manualshive.com logo in svg

Patton electronics IPLink Series, Software Configuration Manual, Page: 298 / 331

Share
Download
Patton electronics IPLink Series Software Configuration Manual Download Page 298

Key Management (IKE)

298

IPLink Software Configuration Guide 

26 • VPN configuration

Creating/modifying an outgoing ACL profile for IPSEC

This is basically the same as for manual keyed IPSEC connections (

“Creating an IPsec policy profile”

 on 

page 290). Make sure that your ACL allows traffic from and to UDP port 500 in plaintext to allow ISAKMP 
messages to be exchanged.

Configuration of an IP interface and the IP router for IPSEC

This is exactly the same as for manual keyed IPSEC connections (

“Creating an IPsec policy profile”

 on 

page 290).

Policy matching

Normally, if an initial ISAKMP message is received from the network, the system tries to find the correspond-
ing ISAKMP IPSEC policy by matching the received source-ip address with the peer IP address of an IPSEC 
policy.

However, in applications with dynamic IP addressing, a Fully Qualified Domain Name (FQDN) might be 
specified as the peer, rather than using an IP address. In this case, it is not possible to find the correct policy 
using the source-ip address. To solve this problem, you specify the same protection-group ID in the ISAKMP 
IPSEC policy profiles for all of the peers. The peers should all use the same remote policy. In this case, if the 
system receives an initial IKE packet, it will search for an ISAKMP IPSEC policy profile, which has the same 
protection-group ID as the policy that created the ISAKMP packet.

Sample configuration snippet

Below you see a sample of the minimal required settings to be added to a configuration file in order to establish 
an IKE IPSEC connection:

profile acl WAN_Out

permit 1 esp any any

permit 2 ah any any

permit 3 udp any any eq 500

permit 4 ip any 10.0.0.0 0.255.255.255 ipsec-policy VPN

permit 5 ip any any

profile ipsec-transform IPSEC_3DES_192

esp-encryption 3des-cbc 192

profile isakmp-transform ISAKMP_3DES_192

encryption 3des-cbc 192

authentication-algorithm sha1

9

optional

node(pf- ipsik)

[<

name>

]# 

protection-

group <group>

If required, you can specify a protection group. 
The protection-group is a proprietary feature and 
is not compatible with third-party devices. There-
fore do not configure it for connections to third 
party devices.

Step

Command

Purpose

Summary of Contents for IPLink Series

Page 1: ...re Release 3 20 Software Configuration Guide Sales Office 1 301 975 1000 Technical Support 1 301 975 1007 E mail support patton com URL www patton com Document Number 13220U8 001 Rev A Part Number 07M...

Page 2: ...ded for use as critical components in human life support systems equipment used in hazardous environments or nuclear control systems Patton Electronics Company disclaims any express or implied warrant...

Page 3: ...128 13 Ethernet port configuration 137 14 Link scheduler configuration 148 15 Serial port configuration 167 16 T1 E1 port configuration 185 17 Basic IP routing configuration 195 18 RIP configuration 2...

Page 4: ...Africa EMEA 22 Warranty Service and Returned Merchandise Authorizations RMAs 23 Warranty coverage 23 Returns for credit 23 Return for credit policy 23 RMA numbers 23 Shipping instructions 23 1 System...

Page 5: ...bling the Telnet server 42 Logging onto the IPLink software 42 Selecting a secure password 43 Password encryption 43 Configure operators and administrators 44 Password encryption 44 Factory preset adm...

Page 6: ...he serial link 70 Factory configuration 70 7 Configuration file handling 71 Introduction 72 Understanding configuration files 72 Factory configuration 74 Configuration file handling task list 74 Copyi...

Page 7: ...s in the RADIUS request message 107 Attributes in the RADIUS accept message 108 Configuring the local database accounts 108 10 IP context overview 110 Introduction 111 IP context overview configuratio...

Page 8: ...PT profile 132 Configuring a NAPT DMZ host 133 Defining NAPT port ranges 134 Preserving TCP UDP port numbers in NAPT 134 Defining the UDP NAPT type 134 Activate NAT NAPT 135 Displaying NAT NAPT config...

Page 9: ...ght 158 Defining the bit rate 159 Defining absolute priority 159 Defining the maximum queue length 159 Specifying the type of service TOS field 159 Specifying the precedence field 160 Specifying diffe...

Page 10: ...T1 E1 line code 187 Configuring T1 E1 framing 187 Configuring T1 E1 line build out T1 only 188 Configuring T1 E1 used connector E1 only 188 Configuring T1 E1 application mode 188 Configuring T1 E1 LO...

Page 11: ...ng RIP configuration of an IP interface 209 Displaying global RIP information 210 19 Access control list configuration 211 Introduction 212 About access control lists 212 What access lists do 212 Why...

Page 12: ...1 SNTP client configuration task list 241 Selecting SNTP time servers 242 Defining SNTP client operating mode 242 Defining SNTP local UDP port 243 Enabling and disabling the SNTP client 244 Defining S...

Page 13: ...roubleshooting 268 25 PPP configuration 270 Introduction 271 PPP configuration task list 272 Creating an IP interface for PPP 272 Disable interface IP address auto configuration from PPP 274 Creating...

Page 14: ...uration of an IP interface and the IP router for IPSEC 298 Policy matching 298 Sample configuration snippet 298 Troubleshooting 299 Using an alternate source IP address for specific destinations 299 S...

Page 15: ...le_provisioning 321 context_ip 321 interface 321 dyndns 322 subscriber_ppp 322 port_ethernet 322 pppoe 322 vlan 323 port_serial 323 framerelay 323 Other 324 Show help 324 Show command history 324 Show...

Page 16: ...IPLink software 150 24 Example of Hierarchical Scheduling 152 25 Elements of link scheduler configuration 154 26 Scenario with Web server regarded as a single source host 155 27 Structure of a Servic...

Page 17: ...41 6 Permanent built in interface slot and port mapping for IPLink Series 139 7 Command cross reference 153 8 TOS values and their meaning 160 9 Traffic control info TCI field 161 10 Values defining d...

Page 18: ...chnicians How to read this guide IPLink software is a complex and multifaceted operating system running on your IPLink device Without the necessary theoretical background you will not be able to under...

Page 19: ...al overview of IPLink interfaces and describes the tasks involved in their configuration Chapter 12 NAT NAPT configuration on page 128 provides a general overview of the network address port translati...

Page 20: ...overview of IPLink software circuit switching CS context and its associated components and describes the tasks involved in its configuration Chapter 28 CS interface configuration on page 349 gives an...

Page 21: ...iew button in the Adobe Acrobat Reader toolbar to return to your starting point Futura bold type Commands and keywords are in boldface font Futura bold italic type Parts of commands which are related...

Page 22: ...t Available at www patton inalp com E mail support E mail sent to support patton inalp com will be answered within 1 business day Telephone support Standard telephone support is available five days a...

Page 23: ...he purchase price If you have ordered the wrong equipment or you are dissatisfied in any way please contact us to request an RMA number to accept your return Patton is not responsible for equipment re...

Page 24: ...24 Chapter 1 System overview Chapter contents Introduction 25 IPLink hardware platforms 26 IPLink software embedded software 26 IPLink Software management center tools 27...

Page 25: ...ware platforms or network nodes that provide the physical connectivity and the CPU resources All IPLink models support packet routed traffic The second element comprises the embedded software called I...

Page 26: ...IPLink hardware platforms IPLink software is available in several releases that support all available IPLink models Refer to IPLink software release notes for detailed information about hardware suppo...

Page 27: ...d in the factory and requires no upgrading The PMC loader initializes the PMC interface cards when mounted in IPLink devices It checks the hard ware versions and determines whether compatible PMC driv...

Page 28: ...t System NMS With the aid of configuration files and TFTP up and downloads the IPLink devices can also be managed offline using standard text editors and file systems A number of host based management...

Page 29: ...ation concepts Chapter contents Introduction 30 Contexts and Gateways 31 Context 31 Interfaces Ports and Bindings 31 Interfaces 31 Ports and circuits 31 Bindings 32 Profiles and Use commands 32 Profil...

Page 30: ...it switched and packet routed networks and services In order to consistently support a growing set of func tions protocols and applications IPLink software configuration is based on a number of abstra...

Page 31: ...in IPLink software differs from that in traditional networking devices Tradition ally the term interface is often synonymous with port or circuit which are physical entities In IPLink software however...

Page 32: ...ings form the association between circuits or ports and the interfaces configured on a context No user data can flow on a circuit or Ethernet port until some higher layer service is configured and ass...

Page 33: ...34 CLI prompt 34 Navigating the CLI 35 Initial mode 35 System changes 35 Configuration 35 Changing Modes 35 Command editing 35 Command help 35 The No form 35 Command defaults returning parameters to d...

Page 34: ...nment within which a group of related commands is valid All commands are mode specific and certain commands are valid in more than one mode A command mode provides command line completion and context...

Page 35: ...any of configuration modes For example when in pvc configuration mode typing exit will take you to framerelay configuration mode The exit command terminates a CLI session when typed from the operator...

Page 36: ...opy and context are displayed Command history IPLink software maintains a list of previously entered commands that you can go through by pressing the up arrow and down arrow keys and then pressing ent...

Page 37: ...Ctrl c Quit editing the current line Ctrl l Refresh redraw the display Ctrl t Transpose characters Ctrl v Insert a code to indicate to the system that the keystroke immediately fol lowing should be tr...

Page 38: ...2 Logging onto the IPLink software 42 Selecting a secure password 43 Password encryption 43 Configure operators and administrators 44 Password encryption 44 Factory preset administrator account 44 Cre...

Page 39: ...on If you type part of a command and then press the tab key the IPLink software shell will present you with either the remaining portion of the command or a list of possible commands These features ar...

Page 40: ...via the con sole port Console port procedure Before using the CLI to enter configuration commands do the following 1 Set up the hardware as described in the getting started guide that came with your I...

Page 41: ...active Note The default IP addresses listed in table 5 apply to an operating scenario com patible with the factory configured settings of the IPLink If your operating requirements are significantly di...

Page 42: ...he local console port or via a Telnet session opens a login screen The following description of the login process is based on a Telnet session scenario but is identical to that used when accessing via...

Page 43: ...ry words or any of the above mentioned examples Every password should be at least 6 characters long and include at least one capital letter one number and one lowercase letter A good example of a pass...

Page 44: ...assword mypassword always appears in encrypted form as HUAvCYeILWZz3hQvS0IEpQ encrypted when doing a show command The command show running config always displays the passwords in encrypted format To e...

Page 45: ...ple Create an administrator account The following example shows how to add a new administrator account with a login name super and a matching password Gh3 Ke4h IPLink enable IPLink configure IPLink cf...

Page 46: ...k show accounts administrator accounts super operator accounts support Switching to another account A user can use the su command to switch from one user account to working in another With this comman...

Page 47: ...who is logged in or more detailed information about users and process states depending on the execution mode in which you are working Used in administrator execution mode IPLink who ID User name Stat...

Page 48: ...m of the list Also you can change a com mands position in a listing moving it up or down in the list by changing its index number Example 1 Moving the test1 cfg from position 1 in the list to position...

Page 49: ...to cancel After confirming the dialog with yes the Telnet session to the IPLink is terminated and the Telnet applica tion window on your host closes Note Using the command exit in the operator execut...

Page 50: ...ion tasks 51 Entering the IP context creating IP interfaces and assigning an IP address 51 Defining IP Ethernet encapsulation and binding an IP interface to a physical port 52 Activating a physical po...

Page 51: ...IP context creating IP interfaces and assigning an IP address Defining IP Ethernet encapsulation and binding an IP interface to a physical port see page 52 Activating the physical port see page 52 Dis...

Page 52: ...n which it is located It is assumed that you would like to bind the IP interface name to port port of slot slot Mode Configure Example Define IP Ethernet encapsulation and bind IP interface to physica...

Page 53: ...o shutdown command in port configuration mode Example Activating the physical port It is assumed that you would like to activate the physical port 0 on slot 0 for which you use the following com mands...

Page 54: ...mode which creates a list of all the defined IP interfaces IPLink cfg context ip router IPLink ctx ip router interface interface New interface external Existing interface internal Existing interface...

Page 55: ...t 0 Figure 8 shows the relation between the IP interface lan and the Ethernet port 0 on slot 0 The configuration procedure below starts in the operator execution mode Figure 8 Relation between IP Inte...

Page 56: ...he interface lan you just defined to the Ethernet port and then activate the port IPLink prt eth 0 0 bind interface lan router IPLink prt eth 0 0 no shutdown 5 Store the configuration s 6 ettings in t...

Page 57: ...s from a network server to Flash memory 61 Copying driver software from a network server to Flash memory 62 Auto provisioning of firmware and configuration 63 Boot procedure 65 Bootloader 67 Start Boo...

Page 58: ...nfiguration file sets the initial basic operating parameters of the IPLink such as enabling the Ethernet ports setting the default IP addresses and the DHCP server Other configuration files may be sto...

Page 59: ...terminology On powering up an IPLink or pressing the Reset button on applicable units with no pre configured user con figuration files the default factory config file is also the startup config and th...

Page 60: ...network server to the Flash memory see page 62 Displaying system image information This procedure displays information about system images and driver software Volatile Persistent nvram Factory Config...

Page 61: ...ently into the flash memory of your IPLink to be present when booting the device Since the system image file is preloaded at the Patton Electronics Co factory you will have to download a new IPLink so...

Page 62: ...le download starts automatically Mode Administrator execution Example Copy system images from a network server to the Flash memory The following example shows how to download the driver software image...

Page 63: ...sh memory The following example shows how to download the driver software image file from the TFTP server at IP address 172 16 36 80 The download is defined by a script file which has to be downloaded...

Page 64: ...tiva tion reload graceful Explanation Step Command Purpose 1 name pf prov FIRMWARE destination script Chooses the unit s script interpreter as des tination of the downloaded file Use this for firmware...

Page 65: ...rovisioning execute FIRMWARE timer CONFIG_UPDATE now 2 minutes every 10 minutes provisioning execute CONFIG Boot procedure During a normal boot procedure of an IPLink the bootstrap application checks...

Page 66: ...back panel of the IPLink If a valid application image is not available The bootloader ensures that basic operations network access and downloads are possible in case of interrupted or corrupted appli...

Page 67: ...startup configuration is loaded into the volatile mem ory and is used to parameterize the IPLink software Bootloader Recall that the bootloader ensures that basic operations network access and downloa...

Page 68: ...e used to receive the new application image mask_len is the length of the network address or the number of 1 s within the subnet mask See Note below 2 optional RedBoot ip_address g gateway Sets the IP...

Page 69: ...ge IPLink software RedBoot ip l 172 16 40 98 19 RedBoot ip g 172 16 32 1 RedBoot ping h 172 16 32 100 Network PING from 172 16 40 98 to 172 16 32 100 PING received 10 of 10 expected RedBoot load r v h...

Page 70: ...he operation of an IPLink See section Boot procedure on page 65 and section Start up with factory configuration on page 68 for information on how to restore the factory configuration Step Command Purp...

Page 71: ...ration with a configuration from Flash memory 76 Copying configurations to and from a remote storage location 78 Replacing the startup configuration with a configuration downloaded from TFTP server 79...

Page 72: ...th the command configure Once in configuration mode enter the configuration commands that are necessary to configure your IPLink You can also create a new configuration file or modify an existing one...

Page 73: ...he end of the line 2805 Factory configuration file dns relay sntp client sntp client server primary 129 132 2 21 port 123 version 4 profile napt NAPT profile dhcp server DHCP network 192 168 1 0 255 2...

Page 74: ...uide included with your IPLink device describes the restoration procedure for restoring the default settings Configuration file handling task list This section describes how to create load and maintai...

Page 75: ...opied into the persistent memory region nvram by using a user specified name for conservation or later activation As shown in figure 12 the local memory regions are identified by their unique names li...

Page 76: ...place the startup configuration by a configuration that is already present in the flash memory You can do so by copying it to the area of the flash memory where the startup configuration is stored Mod...

Page 77: ...n in the file new startup stored in flash memory 1 Replace the current startup configuration by using the copy command into the flash memory area where the startup configuration is stored IPLink copy...

Page 78: ...stored to a file whose name is defined as one of the arguments of the copy command Figure 13 Remote memory regions for IPLink software Finally configuration files i e the startup configuration or a u...

Page 79: ...ontained in the file new startup located on the TFTP server at IP address 172 16 36 80 1 Download the startup configuration with the copy command into the flash memory area where to store the startup...

Page 80: ...which is significantly longer To hide these hidden commands again issue the no cli config defaults command Modifying the running configuration at the CLI IPLink software accepts interactive modificat...

Page 81: ...no the question whether to reload or not with yes Mode Administrator execution Example Modifying the running configuration at the CLI The following example shows how to modify the currently running co...

Page 82: ...00 At this point in time the offline editing of the configuration file current config on the TFTP server takes place IPLink copy tftp 172 16 36 80 user current config nvram startup config Download 100...

Page 83: ...s IPLink show nvram Persistent configurations backup startup config factory config Encrypted file download This section explains the encrypted configuration download feature of IPLink software TFTP as...

Page 84: ...ed before stored to flash A custom encryption key can be Downloaded to the IPLink software Specified with the PC encryption tool The encryption key may include the MAC address and or serial number of...

Page 85: ...ead of the variable on the IPLink system serial The serial number of the IPLink Execute the show version command on the IPLink to display the serial number When your key file contains the following li...

Page 86: ...ies to decrypt the file using the pre installed key Upload an encrypted configuration file The IPLink immediately decrypts a configuration file after downloading it This is the configuration file is s...

Page 87: ...m banner 91 Setting time and date 92 Display clock information 92 Display time since last restart 93 Configuring and starting the Web server 93 Determining and defining the active CLI version 93 Resta...

Page 88: ...r Basic system management configuration task list All tasks in the following sections are optional though some such as setting time and calendar services and sys tem information are highly recommended...

Page 89: ...server The following example shows the command used to install license keys which are stored in a license file on a TFTP server IPLink cfg copy tftp 172 16 4 3 keystore sn1x00_120393 lic licenses Mode...

Page 90: ...d with the chosen name Assigning explanatory location information to describe the system physical location of your IPLink e g server room wiring closet 3rd floor etc is very supportive This entry corr...

Page 91: ...istrators and operators such as scheduled maintenance or system shutdowns By default no banner is present on login To create a system banner use the banner command followed by the message you want dis...

Page 92: ...ncludes an integrated SNTP client which allows synchro nization of time of day and date to a reference time server Refer to chapter 21 SNTP client configuration on page 240 for more details Example Se...

Page 93: ...al console Without a Java applet the value of the embedded web server is limited Contact Patton Electronics Co for any questions about custom designed Java configuration tools for IPLink software Mode...

Page 94: ...l they all are closed to reload forced reloads the system without prompting for confirmation or for saving the running configuration no need to type yes or no The question whether to save the running...

Page 95: ...NFO Warm start 2001 12 14T08 51 09 LOGINFO Slot 2 Event Logging Service for ic 4brvoip started 2001 12 14T08 51 09 LOGINFO Slot 2 DrvPckt_Dsp_Ac48xx DSP driver for AC481xx cre ated Controlling command...

Page 96: ...0 Time 10ms Reply from 172 16 36 80 Time 10ms Reply from 172 16 36 80 Time 10ms Reply from 172 16 36 80 Time 10ms Ctrl z suspend active command Suspended System prompt reappears and is ready to execut...

Page 97: ...FIRMWARE timer volatile RELOAD midnight 1 hour reload graceful Starts a volatile timer named RELOAD does not appear in the running configuration and thus is not stored in the startup configuration The...

Page 98: ...nal session is automatically closed If longer session periods are required logging debugging this command allows to increase the session timeout or to disable it com pletely 3 name sys terminal more E...

Page 99: ...100 General AAA Configuration 101 RADIUS configuration 103 Configuring RADIUS clients 104 Configuring RADIUS accounting 105 Configuring the RADIUS server 107 Attributes in the RADIUS request message...

Page 100: ...user s authentication login information with credentials stored in a database If the information is verified the user is granted access to the network Otherwise authentication fails and network access...

Page 101: ...sequence in which methods are applied to obtain AAA information Figure 16 illustrates the correlation between the Telnet login and console login services Figure 16 How to use AAA methods and AAA prof...

Page 102: ...n and console login services IPLink enable IPLink configure IPLink cfg profile aaa remote radius IPLink pf aaa remote method radius radius_deepblue IPLink pf aaa remote method radius radius_extern IPL...

Page 103: ...the console login service use this profile If an emergency occurs you can reload this default configuration by reloading the factory configuration as described in section Boot procedure on page 65 RA...

Page 104: ..._extern IPLink radius radius_ radius server 219 144 12 1 IPLink radius radius_ shared secret authentication dd9351e13cc335 IPLink radius radius_ exit IPLink cfg IPLink cfg show radius client RADIUS cl...

Page 105: ...a ATTRIBUTE Connect Time 33 string Patton a ATTRIBUTE Disconnect Time 34 string Patton a ATTRIBUTE Disconnect Cause 35 integer Patton b ATTRIBUTE Disconnect Source 36 string Patton c ATTRIBUTE Called...

Page 106: ...efine your newly created radius client as the AAA method to be used Note If you require redundancy you can create multi ple radius clients and add all of them to the AAA profile 6 node pf auth pf name...

Page 107: ...pdate interval seconds Define the interval after which an interim update shall be sent if necessary The default is not to send periodic interim updates 14 node svc aaa svc name port name Create a port...

Page 108: ...ndor data including Vendor Type and Vendor Length Vendor String Not null terminated String with the value console or Telnet Configuring the local database accounts The final step in configuring the au...

Page 109: ...k cfg Note If you are creating an account that does not require a password type to indicate that no password is needed For example if you were configuring an account for an operator named James that d...

Page 110: ...112 IP interface related information 112 Serial interface related information 113 QoS related information 113 Configuring Ethernet and serial ports 113 Creating and configuring IP interfaces 113 Conf...

Page 111: ...router by default This IP context can contain interface static routes RIP parameters NAPT QoS and access control profiles In figure 17 on page 111 the IP context with all its related elements is conta...

Page 112: ...Depending on your application scenario some tasks are mandatory or might be optional The following tasks use a bottom up approach starting from the ports followed by the interfaces up to the services...

Page 113: ...at the device Signaling protocol required by the device must be X 21 or V 35 QoS related information Check with your access service provider if there are any QoS related requirements which you need t...

Page 114: ...work addresses IP addresses to map multiple private network addresses to a single outside address NAPT enables small offices to save money by requiring only one official outside IP address to connect...

Page 115: ...movement through the network Such control can help to limit net work traffic and to restrict network use by certain users or devices To permit or deny packets from crossing specified interfaces IPLin...

Page 116: ...lity of service QoS 116 IPLink Software Configuration Guide 10 IP context overview IPLink software QoS features described in chapter 14 Link scheduler configuration on page 148 address these diverse a...

Page 117: ...20 ICMP message processing 121 ICMP redirect messages 121 Router advertisement broadcast message 121 Defining the MTU and MSS of the interface 122 Configuring an interface as a point to point link 123...

Page 118: ...list To configure interfaces perform the tasks in the following sections Creating an IP interface see page 118 Deleting an IP interface see page 119 Setting the IP address and netmask see page 120 ICM...

Page 119: ...default Deleting an existing interface in the IP context is often necessary Mode Context IP Example Delete IP interfaces The procedure below assumes that you would like to delete an IP interface name...

Page 120: ...anslations although their traffic is routed through an IP interface to which a NAPT profile is bound This configuration is usually neces sary for DMZ networks connected to an Ethernet port which uses...

Page 121: ...ving this device at all The redirect message instructs the sender to remove the receiving device from the route and substitute a specified device representing a more direct path This feature is enable...

Page 122: ...ll devices on a physical medium must have the same protocol MTU in order to operate accurately Procedure To set the MTU packet size or the MSS to size on the interface name Mode Interface Example Defi...

Page 123: ...router interface lan IPLink if ip lan point to point Displaying IP interface information IPLink software contains the show ip interface command which displays IP information for all interfaces The com...

Page 124: ...the path to host reliability delays over the path and whether the host can be accessed or is functioning Mode Either operator or administrator execution When using ping for fault isolation you should...

Page 125: ...from 172 16 1 10 Time 10ms Ping statistics for 172 16 1 10 Packets Sent 5 Received 5 Lost 0 0 loss RTT Minimum 10ms Maximum 10ms Average 10ms Traceroute This procedure describes how to print the route...

Page 126: ...1 Lost 0 0 loss RTT Minimum 10ms Maximum 10ms Average 10ms Example Display the ARP information IPLink cfg show arp IP Interface eth0 Remote IP Remote MAC State TTL TxReq RxRep Usage 69 138 216 1 00 01...

Page 127: ...interface wan no longer exists IPLink ctx ip router interface interface New interface lan Existing interface Step Command Purpose 1 node ctx ip ctx name interface if name Go to the IP interface which...

Page 128: ...NAPT traversal 131 NAT NAPT configuration task list 132 Creating a NAPT profile 132 Configuring a NAPT DMZ host 133 Defining NAPT port ranges 134 Preserving TCP UDP port numbers in NAPT 134 Defining t...

Page 129: ...plies the terminology defined in RFC 2663 IPLink software provides four types of NAT NAPT Dynamic NAPT Cisco terminology NAT Overload Static NAPT Cisco terminology Port Static NAT Dynamic NAT Static N...

Page 130: ...dress can either be the address of the global interface or a configured global NAPT address Usually the local and the global port of a static NAPT entry are the same however they may be different Figu...

Page 131: ...makes local hosts globally accessible Static NAT entries map global addresses to local addresses The global address must be a configured global NAT address It cannot be the address of the global inter...

Page 132: ...page 135 Creating a NAPT profile A NAPT profile defines the behavior of the NAT NAPT component comprising all four types of NAT NAPT this profile is called NAPT profile and not NAT NAPT profile for hi...

Page 133: ...the device itself The following procedure shows how a DMZ host can be configured Mode profile napt pf name 4 optional node pf napt name range local ip range start local ip range stop global ip start...

Page 134: ...ocedure The NAPT sup ports the UDP translation types shown in the following list The list is ordered by the security of the NAPT type starting with the highest security type symmetric port restricted...

Page 135: ...an IPLink cfg context ip router IPLink ctx ip router interface lan IPLink if ip lan use profile napt access Displaying NAT NAPT configuration information Two commands are available to display an exist...

Page 136: ...STATIC NAPT RANGE MAPPINGS Local IP Start Local IP Stop Global IP 192 168 1 10 192 168 1 19 131 1 1 15 STATIC NAT RANGE MAPPINGS Local IP Start Local IP Stop Global IP Start Global IP Stop 192 168 1 3...

Page 137: ...139 Configuring Ethernet encapsulation type for an Ethernet port 140 Binding an Ethernet port to an IP interface 140 Multiple IP addresses on Ethernet ports 141 Configuring a VLAN 142 Configuring laye...

Page 138: ...router for port Ethernet 0 1 and bind interface eth0 router for port Ethernet 0 0 Enabled The information in this chapter applies to all Ethernet ports on the system including the Ethernet manage ment...

Page 139: ...nt on board interfaces of an IPLink are described as being on slot 0 Configuring medium for an Ethernet port All Ethernet ports are configured by default to auto sense both the port speed and the dupl...

Page 140: ...Configure Example Configuring Ethernet encapsulation type for an Ethernet port The following example shows how to configure the encapsulation type to IP for the Ethernet port on slot 0 and port 0 of a...

Page 141: ...PLink prt eth 0 0 bind interface lan router Multiple IP addresses on Ethernet ports It is possible to use multiple IP addresses on an Ethernet port by binding the port to multiple IP interfaces Each o...

Page 142: ...hat is bound to this port is also closed All static routing entries that are using this interface change their state to invalid and all dynamic routing entries will be removed from the route table man...

Page 143: ...ribes how to change layer 2 CoS to service class mapping Step Command Purpose 1 node config port ethernet slot port Enter Ethernet port configura tion 2 node prt eth slot port vlan id Create new VLAN...

Page 144: ...nto a firm ware specific service class value Each conversion is stored as a mapping table entry so the receive mapping table consists of several mapping table entries This procedure describes how to a...

Page 145: ...he shutdown command This command also disables and closes the IP interface that is bound to that port All static routing entries that are using this interface change their state to invalid and all dyn...

Page 146: ...0 and port 0 gets also closed Checking the state of the IP interface wan indicates this with the CLOSED for parameter state IPLink prt eth 0 1 show ip interface Context router Name wan IP Address 172...

Page 147: ...the capture buffer is full 2 Now the sniffer is active and will capture the datapackets on the specified ethernet port 3 name cfg no sniff ether net 0 1 Disable the sniffer on ethernet port 0 1 Note t...

Page 148: ...ontrol list 155 Creating a service policy profile 156 Specifying the handling of traffic classes 158 Defining fair queuing weight 158 Defining the bit rate 159 Defining absolute priority 159 Defining...

Page 149: ...een voice and data packets To improve QoS you can configure the IPLink to send no more data to the Internet than the modem can carry This keeps the modem s queue empty and gives the IPLink software co...

Page 150: ...ecause they will not use up the entire bandwidth Weighted fair queuing WFQ This arbitration method assures a given minimal bandwidth for each source An example you specify that traf fic class A gets t...

Page 151: ...urstiness needed for sources to catch up after collisions is implicitly allowed Future versions of IPLink software might allow setting the burst rate and bursting size if more control over its behavio...

Page 152: ...igura tion Setting the modem rate To match the voice and data multiplexing to the capacity of the access link is the most common application of the IPLink software link scheduler 1 Create a minimal pr...

Page 153: ...dministrators to straightforwardly configure IPLink devices In table 7 the Cisco IOS Release 12 2 QoS commands are in con trast with the respective IPLink software commands Link scheduler configuratio...

Page 154: ...n IPLink software consists of a series of packet descriptions like addressed to xyz Those descriptions are called rules For each packet the list of descriptions is sequentially checked and the first r...

Page 155: ...he necessary steps to tag any outbound traffic from a Web server The scenario is depicted in figure 26 The IP address of the Web server is used as source address in the permit statement of the IP filt...

Page 156: ...control lists the link arbiter needs rules defining how to handle the different traffic classes For that purpose you create a service policy profile The service policy profile defines how the link ar...

Page 157: ...ass local voice priority source traffic class Web share 30 source traffic class local default share 20 source traffic class default queue limit 40 share 50 The first line specifies the name of the lin...

Page 158: ...g fair queuing weight The command share is used with wfq link arbitration to assign the weight to the selected traffic class When defining a number of source classes the values are relative to each ot...

Page 159: ...he class name Excess pack ets are dropped Used in class mode queuing only happens at the leaf of the arbitration hierarchy tree The no form of this command reverts the queue limit to the internal defa...

Page 160: ...ice RFC791 RFC1349 The precedence field is defined by the first three bits and supports eight levels of priority The low est priority is assigned to 0 and the highest priority is 7 The no form of this...

Page 161: ...time critical data Under 802 1p a 4 byte Tag Control Info TCI field is inserted in the Layer 2 header between the Source Address and the MAC Client Type Length field of an Ethernet Frame Table 9 list...

Page 162: ...packets that have to be included in the QoS process base upon their size In the service policy profile exists a command that allows mapping of a specific packet size or a range to a traffic class The...

Page 163: ...d voice traffic will be pro cessed like local generated voice traffic 4 name pf srvp name out source traffic class local voice Enters traffic class configuration mode 5 name src local v priority Speci...

Page 164: ...ers may use input shaping to improve downlink voice jitter in the absence of voice support The default setting no service policy sets the interface to FIFO queuing Mode Interface Example Devoting the...

Page 165: ...eduling profile information The show profile service policy command displays link scheduling profile information of an existing ser vice policy profile This command is only available in the administra...

Page 166: ...r all queues of a profile The following example shows how to enable statistic gathering for all traffic classes IPLink enable IPLink configure IPLink cfg profile service policy sample IPLink pf srvpl...

Page 167: ...udrate 172 Enter Frame Relay mode 173 Configuring the LMI type 173 Configuring the keep alive interval 174 Enabling fragmentation 174 Entering Frame Relay PVC configuration mode 176 Configuring the PV...

Page 168: ...ay protocol on the synchronous serial interface Frame Relay is an example of a packet switched technology Packet switched networks enable end stations to dynamically share the network medium and the a...

Page 169: ...show port serial IPLink cfg port serial 0 0 IPLink prt ser 0 0 shutdown IPLink prt ser 0 0 show port serial Serial Interface Configuration Port serial 0 0 0 State CLOSED Hardware Port V 35 Transmit E...

Page 170: ...se the encapsulation interface configuration command This procedure describes how to set the encapsulation type of the serial interface for Frame Relay Mode Administrator execution Example Configuring...

Page 171: ...active clock edge of the serial interface Mode Port serial Example Configuring the active clock edge The following example enables to send data on the negative edge on slot 0 and port 0 of an IPLink...

Page 172: ...00 bps on the serial interface Verify that the command show port serial detail 5 output displays the correct baudrate True baudrate in the Status section shows the baudrate of the selected hardware IP...

Page 173: ...interface on slot 0 and port 0 of an IPLink IPLink cfg port serial 0 0 IPLink prt ser 0 0 framerelay IPLink frm rel 0 0 Configuring the LMI type For a Frame Relay network the line protocol is the per...

Page 174: ...ives on networks that do not utilize LMI use the no keepalive interface configuration command Example Configuring the keep alive interval The following example sets the keepalive interval to 10 second...

Page 175: ...e delay to the real time data The FRF 12 Implementation Agree ment defines FRF 12 fragmentation This standard was developed to allow long data frames to be fragmented into smaller pieces fragments and...

Page 176: ...is for connections between stations attached to the same Frame Relay network The resulting set of interconnected devices forms a private Frame Relay group which may be either fully inter connected wit...

Page 177: ...a Frame Relay network This procedure describes how to set the encapsulation type to comply with RFC 1490 Mode Frame Relay Example Configuring the PVC encapsulation type The following example sets the...

Page 178: ...hich is related to the IP context router Mode PVC Example Binding the Frame Relay PVC to IP interface The following example binds the Frame Relay PVC 1 to the IP interface wan of IP context router to...

Page 179: ...verify that the entry no shutdown occurs in the con figuration part responsible for this PVC IPLink pvc 1 show running config Running configuration pvc 1 encapsulation rfc1490 bind interface wan route...

Page 180: ...y impact your system performance This procedure describes how to display the Frame Relay configuration settings for the serial interface Mode Administrator execution Command Purpose no debug framerela...

Page 181: ...isplaying Frame Relay information Since Frame Relay configuration for the serial interface is complex and requires many commands it is helpful to list the frame relay configuration on screen This proc...

Page 182: ...st PVC labeled as PVC 1 connects to the MSP access device The second PVC labeled PVC 2 connects to the VPN provider access device on the leased line network An IPLink is working as a DTE and accesses...

Page 183: ...up the IP interface configuration first Be aware that not all of the necessary settings are listed below IPLink cfg context ip router IPLink ctx ip router interface external IPLink if ip external int...

Page 184: ...ble fragmentation for PVC 1 The voice uses codec G 723 at a packet size of 30ms so the minimum fragment size must be 66 Bytes Setting the fragment size to 300 Bytes introduces an additional delay of a...

Page 185: ...uring T1 E1 application mode 188 Configuring T1 E1 LOS threshold 189 Configuring T1 Loopback detection 189 Configuring T1 E1 encapsulation 190 Create a Channel Group 190 Configuring Channel Group Time...

Page 186: ...Disable T1 E1 port Configuring the T1 E1 port type Configuring T1 E1 clock mode Configuring T1 E1 line code Configuring T1 E1 framing Configuring T1 line build out LBO T1 only Configuring E1 impedance...

Page 187: ...the other case the data transmission will fail due to bit failures Mode port e1t1 slot port Configuring T1 E1 line code Three different line codes can be selected on the T1 E1 port whereas only ami is...

Page 188: ...ching must be adapted RJ45 120 Ohm BNC 75 Ohm Mode port e1t1 slot port Configuring T1 E1 application mode The T1 E1 port can be configured to work in either short haul or in long haul mode Short haul...

Page 189: ...the customer It sends the loopback up code to the customer device then subsequently starts for example a Pseudo Random Bit Sequence PRBS to determinate the quality of the connection Depending on the...

Page 190: ...for channelized afterwards the channel group command is used to create the channel group In the channel group configura tion mode the user selects the specific timeslots and the encapsulation hdlc wil...

Page 191: ...e channel group configuration mode only the encapsulation type hdlc is available For more details see Configuring T1 E1 Encapsulation Mode channel group group name Entering HDLC Configuration Mode The...

Page 192: ...ing up framerelay or ppp is exactly the same as for an X 21 V 35 serial port For that reason see chapter 15 Serial port configuration on page 167 for more details about frame relay configu ration and...

Page 193: ...1 E1 port configuration Example 1 Frame Relay without a channel group port e1t1 0 0 port type e1 framing crc4 encapsulation hdlc hdlc encapsulation framerelay framerelay lmi type itu pvc 100 encapsula...

Page 194: ...itu pvc 100 encapsulation rfc1490 bind interface pvc100 router no shutdown port e1t1 0 0 no shutdown Example 3 PPP without a channel group port e1t1 0 0 port type e1 framing crc4 encapsulation hdlc h...

Page 195: ...ing tables 196 Static routing 196 Basic IP routing configuration task list 196 Configuring static IP routes 196 Deleting static IP routes 197 Displaying IP route information 198 Examples 199 Basic sta...

Page 196: ...address and outgoing interface Routing algorithms must converge rapidly i e all routers must agree on optimal routes When a network event causes routes either to go down or to become unavailable rout...

Page 197: ...cifies the desirability of the route when compared against other routes The range is 0 through 15 where 0 is the preferred route If no metric is specified the static route is assumed to have a metric...

Page 198: ...tric flags U up H host G Gateway L local D default and amount of use for each route in the routing table If there are multiple routes to the same destination the preferred route is indicated by an ast...

Page 199: ...ers and four networks The necessary routing table entries for the scenario described are listed below IPLink enable IPLink configure IPLink cfg context ip router IPLink ctx ip router route 10 1 5 10 2...

Page 200: ...uting configuration Changing the default UDP port range for RTP and RTCP The UDP port range to be used for RTP streams can be configured using the following procedure Mode context ip Step Command Purp...

Page 201: ...pecifying the receive RIP version 205 Enabling RIP learning 205 Enabling an interface to receive RIP 206 Enabling RIP announcing 206 Enabling RIP auto summarization 207 Specifying the default route me...

Page 202: ...running RIP or the router can source generate the default network itself with RIP In both cases the default network is advertised through RIP to other RIP neighbors IPLink software software will send...

Page 203: ...commands have the character of a flag which is either enabled or disabled Enabling send RIP Enabling an interface to receive RIP see page 204 Specifying the send RIP version see page 204 Specifying t...

Page 204: ...nd RIP version By default IPLink software application software sends RIP 1compatible packets The IPLink software applica tion software allows sending RIP version 1 version 1 compatible or version 2 pa...

Page 205: ...ing update contains a route to a destination that does not already exist If the update describes a route whose destination is already in the local table the new route is used only if it has a lower co...

Page 206: ...rip listen Enabling RIP announcing The RIP protocol supports announcing features which are used to proclaim specific routing information to other elements e g routers or IPLink devices in a network T...

Page 207: ...le auto summarization on IP interface wan on an IPLink IPLink cfg context ip router IPLink ctx ip router interface wan IPLink if ip wan rip auto summary Specifying the default route metric RIP uses a...

Page 208: ...ly when links are broken However with non broadcast networks such as Frame Relay situations can arise for which this behavior is less than ideal For these situations you might want to disable split ho...

Page 209: ...rned Enabling this function enhances the stability of the RIP topology in the presence of transients This procedure describes how to enable holding down of aged routes on an interface Mode Interface E...

Page 210: ...disabled announce static disabled announce default disabled announce self as default disabled route holddown enabled poison reverse disabled auto summary disabled split horizon disabled default route...

Page 211: ...ccess control list 214 Creating an access control list profile and enter configuration mode 215 Adding a filter rule to the current access control list profile 215 Adding an ICMP filter rule to the cu...

Page 212: ...ne whether to forward or drop the packet based on the criteria you specified within the access lists Access list criteria could be the source address of the traffic the destination address of the traf...

Page 213: ...oned between two parts of your network to control traffic entering or exiting a specific part of your internal network To provide the security benefits of access lists you should configure access list...

Page 214: ...matching the criteria to be dropped To delete an entire access control list enter configuration mode and use the no form of the profile acl com mand naming the access list to be deleted e g no profile...

Page 215: ...ements that will make up the access control list Use the no form of this command to delete an access control list profile You cannot delete an access control list profile if it is currently linked to...

Page 216: ...s of control list entry that denies access defined according to the command options Keyword Meaning src The source address to be included in the rule An IP address in dotted decimal format e g 64 231...

Page 217: ...rocedure describes how to create an ICMP access control list entry that denies access Mode Profile access control list Step Command Purpose 1 node pf acl name permit icmp src src wildcard any host src...

Page 218: ...included in the rule An IP address in dotted decimal format e g 64 231 1 10 dest wildcard A wildcard for the destination address See src wildcard host dest The address of a single destination host msg...

Page 219: ...ess Mode Profile access control list This procedure describes how to create a TCP UDP or SCTP access control list entry that denies access Mode Profile access control list Step Command Purpose 1 node...

Page 220: ...al Indicates that a packets port must be equal to the specified port in order to match the rule lt port Optional Indicates that a packets port must be less than the specified port in order to match th...

Page 221: ...profile to incoming packets on the interface wan in the IP router context IPLink cfg context ip router IPLink cfg ip router interface wan IPLink cfg if wan use profile acl WanRx in Step Command Purpos...

Page 222: ...rofile Mode Administrator execution or any other mode except the operator execution mode Example Displaying an access control list entries The following example shows how to display the access control...

Page 223: ...le disables the debug monitor for access control lists globally IPLink no debug acl Step Command Purpose 1 node cfg context ip router Selects the IP router context 2 node ctx ip router interface if na...

Page 224: ...hat have to be entered are listed below The commands access the IPLink device via a Telnet session running on a host with IP address 172 16 2 13 which accesses the IPLink via IP interface lan 172 16 2...

Page 225: ...tification of the IPLink devices via SNMP 228 SNMP tools 228 SNMP configuration task list 228 Setting basic system information 229 Setting access community information 231 Setting allowed host informa...

Page 226: ...v3 is pending This chap ter provides general descriptions of the SNMP version 1 and 2 protocol operations Be aware that the SNMP agent running in IPLink software is SNMP version 1 SNMPv1 compliant SNM...

Page 227: ...ief overview of the current SNMP management framework An overall architecture is described in RFC 2571 An Architecture for Describing SNMP Management Frameworks The SNMP man agement framework has seve...

Page 228: ...list To configure SNMP perform the tasks described in the following sections The tasks in the first three sections are required the tasks in the remaining sections are optional but might be required...

Page 229: ...hyphens Names must be 63 characters or fewer For more information refer to RFC 1035 This procedure describes how to set these MIB II system group objects Mode Administrator execution If any of the com...

Page 230: ...me of the System Group objects Example Setting the system group objects In the following example the system information is set for later access via SNMP See figure 35 for a typical MIB browser applica...

Page 231: ...dividual MIB In the absence of additional configuration options to constrain access knowledge of the single community string for the device is all that is required to gain access to all objects both r...

Page 232: ...of this system Mode Configure Use the no command option to remove a SNMP allowed host setting Example Setting allowed host information In the following example the host with IP address 172 16 224 45 s...

Page 233: ...behavior of the SNMP agent running on an IPLink device This procedure describes how to display information and configuration settings for SNMP Mode Configure Example Displaying SNMP related informatio...

Page 234: ...cryptic information which is not easily understandable to the users trap parsers are required to translate or parse traps into understandable information Using the MibBrowser Figure 36 depicts the pr...

Page 235: ...sent from any host IPLink device send their traps to the SNMP standard port 162 Invoke the TrapViewer through the usage of the MibBrowser To get to know more about the MibBrowser refer to section Usin...

Page 236: ...clicking this button TrapViewer begins to receive traps according to the as specified port and community Once received the traps are listed in the trap table of the TrapViewer By default the trap tabl...

Page 237: ...sUpTime variable converted into hours minutes and seconds Enterprise This field shows the OID of the management enterprise that defines the trap message The value is represented as an OBJECT IDENTIFIE...

Page 238: ...munication links represented in the agent s configuration has come up 3 Note The linkUp trap is not sent if any of the ISDN ports has come up authenticationFailure TRAP TYPE ENTERPRISE snmp DESCRIPTIO...

Page 239: ...fy the Interface Traps These assign ments depend on the hardware and software configurations The command show snmp if alias mapping displays the relations between the indexes and the interfaces It als...

Page 240: ...SNTP client poll interval 244 Defining SNTP client constant offset to GMT 244 Defining the SNTP client anycast address 245 Enabling and disabling local clock offset compensation 246 Showing SNTP clien...

Page 241: ...nticate traffic although you can configure extended access lists to provide some protection An SNTP client is more vulnerable to misbe having servers than an NTP client and should only be used in situ...

Page 242: ...relative to the server In anycast mode multipoint to point the client sends a request to a designated local broadcast or multicast group address and expects a reply from one or more anycast servers In...

Page 243: ...nation port on SNTP time server fields in the UDP header The local port number which the SNTP client uses to contact the primary or secondary SNTP time server in unicast mode has to be defined Note Th...

Page 244: ...ure Example Setting the SNTP client poll interval In the following example the SNTP client poll interval is set to 30 seconds IPLink cfg sntp client poll interval 30 Defining SNTP client constant offs...

Page 245: ...used One or more anycast servers listen on the designated local broadcast address or multicast group address Each anycast server upon receiving a request sends a unicast reply message to the originat...

Page 246: ...iseconds relative to the server In addition this provides a simple method to verify that the server reply is in fact a legitimate response to the specific client request and to avoid replays In multic...

Page 247: ...ntp client SNTP client enabled Operating mode unicast Local port 123 Primary server 172 16 1 10 123 v4 Secondary server 128 138 140 44 123 v4 Anycast address 224 0 1 1 123 Poll interval 30sec Local cl...

Page 248: ...mmended public SNTP time servers NIST Internet time service The National Institute of Standards and Technology NIST Internet Time Service allows users to synchronize computer clocks via the Internet T...

Page 249: ...Service Area Switzerland Europe Access Policy open access Contact Christoph Wicki time iis ee ethz ch Germany DE ntp0 fau de 131 188 34 75 Location University Erlangen Nuernberg D 91058 Erlangen FRG...

Page 250: ...many Europe Access Policy open access Contact Gerard Gschwind gg cs tu berlin de Additional information on NTP and a list of other NTP servers The University of Delaware hosts a World Wide Web site th...

Page 251: ...an IP interface 253 Release or renew a DHCP lease manually advanced 255 Get debug output from DHCP client 255 DHCP server configuration tasks 256 Configure DHCP server profiles 256 Use DHCP server pro...

Page 252: ...inistrator had to manually configure each new network device before it could be used on the network are past In addition to distributing IP addresses DHCP enables configuration information to be distr...

Page 253: ...perform the steps mentioned below Enable DHCP client on an IP interface Release or renew a DHCP lease manually advanced see page 255 Get debug output from DHCP client see page 255 Configure DHCP agen...

Page 254: ...rface IPLink cfg context ip IPLink ctx ip router interface eth0 IPLink if ip eth0 ipaddress dhcp IPLink if ip eth0 show dhcp client Context router Name eth0 IpAddress 172 16 224 102 255 255 0 0 Defaul...

Page 255: ...mmand dhcp client release and dhcp client renew IPLink cfg context ip IPLink ctx ip router interface eth0 IPLink if ip eth0 debug dhcp client IPLink if ip eth0 dhcp client release 01 12 28 DHCPC route...

Page 256: ...igure the IPLink as DHCP server perform the steps mentioned below Configure DHCP server profiles Use DHCP server profiles and enable the DHCP server and to clear lease database see page 258 Check DHCP...

Page 257: ...f dhcps name lease time days hours minutes Defines the time a lease is valid DHCP Option 51 6 optional node pf dhcps name no domain name domain name A PC DHCP client may use this domain name to comple...

Page 258: ...rver This example shows how to assign a profile to the DHCP server and to start the DHCP server IPLink ctx ip router dhcp server use LAN IPLink ctx ip router dhcp server 10 optional node pf dhcps name...

Page 259: ...192 168 1 32 192 168 1 63 Lease Time 2 days Default Router 192 168 1 1 Domain Name Server 80 254 161 125 80 254 161 126 Bound leases 192 168 1 32 Dufour Address ethernet 00 10 A4 7C 7A F8 Client Id 0...

Page 260: ...FFER to 192 168 1 32 via 255 255 255 255 68 21 41 29 DHCPS Deferring save of lease database 21 41 29 DHCPS Last saved at 2002 12 04T21 40 29 next at 2002 12 04T21 55 29 21 41 29 DHCPS Request from eth...

Page 261: ...261 Chapter 23 DNS configuration Chapter contents Introduction 262 DNS configuration task list 262 Enabling the DNS resolver 262 Enabling the DNS relay 263...

Page 262: ...ated the query This process enables the IPLink to provide answers more quickly to often queried DNS names reducing the number of DNS queries that must be sent across the access link DNS configuration...

Page 263: ...covered IP 81 221 250 10 Not used Discovered IP 81 221 252 10 Not used IPLink cfg Configured IP indicates a domain name server that has been configured as shown at the beginning of this section Discov...

Page 264: ...n be consulted from the IPLink The DNS resolver must be configured before you can use the DNS relay feature see section Enabling the DNS resolver on page 262 to enable the DNS resolver if you have not...

Page 265: ...ion 266 DynDNS configuration task list 266 Creating a DynDNS account 266 Configuring the DNS resolver 266 Configuring basic DynDNS settings 267 Configuring advanced DynDNS settings optional 267 Defini...

Page 266: ...ifferent levels of service The basic services are offered free of charge while the more advanced services are chargeable The IPLink supports the following DynDNS services Dynamic DNS Static DNS Custom...

Page 267: ...name If required you can define a mail exchanger or a backup mail exchanger for your hostname on the DynDNS server Mode DynDNS Step Command Purpose 1 node dyndns authentication user pass word Defines...

Page 268: ...64 Hostname test dyndns org You can also monitor current activities of the DynDNS client This includes ongoing DNS queries for DynDNS servers verification of the currently registered IP address and up...

Page 269: ...ou can also force the DynDNS client to resume normal operation if the state of the DynDNS client is shown as blocked and the problem which led to the blocked state has been solved The DynDNS client wi...

Page 270: ...able interface IP address auto configuration from PPP 276 Configuring a PPPoE session 276 Configuring a serial port for PPP 278 Creating a PPP profile 279 Displaying PPP configuration information 280...

Page 271: ...overview Since the purpose of PPP is providing IP connectivity over different types of link layers all PPP configuration elements connect to the IP context through an IP interface This connection is r...

Page 272: ...ort translation NAPT if the PPP service provider only offers a single IP address and not an IP sub net or if the IP addresses on the LAN shall be private and hidden behind a public IP address see 12 N...

Page 273: ...address offered by the PPP remote peer The parameter netmask specifies the size of the subnet in case no point to point is configured 4 optional node if ip name no tcp adjust mss rx tx mtu mss Limits...

Page 274: ...p Creating a PPP subscriber One or more PPP subscriber shall be configured if either PPP peer requires authentication This procedure describes how to create a PPP subscriber Mode Configure 5 optional...

Page 275: ...tions if it happens during the day The timer allows to discon nect and reopen the PPP session at a predefined time such as 0200 hours 3 node subscr name no authentication chap pap chap pap Defines the...

Page 276: ...protocol identifies the PPP remote peer on the Ether net and establishes a PPPoE session with it The PPPoE session provides a logical point to point link that to runs PPP as if it was a physical poin...

Page 277: ...ion with the name name 7 node pppoe slot port no bind inter face name router or node pppoe slot port no bind sub scriber name Binds the PPPoE session directly to the IP inter face name in case no auth...

Page 278: ...r profile above IPLink cfg port serial 0 0 IPLink prt ser 0 0 encapsulation ppp IPLink prt ser 0 0 bind subscriber joe_example Step Command Purpose 1 node cfg port serial slot port Enters the configur...

Page 279: ...ame default Creates the new PPP profile name and enters the PPP profile configuration The profile default already exists 2 optional node pf ppp name mtu min min max max Defines the minimum and maximum...

Page 280: ...ection dial out Authentication pap Identification inbound none Identification outbound patton patton Timeout for disconnect no absolute timeout no idle timeout Max sessions no limit IP address none Ca...

Page 281: ...CP Configure Request interval 3000 ms max 10 LCP Configure Nak max 5 LCP Terminate Request interval 3000 ms max 2 LCP Echo Request interval 10000 ms max 3 MTU 68 1492 MRU 68 1492 Callback both CHAP al...

Page 282: ...configuration information and sta tistics of PPPoE in general and of the PPPoE ses sion s Check whether state of the respective session is Opened level specifies to level of details displayed 1 4 defa...

Page 283: ...Local ID 100000020390 Remote ID Local configured options Magic Number 0x00000000 MRU 1492 68 1492 ACCM 0xffffffff Local acknowledged options Remote configured options Magic Number 0xb89d9e6b MRU 1492...

Page 284: ...ion Protocol VJC Max Slot Id 31 Comp Slot Id 1 Remote configured options IP Address 0 0 0 0 IP Compression Protocol VJC Max Slot Id 24 Comp Slot Id 1 Remote acknowledged options IP Address 10 10 10 1...

Page 285: ...ipaddress 172 16 1 1 255 255 0 0 interface ppp_interface ipaddress unnumbered point to point tcp adjust mss rx mtu tcp adjust mss tx mtu use profile napt WAN context ip router route 0 0 0 0 0 0 0 0 p...

Page 286: ...numbered interface context ip router interface ppp_interface ipaddress 172 17 1 1 255 255 255 252 point to point port serial 0 0 encapsulation ppp bind interface ppp_interface no shutdown With authen...

Page 287: ...profile 296 Creating an ISAKMP transform profile 296 Creating an ISAKMP IPSEC policy profile 296 Creating modifying an outgoing ACL profile for IPSEC 298 Configuration of an IP interface and the IP ro...

Page 288: ...96 is a combination of the keyed hashing for message authentication HMAC and the mes sage digest version 5 MD5 hash algorithm It requires an authenticator of 128 bit length and calculates a hash of 9...

Page 289: ...hardware applied to reverse engineering a DES key it can take from 3 hours to 3 days to break the key Thus for maximum security DES keys must be manually updated regularly AES or 3DES keys because th...

Page 290: ...e defines which IPsec transformation profile to apply and whether transport or tunnel mode shall be most effective The SPI identifies a secured communication channel The IPsec component needs the SPI...

Page 291: ...section Authentication on page 288 and Encryption on page 288 or explicit specification Keys must be available for inbound and out bound directions They can be different for the two directions Make s...

Page 292: ...affic passes an ACL if available twice once before and once after encryption authentication So the respective ACLs must permit the encrypted authenticated and the plain traffic For detailed informatio...

Page 293: ...nformation This section shows how to display and verify the IPsec configuration information Procedure To display IPsec configuration information Mode Configure Step Command Purpose 1 node cfg context...

Page 294: ...problems Procedure To debug IPsec connections Mode Configure Example IPsec Debug Output IPLink cfg debug ipsec IPSEC monitor on 23 11 04 ipsec Could not find security association for inbound ESP packe...

Page 295: ...the ISPEC security associations To achieve all of this IKE is split into two phases called MAIN MODE and QUICK MODE In MAIN MODE IKE mutually authenticates the peers establishes a shared secret betwe...

Page 296: ...ofile Mode Configure Creating an ISAKMP IPSEC policy profile You need to create an ISAKMP IPSEC policy profile to define all the settings and profiles needed to establish an IPSEC security association...

Page 297: ...be established 4 node pf ipsik name use profile isakmp transform name Define one or more ISAKMP transform profiles to be used by this policy If more than one is defined IKE will negotiate a transform...

Page 298: ...cy using the source ip address To solve this problem you specify the same protection group ID in the ISAKMP IPSEC policy profiles for all of the peers The peers should all use the same remote policy I...

Page 299: ...w ike policy policy name Displays information about the configuration options of specific policy as well as an indication if the policy is valid or not A policy might be invalid if one or more configu...

Page 300: ...64 profile ipsec policy manual VPN_DES use profile ipsec transform DES session key inbound esp encryption 1234567890ABCDEF session key outbound esp encryption FEDCBA0987654321 spi inbound esp 1111 sp...

Page 301: ...ess 172 16 1 1 255 255 0 0 interface FastEthernet0 1 ip address 200 200 200 1 255 255 255 252 crypto map VPN_DES ip route 192 168 1 0 255 255 255 0 FastEthernet0 1 IPsec tunnel AES encryption at 256 b...

Page 302: ...nge the name of the IPsec policy profile in the ACL profile VPN_Out IPsec tunnel 3DES encryption at 192 bit key length ESP authentication with HMAC MD5 96 IPLink configuration profile ipsec transform...

Page 303: ...87654321 authenticator FEDCBA0987654321FEDCBA0987654321 set session key outbound esp 7777 cipher 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF authenticator 1234567890ABCDEF1234567890ABCDEF set tra...

Page 304: ...304 Appendix A Terms and definitions Chapter contents Introduction 305 IPLink software architecture terms and definitions 305...

Page 305: ...g the IPLink to be accessed and upgraded over the network even if the IPLink software application should not start The boot loader is installed in the factory and is in general never upgraded Bootload...

Page 306: ...an IPLink Echo Canceller Some voice devices unfortunately have got an echo on their wire Echo cancellation provides near end echo compensation for this device Factory Configuration The factory config...

Page 307: ...Highway A 30 channel interface connecting the switching engine with optional interface cards containing circuit ports PMC The optional interface cards for IPLink series which are compatible to the PC...

Page 308: ...rsistent memory nvram and is always copied for execution to the running configuration in the volatile memory system after a system start up System Image A collective term for application images and in...

Page 309: ...309 Appendix B Mode summary Chapter contents Introduction 310...

Page 310: ...y on page 313 Figure 42 Mode overview 1 of 2 Operator Exec hostname Administrator Exec hostname Configure hostname cfg Execution Modes Configuration Modes Contexts and interfaces mode name enter comma...

Page 311: ...et slot port port virtual slot port Profiles Profile ACL profile acl profile_name Gateway H323 gateway h323 name Profile Authentication profile authentication name host pf auth name Gateway H323 gatew...

Page 312: ...Introduction 312 IPLink Software Configuration Guide B Mode summary...

Page 313: ...profile_ppp 319 profile ipsec transform 320 ipsec manual policy 320 profile_dhcp server 320 profile_authentication 321 profile_provisioning 321 context_ip 321 interface 321 dyndns 322 subscriber_ppp 3...

Page 314: ...arameters and arguments The command syntax is Extended Backus Naur Form EBNF and is described as follows Arguments where you must supply the value are surrounded by angle brackets Optional arguments w...

Page 315: ...e_show resolve router show rip interface ip_interface_name_show router show port ethernet print slot print port show port serial print slot print port detail detail show framerelay pvc print dlci show...

Page 316: ...x session rx session timer state machine control management error no debug serial no debug framerelay all error lmi packet management no debug ipsec no debug flashserver show accounts show nvram runni...

Page 317: ...ent server primary server_address port sntp_port version version_number sntp client server secondary server_address port sntp_port version version_number sntp client operating mode unicast multicast a...

Page 318: ...o permit deny index before after new index up down positions before after index ip ah esp gre igmp any host src host address src base address src wildcard any host dst host address dst base address ds...

Page 319: ...ce policy arbiter name mode shaper wfq burst shaper burst wfq no rate limit rate_limit header length header_length atm modem voice margin voice_margin no map packet size routed voice routed voice encr...

Page 320: ...name no esp encryption aes cbc 128 192 256 des cbc 64 3des cbc 128 192 null no esp authentication hmac md5 96 hmac sha1 96 no ah authentication hmac md5 96 hmac sha1 96 exit ipsec manual policy ipsec...

Page 321: ...me no route destaddr destmask gwaddr interface metric interface interface no interface ip_interface_name ipaddress unnumbered dhcp ip_address ip_mask mtu mtu no point to point no icmp router discovery...

Page 322: ...name dial in out no authentication chap no authentication pap no authentication chap pap no identification outbound id password password no identification inbound id password password no timeout absol...

Page 323: ...lation framerelay ppp hardware port v35 x21 transmit data on edge positive negative crc type crc16 crc32 length length threshold threshold mask mask address address 1 address 2 address 3 address 4 add...

Page 324: ...system Check network connection to remote system Step Command Purpose 1 help topic Shows command help Step Command Purpose 1 show history Shows command history Step Command Purpose 1 show version Show...

Page 325: ...325 Appendix D Internetworking terms acronyms Chapter contents Abbreviations 326...

Page 326: ...CBR Constant Bit Rate CD ROM Compact Disc Read Only Memory CDR Call Detail Record CFP Call Forwarding Procedure CLEC Competitive Local Exchange Carriers CLI Command Line Interface CLIP Calling Line I...

Page 327: ...Hybrid Fiber Coax HTTP HyperText Transport Protocol HW Hardware I IAD Integrated Access Device ICMP Internet Control Message Protocol ILEC Incumbent Local Exchange Carriers IP Internet Protocol IPLink...

Page 328: ...l Equipment Manufacturer OSF Open Software Foundation OSPF Open Shortest Path First P PBR Policy Based Routing principles PBX Private Branch Exchange PC Personal Computer PMC Production Technology Man...

Page 329: ...Initiation Protocol SME Small and Medium Enterprises SNMP Simple Network Management Protocol SOHO Small Office Home Office SONET Synchronous Optical Network SS7 Signaling System No 7 STM SDH Transmiss...

Page 330: ...330 Appendix E Used IP ports in the IPLink software Chapter contents Used IP ports in the IPLink software 331...

Page 331: ...Used IP ports in the IPLink software Component Port Description NAPT TCP 8000 15999 NAPT port range Telnet TCP 23 TCP server port Webserver TCP 80 TCP server port DHCP UDP 67 Source port DHCP Server U...

Reviews:

No comments