Tiesse Imola 0220 User Manual Download

Page: 179 / 376

Firewall functions: IPTABLES

SER

UIDE

179

iptables -A FORWARD -p tcp

–

d 10.10.1.1 -j DROP

In order to prevent a possible ICMP flooding attack the command is:

iptables -A INPUT -p icmp -m limit --limit 10/s -j ACCEPT

iptables -A INPUT -p icmp -j DROP

In order to cancel ICMP packets bigger than 500 byte and addressed to

10.10.1.1

the command is:

iptables

–

A FORWARD

–

p icmp

–

d 10.10.1.1

–

m length --length 500:1500

In order to limit to 2 the number of simultaneous

telnet

connections to host

192.168.1.2

the

command is:

iptables

–

A FORWARD

–

p tcp --dport 23

–

d 192.168.1.2

–

m connlimit --connlimit-above 2

–

j REJECT

In order to simulate a link with 2% error rate to host

10.10.1.1

the command is:

iptables

–

A FORWARD

–

d 10.10.1.1

–

m random

–

-average 2

–

j DROP

Using the examples previously shown (

access-list

dest-nat

and

source-nat

), here follow

their respective

iptables

commands.

In order to accept only packets sent to a specific network, denying access to any other service:

iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT

iptables -A FORWARD -j DROP

Traffic addressed to port

(echo service), from any IP address and addressed to Imola, redirected

to IP address

192.168.0.2

iptables -t nat -A PREROUTING -p tcp --dport 7 -j DNAT --to 192.168.0.2

Traffic addressed to port

(echo service) coming from any IP address and addressed to Imola,

redirected to port

(daytime service).

iptables -t nat -A PREROUTING -p tcp --dport 7 -j REDIRECT --to-ports 13

Traffic destined to port

(echo service), from any IP address and addressed to Imola, redirected to

IP address

192.168.0.2

port

34.

iptables -t nat -A PREROUTING -p tcp --dport 7 -j DNAT --to-destination 192.168.0.2:34

Traffic addressed to port

(Telnet service), coming from any IP address and addressed to IP

address

10.10.2.9

, redirected to IP address

10.10.10.22

port

(echo service); in addition these

packets will be logged with prefix

REDIR

iptables -t nat -A PREROUTING -p tcp -d 10.10.2.9 --dport 23 -j LOG --log-prefix REDIR --log-level notice

iptables -t nat -A PREROUTING -p tcp -d 10.10.2.9 --dport 23 -j DNAT --to-destination 10.10.10.22:7

In order to replace source IP address of all packets addressed to network

10.10.0.0/255.255.0.0

with address

10.10.0.1

. Using

source-nat

set source-nat protocol any from any to 10.10.0.0/16 source-ip 10.10.0.1

By masking all outgoing packets from eth1

interface.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Summary of Contents for Imola 0220

Page 1: ...Imola Lipari Levanto Imola E User Guide CLI Commands ver 1 6 9...

Page 2: ...ights reserved Any disclosure derivation or reproduction of this document even partial is strictly prohibited without prior written authorization by Tiesse S p A Intellectual property rights Registere...

Page 3: ...ersons In case of a model equipped with rear bush for grounding see picture connect the device to the power system ground via lug and yellow green cable SIM INSERTION EXTRACTION Only for models in whi...

Page 4: ...ctrical and electronic equipment waste The crossed out wheelie bin symbol Waste Electrical and Electronic Equipment Directive WEEE Directive on Tiesse s routers and packaging indicates that the produc...

Page 5: ...gs 25 ACCESS VIA ETH0 AND ETH1 PORTS 26 eth0 eth1 default settings 26 USERNAME AND PASSWORD 26 GRANTING AND REVOKING PRIVILEGES 28 PRIVILEGE LEVELS AND ENABLE COMMAND 28 ACCESS VIA SSH 31 PASSWORD REC...

Page 6: ...TRODUCTION 67 CONFIGURATION OF PHYSICAL CONNECTION 67 ADSL CONFIGURATION 68 VDSL CONFIGURATION 70 DISPLAY 71 ADSL VDSL LEDS MEANING 72 SHDSL INTERFACE 73 CONFIGURATION 73 DISPLAYING SHDSL CONFIGURATIO...

Page 7: ...FIGURATION 118 DISPLAY 120 SERIAL CONNECTORS 120 USING THE CONSOLE PORT AS AUX 121 USING THE CONSOLE PORT TO CONNECT SERIAL DEVICES 122 TERMINAL SERVER 122 MODBUS RTU GATEWAY 123 AT HAYES EMULATOR 124...

Page 8: ...WALL FUNCTIONS IPTABLES 168 INTRODUCTION 168 TABLES CHAINS RULES AND TARGET 168 FIREWALL WITH FILTER TABLE 169 NETWORK ADDRESS TRANSLATION WITH NAT TABLE 170 PORT FORWARDING 170 PACKETS ALTERATION WIT...

Page 9: ...NSE MODE protocol configuration 224 PIM SPARSE MODE protocol Configuration 224 MULTICAST SOURCE DISCOVERY PROTOCOL 226 IGMP PROTOCOL 226 IGMP snooping 227 IGMP proxy 227 STATIC MULTICAST ROUTING 228 C...

Page 10: ...ATION AND STATISTICS 277 OUTPUT BANDWIDTH LIMITATION 280 COMANDI SET DSCP E SET DSCP CLASS 281 TACACS PROTOCOL 282 TACACS PROTOCOL CONFIGURATION 282 ACCOUNTING AND AUTHORIZATION 284 RADIUS PROTOCOL 28...

Page 11: ...IGURATION 326 SIP CONFIGURATION 327 SIP PROXY 327 SIP ALG 328 VOIP CONFIGURATION 329 REGISTRATION 329 Registering to a SIP provider registrar 329 Timings involved in the registration phase 329 Unregis...

Page 12: ...BLES 359 GRE PROTOCOL 359 CONFIGURATION EXAMPLES 360 DHCP SERVER 360 VLAN IN ACCESS MODE 360 ADSL NAT WITH AN IP LAN CUSTOMER WITH PUBLIC AND PRIVATE IP 361 ADSL IP WITH A POOL OF PUBLIC AND PRIVATE I...

Page 13: ...ls The following table shows the main models of both Imola and Imola LX family To those ones you may consider also the models with optional connectivity or with custom configuration Optionals comes wi...

Page 14: ...which may supply both an AC DC converter Internal Power Supply and a DC DC converter External Power Supply The main characteristics are Network Processor 64 256 MB RAM depending on the model 512KB Bo...

Page 15: ...tion 1 GPRS models no longer in production 2 GPRS EDGE 3 GPRS EDGE UMTS HSDPA 4 GPRS EDGE UMTS HSDPA HSUPA 5 GPRS EDGE UMTS HSDPA HSUPA LTE Y 0 1 Ethernet port present 1 2 Ethernet ports 2 5 switch Et...

Page 16: ...hed routed ports o 1 A VDSL2 port o 1 G SHDSL port The model 5262 IKW has o LTE interface o 1 Gigabit Ethernet port o 5 Gigabit Ethernet switched routed ports o 1 A VDSL2 port o 1 b g n Wifi These car...

Page 17: ...e with the central On Shows that the synch phase has been successful Data Green Blinking Data traffic ISDN interface 2 LEDs integrated in the connector Left Yellow On Physical ISDN level is active ong...

Page 18: ...ve xDSL interface xDSL Green Slow Blinking 1sec on 1sec off Activating the modem is waiting for the connection Fast Blinking 0 500 ms on 0 500 ms off Handshaking Fixed on The connection is active Mobi...

Page 19: ...uting RIP OSPF BGP routing and BFD support PIM protocol support Protocol Independent Multicast in Dense mode Sparse mode and Source Specific Multicast IGMP Proxy and IGMP Snooping support Band Optimiz...

Page 20: ...nal power supply AC DC 5Vdc 1A As in the Imola models in order to distinguish the different features and communication interfaces each model is identified by the label Lipari XY00 where X identifies t...

Page 21: ...CADA etc Levanto 410 has a 3G port a Ethernet port and a DB9 DCE serial port in the factory configuration the serial port is used as console Levanto 441 has a 4G port a Ethernet port and four RJ45 ser...

Page 22: ...nd the presence of redundant power supplies ensure the continuity of operation We particularly care about the immunity from electromagnetic perturbation environment conditions and safety reuglations I...

Page 23: ...e different from model to model Below you find a scheme for the different kind of console port Imola Lipari DB9 male connector Imola RJ45 connector Levanto 310 410 DB9 female connector Levanto 441 RJ4...

Page 24: ...uld be used Thanks to the auto mdx function any kind of cable may be used in case of connection to any port of the integrated switch Tiesse spa IMOLA Interworking Unit No Radius configured Using Local...

Page 25: ...addition of the Tacacs support it is possible to pass from release 4 3 0 to release 4 3 1 The suffix N indicates the build number It increases in case of small bug fixing which do not require non regr...

Page 26: ...etmask 255 255 0 0 255 255 0 0 Broadcast 10 10 255 255 172 151 255 255 Network Address 10 10 0 0 172 151 0 0 In models with a LAN integrated switch IMOLA X2X0 the connection to eth1 port can be made v...

Page 27: ...ttyp0 mario You are logged on ttyp0 mario Imola set hostname MyRouter Command set hostname MyRouter not allowed for this user mario Imola su root Password root Imola set hostname MyRouter Setting hos...

Page 28: ...s grant to operator set eth1 revoke to technician set isdn dialer ippp1 allow operator to configure the Ethernet port and denies technician the right to configure the ISDN dialer In order to eliminate...

Page 29: ...r example by using set privilege level 3 set adsl it is specified that users which have received a 3 level of privilege can execute all the configuration commands of the ADSL interface In order to eli...

Page 30: ...n occurs through the poor user telnet 10 10 113 1 Trying 10 10 113 1 Connected to 10 10 113 1 Escape character is IMOLA port 0 login poor Password TACACS Authentication OK Service Type is Login User P...

Page 31: ...to the Tacacs server ACCESS VIA SSH The command set ssh2 enabled enables the access to the router via SSHv2 protocol As in the Telnet sessions the access is governed by the RADIUS or Tacacs servers i...

Page 32: ...e commands the router reset itself to the factory configuration and the previous settings are lost REBOOT OF THE ROUTER The router can be rebooted using the command reboot After the reboot all the uns...

Page 33: ...Accessing IMOLA USER GUIDE 33 syslog disabled ADSL disabled GPRS disabled Dynamic Routing and tunneling disabled...

Page 34: ...ee different types of configuration current saved started The current configuration contains all the values set during configuration The saved configuration is that saved in Imola non volatile memory...

Page 35: ...necessary to execute the save command and make the reboot of the router The command sync config allows to accommodate the router to a specific configuration The specific configuration can be a default...

Page 36: ...int file the sintax is sync config checkpoint checkpoint name immediately sync config checkpoint checkpoint name in N seconds COMMAND LINE INTERFACE CLI GUIDE The Imola CLI has an online help which he...

Page 37: ...la Figure 3 command line completion and listing of parameters by pressing the TAB key root Imola set eth1 set eth1 ipaddr Configure IP address set eth1 broadcast Confgure Broadcast Address set eth1 dh...

Page 38: ...ew the password in encrypted form The original passwords are hidden from the user who is not authorized to know in this way they can be used to set up similar configurations on different routers This...

Page 39: ...in pppuser crypted password 6XY4 Gzy Configuration of a RADIUS server set radius authhost 1 2 3 4 set radius secret 1 2 3 4 mypassword set radius on executing set crypted passwords on show config curr...

Page 40: ...L VDSL2 port Gigabit Ethernet port 4 ports Fast Ethernet switch Wi Fi b g n ports FXO port 4 FXS ports 4 ISDN BRI ports V 35 interface expansion slot G SHDSL interface expansion slot while Imola 0760...

Page 41: ...n Slow Blinking 1sec on 1sec off Activating the modem is waiting for the connection Fast Blinking 0 5s on 0 5s off Handshaking Fixed on The connection is active FXS interface 1 2 3 4 Green Fixed on Th...

Page 42: ...is active GbE interface GbE Green Fixed on The connection is active Wi Fi interface Wi Fi Green Fixed on The connection is active FXS interface 1 2 3 4 Green Fixed on The port has been configured via...

Page 43: ...command is set eth0 ipaddr 10 10 9 1 netmask 255 255 0 0 broadcast 10 10 255 255 It is possible to enable the dynamic NAT over all outbound packets from the interface using set eth0 masquerade You ca...

Page 44: ...tmask For example in order to set or remove the alias with IP address 10 10 10 3 24 on the eth0 interface the following command can be used set alias eth0 ipaddr 10 10 10 3 netmask 255 255 255 0 set n...

Page 45: ...the specific chapter DISPLAYING INTERFACE STATUS In order to display the configuration of an interface the following CLI command is used ifconfig eth0 which shows IP address Netmask Broadcast MAC add...

Page 46: ...using the commands set trigger eth0 up action set trigger eth0 down action set trigger eth1 up action set trigger eth1 down action where action may be any CLI command supported by Imola A sequence of...

Page 47: ...hecks or sets the status of the eth0 and eth1 Fast Ethernet interfaces and of the 5 interfaces of the integrated switch eth1 eth2 eth3 eth4 and eth5 The command is mostly used for evaluation purposes...

Page 48: ...nal 1 Gigabit Ethernet port 1 Switch with 8 FE ports 1 ADSL VDSL port 1 Wi Fi port 1 Ethernet Power Supply PSE port The PSE port according to the IEEE 802 3af t has to its ends a supply voltage from 2...

Page 49: ...h set eps0 masquerade If you want to limit the outgoing bandwidth to a maximum value by using set eps0 bandwidth N where N is expressed in Kbit s You can set an IPv6 address with set eps0 ipv6addr X X...

Page 50: ...telephone number for outgoing calls login and password for authentication of outgoing calls login and password for authentication of incoming calls In order to make automatic outgoing calls an IP inte...

Page 51: ...pp0 Current setup of interface ippp0 EAZ MSN Phone number s Outgoing 0125629552 Incoming Dial mode manual Secure off Callback off Reject before Callback off Callback delay 5 Dialmax 1 Hangup Timeout 6...

Page 52: ...ap set isdn dialer ippp1 login user is used to configure the user which will be used for authentication during the connection to the telephone number set isdn dialer ippp1 ipaddr 1 1 1 1 nexthop 2 2 2...

Page 53: ...no Default Route no Masquerade no ippp1 is not connected 9 ippp1 POINTOPOINT NOARP UP mtu 1500 qdisc pfifo_fast qlen 30 link ppp RX bytes packets errors dropped overrun mcast 0 0 0 0 0 0 TX bytes pack...

Page 54: ...ivations 00000007 chan B2 deactivations 00000006 D frames rcvd 00000533 D frames sent 00000188 D rxowf 00000000 B1 frames rcvd 00000350 B1 frames sent 00000172 B1 rxowf 00000000 B2 frames rcvd 0000005...

Page 55: ...follows root Imola show interface isdn dialer ippp1 statistics 19 ippp1 POINTOPOINT NOARP UP mtu 1500 qdisc pfifo_fast qlen 30 link ppp RX bytes packets errors dropped overrun mcast 311 22 0 0 0 0 TX...

Page 56: ...er outgoing call number Sec Used line occupancy Setup Time duration setup time Term Cause disconnection cause code Txed Bytes Rxed Bytes transmitted and received bytes The value of the code shown in t...

Page 57: ...the same order through which they were set For example the following commands set trigger isdn up ip route add 12 12 12 12 dev ippp1 set trigger isdn up logger r 10 10 1 212 ISDN is up set trigger isd...

Page 58: ...from 85 34 166 18 icmp_seq 3 ttl 56 time 89 054 msec 64 bytes from 85 34 166 18 icmp_seq 4 ttl 56 time 82 312 msec 64 bytes from 85 34 166 18 icmp_seq 5 ttl 56 time 189 865 msec 64 bytes from 85 34 16...

Page 59: ...ed in the following example set isdn traffic control input threshold 30000 set isdn traffic control output threshold 20000 set isdn traffic control mode or set isdn traffic control timer unit 10 set i...

Page 60: ...1 p tcp dport 80 j QUEUE To activate the ISDN session only when you do a ping command from the router toward a host set isdn dial control on set iptables A OUTPUT o ippp1 p icmp d 10 10 10 10 j QUEUE...

Page 61: ...T I 363 5 ITU T I 432 ITU T I 610 ITU T I 731 RFC 2684 former RFC 1483 Multiprotocol over ATM RFC 2364 PPP over ATM RFC 2516 PPP over Ethernet In Imola XX20 models the following standards are also su...

Page 62: ...se according to the information received from the Service Provider the following commands could be used set adsl pvc atm0 atm7 ipaddr value set adsl pvc atm0 atm7 nexthop set adsl pvc atm0 atm7 netmas...

Page 63: ...n You can set the router so that it can send the Loopback F4 F5 OAM cells on a particular PVC In case there is no reply the PVC is put on a down state set adsl pvc atm0 atm7 oma manage interval N It i...

Page 64: ...w interface adsl statistics status For example the command show interface adsl status produces the following output root Imola show interface adsl status General Information FW Revision 0x061d 0x1235...

Page 65: ...tus by sending an F5 OAM cell Here follows an example usage root TLC GTW oamping flow 5 vpi 8 vci 35 seq 0 response from vpi vci 8 35 time 28 0 ms seq 1 response from vpi vci 8 35 time 27 6 ms seq 2 r...

Page 66: ...er adsl up action set trigger adsl down action where action can be any CLI command supported by Imola A sequence of actions is configured through a sequence of a commands set trigger adsl up action1 s...

Page 67: ...DSL or Multimode physical connection type using set dsl line mode multimode VDSL ADSL In multimode the router is able to recognize the standard reference during the alignment phase and consequently to...

Page 68: ...L configuration on those models that have ADSL interface only The ADSL mode supports up to 8 PVC Permanent Virtual Circuit and to configure them it can be used set ADSL pvc_number value To configure t...

Page 69: ...n and password for the authentication set ADSL login value password value To configure the ATM type traffic set ADSL pvc atm0 atm7 service service type where service type take the values UBR CBR VBR e...

Page 70: ...Paddr IP_address netmask netmask broadcast broadcast It is possible to set a IPv6 address by set vdsl0 IPv6addr X X X X M It is possible to set or to remove the DHCP Client service using set vdsl0 dhc...

Page 71: ...to use the PPPoE protocol on the VDSL connection see the specific chapter to learn all of its commands DISPLAY It is possible to view the informations on the operative status of the ADSL VDSL connect...

Page 72: ...count 0 0 CRC Slow count 0 1 Performance Counters Rx Tx Block Count Bearer 0 0 0 Block Count Bearer 1 2732066 9930 numReInit 0 numInitFailure 0 PowerOnNumReInit 0 FastLosShutDownCnt 0 NeLpr 0 Modem S...

Page 73: ...rder to activate the SHDSL interface the command is set shdsl on In order to deactivate the SHDSL interface the command is set shdsl off In order to deactivate the SHDSL interface and disable the conf...

Page 74: ...configure the encapsulation type the command is set shdsl pvc shdslX encap rfc1483 bridged rfc1483 llc In order to configure the PVC number and type the command is set shdsl pvc_number value set shdsl...

Page 75: ...ATUS AND STATISTICS It is possible to display information about SHDSL configuration PVCs statistics and status of the SHDSL interface The command show interface shdsl statistics produces the following...

Page 76: ...0 Modem Status DATA Mode for 10 hr 1 min 54 sec It is also possible to display OAM cells through the command show interface shdsl oam SHDSL LEDS MEANING In Imola4 routers the interface status is indi...

Page 77: ...ip route add 12 12 12 12 dev atm0 set trigger shdsl up logger r 10 10 1 212 SHDSL is up set trigger shdsl down ip route del 12 12 12 12 dev atm0 set trigger shdsl down logger r 10 10 1 212 SHDSL is do...

Page 78: ...Relay interface The command set no frame relay deactivates the Frame Relay interface and disables the configuration Before the activation of the Frame Relay interface it is necessary to execute some...

Page 79: ...s not available set backup checking interface pvcX set trigger backup up cmdUp set trigger backup down cmdDown set backup on off where the cmdUp command will be executed when the backup is activated a...

Page 80: ...1 1 Nexthop IP Address 1 1 1 2 Default Route on here yes Masquerade no DLCI 16 pvc0 Status active Last time pvc status changed 0 47 11 15 pvc0 POINTOPOINT UP mtu 1500 qdisc noqueue link dlci 00 10 pe...

Page 81: ...t root Imola show interface frame relay status Mode V 35 Clock EXTERNAL Encoding NRZ Parity CRC16_PR1_CCITT Modem Status DTR active DSR active CTS active Data Reception Packets 55753 Bytes 9476470 Dro...

Page 82: ...king the interface if there is no answer set pppofr lcp echo interval n set pppofr lcp echo failure n To turn on the service set pppofr on To turn off the service set pppofr off Displaying the interfa...

Page 83: ...ppp13 set trigger pppofr up logger PPPoFR is up set trigger pppofr down ip route del 173 151 0 0 24 dev ppp13 set trigger pppofr down logger PPPoFR is down these commands send a SYSLOG message to not...

Page 84: ...ure functions and values supplied by the Service Provider using the following CLI commands APN configuration set gprs apn value On router models 5xxx the protocol IPv6 is supported on the mobile netwo...

Page 85: ...set the frequency of transmission of lcp echo request packets and the number of attempts before ending the GPRS interface It will be automatically re established It is also possible to negotiate DNS p...

Page 86: ...rs selrat value where value can be 2G Only 3G Only 2G 3G Only LTE Only LTE Preferred 3G LTE 2G 3G LTE auto allows to specify the radio access technology Usually the value auto is used when you want to...

Page 87: ...and the assigned name is pppX where X is an index which usually has value 0 ppp0 In the same way an ADSL connection with PPP over ATM encapsulation PPPoA is indicated by pppX The choice of the index...

Page 88: ...576 Idle Timeout 3600 Masquerade yes Deflt Route yes The command show interface gprs status shows the status of the session The video output produced may change according to the access technology root...

Page 89: ...hed LTE band B7 LTE bw 15 MHz LTE Rx chan 3175 LTE Tx chan 21175 EMM state Registered Normal Service EMM connection RRC Connected RSSI dBm 53 Tx Power 26 RSRP dBm 77 TAC 0BDF 3039 RSRQ dB 7 Cell ID 04...

Page 90: ...Jan 1 04 47 38 localhost pppd 13380 Remote message TTP Com PPP Password Verified OK Jan 1 04 47 39 localhost pppd 13380 local IP address 217 201 192 147 Jan 1 04 47 39 localhost pppd 13380 remote IP a...

Page 91: ...x0 auth chap MD5 magic 0x6d503910 sent LCP ConfAck id 0x0 asyncmap 0x0 auth chap MD5 magic 0x6d503910 rcvd LCP ConfAck id 0x1 mru 1476 asyncmap 0x0 magic 0xe2270bc4 pcomp sent LCP EchoReq id 0x0 magic...

Page 92: ...mmands set trigger gprs up ip route add 12 12 12 12 dev ppp0 set trigger gprs up logger r 10 10 1 212 ADSL is up set trigger gprs up hello 85 34 166 18 514 set trigger gprs down ip route del 12 12 12...

Page 93: ...S Traffic is too High set trigger gprs tc down logger h 192 168 2 1 GPRS Traffic is at normal rate set trigger gprs up set gprs traffic control on set trigger gprs down set gprs traffic control off Tr...

Page 94: ...ive command can be used to send an ICMP request ping to the address associated with the GPRS interface In order to control the connection the command sends it at regular and configurable intervals set...

Page 95: ...egative test the output is the following root IMOLA gprsping 85 34 166 150 Starting GPRS Ping This will take some time please wait PING 85 34 166 150 85 34 166 150 from 95 74 64 177 ppp9 56 84 bytes o...

Page 96: ...ntains received and sent data since the router start up SMS HANDLING The package Tiesse SMS manages all the operations about the sending receiving of Short Text Messages by a router Tiesse equipped wi...

Page 97: ...ter so that upon receipt of an SMS Tiesse CLI commands it also provides the same output of any response to the sender As an example suppose you have configured the SMS messaging with password TIESSE a...

Page 98: ...ble the messaging service with the newly introduced parameter you should run the CLI command set sms on Once the service is properly set up and activated messages can be sent by the router using the c...

Page 99: ...md send sms d 3933523054400 Customer Innocenti Lambrate MI TGU 0123111321 ROUTER JUST REBOOTED The messaging service offers an interface for reading SMS conventional messages by which is meant the who...

Page 100: ...e IP address Using the following sequence of commands the hello message can be regularly sent set timer tick 600 set trigger timer tick hello 85 34 166 18 22000 The message is sent as a UDP packet If...

Page 101: ...CGSM DS ES OK Displaying the network signal root IMOLA gprsat AT CSQ AT CSQ CSQ 6 0 OK The dBm signal is obtained through 2 CSQ 113 Checking available network providers root IMOLA gprsat at cops 9 AT...

Page 102: ...r it is also available a specific seat for a second SIM externally accessible The internal SIM is the Primary SIM while the external SIM is the Secondary SIM Their usage is mutually exclusive and it i...

Page 103: ...dress DOUBLE SIM APPLICATION ON A LTE NETWORK The following sequence of command shows how a typical use of a double SIM on a LTE network works set gprs primary apn myapnprimary xxx it set gprs login m...

Page 104: ...up and in particular select the second SIM change the parameters and turn on the new connection The command set backup of the example above is well explained in the next chapters SIM UNLOCK The activ...

Page 105: ...NG The command show interface gprs status gives information about the performance of the mobile session and it also displays the IMEI code associated with the modem and the IMSI code associated with t...

Page 106: ...wifi no wlanx The service configuration is composed by radio and logical interface In the radio interface to select manually the channel use set wifi channel 1 11 To se the automatic selection of the...

Page 107: ...ptions can be the address of the accounting server set wifi wlanX encryp wpa eap accthost ADDRESS the port of the accounting server default 1813 set wifi wlanX encryp wpa eap acctport NUMBER secret sh...

Page 108: ...nX mac filter clean all mac On the wlanX interface you can configure the DHCP server using10 set dhcp server You can set the logging level of the Wi Fi module with set wifi wlanX debug level 1 2 3 4 5...

Page 109: ...tmask netmask To specify the DNS servers that the client on the LAN must use the syntax is set hotspot dns address address with this command you can specify up to two DNS server address To allow the c...

Page 110: ...the navigation To do so use To give authorization to the domains example huffingtonpost com tiesse com set hotspot uam allow domains string To give authorization certain hosts using IP address or hos...

Page 111: ...nid macaddr ipaddr value hotspot logout sessionid macaddr ipaddr value where sessionid macaddr ipaddr can be read thanks to the command show hotspot users If you want to make the Hotspot service activ...

Page 112: ...n thus established Conversely the data received on the TCP IP are unencapsulated and sent to the serial port it can work as a client in this case it is the router that establishes a TCP IP connection...

Page 113: ...d to the first port those for the second are the same but instead of 0 tserv0 you have to write 1 tserv1 set tserv0 tty speed value sets the transmission speed on the serial port 2400 4800 9600 19200...

Page 114: ...e serial port set tserv0 primary host ipaddr set tserv0 primary port port configures the IP address and the port of the primary host to which you connect and send the received data from the serial por...

Page 115: ...tserv0 allows to view the current configuration Below you find as example the default configuration output set tserv0 primary host 127 0 0 1 set tserv0 primary port 8899 set tserv0 no secondary host s...

Page 116: ...t iec101 0 station addr value configure the station address of the UP connected to the first serial port set iec101 0 speed value configures the speed on the first serial port The values from 2400 to...

Page 117: ...mber of outstanding frame without confirmation Default value is 12 set iec104 on activates the application with the set parameters and to deactivate the application set iec104 off To display the curre...

Page 118: ...ec104 logging 1 set iec104 dumping 0 set iec104 max sessions 1 set iec104 max buffer size 1024 set iec104 backlog 10 set iec104 idle timer 0 set iec104 t1 timer timer 15000 set iec104 t2 timer timer 1...

Page 119: ...me interval in seconds of inactivity of the PPP connection if in this time interval no data is received or sent the PPP connection is shut down set ppp serial0 idle 0 set ppp serial0 rx idle value it...

Page 120: ...with the name of the interface will be ppp1 for the first port MO and ppp2 for the second port M1 set ppp serial0 on activates the application with the set parameters To deactivate the application us...

Page 121: ...r other uses The command set ttyaux raw port PORT configures a service that listens on the specified TCP port and transmits on the serial port in a transparent mode all characters received from the ne...

Page 122: ...ork receives the data and send them to the serial port and viceversa The module manage also the data received in spontaneous mode from the serial port in this case if any TCP connections do not exist...

Page 123: ...dumping these commands enable disable the log messages and the trace of the package sent or received from to the serial port The dumping must not ben used when in regime but onl for trouble shooting...

Page 124: ...order to optimize the reception time set modbus no rtu parsing enables the transparent modality of the treatment of the answer from the RTU This is the default value set modbus on when the application...

Page 125: ...ped characters ATDa b c d port prot The value of a b c d is a valid IP address port is a sequence of decimal number that identify the port The command opens a connection toward the specified address a...

Page 126: ...sed to remotely access a router or a switch via console port linked to Levanto TRANSPARENT MODE To use this modality see below for the TCP serial port correspondence TCP port Serial port 20024 2 20025...

Page 127: ...x remote port PORT If the command aren t available the characters will be rejected The active connection toward a remote host will be shut down after 120 seconds of inactivity the same will happen if...

Page 128: ...v Code Point on a COS value Class of Service of 802 1p protocol set vlan vlan device map to cos cos dscp dscp_0 dscp_7 In order to cancel a VLAN the command is set vlan rem vlan device In order to rem...

Page 129: ...ccess trunk or hybrid mode access mode identifies a port which receives and transmits packets without 802 1q tags allowing a system that is not able to operate in 802 1q to participate in a 802 1q VLA...

Page 130: ...ity is disabled The command set switch port N crossover enables it again In order that the set configuration becomes operational the following command is necessary set switch on In order to remove the...

Page 131: ...In255Octets 00000000 In511Octets 00000000 In1023Octets 00000000 InMaxOctets 00000000 Jabber 00000000 Oversize 00000000 InDiscards 00000000 Filtered 00000000 OutUnicasts 00000000 OutBroadcasts 0000000...

Page 132: ...ion with Server set eth4 Any VLAN must be created on individual ports for example set vlan add vid 50 interface eth5 set vlan eth5 50 ipaddr 192 168 50 1 netmask 255 255 255 0 If you have a LAN Splitt...

Page 133: ...br br0 set bridge addif br0 eth1 50 set bridge addif br0 eth2 50 set bridge br br0 description Bridge between eth1 and eth2 set bridge br br0 ipaddr 192 168 50 1 netmask 255 255 255 0 set bridge br br...

Page 134: ...rt PortID mac 00 0d 5a ce fa f6 PortDescr eth5 PMD autoneg supported yes enabled yes Adv 10Base T HD yes FD yes Adv 100Base TX HD yes FD yes MAU oper type 100BaseTXFD 2 pair category 5 UTP full duplex...

Page 135: ...set lan bonding bond0 miimon 100 set lan bonding bond0 primary eth1 set lan bonding bond0 slave eth2 set lan bonding bond0 on In the first example the packets are sent to both eth1 and eth2 ports acc...

Page 136: ...et is not blocked even if the MAC address is different from the one that requested the authentication For example with set eth1 dot1x enable single mac set eth2 dot1x enable whole port on the eth1 por...

Page 137: ...uthentication process are Tunnel Type VLAN Tunnel Medium Type IEEE 802 Tunnel Private Group Id 10 20 Below you can see a typical configuration set eth1 dot1x set eth1 on set eth2 dot1x set eth2 on set...

Page 138: ...radius server add user vll password vll vlan id 10 set radius server on to the gmg user are associated the VLAN IDs 10 20 30 113 and 500 while to the user vll is associated the VLAN ID 10 If the authe...

Page 139: ...x1 mode trunk To operate in trunk mode and accept the native frame use the command set switch port fx0 fx1 mode hybrid In this case you must specify the ids of VLANs enabled through the door set switc...

Page 140: ...you have to build a VLAN on the switch interface with the same VLAN id in the following way set vlan add vid vid interface eth1 The command builds a VLAN device with notation eth1 vid which can be ass...

Page 141: ...0 0 set shdsl on The two circuits correspond to the network interfaces named shdsl 835 and shdsl 836 By setting the commands set pvc bundle pvc0 shdsl 835 set pvc bundle pvc1 shdsl 836 set pvc bundle...

Page 142: ...et pvc bundle ipaddr 192 168 1 2 set pvc bundle netmask 255 255 255 252 set iptables t mangle A PREROUTING p tcp dport 80 s 10 10 0 0 16 j MARK set mark 0x04 set iptables t mangle A PREROUTING p tcp d...

Page 143: ...uerade set adsl pvc atm0 ipaddr 0 0 0 0 set adsl pvc atm1 encap rfc1483 llc set adsl pvc atm1 vpi 8 vci 36 set adsl pvc atm1 service UB set adsl pvc atm1 no default route set adsl pvc atm1 no masquera...

Page 144: ...vc0 set pvc bundle pvc1 pvc1 set pvc bundle ipaddr 94 95 231 154 set pvc bundle netmask 255 255 255 252 set pvc bundle default route set pvc bundle on In order to add routes on bundle interface in add...

Page 145: ...he redistribution of routes the routing table for the operations of Policy Based Routing see next paragraph The available options are tag N tag N distance N table N tag N distance N For example set ro...

Page 146: ...oute In the default configuration the routes that are acquired via DHCP are set with an administrative distance of 180 The command set dhcpcd route opzioni allows to re configure the routing table cha...

Page 147: ...layed using the following command show ip route For example root IMOLA show ip route Router show ip route Codes K kernel route C connected S static R RIP O OSPF B BGP selected route FIB route C 10 10...

Page 148: ...efix 10 10 10 0 24 or the keyword any that mean any address or the keyword this that mean any address of the router itself PORT is a numeric number that identify UDP or TCP ports or a string that tell...

Page 149: ...e packets marked with M value To mark the packets you can use the command set mark for example set mark 4 protocol tcp from 10 10 0 0 16 from any source port any to any dest port 80 out interface any...

Page 150: ...order to display the status of the interface the command is show interface loopback For example root Imola show interface loopback 3 dummy0 BROADCAST NOARP UP mtu 1500 qdisc noqueue link ether 00 00 0...

Page 151: ...the broadcast address Bcast the value of Maximum Transfer Unit MTU together with some flags indicating the status of the interface Up indicates that the interface is administratively active ifAdminSt...

Page 152: ...over ATM encapsulation is root Imola ifconfig ppp0 ppp0 Link encap Point Point Protocol inet addr 82 54 202 150 P t P 192 168 100 1 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500...

Page 153: ...ce dummy1 up up 10 10 1 7 32 eth0 up up 10 10 7 11 16 100 100 113 1 24 eth1 up up 192 168 22 254 24 eth1 10 up up 192 168 10 1 24 shows the alias 100 100 113 1 24 as a secondary address of the eth0 in...

Page 154: ...tables providing correlation between IP addresses and physical addresses In order to operate on IPv6 elements addresses routes neighbour it is necessary to specify the 6 option For example ip 6 addr...

Page 155: ...t qlen 30 link ppp inet 11 11 11 11 peer 22 22 22 22 32 scope global ippp1 The command ip route show displays the routing tables root Imola ip route show 10 8 0 2 dev tun0 proto kernel scope link src...

Page 156: ...pecified address is already associated with another MAC address in that case you can replace it with ip neigh replace IPADDR lladdr xx xx xx xx xx xx dev ifname the above command adds the static entry...

Page 157: ...ip interface brief show interface brief Interface Status Protocol IP Address s Description dummy0 up up 10 10 0 7 32 Loopback Interface dummy1 up up 10 10 1 7 32 eth0 up up 10 10 7 11 16 100 100 113 1...

Page 158: ...are also useful to transfer certificates used by various service or for example to send log files to a remote system There are other two commands available telnet ssh they are used to access the rout...

Page 159: ...ng 151 1 1 1 s 1472 M do Q 192 i 0 2 c 4 PING 151 1 1 1 151 1 1 1 from 85 34 166 22 1472 1500 bytes of data 1480 bytes from 151 1 1 1 icmp_seq 0 ttl 55 time 58 794 msec 1480 bytes from 151 1 1 1 icmp_...

Page 160: ...1 1 1 all the packets excepting direct packets and those received from the 151 1 1 1 host tcpdump i eth0 host not 151 1 1 1 only packets received with source address 85 34 166 18 tcpdump i atm0 src ho...

Page 161: ...to the host exactly as they were captured while TZSP indicated that the packets will be encapsulated in a UDP frame The TEE protocol can be used in case the host target is on the same LAN of the route...

Page 162: ...0 overruns 0 collisions In order to interrupt the measuring the command is no load avg SET INTERFACE COMMAND The command set interface defines working parameters for a particular network interface Th...

Page 163: ...nd is described in detail in the following chapter ACCESS LIST The list of rules for accepting or rejecting IP packets known as Access List and optionally make the logging can be activated with the co...

Page 164: ...fy the network interfaces to which the access list have to be applied For example suppose to have a router where atm0 is the interface to the public network and eth0 to the internal one to allow the T...

Page 165: ...a network prefix 10 10 10 0 24 or the keyword any to point any address or the keyword this to point any address of the router itself PORT is a numeric value that identify the UDP or TCP port or a str...

Page 166: ...tocol PROT from ADDRESS to ADDRESS in interface INTF dest ip ADDRESS set dest nat protocol PROT from ADDRESS to ADDRESS in interface INTF dest subnet ADDRESS set dest nat protocol PROT from ADDRESS so...

Page 167: ...th the IP recipient 8 1 10 2 the packets aimed to the 8 8 10 3 public address will be processed with the IP recipient 8 1 10 3 and so on To perform the NAT operation more selectively and modify for ex...

Page 168: ...he network packets protocol IP address service etc e g p tcp dport 80 d 10 0 1 1 Each rule terminates with an indication target which indicates what to do with the packets identified e g j ACCEPT j DR...

Page 169: ...D s 10 0 1 1 d 192 168 0 1 j ACCEPT In order to deny access to port 80 to the host with IP 10 0 1 2 the command is iptables I FORWARD p tcp dport 80 s 10 0 1 2 d 192 168 0 1 j DROP Rules are analysed...

Page 170: ...ERADE Packets addressed to the sub network 192 168 1 0 24 have IP 172 16 1 1 while packets addressed to sub network 192 168 2 0 24 have IP 172 16 2 2 iptables t nat A POSTROUTING d 192 168 1 0 24 j SN...

Page 171: ...y In order to set MSS to a value of 1400 iptables A FORWARD p tcp tcp flags SYN RST SYN j TCPMSS set mss 1400 In order to adapt the value of MSS to that of MTU iptables A FORWARD p TCP TCP flags SYN R...

Page 172: ...l ports between 1 and 1024 dport port port The destination port or a range of destination ports For example 1 1024 all the ports between 1 and 1024 tcp flags flag Used to specify the presence of flags...

Page 173: ...rough syslog and moves on through the chains Possible options are log level and log prefix j DNAT The destination IP of the packet is modified The target is used only in NAT table PREROUTING and OUTPU...

Page 174: ...mple iptables j REJECT help iptables j TOS help iptables j DSCP help ADVANCED MATCH CRITERIA In addition to the previous criteria there are also very flexible and powerful extensions The following tab...

Page 175: ...e in order to cancel received multicast packets iptables A INPUT m addrtype dst type MULTICAST j DROP m length It sets a filter on packet length by using the option length len1 len2 For example in ord...

Page 176: ...ports to indicate both source and destination ports m nth It verifies the match every N packets for example iptables A FORWARD p icmp d 10 10 10 10 m nth every 3 j LOG every 3 consecutive matches a lo...

Page 177: ...ce 23 s 10 10 1 1 j LOG log level notice iptables A INPUT p tcp dport 23 s 10 10 1 1 j DROP The first rule logs packets with facility notice coming from address 10 10 1 1 towards the Telnet port The s...

Page 178: ...get prot opt in out source destination 86 3513 all eth0 any anywhere anywhere In order to reset the counters iptables Z In order to count all the packets addressed by the router to the IP address 10 1...

Page 179: ...IP address and addressed to Imola redirected to IP address 192 168 0 2 iptables t nat A PREROUTING p tcp dport 7 j DNAT to 192 168 0 2 Traffic addressed to port 7 echo service coming from any IP addre...

Page 180: ...guildwars h323 halflife2 deathmatch hddtemp hotline http http rtsp ident imap imesh ipp irc jabber kugoo live365 liveforspeed lpd mohaa msn filetransfer msnmessenger mute napste r nbns ncp netbios nn...

Page 181: ...class BESTEFFORT bandwidth percent 100 set qos ext class BESTEFFORT filter priority 2 set qos ext on Another example of action block the e mail traffic set iptables A FORWARD m layer7 l7proto pop3 j...

Page 182: ...until no more traffic about this connection appears When the entry changes status it is set to the default value Current status of the entry The internal status are slightly different from those used...

Page 183: ...92 168 1 5 dst 192 168 1 35 sport 1031 dport 23 src 192 168 1 35 dst 192 168 1 5 sport 23 dport 1031 use 1 The status of established is reached when the final ACK arrives tcp 6 431999 ESTABLISHED src...

Page 184: ...timeout_syn_sent Represents the time out bound to the SYN SENT state Default value is 120 seconds tcp_timeout_recv_sent Represents the time out associated with SYN RECEIVED State The default value is...

Page 185: ...since they never establish connections However there are some types of packets which generate return packets and as a consequence they can take NEW and ESTABLISHED status For example the packets echo...

Page 186: ...r active or passive When they are active the FTP client sends to the server a port and an IP address to connect to The FTP client then opens the port the server connects from a non privileged port cho...

Page 187: ...the command set conntrack sip alg timeout SECONDS defines the timeout associated to the SIP protocol sessions Finally the command set conntrack generic timeout SECONDS defines the timeout associated...

Page 188: ...nntrack snat show conntrack snat from ADDR show conntrack snat from ADDR1 to ADDR2 show conntrack snat proto PROT show conntrack snat proto PROTO from ADDR source port PORT to ADDR dest port PORT It i...

Page 189: ...he source interface eth1 100 address 192 168 0 1 and will go toward the peer with address 192 168 0 2 via UDP port 3780 Multicast This modality allows two or more routers to keep up to date their conn...

Page 190: ...et stfl nat primary and set stfl nat backup must be associated to some triggers on the up and down event of the VRRP module See the below example that clarifies better how to use the commands VRRP Mas...

Page 191: ...t group 3781 mcast address 225 0 0 50 interface eth1 source 10 1 1 2 set stfl nat on The command show stfl nat status shows the connection state both the local router and the peer root IMOLA show stfl...

Page 192: ...ddress 85 34 147 17 The default policy is to cancel packets iptables P INPUT DROP iptables P OUTPUT DROP iptables P FORWARD DROP Do not accept packets related to new sessions without SYN iptables A FO...

Page 193: ...34 147 17 dport 80 j DNAT to 192 168 1 2 S NAT towards outside iptables t nat A POSTROUTING o atm0 s 192 168 0 0 24 j SNAT to source 85 34 147 18 iptables t nat A POSTROUTING o atm0 s 192 168 1 2 j SN...

Page 194: ...ble the spoofing protection is set ifname reverse path filter where ifname can be one of the interfaces below set ethX reverse path filter set vlan ethX N reverse path filter set bridge br br0 reverse...

Page 195: ...it assumes the role of Master In the same way if the master node receives some advertisements with a higher priority value than the one it owns it becomes a backup In order to configure the interface...

Page 196: ...s used show vrrp which displays the following information root Imola show vrrp VRRP ID 11 on eth1 we are now the master router VRRP ID 11 Priority 100 Virtual IP s 10 10 10 10 Virtual MAC 00 00 5e 00...

Page 197: ...priority 100 set vrrp 12 vipaddr 10 10 12 11 set vrrp on In this case if you want to use the triggers mechanism you have to use set trigger vrrp VRID up command set trigger vrrp VRID down command wher...

Page 198: ...of VRRP groups For example the commands vrrpd i eth1 n v 12 p 120 12 12 1 1 vrrpd i eth1 n v 13 p 130 13 13 1 1 activate two VRRP services on the eth1 interface respectively with group 12 priority 12...

Page 199: ...up configured using the command set vrrp The command show vrrp shows the status of all the active instances root MR IMOLA show vrrp VRRP ID 12 on eth0 30 we are now the master router VRRP ID 12 Priori...

Page 200: ...URATION The RIP protocol includes a periodic announcement of networks directly connected with the router In order to configure the interface on which RIP announces will be sent the following command i...

Page 201: ...filter or apply various actions to the received routes or the ones to be announced set rip redistribute connected route map subnet out subnet out is the name associated to the route map subnet out can...

Page 202: ...h tag 1 65356 set rip route map rm name deny match interface word set rip route map rm name deny match ip address word set rip route map rm name deny match ip address prefix list word set rip route ma...

Page 203: ...1 0 0 16 area 0 0 0 0 set ospf on In order to configure parameters related to a specific interface the command is set ospf interface ifname parameter value For example in order to set a cost and a pri...

Page 204: ...set ospf area 0 4294967295 filter list prefix NAME in set ospf area 0 4294967295 filter list prefix NAME out set ospf redistribute kernel connected static rip bgp set ospf redistribute kernel connecte...

Page 205: ...x list WORD deny permit A B C D M ge 0 32 le 0 32 set ospf ip prefix list WORD deny permit A B C D M le 0 32 set ospf ip prefix list WORD deny permit A B C D M le 0 32 ge 0 32 set ospf ip prefix list...

Page 206: ...rip set bgp redistribute ospf set bgp neighbor peer remote as value set bgp neighbor peer ebgp multihop set bgp neighbor peer description set bgp neighbor peer version 4 set bgp neighbor peer next ho...

Page 207: ...ttl 1 255 route map name permit deny seq set weight 0 4294967295 route map name permit deny seq match as path WORD route map name permit deny seq match community 1 99 100 500 WORD route map name permi...

Page 208: ...nario without losing generality there are two routers A and PE connected to a WAN network The router called A is configured with following IP address loopback 172 20 1 221 LAN 10 45 15 192 27 The foll...

Page 209: ...st reset never Next connect timer due in 74 seconds Read thread off Write thread off When the router connection has been established it displays BGP neighbor is 88 58 10 245 remote AS 3269 local AS 65...

Page 210: ...1 32 0 0 0 0 0 32768 i Total number of prefixes 8 Where both announced and received routes from neighbor are displayed BGP routing table is displayed with the command show ip route bgp Codes K kernel...

Page 211: ...269 65210 i 10 8 0 0 24 88 58 10 245 0 0 3269 3269 65210 i 10 10 0 0 16 88 58 10 245 0 0 3269 i 192 168 184 6 32 88 58 10 245 0 3269 65201 i Total number of prefixes 7 A complete configuration could b...

Page 212: ...t i internal r RIB failure S Stale R Removed Origin codes i IGP e EGP incomplete Network Next Hop Metric LocPrf Weight Path 0 0 0 0 88 58 10 245 0 3269 i 7 0 255 1 32 88 58 10 245 0 0 3269 3269 65210...

Page 213: ...8 58 10 245 default originate Connected network redistribution with BGP By using the command set bgp network A B C D N or set bgp network A B C D N the network A B C D N will be announced in an indisc...

Page 214: ...redistribution with BGP In the same way it is possible to configure BGP in order to announce routes towards which there is a static route set bgp local as 65201 set bgp neighbor 88 58 10 245 remote a...

Page 215: ...es s suppressed d damped h history valid best i internal r RIB failure S Stale R Removed Origin codes i IGP e EGP incomplete Network Next Hop Metric LocPrf Weight Path 10 45 15 192 27 88 58 10 246 1 3...

Page 216: ...te FIB route O 10 45 15 192 27 110 10 is directly connected eth1 00 10 10 O 172 20 1 219 32 110 20 via 10 45 15 219 eth1 00 03 32 O 192 168 1 0 24 110 20 via 10 45 15 219 eth1 00 03 32 Now to the BGP...

Page 217: ...9 32 88 58 10 246 20 32768 172 20 1 221 32 88 58 10 246 1 32768 192 168 1 0 88 58 10 246 20 32768 Total number of prefixes 6 If the connection with router 0 is interrupted the routes status becomes ro...

Page 218: ...is directly connected eth0 00 13 32 O 172 20 1 219 32 110 10 is directly connected dummy0 00 22 01 O 192 168 1 0 24 110 10 is directly connected eth1 00 21 56 While there are two OSPF neighbor of the...

Page 219: ...ia OSPF are tagged14 so BGP redistributes only not tagged OSPF routes The sequence of commands on router A is set bgp local as 65201 set bgp neighbor 88 58 10 245 remote as 3269 set bgp neighbor 88 58...

Page 220: ...ap From B in set bgp neighbor 94 92 113 170 soft reconfiguration inbound set bgp neighbor 94 92 113 170 timers 60 180 set bgp neighbor 94 92 113 170 version 4 set bgp network 10 10 0 0 16 set bgp netw...

Page 221: ...16 88 58 10 246 0 150 0 65201 172 20 1 219 32 88 58 10 246 20 150 0 65201 94 92 113 170 20 140 0 65201 172 20 1 221 32 88 58 10 246 1 150 0 65201 192 168 1 0 88 58 10 246 20 150 0 65201 94 92 113 170...

Page 222: ...tive neighbor 94 92 113 170 advertisement interval 5 set bgp directive neighbor 94 92 113 170 default originate set bgp directive neighbor 94 92 113 170 remote as 65201 set bgp directive neighbor 94 9...

Page 223: ...l r RIB failure S Stale R Removed Origin codes i IGP e EGP incomplete Network Next Hop Metric LocPrf Weight Path 7 0 255 1 32 0 0 0 0 0 32768 3269 65210 i 7 0 255 2 32 0 0 0 0 0 32768 3269 65210 i 10...

Page 224: ...oves it from the configuration PIM DENSE MODE protocol configuration The configuration of PIM protocol in dense mode includes the following commands set pim mode dense used to define the working mode...

Page 225: ...es the value for Register Rate Limit The parameter can have a numeric value or infinity value set pim register source val It defines the IP address to be used as source for PIM Register messages set p...

Page 226: ...default groups 232 0 0 0 8 MULTICAST SOURCE DISCOVERY PROTOCOL The Multicast Source Discovery MSDP allows two routers to connect by using the PIM active service so you can manage the RP redundancy To...

Page 227: ...ted In order to specify the upstream interface the command is set igmp proxy upstream ifname In order to specify the downstream interface the command is set igmp proxy downstream ifname By using the c...

Page 228: ...set igmp proxy downstream eth1 set igmp proxy on Multicast traffic comes from the tunnel tun0 with source 10 84 23 0 24 In addition to the network associated with the tunnel it is also rerouted on the...

Page 229: ...n the established limit is reached With the option drop the route is not created There are commands useful to analyse and diagnose Multicast traffic The most useful are set multicast accept icmp echo...

Page 230: ...gured it is possible to set the following parameters MTU Max Transfer Unit TTL Time to Live Multicast enable multicast transmission keep alive it is possible to enable keep alive functionality by conf...

Page 231: ...GRE tunnel between the local GPRS interface and the remote host 89 119 108 108 it is possible to create the tgprs0 tunnel by using the following CLI commands set gre tunnel 0 name tgprs0 set gre tunne...

Page 232: ...value of the physical interface and 24 is the overhead of the tunnel itself The value of the TTL field is set with the command set gre generic ttl N To avoid possible problems with routing protocols o...

Page 233: ...v atm0 set trigger gre up ip route add 192 168 1 0 24 dev tunnel 0 set trigger gre down ip route del 192 168 1 0 24 dev tunnel 0 set trigger gre down ip route add 192 168 1 0 24 dev atm0 with which it...

Page 234: ...nel 0 set gre tunnel 0 multicast set gre tunnel 0 ttl 64 set gre tunnel 0 tunnel source 217 201 121 1 set gre tunnel 0 tunnel destination 85 34 166 17 set gre tunnel 0 tunnel address 192 168 10 11 24...

Page 235: ...HUB SPOKE SETTINGS WITH CON ENCRYPTED TRAFFIC The example below shows a Hub Spoke setting on a router Imola in the role of the Hub and two more Imola in the Spoke role The same argument is reopen in...

Page 236: ...ocol 47 set ipsec phase2 TUN0 mode transport set ipsec phase2 TUN0 security esp set ipsec phase2 TUN0 level unique set ipsec pre shared key NHRPSPOKE tiesseadm set ipsec on SPOKE 1 set gre tunnel 0 na...

Page 237: ...set gre tun0 tunnel destination 85 34 166 1 set gre tun0 tunnel address 172 16 66 2 24 set gre tun0 tunnel peer 172 16 66 254 24 set gre tun0 multicast set gre tun0 ttl 64 set gre tun0 on set nhrp in...

Page 238: ...figuration of MPLS Label using the command set gre tun0 mpls LABEL VALUE or implicitly by the BGP protocol when it is received an announcement of a VPNv4 network that contains the value of the Route D...

Page 239: ...ation parameter related to Phase I from those characteristics of Phase II In this way listings are much more synthetic and more comprehensible For example to configure the parameters referred to Phase...

Page 240: ...on has been indicated with the string 3DES_MD5 to explicitly relate this parameter s group to a particular way to operate the VPN encryption An explanation of the most important commands shown in the...

Page 241: ...CL_2 pfs group 2 set ipsec phase2 ACL_2 mode tunnel set ipsec phase2 ACL_2 security esp set ipsec phase2 ACL_2 level unique set ipsec phase2 ACL_2 local subnet 192 168 2 0 24 set ipsec phase2 ACL_2 lo...

Page 242: ...k_Lan pfs group 5 set ipsec phase2 NewYork_Lan mode tunnel set ipsec phase2 NewYork_Lan security esp set ipsec phase2 NewYork_Lan level unique set ipsec phase2 NewYork_Lan local subnet 192 168 1 0 24...

Page 243: ...uthentication algorithm hmac sha1 set ipsec phase2 3DES pfs group 2 set ipsec phase2 3DES lifetime 28800 sec set ipsec phase2 3DES mode tunnel set ipsec phase2 3DES security esp set ipsec phase2 3DES...

Page 244: ...some important command lines set ipsec phase1 WARRIOR mode cfg tells to the client to adopt the configuration mode which determines a sort of auto configuration of the client based on the arrival of...

Page 245: ...t ipsec phase1 PHASE_I xauth login use mac set ipsec phase1 PHASE_I proposal check obey set ipsec phase1 PHASE_I mode cfg set ipsec phase2 PHASE_II match phase1 WARRIOR set ipsec phase2 PHASE_II encry...

Page 246: ...enerate locally its certificates and then apply for the registration to an external CA To do that use make and enroll cert CA IPAddress that creates a group of certificates locally then it connect to...

Page 247: ...e2 NHRP mode tunnel set ipsec phase2 NHRP security esp set ipsec phase2 NHRP level unique set ipsec phase2 NHRP local subnet 1 1 1 1 32 set ipsec phase2 NHRP remote subnet 192 168 203 253 32 set ipsec...

Page 248: ...set ipsec on Starting ipsec daemon done root IMOLA VPN connexion established To see all messages of activation from the logs it s necessary to launch their visualization immediately after giving the...

Page 249: ...IMOLA racoon WARNING attribute has been modified Sep 2 18 49 42 IMOLA racoon INFO IPsec SA established ESP Tunnel 192 168 203 252 500 192 168 203 253 500 spi 158105024 0x96c7dc0 Sep 2 18 49 42 IMOLA...

Page 250: ...urity Policy Index related to the incoming from 1 1 1 1 to 3 3 3 3 and outgoing from 3 3 3 3 to 1 1 1 1 traffic To show ISAKMP policies we can use the simple command root IMOLA show ipsec isakmp Desti...

Page 251: ...0 s validtime 0 s spid 232 seq 22 pid 21170 refcnt 1 1 1 1 1 any 3 3 3 3 any 255 out prio def ipsec esp tunnel 192 168 203 252 192 168 203 253 require created Sep 2 18 48 48 2000 lastused Sep 2 19 05...

Page 252: ...sed to specify the authentication key for activating the Tunnel set l2tp source ipaddr is used to specify the IP address with which to send the connection requests The default value is the one associa...

Page 253: ...can be displayed with show interface l2tp that shows ppp13 Link encap Point to Point Protocol inet addr 13 13 0 2 P t P 13 13 0 1 Mask 255 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 M...

Page 254: ...4321 set l2tpv3 pseth0 remote cookie size 4 set l2tpv3 pseth0 local id 11 set l2tpv3 pseth0 remote id 22 set l2tpv3 pseth0 description Tunnel L2TPv3 Manual set l2tpv3 pseth0 on This activate an inform...

Page 255: ...te L2TPv3 If it is necessary to have in the group of bridge more than two interfaces such as eth0 and eth1 you must use the command set bridge like in the following chapters To delete a tunnel configu...

Page 256: ...ed by the peer itself TUNNEL SETTINGS IN VLAN MODE It is possible to set the tunnel L2TPv3 in VLAN mode and make possible that the packets on the tunnel have the TAG 802 1q To do so use the commands s...

Page 257: ...In certain cases it could be useful to make communicate two devices using different VLAN Ids you do so with set l2tpv3 pseth0 force vlan id N this command allows the transmission on the tunnel of pack...

Page 258: ...eth1 set bridge addbr br0 set bridge addif br0 eth1 30 set bridge addif br0 pseth0 30 set bridge br0 on L2TPV3 ON IPSEC ON LTE CONFIGURATION Like the GRE tunnels even the L2TPv3 tunnel can be configu...

Page 259: ...e2 PHASE2 level unique set ipsec phase2 PHASE2 local subnet 2 2 2 2 32 set ipsec phase2 PHASE2 remote subnet 1 1 1 1 32 set ipsec pre shared key 85 34 166 20 set ipsec off set l2tpv3 pseth0 tunnel sou...

Page 260: ...rm set tiesse esp 3des esp md5 hmac crypto dynamic map TIESSE 10 set transform set tiesse set pfs group5 set isakmp profile IMOLA match address 110 crypto map TIESSE 10 ipsec isakmp dynamic TIESSE int...

Page 261: ...ns 1 PeerIP 7 10 100 100 State established Session LNS MyID 55811 AssignedID 32030 State established To manually stop a session root IMOLA admin l2tpv3 tunnel stop session tunnel MyID 14685 Session My...

Page 262: ...o enable or disable a static default route on the PPP interface set pppoe default route set pppoe no default route To set the value of MTU Maximum Transmit Unit and MRU Maximum receie Unit of the PPP...

Page 263: ...show interface pppoe the command then shows the information as displayed below ppp0 Link encap Point to Point Protocol inet addr 13 13 0 2 P t P 13 13 0 1 Mask 255 255 255 255 UP POINTOPOINT RUNNING...

Page 264: ...route Configure this interface as default route description Configure description forward delay Configure forward delay time hello time Configure hello time ipaddr Configure ip address local proxy ar...

Page 265: ...out the Spanning Tree protocol show interface bridge br0 stp br0 bridge id 8000 000d5a8ef905 designated root 8000 000d5a8ef905 root port 0 path cost 0 max age 20 00 bridge max age 20 00 hello time 2 0...

Page 266: ...l port 4950 interface eth1 20 helper 88 1 1 2 set udp forwarding protocol port 4951 interface eth1 10 helper 88 1 1 3 The command set no udp forwarding protocol port 4950 interface eth1 20 stops the s...

Page 267: ...ers must be previously enabled This module provides the commands start peppino stop peppino show pep status The command start peppino activates the Proxy module and starts to listien on the 5000 TCP p...

Page 268: ...d 1 the session is authenticated via certificate if it is present and requested by the peer 2 a certificate is always requested 3 both router and peer certificates must be on the router itself the pee...

Page 269: ...l cert download sni client stunnel pem from 10 10 100 10 via tftp ssl cert download sni 2 CAcert pem from 10 10 100 10 via tftp ssl cert download sni 2 client stunnel pem from 10 10 100 10 via tftp ss...

Page 270: ...c secre used to set the pre shared password key for encryption set ezvpn id used to set the VPN group set ezvpn xauth username used to set the username for XAUTH authentication set ezvpn xauth passwor...

Page 271: ...set ezvpn xauth username user01 SampleVPN set ezvpn xauth password 01password01 set ezvpn vendor netscreen set ezvpn no masquerade set ezvpn directive Logging set ezvpn on EZVPN TRIGGER CONFIGURATION...

Page 272: ...cording to HTB Hierarchical Token Bucket while the default queuing behavior is FIFO First In First Out kind TRAFFIC POLICY CONFIGURATION It is necessary to configure a traffic policy first set qos ext...

Page 273: ...to indicate an absolute value in Kbits set qos ext class name bandwidth value or a percentage of the total available bandwidth set qos ext class name bandwidth percent value It is possible to specify...

Page 274: ...SFQ one but it is applied when the output interface is a GRE tunnel TRAFFIC CLASSIFICATION In order to assign traffic to a class one or more filters are defined by using the following command set qos...

Page 275: ...possible to specify on which chain pre routing or post routing the traffic must be filtered set qos ext filter group name chain pre routing post routing output forward It is also necessary to specify...

Page 276: ...d value of 2 set qos ext class name filter priority value TRAFFIC MARKING It is possible to set a value of DSCP of DSCP class or IP Precedence on all the packets which flow for a class In order to mar...

Page 277: ...not present anymore starting from NOS X 4 0 8 version So it will just do to add the following directive to the configuration set qos ext on In order to deactivate QoS rules the command is set qos ext...

Page 278: ...nt 1 protocol ip pref 1 fw handle 0x64 classid RT filter parent 1 protocol ip pref 2 fw filter parent 1 protocol ip pref 2 fw handle 0x12c classid DATA2 filter parent 1 protocol ip pref 2 fw handle 0x...

Page 279: ...CP all any any anywhere anywhere MARK match 0x12c DSCP set 0x00 0 0 ACCEPT all any any anywhere anywhere MARK match 0x12c Chain INPUT policy ACCEPT 4792 packets 407K bytes pkts bytes target prot opt i...

Page 280: ...with option which you have to specify when you configure a network interface For example set eth0 bandwidth N set eth1 10 bandwidth N set adsl pvc atm0 bandwidth N where N is a number in Kbit sec that...

Page 281: ...ORT to ADDRESS dest port PORT out interface INTF in interface INTF where VAL is a numeric value from 1 to 65 that you must insert in the packet s DSCP field PROTOCOL tells the protocol used that can b...

Page 282: ...o Tacacs Serve The use of accounting functions If they are enabled each command executed will be notified to the server e memorized by the server on its database The use of authorization functions If...

Page 283: ...command set tacacs source 172 20 1 1 establishes that Tacacs packets originated by the router must be sent by using the value 172 20 1 1 as IP source It is also available set tacacs source loopback in...

Page 284: ...g message sent to the server when there is the authentication Accounting start and a message is sent when the session ends Accounting stop The most important parts of the Start message are Name of the...

Page 285: ...ver used For example user limited login cleartext limited service exec priv lvl 15 cmd set permit eth1 permit gprs apn permit isdn dialer ippp1 cmd ping permit cmd show deny interface deny ip bgp perm...

Page 286: ...or rejected by TACACS limited IMOLA iptables A FORWARD i eth1 j DROP Command iptables A FORWARD i eth1 j DROP rejected by TACACS Allowed commands are executed without any problem limited IMOLA set gpr...

Page 287: ...he authentication request before the authentication of a user is presented to the RADIUS Server It is also possible to send all the commands set on the configuration interface to the Account Server Au...

Page 288: ...ndicates the reply timeout in seconds from the RADIUS Server set radius source 172 20 1 1 the RADIUS packets from the router will be sent by using the value 172 20 1 1 as IP source address It is also...

Page 289: ...e where the value of the parameter community must be a string of ASCII characters the value of the parameter source is the IP address of the manager which can use this community and the value of the p...

Page 290: ...poll frequency value set snmp trap retries value set snmp trap timeout value set snmp on For example the sequence of commands set snmp trap poll frequency 30 set snmp trap retries 5 set snmp trap time...

Page 291: ...n mode through the command set snmp user priv username DES AES secret priv pass phrase where DES and AES are encryption protocols If the optional parameter secret is not specified the same authenticat...

Page 292: ...set snmp trap retries 3 set snmp trap poll frequency 30 set snmp no trap isdn set snmp on In order to display the values of current SNMP configuration parameters the following CLI command is used sho...

Page 293: ...ic input NB It does not perform packet inspection and is not a technology IDS IPS Target Some network anomalies are detectable by processing the data provided by Fprobe search results for pattern a ho...

Page 294: ...he traffic set netflow interface IfName IP and collector Port server analyzing flows set netflow collector IP Collector port Port Port is optional if omit default value is 2055 Netflow version defines...

Page 295: ...he command is show netflow And the output is NetFlow Statistics received 0 0 0 pending 0 0 ignored 0 lost 0 0 dropped 0 cache 0 0 emit 0 0 0 memory 10000 9900 640016 where we have received total packe...

Page 296: ...gate ipaddr mask strip maskbit set ip accounting aggregate from port to port into port For example with set ip accounting aggregate 192 168 1 0 16 strip 24 set ip accounting aggregate 1024 65535 into...

Page 297: ...77 54442 22000 17 eth0 87 9 217 153 85 34 166 18 1 77 54442 22000 17 atm0 223 149 223 225 85 34 166 19 1 40 2048 23 6 atm0 54 229 186 149 85 34 166 17 2 104 53907 22 6 eth0 54 229 186 149 85 34 166 17...

Page 298: ...accounting data to a NetFlow collector To specify the IP address and the collector port use set ip accounting netflow export destination collector ip collector port to specify the Netflow protocol ve...

Page 299: ...er of lines with the following command set log max lines value It is also possible to specify the log level with the command set log level value Log levels from 1 to 4 allow to display system messages...

Page 300: ...activated by using the following CLI commands set log remote IP Addr set log level 4 set log on It is possible to specify additional servers to which send the logs using Show log If logging is active...

Page 301: ...nd Jan 1 00 01 06 localhost kernel 0x00000000 0x00100000 kernel Jan 1 00 01 06 localhost kernel 0x00100000 0x00400000 initrd Jan 1 00 01 06 localhost kernel 0x00400000 0x01000000 user Jan 1 00 01 06 l...

Page 302: ...stomdns dyndns org default no ip com default zoneedit com To set the DNS name associated with host set ddns alias dns name To configure the update period of the DNS set ddns update period value In ord...

Page 303: ...at no keep alive will be activated default setting Valid values are between 0 and 1200 In order to remove a keepalive setting and go back to the default value the following command is used set dlsw lo...

Page 304: ...ach saps value value The SAPs must be specified in hexadecimal notation and must be separated by a space All the information about accessibility is sent by the local DLSw to the remote partner during...

Page 305: ...erational modes of the physical connection In order to set an encoding value different from the default one nrz the following command is used set cdn encoding nrz nrzi fm mark fm space manchester the...

Page 306: ...sdlc binder addr address log off DISPLAYING DSLW CONFIGURATION STATUS AND STATISTICS It is possible to display the DSLW configuration from the current router configuration by using the command show co...

Page 307: ...50 255 1 Vendor Id 00C DLSW version 1 DLSW release 0 init pacing window 20 tcp connections 1 supported saps all MAC Address exclusivity 1 MAC Address list 400016702000 ffffffffffff version string Cisc...

Page 308: ...edgment 0 1 XIDFRAME XID frame 0 1 CONTACT contact remote station 1 0 CONTACTED remote station contacted 0 1 INFOFRAME information I frame 3 3 CAP_EXCHANGE capabilities exchange 2 2 Last SSP Received...

Page 309: ...the DLSw connection between the two peers and verify the performance set dlsw local peer ipaddr 10 10 0 1 set dlsw remote peer ipaddr 10 160 1 1 set dlsw remote peer target mac 00 0A 0B 0C 0D 0E set d...

Page 310: ...DLsw Host In order to display the circuits established the following command is used show dlsw circuits In order to display the messages exchanged by the DLSw the following command is used show dlsw...

Page 311: ...set ntp source loopback To specify the NTP frequency request to the server set ntp interval N Using the command set ntp listen on local ip it becomes a NTP server for the specified subnet and distribu...

Page 312: ...tion the following trigger should be programmed set trigger adsl up set ntp on It is possible to configure the service in order that it gives the date to possible clients requiring it The command is s...

Page 313: ...dayofweek dow It configures cron policy to execute every day at the time hour minutes predefined only in the configured month every day if day of the week is not defined otherwise only for the config...

Page 314: ...22th of April run DelRoute Commands to be run by Cron Policy DelRoute ip route del 1 1 1 1 dev eth1 ip route del 1 1 1 2 dev eth1 Commands to be run by Cron Policy AddRoute ip route add 1 1 1 1 dev et...

Page 315: ...g to NMEA specifications latitude ddmm nnnnnN S longitude dddmm nnnnnE W where dd degrees mm minutes and mmmmm a tenth of minute A maximum of 63 geographical areas can be configured called area0 area1...

Page 316: ...xecuted set no cps disables the georeference services and removes all the specified policies set cps no area N removes only the specified area For example set cps nmea source multicast 239 1 1 1 port...

Page 317: ...command between lines For example set cps area 1 command out comando 1 set cps area 1 command out sleep 3 set cps area 1 command out comando 2 between command 1 and command 2 the router wait three se...

Page 318: ...correct set cps area 1 latitude 4380 00000N longitude 01125 00000E radius 100 while set cps area 1 latitude 4380 00000N longitude 1125 00000E radius 100 Error Longitude must be XXXYY nnnnnE is wrong...

Page 319: ...cp server name end address ip address At every request from the client the router chooses and assigns one address between start address and end address The period of validity of the address assigned t...

Page 320: ...dhcp server name routes ipaddr ipaddr 33 set dhcp server name staticroutes subnet prefix ipaddr 121 set dhcp server name msstaticroutes subnet prefix ipaddr 249 For example to distribute static route...

Page 321: ...ns off the dhcp server service relative to the name process Some commands are available to remove the previous set options set dhcp server name no router set dhcp server name no subnet set dhcp server...

Page 322: ...ters XX is significant only at the end of the sequence This function is particularly useful when on the same network there are devices that need to receive different configurations for example when yo...

Page 323: ...nd to select the traffic based on the phone s MAC address For example the following commands configure the process to ignore requests from the MAC address 02 60 8C 01 02 01 and 02 60 8C 01 02 02 and a...

Page 324: ...as a released source IP address and as source MAC address the one of the PC that got that address To disable the antispoofing functions you must use set dhcp server vlan30 no antispoofing REDUNDANT DH...

Page 325: ...t dhcp relay name in interface interface with this command you specify the local interface i e the one from which the client request come You can specify a list of interfaces separated by a comma For...

Page 326: ...2 GMT 8 UTC GMT 11 GMT 6 GMT 10 GMT 3 GMT 9 Universal The correct time zone for Italy is GMT 1 during DST Daylight Saving Time and GMT 2 during GMT Standard Time Otherwise MET or CET Middle or Central...

Page 327: ...sent itself to the Registration Server typically it is the router s public IP address set siproxy static registrar ipaddress use this command to specify the URL towards which the router must register...

Page 328: ...on that is alternative to set siproxy on You can set which server SIP port the SIP ALG must manage default is 5060 For example set nat sip alg port list 5060 5076 manages the SIP UDP and TCP packages...

Page 329: ...d in the registration phase The timings involved in the registration phase are Registration Refresh Time default is 3600 sec validity time of the current registration Register Expires Refresh Percent...

Page 330: ...opensips1 registrar 10 3 10 110 set voip trunk sip opensips1 authentication password 1234 set voip trunk sip opensips1 enable yes set voip call mng inbound opensips in source trunk opensips1 destinati...

Page 331: ...FXO port also to prevent a possible incoming call on that port This functionality is implemented in a transparent way to the user No commands that enables it are necessary Basic calls via ISDN ports...

Page 332: ...f extensions associated with the GNR trunk If there is a match the trunk is identified to place the outgoing call In this manner it is possible to connect an ISDN PBX to any CPE s ports and to exit on...

Page 333: ...e routed cyclically to one of the terminals belonging to Line Group Hunting scan This parameter can take the value oneshot or circular The value oneshot means that it will run a single cycle on all te...

Page 334: ...te goofy set voip user terminal group pluto hunting mode ordered set voip user terminal group pluto hunting scan circular set voip user terminal group pluto timerprionoreplay 10 set voip user terminal...

Page 335: ...pluto enable yes set voip call mng inbound opensip2pluto source trunk opensip destination pluto incoming number all number Regarding the creation of outbound rules which have Line Group as source ter...

Page 336: ...55 255 0 set vlan eth1 4 ipaddr 192 168 4 1 netmask 255 255 255 0 set vlan eth1 10 ipaddr 192 168 10 1 netmask 255 255 255 0 it states that on port 1 of the switch can pass Ethernet packets containing...

Page 337: ...fter the activation of the voip cdr on functionality show voip history last NUMBER full using last you can specify the number of lines of the CDR to be put to video root imola pbx show voip history fu...

Page 338: ...fresh State Reg Time 10 3 10 110 5060 N 082310010 1184 Registered Fri 07 Jan 2000 01 56 09 1 SIP registrations root imola pbx Information on registration channel terminal codec extent and direction of...

Page 339: ...DOWN L2 state tei 0 RELEASED Number of B channels 2 B1 alloc FREE state BC_UNINITIALIZED use count 0 sock 1 activated 0 mode TXRX off BC0 ridx 1 dropped 0 B2 alloc FREE state BC_UNINITIALIZED use coun...

Page 340: ...kup Timer tick GPRS tc DHCP client OpenVPN IPSec For example the ADSL interface can be activated any time after the start up of Imola if the user wants to activate the bgp service when this interface...

Page 341: ...address is available again the router comes back from the backup status by executing programmed actions for example set trigger backup off set rip off set trigger backup off set gprs off For example i...

Page 342: ...set gprs traffic control on set trigger gprs off set gprs traffic control off In the example above traffic control begins with activation of the GPRS session and is deactivated when the session ends 1...

Page 343: ...0 commands are executed CPU USAGE CONTROL The command cpustate mon periodically verifies the CPU occupancy and defines two thresholds When these two thresholds are reached they generate an event which...

Page 344: ...ured by using the commands set backup check retries N set backup check wait T1 set backup check interval T2 The sequence of ICMP packets is still transmitted on the specified interface and the primary...

Page 345: ...on is available as soon as a reply is received By using the command set backup check tos N it is possible to specify the value of the Type of service TOS field of transmitted packets 3 Periodic transm...

Page 346: ...r if rx idle 1 1 1 1 via icmp through interface atm0 rx threshold 500 activates the transmission of ping packets if less than 500 characters have been received during the specified time interval 5 Ver...

Page 347: ...sh eight other conditions by using the command following command This option is available from the firmware version x 3 0 set extbackup N the syntax is the same of set backup options excepting for the...

Page 348: ...iated with the ppp0 interface of Imola and 3 3 3 2 is the nexthop the network accessible through the atm0 interface is ADSL the network accessible through the ppp0 interface is GPRS two hosts with add...

Page 349: ...source port any to any dest port 8899 out interface any in interface any set route net 0 0 0 0 netmask 0 0 0 0 dev atm0 set route net 0 0 0 0 netmask 0 0 0 0 dev ppp0 table 2 set policy based routing...

Page 350: ...eth1 set vlan add vid 836 interface eth1 set vlan eth1 835 ipaddr 192 168 35 1 netmask 255 255 255 0 set vlan eth1 835 description VLAN Cliente1 set vlan eth1 836 ipaddr 192 168 36 1 netmask 255 255...

Page 351: ...6 lookup table 2 If you want to use the BGP routing protocol on one or both PVCs to acquire the routes in dynamic mode you have to add to the BGP configuration the information that the acquired routes...

Page 352: ...ed from an ICMP echo request packet towards the address dst addr and optionally with source address src addr set rtr type udpEcho dst addr value dst port value src addr value src addr value It defines...

Page 353: ...they have been inserted The command set rtr start time immediately activates the probe immediately set rtr start time in N It activates the probe within an interval of time not lower than N seconds It...

Page 354: ...nning RTR Responder is not running IP SLA RESPONDER It is possible to configure the router in order to replies to probes received using the commands rtr responder local address local port where local...

Page 355: ...stablish personalized checkpoint by using the command set checkpoint name where name is an alphanumeric string which identifies the checkpoint In order to restore the saved configuration the command i...

Page 356: ...ds can be used show config current tmp imola cli txt upload command file tmp imola cli txt to 192 168 1 1 the first command creates the file tmp imola cli txt containing the router configuration and t...

Page 357: ...Feb 27 11 33 23 CET 2007 Software updates consists in loading a new version of one of the present packages For example supposing that it is available version 1 1 2 more recent than the version instal...

Page 358: ...tails see chapters about triggers configuration and backup status handling The following examples clarify the use of this these programmed automatic executions For example supposing that a GRE Tunnel...

Page 359: ...saved set route host 1 2 3 4 dev atm0 There are different ways to add static routes For example set adsl pvc atm0 default route in this way a default route is activated on the atm0 interface Or set a...

Page 360: ...INS IP ADDRESS it is better to use set dhcp server DHCP POOL NAME directive option wins IPADDR1 IPADDR2 Configuring the service for more than one DHCP POOL NAME it is possible to activate the multiple...

Page 361: ...paddr 192 168 50 1 netmask 255 255 255 0 ADSL NAT WITH AN IP LAN CUSTOMER WITH PUBLIC AND PRIVATE IP In this chapter it is described a base configuration of the ADSL RFC 1483 interface with a NAT on t...

Page 362: ...s on the interface eth0 In order to enable data exchange with the outside a NAT rule is set for packets from the private LAN set eth0 ipaddr PUBLIC IP netmask NETMASK IP PUBLIC set eth0 on set eth1 ip...

Page 363: ...the eth0 interface To permit the data exchange with to outside a NAT rule is set for those packets coming from the private LAN set eth0 ipaddr PUBLIC IP netmask NETMASK IP PUBLIC set eth0 on set eth1...

Page 364: ...TERNET NAVIGATION It is described here a base configuration of the GPRS interface with a public internet connection profile with the management IP on the eth0 interface and a private IP on the eth1 LA...

Page 365: ...nagement IP address on the eth0 and a private IP on the eth1 LAN The private internal LAN connection with the Master in its center is being realized with a GRE tunnel keepAlive with a default route To...

Page 366: ...namic mode and in CHAP or PAP mode If the RADIUS does not support only the PAP authentication and not the CHAP one then you need to add the following commands set gprs sgauth 1 set gprs directive refu...

Page 367: ...et eth1 ipaddr PRIVATE IP netmask NETMASK IP set eth1 on set isdn dialer ippp1 eaz 999999 set isdn dialer ippp1 out number NUMBER TO DIAL set isdn dialer ippp1 login ISDN USER password ISDN PASSWORD s...

Page 368: ...link a primary public ADSL with GPRS backup It is configured a private address on eth1 LAN and an IP address of the public addresses pool on the eth0 interface To allow the data exchange with the outs...

Page 369: ...0 0 0 0 netmask 0 0 0 0 dev atm0 distance 10 set route net 0 0 0 0 netmask 0 0 0 0 dev ppp0 distance 5 set iptables t nat A POSTROUTING s PRIVATE LAN N o atm0 j SNAT to PUBLC IP set autocmd set backup...

Page 370: ...0 0 0 0 netmask 0 0 0 0 dev ppp0 distance 5 set iptables t nat A POSTROUTING s 192 168 1 0 24 o atm0 j SNAT to 2 21 172 162 set autocmd set backup on set autocmd set gprs off ADSL WITH GPRS BACKUP WIT...

Page 371: ...t backup check interval 30 set backup check retries 3 set backup check wait 5 set backup deactivate delay 30 set backup on set trigger backup up send sms d TEL NUMBER ADSL DOWN BACKUP ON set trigger b...

Page 372: ...et adsl encap rfc1483 llc set adsl pvc number 1 set adsl pvc atm0 vpi 8 vci 35 set adsl pvc atm0 service UBR set adsl pvc atm0 pcr 0 set adsl pvc atm0 default route set adsl pvc atm0 no masquerade set...

Page 373: ...ed to BE class to which is assigned the 100 of the remaining band set no qos ext set qos ext policy voip set qos ext policy voip interface atm0 set qos ext class RT set qos ext class RT policy voip se...

Page 374: ...oip set qos ext class BE default set qos ext class BE bandwidth percent 100 set autocmd set qos ext on LOOPBACK CONFIGURATION set loopback 0 ipaddr ip address set loopback on SNMP CONFIGURATION set sn...

Page 375: ...e a different port from the default ones using set radius authhost 192 168 1 1 1645 192 168 1 2 1645 set radius accthost 192 168 1 1 1646 192 168 1 2 1646 BANNER CONFIGURATION To set a system banner o...

Page 376: ...t limitation in handling keyboard input concerning characters classified as special such as and these are prohibited To work around this restriction you can use these characters equally preparing its...

Search results

Summary of Contents for Imola 0220

Reviews:

Related manuals for Imola 0220

Brands by name

Popular brands

Tiesse Imola 0220, User Manual

Search results

Summary of Contents for Imola 0220

Reviews:

Related manuals for Imola 0220

Brands by name

Popular brands