as the target interface in the entry criteria such that the rule set relates to sessions to that interface implement a default drop policy on each firewalling rule set such that you have to list exceptions to this policy to allow sessions to the specified target interface to implement this policy you set the no match action attribute to either drop o...

Page 72: ...ic Normally a session table entry holds enough information to allow return traffic to reach its destination without potentially being firewalled However a session rule can specify certain changes to be made to the outbound traffic in a session and the session table entry will hold additional information that allows the FB2700 to account for these changes when processing the return traffic For exam...

Page 73: ...ongoing timeout attribute Ongoing time out this time out period begins when each subsequent packet of the session arrives at the FB2700 it is specified by the set initial timeout attribute Note The actual timeout used is taken from a list of timeouts and set to the next highest available value The status sessions list shows the timeout in force as well as useful flags for session started and close...

Page 74: ...ection or charging where more are provided This means that it is common to require NAT for IPv4 on a typical Internet connection Tip It is strongly recommended that you make use of PPPoE to connect to such an Internet connection thereby affording the FireBrick itself with the single public IPv4 address assigned to the connection This allows a number of features to work without use of NAT including...

Page 75: ...not actually make these changes until the end of the processing of the rule sets i e a subsequent rule set or rule cannot test the new source ip or source port that NAT will apply 7 4 4 What NAT does What the NAT setting does is cause the FireBrick to change the source IP and port used for the session It picks an IP based on the interface to which the traffic will finally be sent and uses the most...

Page 76: ...a specific target interface and set the NAT setting Tip It is recommended that you use PPPoE where possible rather than an external router which may additionally perform an additional layer of NAT 7 4 8 Mixing NAT and non NAT In some cases you may have a combination of real routed IPv4 addresses and some RFC1918 private addresses These could be on different interfaces and subnets Typically in such...

Page 77: ...f the same port multiple times This allows a lot more sessions that would otherwise be expected based on number of TCP and UDP ports available This overloading of ports is automatic and part of the way the FireBrick handles NAT 7 4 10 Using NAT setting on subnets For backwards compatibility with older FireBricks there is a NAT setting on the subnet config The idea is that a subnet defined as an RF...

Page 78: ...es but routes can only use prefixes There are two cases that deserve special attention A routing destination may be a single IP address in which case it is a 32 in CIDR notation for IPv4 The 32 part for IPv4 or 128 for IPv6 is not shown when displaying such prefixes A routing destination may encompass the entire IPv4 or IPv6 address space written as 0 0 0 0 0 for IPv4 or 0 for IPv6 in CIDR notatio...

Page 79: ... to find the final MAC address to send the packet to In addition a subnet definition creates a very specific single IP a 32 for IPv4 or a 128 for IPv6 route for the IP address of the FB2700 itself on that subnet This is a separate loop back route which effectively internally routes traffic back into the FB2700 itself i e it never appears externally A subnet can also have a gateway specified either...

Page 80: ...affic to the route target will depend on the state of the link For such links you can specify route s to automatically create each time the link comes up when the link goes down these routes are removed automatically Refer to Chapter 12 for details on how to achieve this via the routes attribute on the tunnel definition objects This can be useful where a link such as PPPoE is defined with a given ...

Page 81: ...plicate subnets However the FB2700 also allows the possibility of route overrides which control routing in more more detail This feature is part of session tracking functionality and so applies on a per session basis contrasting with the per packet basis for the conventional routing For details on sessions and session tracking refer to Chapter 7 When establishing a session it is possible to scan a...

Page 82: ...Routing 61 rarely useful and probably not the configuration setting you are looking for waves hand in front of your face ...

Page 83: ...NOT allowing for some complex profile logic to be defined that determines a final profile state from several conditions When considering the state of another profile it is the previous second s state that is considered i e profile states are all updated in one go after considering all profiles By combining profiles with the FB2700 s event logging facilities they can also be used for automated moni...

Page 84: ...ts one or more Virtual Router group membership definitions see Chapter 16 by name if the FB2700 is not the master device in any of these Virtual Routers this test will fail Port state the ports attribute lists one of more physial Ethernet ports if any of thes ports is up then the test passes Tip You can also control port state with a profile so you could have a port come up if another port is down...

Page 85: ...o define who has control of the switch This control applies even if the user has no access to make configuration changes as the switch is not part of the config The switch state is automatically stored in the dynamic peristent data along with DHCP settings etc so survives a power cycle restart The control switch uses initial as the initial state when first added to the config but at start up it pi...

Page 86: ...om the FB2700 via the web User Interface to view a graph click the PNG item in the Graphs menu This will display all the graphs that are currently configured it is not currently possible to show a single graph within the web User Interface environment It is possible to access the graph data in many ways using the URL to control what information is shown labels and colours and also allowing graphs ...

Page 87: ...le objects can share the same graph Graphs can sometimes be created automatically and may have speeds applied For L2TP sessions the circuit ID which may be overridden by RADIUS auth responses is used to make a graph for the session 10 1 4 Long term shapers If defining a shaper using the shaper object there are a number of extra options which allow a long term shaper to be defined A long term shape...

Page 88: ...a bonded gateway route where multiple routes exist for the same target typically a default gateway and each route as a speed set which is itself a shaper This is used to control how much traffic goes via each of the bonded routes You simply create more than one route object with a speed or graph setting The egress interface can have a defined shaper 10 3 Basic principles Each shaper tracks how far...

Page 89: ...ppropriate knowledge of your ISP service and suitable equipment the FB2700 should work equally well with services that are available in other countries 11 1 Types of DSL line and router in the United Kingdom In the UK there are various types of DSL line and router than can be used Any device that supports PPPoE can work with the FireBrick but some options are only available with some devices as li...

Page 90: ... using VLANs then the configuration needed shown as an XML fragment would be ppp port 4 username password You may also want to give the PPPoE link a name by setting the name attribute you can then reference the link in for example a profile see Section 9 2 2 1 There are a number of additional options see below but for most configurations this is all you need It causes the FB2700 to connect and set...

Page 91: ...the PPPoE endpoint access controller In some cases there may be a choice of endpoints and setting this causes one to be selected by name Again this is rarely needed and if specified will only match the name you specify On Be O2 PPPoE lines for example you could select a specific LAC by name if you wanted to 11 2 2 3 Logging The PPP connection status and PPP negotiation can be logged by setting the...

Page 92: ...g end IPsec can also be used to set up a VPN between a roaming client and a server providing security for working at home or on the road scenarios This usage is usually known as a Road Warrior connection The FireBrick can be used as the server for Road Warrior connections it cannot act as a Road Warrior client There are three main aspects to IP Security integrity checking encryption and authentica...

Page 93: ... mechanisms to select the keys to be used using the Diffie Hellman key exchange mechanism IKE also performs authentication between the two link endpoints using for example X 509 certificates pre shared secrets or other methods such as those supported by EAP Extensible Authentication Protocol It is still necessary to install suitable certificates secrets or methods obviously but the configuration i...

Page 94: ...y need to authenticate with it is more normal to have a chain of trust you elect to trust a certificate from a certificate authority CA and you then implicitly trust any certificates which have been signed by that authority using that certificate and in turn any subordinate certificates signed by these without needing to explicitly install any of them beforehand In other words you are trusting tha...

Page 95: ... range of 16 or a single IPv6 range of 112 12 1 2 4 IKE connections To set up a new IKE connection select Add New IKE connections on the IPsec configuration page There are a large number of options available for configuring a connection but the majority can usually be left at their default settings 12 1 2 4 1 IKE connection mode and type Three connection modes are currently supported Wait provides...

Page 96: ...of ID are used there is no requirement for the domain or email address to actually be associated with the peer or even to exist at all If the prefix IP FQDN etc is omitted in the identity the FireBrick chooses the most appropriate type based on the syntax of the identity used During the connection setup phase these IDs are used to authenticate the two ends to each other Each peer passes its ID to ...

Page 97: ...for more complex routing a number of separate route elements can be added to the tunnel config Metrics and the routing tables to be used may also be specified The blackhole option can be set to ensure that traffic to be routed down the tunnel is discarded if the tunnel is not up If not set the normal FireBrick routing rules could select an alternate inappropriate transmission path thus compromisin...

Page 98: ...implementation when using manual keying the same key is used for both incoming and outgoing traffic The same keys and algorithms must be configured at the remote end of the link The above keys are examples only To reduce the possibility that your link could be compromised by keys becoming known or guessed you should generate them using a source of random or pseudo random data On a Unix Linux syste...

Page 99: ...tween the client and server These take place using the IKE control channel so although at this stage the server does not yet know the identity of the client connecting indeed it is purpose of the EAP interchange to achieve this the path to the client is secure and encrypted so a third party cannot snoop on the authentication 12 1 4 Using certificates with IPsec IKE The FireBrick IPsec IKE implemen...

Page 100: ...less the certificate is self signed the certificate s used as CAs to provide a trust chain must also be installed though private keys are not required for these and for security should not be installed During the IKE authentication procedure the FireBrick sends a copy of the certificate identifying itself to the peer and also sends the trust chain of certificate s used to sign the end entity certi...

Page 101: ...he company Paradigm Ltd who wish to set up a certificate suitable for authenticating one of their servers using IKE identity FQDN vpn server42 paradigm co uk To make a suitable CA and end entity certificate run the following commands Note that trailing backslash characters have been used below to split commands over multiple lines for readability Generate a new key for the CA certificate make key ...

Page 102: ...ontrol Data none DHGroup Data Yes MODP 1024 DHGroup Control Data MODP 2048 DHGroup Control Data Yes HMAC MD5 PRF Control HMAC SHA1 PRF Control Yes AES XCBC 128 PRF Control Yes HMAC SHA256 PRF Control Yes ALLOW ESN ESN Data Yes ALLOW SHORT SN ESN Data Yes Control items can be specified in IKE Proposal lists and Data items can be specified in IPsec Proposal lists If an IKE connection does not have a...

Page 103: ...unset in order to allow connections from any client Certificates An end entity certificate identifying the FireBrick should be created along with its private key and signed with a suitable CA certificate as described earlier Both certificates and the private key are installed on the FireBrick and the CA certificate should be installed on any clients wishing to connect The end entity certificate sh...

Page 104: ...e Several vendors have released IKEv2 support only recently it is worth checking with your vendor for firmware upgrades The FireBrick is known to interoperate well with StrongSwan implementations and with more recent OpenSwan implementations Road Warrior connections are possible using iPhone iPad running iOS 8 1 3 or later and using Android devices with the StrongSwan app 12 1 8 1 Using StrongSwan...

Page 105: ...should be configured as described earlier using certificate authentication for the FireBrick and EAP for the peers Install the StrongSwan app on the Android device this is a free app available from the Google app store Download a copy of the server CA certificate to the Android device The easiest way to do this is to access the FireBrick certificate config page using the Chrome browser on the devi...

Page 106: ...ives multiple IP addresses or IPv6 addresses Symptoms of this include being unable to connect at all for varying periods of time and connections dropping shortly after establishing while appearing to still be connected on the device An example of a make profile command where we assume the FireBrick address is 192 168 42 42 Note that trailing backslash characters have been used below to split comma...

Page 107: ...31415 A hmac sha1 0x0123456789012345678901234567890123456789 add 192 168 1 1 192 168 2 2 esp 2000 m tunnel E rijndael cbc 0x00010203040506070809101112131415 A hmac sha1 0x0123456789012345678901234567890123456789 spdadd 10 1 1 0 24 10 2 2 0 24 any P in ipsec esp tunnel 192 168 1 1 192 168 2 2 require spdadd 10 2 2 0 24 10 1 1 0 24 any P out ipsec esp tunnel 192 168 2 2 192 168 1 1 require Note that...

Page 108: ...c IP addresses to a network but it is either impossible to route the addresses directly to the network e g it is behind a NAT ing router or is connected via networks e g a 3rd party ISP that you have no control over or you wish to benefit from having portable public IP addresses e g you can physically relocate a tunnel end point FB2700 such that it is using different WAN connectivity yet still hav...

Page 109: ...do not need to manually change routing information to suit A dynamic route is defined by setting the routes attribute on the tunnel definition specifying one or more routing destinations in CIDR format as discussed in Section 8 1 12 2 5 Tunnel bonding Multiple FB105 tunnels can be bonded together to form a set such that traffic routed down the bonded tunnel set is distributed across all the tunnel...

Page 110: ...ends on whether the FB2700 behind the router has a far end IP address specified in tunnel definition s as follows If it does then it will be sending tunnel wrapper packets via the NAT router such that a session will have been created in the NAT router by the session tracking functionality that is used to implement NAT this assumes there is no outgoing firewall rule on the NAT router that would pre...

Page 111: ...rier network In addition the extra latency may cause problems with devices expecting LAN speed responses for example switches running LACP Configuring an ETUN connection is very simple Select Add New Ether tunnel RFC3378 on the tunnel configuration page and enter the IP of the remote Firebrick and the local port to be used for ETUN The local IP can be optionally set and the usual log profile and t...

Page 112: ...h the FB2700 13 1 USB configuration The USB subsystem of the FB2700 does not require any configuration itself as such however you can enable logging which may be useful for diagnostic purposes The top level usb object provides this configuration but is also a container for child objects that configure specific USB devices such as a 3G dongle In the web user interface the usb object is found in the...

Page 113: ...o the lists of child objects Where a service object is not present the table in that section will contain an Add link A maximum of one instance of each service object type can be present 14 1 Protecting the FB2700 Whilst the FB2700 does have a comprehensive firewall the design of the FB2700 is that it should be able to protect itself sensibly without the need for a separate firewall You can of cou...

Page 114: ...ration is saved You can also use name s of defined IP address group s which are pre defined ranges of IPs 14 3 HTTP Server configuration The HTTP server s purpose is to serve the HTML and supporting files that implement the web based user interface for the FB2700 It is not a general purpose web server that can be used to serve user documents and so there is little to configure 14 3 1 Access contro...

Page 115: ...es DNS typically means converting a name like www firebrick co uk to one or more IP addresses but it can also be used for reverse DNS finding the name of an IP address DNS service is normally provided by your ISP The DNS service on the FB2700 simply relays requests to external DNS servers and caches replies You can configure a list of external DNS servers using the resolvers attribute However DNS ...

Page 116: ...FB2700 as an NTP server Configuration of the NTP client service typically only requires setting the timeserver attribute to specify one or more NTP servers using either DNS name or IP address 14 7 SNMP configuration The SNMP service allows other devices to query the FB2700 for management related information using the Simple Network Management Protocol SNMP As with the HTTP server access can be res...

Page 117: ...l record a timeout To allow servers to recognise duplicate requests each request in the sequence that is to the same server has the same content and ID This allows the server to simply resend the previous reply if it was dropped In addition to these timeouts it is also possible to set a maximum queue for the set of servers This limits how many concurrent requests can be waiting Tip If your RADIUS ...

Page 118: ... flow when it comes to deciding whether to establish a new session see Section 7 2 for an overview of session tracking and its role in implementing firewalling The processing flow used to decide whether to allow a session i e to implement firewalling requirements is covered in Section 7 3 2 The firewalling check diagnostic facility allows you to submit the following traffic parameters and the FB27...

Page 119: ... only true DNS resolver access This address is not on a local Ethernet subnet and so not allowed access 15 3 Packet Dumping The FireBrick includes the ability to capture packet dumps for diagnostic purposes This might typically be used where the behaviour of the FB2700 is not as expected and can help identify whether other devices are correctly implementing network protocols if they are then you s...

Page 120: ...02132D94AE297DFF51E01 or you can use l2tp followed by a calling line ID this sets up logging for a session based on calling line id when it next connects dongle Dongle Where USB Dongles are available this is the name of the dongle from the config or the socket e g direct of the dongle snaplen Snaplen The maximum capture length for a packet can be specified in bytes Default 0 auto See notes below t...

Page 121: ... not Ethernet Table 15 2 Packet types that can be captured Type Notes Ethernet Interface based capture contains the full Ethernet frame with any VLAN tag removed IP IP only currently not possible to capture at this level An Ethernet header is faked PPP PPP from the protocol word HDLC header is ignored if present An Ethernet header is faked and also a PPPoE header The PPPoE header has the session P...

Page 122: ...g is currently running 15 3 7 1 Example using curl and tcpdump An example of a simple real time dump and analysis run on a Linux box is shown below curl silent no buffer user name pass http 1 2 3 4 pcap interface LAN amp timeout 300 amp snaplen 1500 usr sbin tcpdump r n v Note Linebreaks are shown in the example for clarity only they must not be entered on the command line In this example we have ...

Page 123: ...AC address to one port at a time You may also find some switches and some operatings systems do not work well and get confused about the same MAC appearing on different interfaces and VLANs As such it is generally a good idea to avoid doing this unless you are sure your network will cope i e use different VRIDs on different VLANs At any one time one physical device is the master and is handling al...

Page 124: ...fault Devices have to be using the same version IPv4 and IPv6 can co exist with one using VRRP2 and the other VRRP3 Setting the same config apart from priority on all devices ensures they have the same version 16 2 2 Priority Each device is assigned a priority which determines which device becomes the master and which devices remain as backups The working device with the highest priority becomes t...

Page 125: ...cond is selected It can also be specifically set in the config by setting the attribute version3 to the value true Caution If you have devices that are meant to work together as VRRP but one is version 2 and one is version 3 then they will typically not see each other and both become master The FB2700 s VRRP Status page shows if VRRP2 or VRRP3 is in use and whether the FireBrick is master or not 1...

Page 126: ...s the way registrations work 17 2 1 Registrar A SIP device can register with a service e g with the FB2700 or with a SIP carrier This is like logging in and means that incoming calls are then sent to the device The device will renew the registration periodically to stay logged in and if it fails to do this then incoming calls will fail This process uses a username and password for security Obvious...

Page 127: ...es There are a wide range of phones available in a range of price brackets The FireBrick has been tested well with snom phones including features such as busy lamp field lights and buttons The FB2700 scales well to support hundreds of phones in an office without needing extra FireBrick hardware This makes the FireBrick a much more scaleable and economical PABX solution than traditional systems It ...

Page 128: ...number for each telephone This is not a requirement and you can just use internal numbers for phones if you prefer It is a good idea to make a clear plan for how you will allocate the internal numbers especially if you have a corresponding block of real phone numbers Consider which are nice numbers you may want to publish for some reason and which could be obvious mis dials Maybe group extensions ...

Page 129: ...arrier is a service provider that can accept outgoing calls and route incoming calls Typically a VoIP carrier is expecting a handset to register with the carrier and will then send calls to the registered device It is also possible for a VoIP carrier to send calls to the FB2700 using a fixed pre set configuration To set up a VoIP carrier where the FB2700 registers with the carrier you need to spec...

Page 130: ...r These are taken from the right hand end of the dialled number so if 0134567890 is what was called 1XX would be extn 190 This makes it easy to define a trunk carrier for incoming calls 17 8 Hunt groups The basic idea of a hunt group is simple It has a number which when called causes a number of extensions to be rung perhaps in order to hunt for someone to take the calls In practice there are a nu...

Page 131: ... or you can set an alternative ring group to apply when out of profile This can cascade through out of profile groups You can instead set an alternative ring list to use when out of hours number Tip The ring list and overflow list cannot use the numbers of other hunt groups but the out of hours number can be another hunt group number 17 9 Call pickup steal By default it is possible to pick up a ri...

Page 132: ... can be used to log calls as they start and end to an external RADIUS server Note RADIUS for VoIP is only available on a fully loaded model Tip You have to configure each of the radius functions in the VoIP config leaving the radius setting unset will disable use of RADIUS for that feature There are separate configuration settings for register call and cdr 17 11 1 RADIUS accounting RADIUS accounti...

Page 133: ...tity attribute is set based on the configured CUI Access requests are made even when from a recognised carrier In such case the carrier is validated by the FireBrick directly and then the access request is made to decide call routing To identify such requests the User Name is the configured name of the carrier prefixed with an character Note In the case of a telephone user any charaters at the sta...

Page 134: ...stom response code such as 404 500 etc can be provided to indicate that the call is actually to be rejected 3NN URL A 3NN response code can be used where 3NN is then replaced by sip in the contact in the response This feature is somewhat experimental Tip If the originating call leg is incoming and not get been connected a single SIP AOR response can be provided in the format of a 3 digit response ...

Page 135: ...ll is made to the carrier outbound leg A CDR record is attached to the outbound leg with the telephone s CUI and the corresponding CLI and dialled number used When the call connects the start time is set on the CDR At the end of the call the CDR record is written out CDR records can be logged e g syslog and send by RADIUS accounting RADIUS accounting also carries details of each call leg start int...

Page 136: ...ed to work with all common VoIP handsets and carriers If you experience any difficulty with a carrier or a VoIP device please contact the FireBrick support team ideally with a full debug log Tip It is possible to set different source IP addresses to be used per carrier obviously to work these have to be IP addresses that the FireBrick has but it can be useful to force registration via specific add...

Page 137: ...ms 262Hz 1000ms 392Hz 1000ms bbc 50ms 345ms 122Hz 35ms 300ms 525Hz 2000ms 1000Hz 1000Hz beep 200ms 200ms 800Hz 200ms pi 350Hz 3dB 440Hz 3dB spi 750ms 350Hz 3dB 440Hz 3dB 750ms 440Hz 3dB pet 400ms 400Hz 6dB 350ms 225ms 400Hz 525ms sct 200ms 400Hz 300ms 1004Hz cnai 100ms 400Hz sit 330ms 950Hz 5ms 330ms 1400Hz 5ms 330ms 1800Hz cwi 100ms 400Hz 5000ms scwi 30ms 400Hz 10ms 30ms 400Hz 6000ms pt 125ms 400...

Page 138: ...possible to obtain IPv6 PI address space and an AS number to announce your own IPv6 addresses to multiple providers for extra resilience You can use BGP purely as an internal routing protocol to ensure parts of your network know how to route to other parts of your network and can dynamically reroute via other links when necessary In most cases unless you are an ISP of somesort you are not likely t...

Page 139: ...ur software release 18 2 4 Peer type The type attribute controls some of the behaviour of the session and some of the default settings as follows Table 18 1 Peer types Type Meaning normal Normal mode no special treatment Follows normal BGP rules transit Used when talking to a transit provider or a peer that provides more than just their own routes Peers only with different AS The community no expo...

Page 140: ... attributes The actual attributes are listed in the XML XSD documentation for the software version The main ones are A list of prefixes filters defining which prefixes to match There will be community tag checking and AS path checking in future You can have a rule with no matching attribute which will always be applied but this is generally pointless as no later rules will be considered If you wan...

Page 141: ...ing the D filter If L2TP is marked to BGP announce such routes they are set to be bgp true rathed than the bgp setting defined In order to ensure that your internal BGP network sees such routes as a black hole and not simply as a route to the router than has the black hole defined where the packets will be dropped you can ensure all black hole routes are announced using a suitable community tag In...

Page 142: ...k around this have by default ignore bad optional partial set to true The effect is that if a path attribute we understand is wrong and it is optional and trhe router that sent it to us did not understand or check it partial bit is set we ignore the specific route rather than dropping the whole BGP session 18 2 10 network element The network element defines a prefix that is to be announced by BGP ...

Page 143: ...ow priority announcement A special case of setting this delay to a negative value on a peer causes routes to be specifically withdrawn before the delay rather than announced low priority 18 2 15 TTL security The FireBrick supports RFC5082 standard TTL security Simply setting ttl security 1 on the peer settings causes all of the BGP control packets to have a TTL of 255 and expects all received pack...

Page 144: ...o settings it will operate OSPF unauthenticated on all Ethernet interfaces as the backbone 0 0 0 0 area More complex configurations allow use of OSPF within a specific area and authentication of OSPFv2 for IPv4 using a password It is also possible to configure various system timers to fit in with other devices configuration but the defaults will match in most cases Most networking configuration se...

Page 145: ...es the first matching config is used so you can have multiple configurations for different interfaces and even a final default if you wish priority Router priority setting impacts choice of designated router on a network instance OSPFv3 instance value password OSPFv2 MD5 based password or simple authentication key id OSPFv2 MD5 key id or 1 for simple auth instead of MD5 localpref Base localpref fo...

Page 146: ...rked with their type but it also provides negotiation protcols for Link Control LCP authentication CHAP and PAP and IP level negotiations IPCP and IPV6CP Once negotiation is complete then IP packets can be passed using PPP As networks became more complex a separation of the Access Concentrator in to a L2TP Access Concentrator LAC which has the modems and the L2TP Network Server LNS was sensible Th...

Page 147: ... the LNS to which the connection is to be sent This allows the ISP to steer sessions as they need Once the LNS gets the L2TP connection RADIUS is used to obtain the IP address details to be assigned to the specific connection RADIUS is also used for accounting to provide details of connections in progress and volumes of data transferred Appendix F provides details of the specific AVPs used with RA...

Page 148: ...This limits the speed of traffic to the line This is usually done so that the LNS is in control of the speed of the line as the FireBrick will drop larger packets before smaller packets which helps VoIP and many other protocols work well even on a full link The speed control can also be used to provide slower services In addition to the per connection graphs there is also an aggregate graph based ...

Page 149: ...r credit control systems 20 7 PPPoE In addition to working as a conventional LNS the FireBrick can also be configured to operate as a PPPoE endpoint as a BRAS The PPPoE connections appear as if they has arrived via L2TP so can have local IP termination or relay via L2TP to another LNS The FireBrick supports baby jumbo frame negotiation to allow full 1500 byte MTU operation If an interface is confi...

Page 150: ...for backup Whilst the FB2700 will answer RADIUS on any of its IP addresses we know some carriers have issues using the interlink IP addresses We recommend you create two additional loopback addresses for session steering RADIUS These addresses are configured as a BGP announced loopback address You can use MEDs to steer which IP is on which LNSs If you have more than two LNSs you can ensure that th...

Page 151: ...DIUS servers is used for all connections It can also specify defaults for DNS PPP endpoint addresses and so on 20 8 5 ISP RADIUS Once the L2TP connection arrives you can use RADIUS in your own network to control the connection accepting it or rejecting it and defining IP addressing DNS traffic speeds routing table and much more Appendix F provides details of the specific AVPs used with RADIUS for ...

Page 152: ... typed commands and these can be recalled using the Up and Down cursor keys Once you ve located the required command you can edit it if needed and then press Enter supports entering abbreviated commands you only need to type sufficient characters to make the command un ambiguous for example show dhcp and show dns can be abbreviated to sh dh and sh dn respectively show is the only command word that...

Page 153: ...for any reason or any other situation where it is appropriate to start from scratch Disconnect all network and power leads Connect lead between far left and far right ports ports 1 and 4 Connect power and wait a few seconds for all port LEDs to be on steadily Power LED blinks Disconnect loop leave power connected LEDs cycle and power LED blinks Note There is a timeout of 20 seconds in this process...

Page 154: ...o the existing saved configuration when next powered up or restarted It is also possible to recover the configuration stored in flash memory if you know an administrative username and password for it this gives you an opportunity to correct a configuration such as where you had made a change that prevented you from accessing the FB2700 A 1 Other types of reset To factory reset permanently follow t...

Page 155: ... CIDR The prefix notation introduced by CIDR was in the simplest sense to make explicit which bits in a 32 bit IPv4 address are interpreted as the network number or prefix associated with a site and which are the used to number individual end systems within the site In this sense the prefix is the N most significant bits that comprise the network ID bitfield CIDR notation is written as IPv4 Tradit...

Page 156: ...t IPv4 subnet on the LAN interface after factory reset is 10 0 0 1 24 the address of the FB2700 on this subnet is therefore 10 0 0 1 and the prefix length is 24 bits leaving 8 bits for host addresses on the subnet The subnet address range is therefore 10 0 0 0 to 10 0 0 255 A prefix length of 32 is possible and specifies a block size of just one address equivalent to a plain IP address specificati...

Page 157: ... useful on some cable modem type installations where multiple IPs are only available if the FireBrick appears to be multiple devices at once Whilst DHCP theoretically does not need separate MAC addresses experience suggests this is by far the most practical approach If you have more than one DHCP client subnets in your configuration they will automatically get separate MAC addresses In theory the ...

Page 158: ... group and VLAN tag of the interface This is used for dynamic IPv6 allocation on the interface using router announcements RA as well as OSPF and any other interface specific uses that are not relates to a subnet C 2 2 Subnet Each subnet object is allocated a MAC which is used for all of the IPs listed in that subnet object This allows many IPs to have the same MAC by listing them in the same subne...

Page 159: ...ss range In this example the range is specified as 000397 147C F this is interpreted as All addresses in the range start with 00 03 97 14 7 the next digit then ranges from C through to F the first address in the range has zero for the remaining digits C 00 the last address in the range has F for the remaining digits F FF Therefore this range spans 00 03 97 14 7C 00 to 00 03 97 14 7F FF inclusive 1...

Page 160: ...r the system name is set on the FB2700 as shown in Table C 1 Refer to Section 4 2 1 for details on setting the system name Table C 1 DHCP client names used System name Client name used not set e g factory reset configuration FB2700 set Main application software running If the FB2700 s system name is set and your DHCP server shows client names then this is likely to be the preferred way to locate t...

Page 161: ...each group from the others Where more than one switch is used with an uplink connection between switches VLAN tagging is used to multiplex packets from different VLANs across these single physical connections A IEEE 802 1Q VLAN tag is a small header prefixed to the normal Ethernet packet payload includes a 12 bit number range 1 4095 that identifies the tagged packet as belonging to a specific VLAN...

Page 162: ...ig RADIUS request Vendor Name 8 Ignored FireBrick Ltd Assigned Tunnel ID 9 Mandatory Mandatory our tunnel ID Receive Window Size 10 Accepted assumed 4 if not present or less than 4 is specified Value 4 Challenge 11 Accepted if a configured secret is defined a response is sent in the SCCRP Not sent at present E 2 Start Control Connection Reply Table E 2 SCCRP AVP No Incoming Outgoing Message Type 0...

Page 163: ...f a tunnel has been allocated Note that a StopCCN may not have a zero tunnel ID in the header If this is the case the source IP port and assigned tunnel are used to identify the tunnel If an unknown tunnel ID is received on any any incoming packet a StopCCN is generated once per 10 seconds with header tunnel ID 0 and specified assigned tunnel ID E 5 Hello Table E 5 HELLO AVP No Incoming Outgoing M...

Page 164: ...n if relaying Passed on incoming value Last Received LCP CONFREQ 28 Accepted used in RADIUS and passed on if relaying Passed on incoming value Proxy Authen Type 29 Accepted used in RADIUS and passed on if relaying Passed on incoming value Proxy Authen Name 30 Accepted used in RADIUS and passed on if relaying Passed on incoming value Proxy Authen Challenge 31 Accepted used in RADIUS and passed on i...

Page 165: ...lt Code 1 Ignored logged Sent as appropriate for tunnel close Q 931 Cause Code 12 Ignored Not sent Assigned Session ID 14 Expected see note Sent if assigned Note that a CDN may have a zero session ID in the header If this is the case the tunnel ID and assigned session ID are used to identify the session If an unknown session ID on a known tunnel ID is received on any any incoming packet a CDN is g...

Page 166: ...the internet when the broadband fully supports 1500 byte MTU This is also relevant where the FB6000 is deliberately configured to use a smaller MRU for example when the L2TP connection is remote via a 1500 MTU link There are options using Filter Id from RADIUS to force LCP restart However this does confuse some ppp implementations as it is after authentication is complete This can be useful where ...

Page 167: ...ceived on L2TP Calling Station Id 31 Calling number as received on L2TP Acct Session Id 44 Unique ID for session as used on all following accounting records NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 NAS IPv4 address if using IPv4 NAS IPv6 Address 95 NAS IPv6 address if using IPv6 NAS Port 5 L2TP session ID NAS Port Id 87 For PPPoE port vlan MAC Service Type 6 Framed Frame...

Page 168: ...v6 Prefix 123 IPv6 prefix to be routed to line Maximum localpref used Framed IPv6 Prefix 97 IPv6 prefix to be routed to line Maximum localpref used Framed IPv6 Route 99 May appear more than once Text format is IPv6 Address Bits metric The target IP is ignored but must be valid IPv6 syntax The metric is used as localpref in routing Alternative format IPv6 Bits IPv4 Address metric defines that prefi...

Page 169: ...onnect Info response can be a simple number bits second tx rate or a number followed by a where this sets a speed based on a percentage of current line speed This can be followed by a slash and the same for rx rate if required default is rx is not limited It is also possible to set long term shapers where a Chargeable User Identity is also included this involves a number of additional parameters i...

Page 170: ...on received on L2TP or received in authentication response Class 25 From authentication response if present Chargeable User Identity 89 Graph name that applies sanitised to comply with CQM graph name rules Called Station Id 30 Called number as received on L2TP Calling Station Id 31 Calling number as received on L2TP Service Type 6 Framed Framed Protocol 7 PPP Framed MTU 12 Final MTU being used for...

Page 171: ...t Info F 4 Accounting Interim Table F 5 Accounting Interim AVP No Usage Acct Status Type 40 3 Interim Update Acct Delay Time 41 Seconds since accounting data collected Acct Event Timestamp 55 Data collected time unix timestamp Acct Session Id 44 Unique ID for session Chargeable User Identity 89 Graph name that applies sanitised to comply with CQM graph name rules Connect Info 77 Text Tx speed Rx s...

Page 172: ... as DOS attacks usually continue until the customer is off line F 6 Disconnect A disconnect message is accepted as per RFC5176 if the session can be disconnected and ACK is sent else a NAK Table F 7 Disconnect AVP No Usage Acct Session Id 44 Unique ID for session Chargeable User Identity 89 This is used as CQM graph name Acct Terminate Cause 49 Cause code as appropriate to be used in accounting st...

Page 173: ...changed To clear the session timeout send a value of 0 To clear outbound shaping send connect speed of 0 No other parameters are supported and if sent then they are ignored The Connect Info response can be a simple number bits second tx rate or a number followed by a where this sets a speed based on a percentage of current line speed It is also possible to set long term shapers where a Chargeable ...

Page 174: ...4 and IPv6 using the LCP type code only works if FireBrick doing PPP at far end O Mark session as low priority see shaper and damping P Mark session as premium see shaper and damping D Mark session as blackhole Normal IPv4 IPv6 routes are announced as black hole routes and any BGP is not restricted to local as etc Does not apply to 6over4 routes d Mark session as not blackhole b Disable anti spoof...

Page 175: ... from PAP CHAP If a second session starts with the same graph name as an existing session then the existing session is cleared with cause 13 Preempted It is recommended that a unique circuit ID is passed as the Chargeable User Identity in the authentication response to allow simple location of graphs F 9 3 IP over LCP IP over LCP is a non standard coding of PPP packets for IPv4 and IPv6 The coding...

Page 176: ...ent to the requestor Table G 1 Access request AVP No Usage User Name 1 Name of locally configured telephone user or and locally configured carrier name Chargeable User Identity 89 If request relates to locally configured telephone user or carrier Message Authenticator 80 Message signature as per RFC2869 Called Station Id 30 Local part of To header Calling Station Id 31 Local part of From header NA...

Page 177: ...ue Digest Stale 120 Digest Stale G 2 2 Accepted authentication registration Table G 3 Access Accept AVP No Usage Calling Station Id 31 Calling number to be set up for tel number routing to this registration if omitted then the registration is not recorded Session Timeout 27 Time to send in reply Expires header SIP AOR 121 SIP URI Contact for 302 redirect response G 2 3 Accepted authentication invi...

Page 178: ...number as received Acct Status Type 40 1 Start Acct Session Id 44 Unique ID for call leg Acct Multi Session Id 50 SIP Call ID for call leg Acct Event Timestamp 55 Time call started trying NAS Identifier 32 Configured hostname of FireBrick NAS IP Address 4 Far end IPv4 address for SIP if using IPv4 NAS IPv6 Address 95 Far end IPv6 address for SIP if using IPv6 NAS Port 5 Far end UDP port for SIP G ...

Page 179: ...d of the call leg Called Station Id 30 Dialled number as received Calling Station Id 31 Calling number as received Acct Status Type 40 2 Stop Acct Session Id 44 Unique ID for session Acct Multi Session Id 50 SIP Call ID for call leg Acct Terminate Cause 49 Cause code as appropriate Acct Event Timestamp 55 Time call ended Chargeable User Identity 89 CUI for this call NAS Identifier 32 Configured ho...

Page 180: ...tribute Value Pairs for VoIP operation 159 G 7 Change of Authorisation A change of authorisation message is accepted as per RFC5176 Table G 10 Change of Authorisation AVP No Usage Acct Session Id 44 Unique ID for session ...

Page 181: ...ved IPv4 prefixes IP 5 Integer Seconds since last state change IP 6 Integer Received IPv6 prefixes H 2 L2TP information Information about specific L2TP peers Note The OID contains the IP This is coded as either 4 a b c d for IPv4 address a b c d or 6 followed by 32 entries each 0 to 15 for each hex character in the IPv6 address The IP is the IP of the L2TP peer you wish to check You cannot walk al...

Page 182: ... CLOSING state 2 9 Integer Number of sessions in CLOSED state IP 1 String The login name IP 2 String The host name IP 3 Integer Number of incoming tunnels IP 4 Integer Number of outgoing tunnels IP 5 Integer Seconds since oldest live tunnel connected IP 6 Integer Number of live tunnels IP 7 Integer Number of sessions H 3 Monitoring information General monitoring information Table H 3 iso 3 6 1 4 1...

Page 183: ...w uptime Shows how long since the FB2700 restarted I 1 4 General status show status Shows general status information including uptime who owns the FireBrick etc This is the same as the Status on the web control pages I 1 5 Memory usage show memory Shows memory usage summary I 1 6 Process task usage show tasks Shows internal task list This is mainly for diagnostics purposes I 1 7 Login login Normal...

Page 184: ...n using this command as you can use the web interface and tools like curl to load configtations This command is provided as a last resort for emergency use so use with care I 1 11 Show profile status show profiles Shows profiles and current status I 1 12 Enable profile control switch enable profile string Turns a named profile control switch on I 1 13 Disable profile control switch disable profile...

Page 185: ...ponse hops There are a number of controls allowing you to fine tune what is sent Obviously you should only send from a source address that will return to the FB2700 correctly You can also ask for the results to be presented in an XML format Where possible the reverse DNS name is shown next to replies but there is deliberately no delay waiting for DNS responses so you may find it useful to run a tr...

Page 186: ...dress even if long expired I 2 9 Unlock DHCP allocations unlock dhcp ip IP4Addr table routetable Unlocks a DHCP allocation allowing the address to be re used if the expired I 2 10 Name DHCP allocations name dhcp ip IP4Addr name string table routetable Allows you to set a name for a DHCP allocation overridding the clientname that was sent I 2 11 Show ARP ND status show arp show arp IPAddr Shows det...

Page 187: ...s and rules that matched and the actions taken I 4 USB dongle commands I 4 1 Show dongle connectoons show dongle show dongle string Lists dongle data connections in use or shows details of a specific connection I 4 2 Reset USB interface and all attached devices clear usb Resets USB port and attached devices This is useful if a device has locked up somehow I 4 3 Reset PPP Dongle data connection cle...

Page 188: ...event with a specified message You need to specify confirm yes for the command to work This can be useful to test fallback scenarios by simulating a fatal error Note that panic crash logs are emailed to the FireBrick support by default so please use a meaningful string e g panic testing fallback confirm yes I 11 2 Reboot reboot unsignedInt hard confirm string A reboot is a more controlled shutdown...

Page 189: ...is can be overridden in the configuration for each user I 11 7 Flash memory list show flash contents Lists the content of flash memory this includes various files such as software releases configuration and so on Multiple copies are usually stored allowing you to delete a later version if needed and roll back to an older version I 11 8 Delete block from flash delete config unsignedInt confirm stri...

Page 190: ...ng line faults They are useful to the ISP but also useful to the back haul provider which is often a separate company e g BT or Be We recommend that you consider providing access to graphs for live circuits and archived data to your back haul provider when discussing faults with them FireBrick are working with several ISPs to ensure back haul providers are aware of the CQM graphs and how to use th...

Page 191: ...instead but the SHA1 is the preferred method J 3 Graph display options The graphs can have a number of options which define the colours text and layout These are defined as http form get attributes on the URL e g http host port cqm circuit png H a heading Note that they can also be included in the path before the graph name e g http host port cqm H a heading circuit png in which case they can be s...

Page 192: ... based on space provided left and right R Defines a number of pixels to be provided on the right of the graph Bandwidth and scale axis is shown based on space provided left and right T Defines a number of pixels to be provided on the top of the graph Time axes is show based on space at top and bottom B Defines a number of pixels to be provided on the bottom of the graph Time axes is show based on ...

Page 193: ...of the options this is used only for making the index of all graphs for that type see below graphname Graph name For XML this can be just to produce one XML file with all graphs ext Extension for file type required options Options can alternatively be included as a html form get field list Where no graph name or ext are provided i e the index page of a directory then an html page is served An ext ...

Page 194: ...is too long will be replaced with one that uses part of the name and a hash to try and ensure a consistent unique graph name is applied Graphs can be defined in some configuration settings such as interface names Graphs can also be created dynamically in some cases e g L2TP based graphs are made based on the Chargeable User Id Calling Station Id or User Name for a connected line and so can be defi...

Page 195: ...Optional Constant Quality Monitoring config dhcp relay dhcp relay Optional unlimited DHCP server settings for remote relayed requests eap eap Optional unlimited User access control via EAP ethernet ethernet Optional unlimited Ethernet port settings etun etun Optional unlimited Ether tunnel RFC3378 fb105 fb105 Optional up to 255 FB105 tunnel settings interface interface Optional up to 8192 Ethernet...

Page 196: ...ame dos chunk unsignedInt 200 DoS interrupt chunk time microsec leave at default dos delay unsignedInt 2 DoS restoration counter leave at default dos limit unsignedInt 5000 DoS max interrupt time microsec leave at default intro string Home page text location string Location description log NMTOKEN Web console Log system events log config NMTOKEN Web Flash console Log config load log debug NMTOKEN ...

Page 197: ...ted Home page links K 2 2 link Web links Links to other web pages Table K 5 link Attributes Attribute Type Default Description comment string Comment name string Link name profile NMTOKEN Profile name source string Source of data used in automated config management text string Link text url string Link address K 2 3 user Admin users User names passwords and abilities for admin users Table K 6 user...

Page 198: ...nal User password profile NMTOKEN Profile name source string Source of data used in automated config management subsystem eap subsystem Not optional Access controlled subsystem K 2 5 log Log target controls Named logging target Table K 8 log Attributes Attribute Type Default Description colour Colour Colour used in web display comment string Comment console boolean Log immediately to console flash...

Page 199: ...log email Email logger settings Logging to email Table K 11 log email Attributes Attribute Type Default Description comment string Comment delay duration 1 00 Delay before sending since first event to send from string One made up using serial number Source email address hold off duration 1 00 00 Delay before sending since last email log NMTOKEN Not logging Log emailing process log debug NMTOKEN No...

Page 200: ...P service has general service settings and also specific attributes for SNMP such as community Table K 13 snmp service Attributes Attribute Type Default Description allow List of IPNameRange Allow from anywhere List of IP ranges from which service can be accessed comment string Comment community string public Community string local only boolean false Restrict access to locally connected Ethernet s...

Page 201: ...om UTC tz12 date unsignedByte 1 31 datenum 25 Timezone 1 to 2 earliest date in month tz12 day day Sun Timezone 1 to 2 day of week of change tz12 month month Mar Timezone 1 to 2 month tz12 time time 01 00 00 Timezone 1 to 2 local time of change tz2 name string BST Timezone 2 name tz2 offset duration 1 00 00 Timezone 2 offset from UTC tz21 date unsignedByte 1 31 datenum 25 Timezone 2 to 1 earliest d...

Page 202: ...ocal only boolean true Restrict access to locally connected Ethernet subnets only log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors port unsignedShort 80 Service port profile NMTOKEN Profile name source string Source of data used in automated config management table unsignedByte 0 99 routetable 0 Routing table number trusted List o...

Page 203: ...al unlimited Fixed local DNS host blocks host dns host Optional unlimited Fixed local DNS host entries K 2 14 dns host Fixed local DNS host settings DNS forwarding resolver service Table K 19 dns host Attributes Attribute Type Default Description comment string Comment ip List of IPAddr Our IP IP addresses to serve or our IP if omitted name List of string Not optional Host names can use as a part ...

Page 204: ...kup L2TP connection class string Class field to send comment string Comment context name string Juniper Context Name SIN502 control port unsignedShort 3799 Control UDP port CoA DM dummy ip boolean true Send dummy framed IP response log NMTOKEN Not logging Log events log debug NMTOKEN Log debug log error NMTOKEN Log as event Log errors nsn conditional boolean Only send NSN settings if username is n...

Page 205: ...tional unlimited RADIUS server settings K 2 17 radius service match Matching rules for RADIUS service Rules for matching incoming RADIUS requests Table K 23 radius service match Attributes Attribute Type Default Description allow List of IPNameRange Match source IP address of RADIUS request authenticator boolean Require message authenticator backup ip List of IPNameAddr Target IP s or hostname for...

Page 206: ... IP s or hostname for primary L2TP connection target secret Secret Shared secret for L2TP connection test List of IPAddr List of IPs that must have routing for this target to be valid deprecated tunnel assignment id string Tunnel Assignment ID to send tunnel client return boolean Return tunnel client as radius IP username List of string One or more patterns to match username K 2 18 radius server R...

Page 207: ... setting for this port flow LinkFlow none Flow control setting green LinkLED Link Activity Green LED setting lacp boolean Auto Sent LACP packets lldp boolean true Sent LLDP packets optimise boolean true enable PHY optimisations port port Not optional Physical port power saving LinkPower full enable PHY power saving profile NMTOKEN Profile name send fault LinkFault Send fault status speed LinkSpeed...

Page 208: ...cluding DHCP and related events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors mtu unsignedShort 576 2000 mtu 1500 MTU for this interface name NMTOKEN Name ospf boolean true OSPF announce mode for route ospf cost unsignedShort 1 Outbound link cost ping IPAddr Ping address to add loss latency to graph for interface port NMTOKEN Not optional Port group name profile...

Page 209: ...ubnet Automatic by DHCP One or more IP len localpref unsignedInt 4294967295 Localpref for subnet highest wins mtu unsignedShort 576 2000 mtu As interface MTU for subnet name string Name nat boolean false Short cut to set nat default mode on all IPv4 traffic from subnet can be overridden by firewall rules ospf boolean true OSPF announce mode for route profile NMTOKEN Profile name proxy arp boolean ...

Page 210: ...s to announce log NMTOKEN Not logging Log events log error NMTOKEN log as event Log errors low priority unsignedByte 1 Lower priority applicable until routing established name NMTOKEN Name preempt boolean true Whether pre empt allowed priority unsignedByte 100 Normal priority profile NMTOKEN Profile name source string Source of data used in automated config management test List of IPAddr List of I...

Page 211: ...t of IP4Addr Our IP Time server Table K 32 dhcps Elements Element Type Instances Description send dhcp attr hex Optional unlimited Additional attributes to send hex send ip dhcp attr ip Optional unlimited Additional attributes to send IP send number dhcp attr number Optional unlimited Additional attributes to send numeric send string dhcp attr string Optional unlimited Additional attributes to sen...

Page 212: ... Comment force boolean Send even if not requested id unsignedByte Not optional Attribute type code tag name string Name value unsignedInt Not optional Value vendor boolean Add as vendor specific option under option 43 K 2 28 dhcp attr ip DHCP server attributes IP Additional DHCP server attributes IP Table K 36 dhcp attr ip Attributes Attribute Type Default Description comment string Comment force ...

Page 213: ...ot logging Log debug log error NMTOKEN Not logging Log as events mode pppoe mode client PPPoE server client mode mtu unsignedShort 576 2000 mtu 1492 MTU for link name NMTOKEN Name nat boolean false NAT IPv4 traffic to this link unless otherwise set by rules ospf boolean true OSPF announce mode for route password Secret User password pd interface List of NMTOKEN Auto Interfaces for IPv6 prefix dele...

Page 214: ...le name source string Source of data used in automated config management K 2 31 usb USB 3G dongle settings USB config settings including 3G data Table K 40 usb Attributes Attribute Type Default Description log NMTOKEN Web console Log events log debug NMTOKEN Not logged Log errors log error NMTOKEN Web Flash console Log errors profile NMTOKEN Profile name Table K 41 usb Elements Element Type Instan...

Page 215: ...ng standard switching Mode switch mechanism mtu unsignedShort 576 2000 mtu 1500 MTU for link name NMTOKEN Name nat boolean true NAT IPv4 traffic to this link unless otherwise set in rules ospf boolean true OSPF announce mode for route password Secret User password product hexBinary Product ID used to match a configuration with specific device vendor profile NMTOKEN Profile name remote IP4Addr Remo...

Page 216: ...olean true OSPF announce mode for route profile NMTOKEN Profile name source string Source of data used in automated config management speed unsignedInt Egress rate limit b s table unsignedByte 0 99 routetable 0 Routing table number K 2 34 network Locally originated networks Network blocks that are announced but not actually added to internal routes note that blackhole and nowhere objects can also ...

Page 217: ...rce string Source of data used in automated config management table unsignedByte 0 99 routetable 0 Routing table number tag List of Community List of community tags K 2 36 loopback Locally originated networks Loopback addresses define local IP addresses Table K 47 loopback Attributes Attribute Type Default Description as path List up to 10 unsignedInt Custom AS path as if network received bgp bgpm...

Page 218: ...hello interval duration 9 Default hello interval instance unsignedByte Instance ID for OSPFv3 interfaces List of NMTOKEN All Ethernet interfaces to which this OSPF config applies ipsec type ipsec type ESP Encapsulation type for OSPFv3 security key id integer 1 Key ID for OSPFv2 MD5 authentication 1 for simple auth localpref unsignedInt Base localpref highest wins log NMTOKEN Not logging Log calls ...

Page 219: ...t Description comment string Comment community Community Community that must be present to match detag List of Community List of community tags to remove drop boolean Do not import export this prefix localpref unsignedInt Set localpref highest wins med unsignedInt Set MED name string Name no community Community Community that must not be present to match pad unsignedByte Pad prefix stuff our AS on...

Page 220: ...e peer but this can be used for a group of similar peers Table K 54 bgppeer Attributes Attribute Type Default Description add own as boolean Add our AS on exported routes allow export boolean true for customer Ignore no export community and export anyway allow only their as boolean Only accept routes that are solely the peers AS allow own as boolean Allow our AS inbound as unsignedInt Peer AS blac...

Page 221: ... secret name string Name next hop self boolean false Force us as next hop outbound no fib boolean Don t include received routes in packet forwarding pad unsignedByte Pad prefix stuff our AS on export by this many profile NMTOKEN Profile name same ip type boolean true Only accept send IPv4 routes to IPv4 peers and IPv6 routes to IPv6 peers send default boolean false Send a default route to this pee...

Page 222: ...urce string Source of data used in automated config management tag List of Community List of community tags to add Table K 57 bgpmap Elements Element Type Instances Description match bgprule Optional unlimited List rules in order of checking K 2 43 cqm Constant Quality Monitoring settings Constant quality monitoring graphs and data have a number of settings Most of the graphing settings can be ove...

Page 223: ...ring Reject Label for rejected seconds label rx string Rx Label for Rx traffic level label score string Score Label for score label sent string Sent Label for seconds polled label shaper string Shaper Label for shaper label time string Time Label for time label traffic string Traffic bit s Label for traffic level label tx string Tx Label for Tx traffic level latency level unsignedInt 100000000 Lat...

Page 224: ... string Y m d H M S Time format top unsignedByte 4 Pixels space at top of graph tx Colour 080 Colour for Tx traffic level K 2 44 l2tp L2TP settings L2TP settings for incoming and outgoing L2TP connections Table K 59 l2tp Attributes Attribute Type Default Description accounting interval duration 1 00 00 Periodic interim accounting interval send acct delay boolean Send Acct Delay as well as Event Ti...

Page 225: ...ip IPAddr IP of our end localpref unsignedInt 4294967295 Localpref for remote ip routes highest wins log NMTOKEN Not logging Log events log debug NMTOKEN Not logging Log debug log error NMTOKEN Log as event Log errors min retry duration 10 Minimum session time before retrying connection mtu unsignedShort 576 2000 mtu Default MTU for sessions in this tunnel name string Name open timeout unsignedByt...

Page 226: ... string Comment damping boolean false Apply damping to sessions if limiting on shaper dhcpv6dns List of IP6Addr List of IPv6 DNS servers dos limit unsignedInt 10000 Per second per session tx packet drop limit for DOS protection fail lockout unsignedByte 60 Interval kept in failed state graph string Graph name hdlc boolean true Send HDLC header FF03 on all PPP frames hello interval unsignedByte 60 ...

Page 227: ...boolean Close session if cannot do RADIUS accounting retry timeout unsignedByte 60 Interval to retry sending control messages before fail secret Secret Shared secret shutdown boolean false Refuse all new sessions or tunnels source string Source of data used in automated config management speed unsignedInt Default egress rate limit b s table unsignedByte 0 99 routetable Any Routing table number for...

Page 228: ...utes List of IPPrefix Additional routes when link up local auth source string Source of data used in automated config management test List of IPAddr List of IPs that must have routing for this target to be valid deprecated username List of string One or more patterns to match username K 2 48 fb105 FB105 tunnel definition FB105 tunnel definition Table K 66 fb105 Attributes Attribute Type Default De...

Page 229: ... experimental secret Secret Unsigned Shared secret for tunnel set unsignedByte Set ID for reorder ID tagging create a set of tunnels together sign all boolean false All packets must be signed not just keepalives source string Source of data used in automated config management speed unsignedInt no shaping Egress rate limit used b s table unsignedByte 0 99 routetable 0 Routing table number for tunne...

Page 230: ...nges given higher priority when establshing new connections comment string Comment source string Source of data used in automated config management Table K 70 ipsec ike Elements Element Type Instances Description IKE proposal ike proposal Optional unlimited Proposals for IKE security association IPsec proposal ipsec proposal Optional unlimited Proposals for IPsec AH ESP security association connec...

Page 231: ...peed unsignedInt no shaping Egress rate limit used b s table unsignedByte 0 99 routetable 0 Routing table number for IKE traffic and tunnel wrappers tcp mss fix boolean true Adjust MSS option in TCP SYN to fix session MSS type ipsec type ESP Encapsulation type auth method ike authmethod Not optional method for authenticating self to peer blackhole boolean false Blackhole routed traffic when tunnel...

Page 232: ...refixes that are sent to the IPsec tunnel Table K 73 ipsec route Attributes Attribute Type Default Description bgp bgpmode Not announced BGP announce mode for routes comment string Comment ip List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network highest wins name string Name ospf boolean true OSPF announce mode for route profile NMTOKEN Pr...

Page 233: ...IKE messages name NMTOKEN Not optional Name K 2 55 ipsec proposal IPsec AH ESP proposal Proposal for establishing the IPsec AH ESP keying information Table K 76 ipsec proposal Attributes Attribute Type Default Description DHset Set of ike DH Accept any supported group Diffie Hellman group for IPsec key negotiation ESN Set of ike ESN Accept ESN or short SN Support for extended sequence numbers auth...

Page 234: ...outes when link up source string Source of data used in automated config management speed unsignedInt no shaping Egress rate limit used b s table unsignedByte 0 99 routetable 0 Routing table number for IKE traffic and tunnel wrappers tcp mss fix boolean true Adjust MSS option in TCP SYN to fix session MSS type ipsec type ESP Encapsulation type auth algorithm ipsec auth algorithm null Manual settin...

Page 235: ... config Table K 80 profile Attributes Attribute Type Default Description and List of NMTOKEN Active if all specified profiles are active as well as all other tests passing including not comment string Comment control switch users List of NMTOKEN Any users Restrict users that have access to control switch dongle List of NMTOKEN Dongle state any of these are up expect boolean true Defines state cons...

Page 236: ... before timeout i e how long test has been failing vrrp List of NMTOKEN VRRP state any of these is master Table K 81 profile Elements Element Type Instances Description date profile date Optional unlimited Test passes if within any date range specified ping profile ping Optional Test passes if address is answering pings time profile time Optional unlimited Test passes if within any time range spec...

Page 237: ...d traffic shaper Table K 85 shaper Attributes Attribute Type Default Description comment string Comment name token graphname Not optional Graph name rx unsignedInt Rx rate limit target b s rx max unsignedInt Rx rate limit max rx min unsignedInt Rx rate limit min rx min burst duration Rx minimum allowed burst time rx step unsignedInt Rx rate reduction per hour share boolean If shaper is shared with...

Page 238: ...ur source string Source of data used in automated config management tx unsignedInt Tx rate limit target b s tx max unsignedInt Tx rate limit max tx min unsignedInt Tx rate limit min tx min burst duration Tx minimum allowed burst time tx step unsignedInt Tx rate reduction per hour K 2 64 ip group IP Group Named IP group Table K 88 ip group Attributes Attribute Type Default Description comment strin...

Page 239: ...hash of IPs for load sharing name string Name profile NMTOKEN Profile name protocol List of unsignedByte Protocol s 1 ICMP 6 TCP 17 UDP set gateway IPAddr New gateway set graph string Graph name for shaping logging if not set by rule set set nat boolean Changed source IP and port to local for NAT source string Source of data used in automated config management source interface List of NMTOKEN Sour...

Page 240: ...ing Comment cug List of PortRange Closed user group ID s interface List of NMTOKEN Source or target interface s ip List of IPNameRange Source or target IP address range s log NMTOKEN Not logging Log session start log end NMTOKEN Not logging Log session end log no match NMTOKEN log start Log if no match name string Name no match action firewall action Not optional Default if no rule matches profile...

Page 241: ...ch comment string Comment cug List of PortRange Closed user group ID s hash boolean Use hash of IPs for load sharing interface List of NMTOKEN Source or target interface s ip List of IPNameRange Source or target IP address range s log NMTOKEN As rule set Log session start log end NMTOKEN As rule set Log session end name string Name profile NMTOKEN Profile name protocol List of unsignedByte Protoco...

Page 242: ... Description share session share Optional unlimited Load shared actions K 2 70 session share Firewall load sharing Firewall actions for load sharing Table K 98 session share Attributes Attribute Type Default Description comment string Comment profile NMTOKEN Profile name set gateway IPAddr New gateway set graph string Graph name for shaping logging set nat boolean Changed source IP and port to loc...

Page 243: ...min len unsignedByte 5 Local numbers min length log NMTOKEN Not logging Log calls log cdr NMTOKEN Not logged Log CDR records log debug NMTOKEN Not logging Log debug and SIP messages log error NMTOKEN Log as event Log errors log sip blf NMTOKEN Not logged SUBSCRIBE NOTIFY PUBLISH log sip call NMTOKEN Not logged INVITE ACK CANCEL BYE REFER log sip other NMTOKEN Not logged OPTIONS INFO etc log sip re...

Page 244: ...roups telephone telephone Optional up to 250 VoIP users tone tone Optional up to 25 Defined tones K 2 72 carrier VoIP carrier details VoIP carrier details Table K 101 carrier Attributes Attribute Type Default Description allow List of IPNameRange Allow from anywhere List of IP ranges from which invite accepted cli format voip format national CLI number format for outgoing calls comment string Comm...

Page 245: ... generate for hold with no media tone progress string Name of tone to generate for progress with no media tone queue string Name of tone to generate for queue with no media tone ring string Name of tone to generate for ring with no media tone wait string Name of tone to generate for wait with no media trust cli boolean true Trust inbound calling line identity username string Carrier username for o...

Page 246: ...registrations from Ethernet subnets only max calls unsignedInt Maximum simultaneous calls allowed name NMTOKEN Not optional User name local part of from password Secret Authentication password profile NMTOKEN Profile name realm string Realm record recordoption Automatically record calls source string Source of data used in automated config management table unsignedByte 0 99 routetable 0 Routing ta...

Page 247: ...unsignedByte Number allowed to queue name NMTOKEN Not optional Group name order ring group order strict Order of ring out of hours group NMTOKEN Alternative group if this is out of profile cascades out of hours ring List of string Numbers to ring if out of profile and no out of hours group set overflow List of string Numbers to ring when more than one call in queue overflow time duration 30 Includ...

Page 248: ...e Default Description allocation table unsignedByte 0 99 routetable Allocate same as request table Routing table for allocations suggest using separate tables for remote DHCP allow List of IPNameRange Allow from anywhere IPs allowed e g allocated IPs for renewal relay List of IPNameRange Any relay Relay server IP s table unsignedByte 0 99 routetable Allow any Routing table applicable Table K 107 d...

Page 249: ... Description NOBODY Unknown or not logged in user GUEST Guest user USER Normal unprivileged user ADMIN System administrator DEBUG System debugger K 3 4 eap subsystem Subsystem with EAP access control Table K 111 eap subsystem Subsystem with EAP access control Value Description IPsec IPsec IKEv2 VPN K 3 5 eap method EAP access method Table K 112 eap method EAP access method Value Description MD5 MD...

Page 250: ... 114 syslog facility Syslog facility Value Description KERN Kernel messages USER User level messges MAIL Mail system DAEMON System Daemons AUTH Security auth SYSLOG Internal to syslogd LPR Printer NEWS News UUCP UUCP CRON Cron deamon AUTHPRIV private security auth FTP File transfer 12 Unused 13 Unused 14 Unused 15 Unused LOCAL0 Local 0 LOCAL1 Local 1 LOCAL2 Local 2 LOCAL3 Local 3 LOCAL4 Local 4 LO...

Page 251: ... Sat Saturday K 3 10 radiuspriority Options for controlling platform RADIUS response priority tagging Table K 117 radiuspriority Options for controlling platform RADIUS response priority tagging Value Description equal All the same priority strict In order specified random Random order calling Hashed on calling station id called Hashed on called station id username Hashed on full username user Has...

Page 252: ... Port 2 3 Port 3 4 Port 4 K 3 13 Crossover Crossover configuration Physical port crossover configuration Table K 120 Crossover Crossover configuration Value Description auto Crossover is determined automatically MDI Force no crossover K 3 14 LinkSpeed Physical port speed Table K 121 LinkSpeed Physical port speed Value Description 10M 10Mbit sec 100M 100Mbit sec 1G 1Gbit sec auto Speed determined b...

Page 253: ... preference for slave force master Master status forced force slave Slave status forced K 3 18 LinkLED LED settings Table K 125 LinkLED LED settings Value Description Link Activity On when link up blink when Tx or Rx activity Link1000 Activity On when link up at 1G blink when Tx or Rx activity Link100 Activity On when link up at 100M blink when Tx or Rx activity Link10 Activity On when link up at ...

Page 254: ...escription none No power saving link down Power save only when link is down link up Power save only when link is up full Full power saving K 3 20 LinkFault Link fault type to send Table K 127 LinkFault Link fault type to send Value Description false No fault true Send fault off line Send offline fault 1G ane Send ANE fault 1G K 3 21 trunk mode Trunk port more Table K 128 trunk mode Trunk port more...

Page 255: ...fines the default advertisement mode for prefixes based on well known community tags Table K 131 bgpmode BGP announcement mode Value Description false Not included in BGP at all no advertise Not included in BGP not advertised at all no export Not normally exported from local AS confederation local as Not exported from local AS no peer Exported with no peer community tag true Exported as normal wit...

Page 256: ...ad K 3 29 ipsec auth algorithm IPsec authentication algorithm Table K 136 ipsec auth algorithm IPsec authentication algorithm Value Description null No authentication HMAC MD5 HMAC MD5 96 RFC 2403 HMAC SHA1 HMAC SHA1 96 RFC 2404 AES XCBC AES XCBC MAC 96 RFC 3566 HMAC SHA256 HMAC SHA 256 128 RFC 4868 K 3 30 ipsec crypt algorithm IPsec encryption algorithm Table K 137 ipsec crypt algorithm IPsec enc...

Page 257: ... allowing own AS reflector IBGP allowing own AS and working in route reflector mode confederate EBGP confederate ixp Internet exchange point peer on route server K 3 32 ike authmethod authentication method Table K 139 ike authmethod authentication method Value Description Secret Shared Secret Certificate X 509 certificate EAP Use EAP for authentication K 3 33 ike mode connection setup mode Table K...

Page 258: ... SHORT SN Allow short sequence numbers 32 bits K 3 37 ipsec encapsulation Manually keyed IPsec encapsulation mode Table K 144 ipsec encapsulation Manually keyed IPsec encapsulation mode Value Description tunnel IPsec tunnel transport IPsec transport K 3 38 switch Profile manual setting Manual setting control for profile Table K 145 switch Profile manual setting Value Description false Profile set ...

Page 259: ...eading plus national With nat int prefix local Local number extension transparent Unchanged block Do not use for calls K 3 42 uknumberformat Number formatting option Table K 149 uknumberformat Number formatting option Value Description false Don t format numbers for display true Format numbers for display with spacing replace zero Format numbers for display with spacing and replacing zeros may loo...

Page 260: ...option Value Description false No beep button Beep on record button press true Beep on start of record K 4 Basic types Table K 154 Basic data types Type Description string text string token text string hexBinary hex coded binary data integer integer 2147483648 2147483647 positiveInteger positive integer 1 4294967295 unsignedInt unsigned integer 0 4294967295 unsignedShort unsigned short integer 0 6...

Page 261: ...ddresses or domain names IPNameAddr datenum Day number in month 1 31 unsignedByte stringlist List of strings string iplist List of IP addresses IPAddr subnetlist List of subnets IPSubnet ra max Route announcement max interval seconds 4 1800 unsignedShort ra min Route announcement min interval seconds 3 1350 unsignedShort ip6list List of IPv6 addresses IP6Addr mtu Max transmission unit 576 2000 uns...

Page 262: ...packet queue 1 100 unsignedInt iprangelist List of IPranges IPRange ping size Data payload size to be sent in ping packet 0 1472 unsignedInt portlist List of protocol port ranges PortRange protolist List of IP protocols unsignedByte sip error SIP error code 400 699 unsignedShort userlist List of user names username prefix4list List of IPv4 Prefixes IP4Prefix routetableset Set of routetables routet...

Page 263: ...g speed and or duplex modes 41 defining port groups 36 relationship with interfaces 35 sequenced flashing of LEDs 29 Event logging external logging 31 overview 30 viewing logs 33 F Firewall definition of 44 Firewalling recommended method 50 G Graphs 65 H Hostname setting 24 HTTP service configuration 93 I Interfaces defining 36 Ethernet 35 relationship with physical ports 35 Internet Service Provi...

Page 264: ...see Hostname System services checking access to 98 configuring 92 definition of 92 list of 92 T Telnet service configuration 93 Time out login sessions 22 Traffic shaping overview 65 Tunnels bonding FB105 88 FB105 86 viewing status FB105 88 U USB socket identification value 91 3G dongle configuration 91 overview 91 subsystem configuration 91 User Interface customising layout 11 general layout 11 n...

Reviews:

No comments