manualshive.com logo in svg

Patton electronics IPLink Series, Руководство по настройке программного обеспечения, Страница: 295 / 331

Поделиться
Скачать
Patton electronics IPLink Series Скачать руководство пользователя страница 295

Key Management (IKE)

295

IPLink Software Configuration Guide 

26 • VPN configuration

IN  MANUAL      ToBerne    Tunnel     no
200.200.200.1   -          1111       -            -           AES-CBC 128
3622/unlimited                19047/unlimited

OUT MANUAL      ToBerne    Tunnel     no
200.200.200.1   -          2222       -            -           AES-CBC 128
2857/unlimited                19047/unlimited

Key Management (IKE)

As briefly described in the Introduction, key management is done either by pre-shared keys or automatically 
keyed IPSEC connections usgin the Internet Key Exchange (IKE / RFC 2409). IKE is based on Internet Secu-
rity Association and Key Management Protocol (ISAKMP / RFC 2408). The IKE module supports authenti-
cation using pre-shared keys. There is currently no support for authentication using Public Key Infrastructure 
(PKI) and digital certificates. 

IKE is used to establish a shared secret between two peers, which can be used to derive encryption and/or 
authentication keys for the exchange of encrypted and or authenticated packets between the peers through an 
IPSEC connection. IKE also authenticates the two peers to thwart man in the middle attacks. In addition IKE 
empowers IPSEC to do replay protection to prevent re-injection of previously captured packets into the pro-
tected network. Furthermore IKE negotiates a set of cryptographic transforms used by IPSEC for encryption 
and/or authentication of IP packets. IKE is also responsible for periodic establishment of new session keys for 
the ISPEC security associations. 

To achieve all of this, IKE is split into two phases called MAIN MODE and QUICK MODE. 

In MAIN MODE, IKE mutually authenticates the peers, establishes a shared secret between them and negoti-
ates cryptographic transforms in order to create an ISAKMP security association between the two peers. The 
ISAKMP security association is only used to provide a secure, authenticated and encrypted channel between 
the peers, which can be used for any further communication. 

In QUICK MODE, IKE negotiates all the security parameters like cryptographic transforms, SPIs and sessions 
keys. They are required for establishing one or more IPSEC security association. All QUICK MODE commu-
nication is protected by a previously established ISAKMP security association. 

Note

The same ISAKMP security association can be used to establish multiple 
quick modes.

Main differences between manual & IKE IPSEC configurations

For IKE connections the ACLs must allow traffic from and to UDP port 500 in plaintext, because this 
port is used by IKE to negotiate security associations.

The ¨profile ipsec-transform¨ defines the cryptographic transforms used for the IPSEC connections, but 
it is necessary also to define also a ¨profile isakmp-transform¨, that defines the cryptographic trans-
forms used to protect the negotiation of new IPSEC security associations using ISAKMP

.

Instead of the ¨profile ipsec-policy-manual¨, which is used to create manual keyed IPSEC connections, 
you need to create a ¨profile ipsec-policy-isakmp¨, which contains all the IKE specific configuration 
options.

Содержание IPLink Series

Страница 1: ...re Release 3 20 Software Configuration Guide Sales Office 1 301 975 1000 Technical Support 1 301 975 1007 E mail support patton com URL www patton com Document Number 13220U8 001 Rev A Part Number 07M...

Страница 2: ...ded for use as critical components in human life support systems equipment used in hazardous environments or nuclear control systems Patton Electronics Company disclaims any express or implied warrant...

Страница 3: ...128 13 Ethernet port configuration 137 14 Link scheduler configuration 148 15 Serial port configuration 167 16 T1 E1 port configuration 185 17 Basic IP routing configuration 195 18 RIP configuration 2...

Страница 4: ...Africa EMEA 22 Warranty Service and Returned Merchandise Authorizations RMAs 23 Warranty coverage 23 Returns for credit 23 Return for credit policy 23 RMA numbers 23 Shipping instructions 23 1 System...

Страница 5: ...bling the Telnet server 42 Logging onto the IPLink software 42 Selecting a secure password 43 Password encryption 43 Configure operators and administrators 44 Password encryption 44 Factory preset adm...

Страница 6: ...he serial link 70 Factory configuration 70 7 Configuration file handling 71 Introduction 72 Understanding configuration files 72 Factory configuration 74 Configuration file handling task list 74 Copyi...

Страница 7: ...s in the RADIUS request message 107 Attributes in the RADIUS accept message 108 Configuring the local database accounts 108 10 IP context overview 110 Introduction 111 IP context overview configuratio...

Страница 8: ...PT profile 132 Configuring a NAPT DMZ host 133 Defining NAPT port ranges 134 Preserving TCP UDP port numbers in NAPT 134 Defining the UDP NAPT type 134 Activate NAT NAPT 135 Displaying NAT NAPT config...

Страница 9: ...ght 158 Defining the bit rate 159 Defining absolute priority 159 Defining the maximum queue length 159 Specifying the type of service TOS field 159 Specifying the precedence field 160 Specifying diffe...

Страница 10: ...T1 E1 line code 187 Configuring T1 E1 framing 187 Configuring T1 E1 line build out T1 only 188 Configuring T1 E1 used connector E1 only 188 Configuring T1 E1 application mode 188 Configuring T1 E1 LO...

Страница 11: ...ng RIP configuration of an IP interface 209 Displaying global RIP information 210 19 Access control list configuration 211 Introduction 212 About access control lists 212 What access lists do 212 Why...

Страница 12: ...1 SNTP client configuration task list 241 Selecting SNTP time servers 242 Defining SNTP client operating mode 242 Defining SNTP local UDP port 243 Enabling and disabling the SNTP client 244 Defining S...

Страница 13: ...roubleshooting 268 25 PPP configuration 270 Introduction 271 PPP configuration task list 272 Creating an IP interface for PPP 272 Disable interface IP address auto configuration from PPP 274 Creating...

Страница 14: ...uration of an IP interface and the IP router for IPSEC 298 Policy matching 298 Sample configuration snippet 298 Troubleshooting 299 Using an alternate source IP address for specific destinations 299 S...

Страница 15: ...le_provisioning 321 context_ip 321 interface 321 dyndns 322 subscriber_ppp 322 port_ethernet 322 pppoe 322 vlan 323 port_serial 323 framerelay 323 Other 324 Show help 324 Show command history 324 Show...

Страница 16: ...IPLink software 150 24 Example of Hierarchical Scheduling 152 25 Elements of link scheduler configuration 154 26 Scenario with Web server regarded as a single source host 155 27 Structure of a Servic...

Страница 17: ...41 6 Permanent built in interface slot and port mapping for IPLink Series 139 7 Command cross reference 153 8 TOS values and their meaning 160 9 Traffic control info TCI field 161 10 Values defining d...

Страница 18: ...chnicians How to read this guide IPLink software is a complex and multifaceted operating system running on your IPLink device Without the necessary theoretical background you will not be able to under...

Страница 19: ...al overview of IPLink interfaces and describes the tasks involved in their configuration Chapter 12 NAT NAPT configuration on page 128 provides a general overview of the network address port translati...

Страница 20: ...overview of IPLink software circuit switching CS context and its associated components and describes the tasks involved in its configuration Chapter 28 CS interface configuration on page 349 gives an...

Страница 21: ...iew button in the Adobe Acrobat Reader toolbar to return to your starting point Futura bold type Commands and keywords are in boldface font Futura bold italic type Parts of commands which are related...

Страница 22: ...t Available at www patton inalp com E mail support E mail sent to support patton inalp com will be answered within 1 business day Telephone support Standard telephone support is available five days a...

Страница 23: ...he purchase price If you have ordered the wrong equipment or you are dissatisfied in any way please contact us to request an RMA number to accept your return Patton is not responsible for equipment re...

Страница 24: ...24 Chapter 1 System overview Chapter contents Introduction 25 IPLink hardware platforms 26 IPLink software embedded software 26 IPLink Software management center tools 27...

Страница 25: ...ware platforms or network nodes that provide the physical connectivity and the CPU resources All IPLink models support packet routed traffic The second element comprises the embedded software called I...

Страница 26: ...IPLink hardware platforms IPLink software is available in several releases that support all available IPLink models Refer to IPLink software release notes for detailed information about hardware suppo...

Страница 27: ...d in the factory and requires no upgrading The PMC loader initializes the PMC interface cards when mounted in IPLink devices It checks the hard ware versions and determines whether compatible PMC driv...

Страница 28: ...t System NMS With the aid of configuration files and TFTP up and downloads the IPLink devices can also be managed offline using standard text editors and file systems A number of host based management...

Страница 29: ...ation concepts Chapter contents Introduction 30 Contexts and Gateways 31 Context 31 Interfaces Ports and Bindings 31 Interfaces 31 Ports and circuits 31 Bindings 32 Profiles and Use commands 32 Profil...

Страница 30: ...it switched and packet routed networks and services In order to consistently support a growing set of func tions protocols and applications IPLink software configuration is based on a number of abstra...

Страница 31: ...in IPLink software differs from that in traditional networking devices Tradition ally the term interface is often synonymous with port or circuit which are physical entities In IPLink software however...

Страница 32: ...ings form the association between circuits or ports and the interfaces configured on a context No user data can flow on a circuit or Ethernet port until some higher layer service is configured and ass...

Страница 33: ...34 CLI prompt 34 Navigating the CLI 35 Initial mode 35 System changes 35 Configuration 35 Changing Modes 35 Command editing 35 Command help 35 The No form 35 Command defaults returning parameters to d...

Страница 34: ...nment within which a group of related commands is valid All commands are mode specific and certain commands are valid in more than one mode A command mode provides command line completion and context...

Страница 35: ...any of configuration modes For example when in pvc configuration mode typing exit will take you to framerelay configuration mode The exit command terminates a CLI session when typed from the operator...

Страница 36: ...opy and context are displayed Command history IPLink software maintains a list of previously entered commands that you can go through by pressing the up arrow and down arrow keys and then pressing ent...

Страница 37: ...Ctrl c Quit editing the current line Ctrl l Refresh redraw the display Ctrl t Transpose characters Ctrl v Insert a code to indicate to the system that the keystroke immediately fol lowing should be tr...

Страница 38: ...2 Logging onto the IPLink software 42 Selecting a secure password 43 Password encryption 43 Configure operators and administrators 44 Password encryption 44 Factory preset administrator account 44 Cre...

Страница 39: ...on If you type part of a command and then press the tab key the IPLink software shell will present you with either the remaining portion of the command or a list of possible commands These features ar...

Страница 40: ...via the con sole port Console port procedure Before using the CLI to enter configuration commands do the following 1 Set up the hardware as described in the getting started guide that came with your I...

Страница 41: ...active Note The default IP addresses listed in table 5 apply to an operating scenario com patible with the factory configured settings of the IPLink If your operating requirements are significantly di...

Страница 42: ...he local console port or via a Telnet session opens a login screen The following description of the login process is based on a Telnet session scenario but is identical to that used when accessing via...

Страница 43: ...ry words or any of the above mentioned examples Every password should be at least 6 characters long and include at least one capital letter one number and one lowercase letter A good example of a pass...

Страница 44: ...assword mypassword always appears in encrypted form as HUAvCYeILWZz3hQvS0IEpQ encrypted when doing a show command The command show running config always displays the passwords in encrypted format To e...

Страница 45: ...ple Create an administrator account The following example shows how to add a new administrator account with a login name super and a matching password Gh3 Ke4h IPLink enable IPLink configure IPLink cf...

Страница 46: ...k show accounts administrator accounts super operator accounts support Switching to another account A user can use the su command to switch from one user account to working in another With this comman...

Страница 47: ...who is logged in or more detailed information about users and process states depending on the execution mode in which you are working Used in administrator execution mode IPLink who ID User name Stat...

Страница 48: ...m of the list Also you can change a com mands position in a listing moving it up or down in the list by changing its index number Example 1 Moving the test1 cfg from position 1 in the list to position...

Страница 49: ...to cancel After confirming the dialog with yes the Telnet session to the IPLink is terminated and the Telnet applica tion window on your host closes Note Using the command exit in the operator execut...

Страница 50: ...ion tasks 51 Entering the IP context creating IP interfaces and assigning an IP address 51 Defining IP Ethernet encapsulation and binding an IP interface to a physical port 52 Activating a physical po...

Страница 51: ...IP context creating IP interfaces and assigning an IP address Defining IP Ethernet encapsulation and binding an IP interface to a physical port see page 52 Activating the physical port see page 52 Dis...

Страница 52: ...n which it is located It is assumed that you would like to bind the IP interface name to port port of slot slot Mode Configure Example Define IP Ethernet encapsulation and bind IP interface to physica...

Страница 53: ...o shutdown command in port configuration mode Example Activating the physical port It is assumed that you would like to activate the physical port 0 on slot 0 for which you use the following com mands...

Страница 54: ...mode which creates a list of all the defined IP interfaces IPLink cfg context ip router IPLink ctx ip router interface interface New interface external Existing interface internal Existing interface...

Страница 55: ...t 0 Figure 8 shows the relation between the IP interface lan and the Ethernet port 0 on slot 0 The configuration procedure below starts in the operator execution mode Figure 8 Relation between IP Inte...

Страница 56: ...he interface lan you just defined to the Ethernet port and then activate the port IPLink prt eth 0 0 bind interface lan router IPLink prt eth 0 0 no shutdown 5 Store the configuration s 6 ettings in t...

Страница 57: ...s from a network server to Flash memory 61 Copying driver software from a network server to Flash memory 62 Auto provisioning of firmware and configuration 63 Boot procedure 65 Bootloader 67 Start Boo...

Страница 58: ...nfiguration file sets the initial basic operating parameters of the IPLink such as enabling the Ethernet ports setting the default IP addresses and the DHCP server Other configuration files may be sto...

Страница 59: ...terminology On powering up an IPLink or pressing the Reset button on applicable units with no pre configured user con figuration files the default factory config file is also the startup config and th...

Страница 60: ...network server to the Flash memory see page 62 Displaying system image information This procedure displays information about system images and driver software Volatile Persistent nvram Factory Config...

Страница 61: ...ently into the flash memory of your IPLink to be present when booting the device Since the system image file is preloaded at the Patton Electronics Co factory you will have to download a new IPLink so...

Страница 62: ...le download starts automatically Mode Administrator execution Example Copy system images from a network server to the Flash memory The following example shows how to download the driver software image...

Страница 63: ...sh memory The following example shows how to download the driver software image file from the TFTP server at IP address 172 16 36 80 The download is defined by a script file which has to be downloaded...

Страница 64: ...tiva tion reload graceful Explanation Step Command Purpose 1 name pf prov FIRMWARE destination script Chooses the unit s script interpreter as des tination of the downloaded file Use this for firmware...

Страница 65: ...rovisioning execute FIRMWARE timer CONFIG_UPDATE now 2 minutes every 10 minutes provisioning execute CONFIG Boot procedure During a normal boot procedure of an IPLink the bootstrap application checks...

Страница 66: ...back panel of the IPLink If a valid application image is not available The bootloader ensures that basic operations network access and downloads are possible in case of interrupted or corrupted appli...

Страница 67: ...startup configuration is loaded into the volatile mem ory and is used to parameterize the IPLink software Bootloader Recall that the bootloader ensures that basic operations network access and downloa...

Страница 68: ...e used to receive the new application image mask_len is the length of the network address or the number of 1 s within the subnet mask See Note below 2 optional RedBoot ip_address g gateway Sets the IP...

Страница 69: ...ge IPLink software RedBoot ip l 172 16 40 98 19 RedBoot ip g 172 16 32 1 RedBoot ping h 172 16 32 100 Network PING from 172 16 40 98 to 172 16 32 100 PING received 10 of 10 expected RedBoot load r v h...

Страница 70: ...he operation of an IPLink See section Boot procedure on page 65 and section Start up with factory configuration on page 68 for information on how to restore the factory configuration Step Command Purp...

Страница 71: ...ration with a configuration from Flash memory 76 Copying configurations to and from a remote storage location 78 Replacing the startup configuration with a configuration downloaded from TFTP server 79...

Страница 72: ...th the command configure Once in configuration mode enter the configuration commands that are necessary to configure your IPLink You can also create a new configuration file or modify an existing one...

Страница 73: ...he end of the line 2805 Factory configuration file dns relay sntp client sntp client server primary 129 132 2 21 port 123 version 4 profile napt NAPT profile dhcp server DHCP network 192 168 1 0 255 2...

Страница 74: ...uide included with your IPLink device describes the restoration procedure for restoring the default settings Configuration file handling task list This section describes how to create load and maintai...

Страница 75: ...opied into the persistent memory region nvram by using a user specified name for conservation or later activation As shown in figure 12 the local memory regions are identified by their unique names li...

Страница 76: ...place the startup configuration by a configuration that is already present in the flash memory You can do so by copying it to the area of the flash memory where the startup configuration is stored Mod...

Страница 77: ...n in the file new startup stored in flash memory 1 Replace the current startup configuration by using the copy command into the flash memory area where the startup configuration is stored IPLink copy...

Страница 78: ...stored to a file whose name is defined as one of the arguments of the copy command Figure 13 Remote memory regions for IPLink software Finally configuration files i e the startup configuration or a u...

Страница 79: ...ontained in the file new startup located on the TFTP server at IP address 172 16 36 80 1 Download the startup configuration with the copy command into the flash memory area where to store the startup...

Страница 80: ...which is significantly longer To hide these hidden commands again issue the no cli config defaults command Modifying the running configuration at the CLI IPLink software accepts interactive modificat...

Страница 81: ...no the question whether to reload or not with yes Mode Administrator execution Example Modifying the running configuration at the CLI The following example shows how to modify the currently running co...

Страница 82: ...00 At this point in time the offline editing of the configuration file current config on the TFTP server takes place IPLink copy tftp 172 16 36 80 user current config nvram startup config Download 100...

Страница 83: ...s IPLink show nvram Persistent configurations backup startup config factory config Encrypted file download This section explains the encrypted configuration download feature of IPLink software TFTP as...

Страница 84: ...ed before stored to flash A custom encryption key can be Downloaded to the IPLink software Specified with the PC encryption tool The encryption key may include the MAC address and or serial number of...

Страница 85: ...ead of the variable on the IPLink system serial The serial number of the IPLink Execute the show version command on the IPLink to display the serial number When your key file contains the following li...

Страница 86: ...ies to decrypt the file using the pre installed key Upload an encrypted configuration file The IPLink immediately decrypts a configuration file after downloading it This is the configuration file is s...

Страница 87: ...m banner 91 Setting time and date 92 Display clock information 92 Display time since last restart 93 Configuring and starting the Web server 93 Determining and defining the active CLI version 93 Resta...

Страница 88: ...r Basic system management configuration task list All tasks in the following sections are optional though some such as setting time and calendar services and sys tem information are highly recommended...

Страница 89: ...server The following example shows the command used to install license keys which are stored in a license file on a TFTP server IPLink cfg copy tftp 172 16 4 3 keystore sn1x00_120393 lic licenses Mode...

Страница 90: ...d with the chosen name Assigning explanatory location information to describe the system physical location of your IPLink e g server room wiring closet 3rd floor etc is very supportive This entry corr...

Страница 91: ...istrators and operators such as scheduled maintenance or system shutdowns By default no banner is present on login To create a system banner use the banner command followed by the message you want dis...

Страница 92: ...ncludes an integrated SNTP client which allows synchro nization of time of day and date to a reference time server Refer to chapter 21 SNTP client configuration on page 240 for more details Example Se...

Страница 93: ...al console Without a Java applet the value of the embedded web server is limited Contact Patton Electronics Co for any questions about custom designed Java configuration tools for IPLink software Mode...

Страница 94: ...l they all are closed to reload forced reloads the system without prompting for confirmation or for saving the running configuration no need to type yes or no The question whether to save the running...

Страница 95: ...NFO Warm start 2001 12 14T08 51 09 LOGINFO Slot 2 Event Logging Service for ic 4brvoip started 2001 12 14T08 51 09 LOGINFO Slot 2 DrvPckt_Dsp_Ac48xx DSP driver for AC481xx cre ated Controlling command...

Страница 96: ...0 Time 10ms Reply from 172 16 36 80 Time 10ms Reply from 172 16 36 80 Time 10ms Reply from 172 16 36 80 Time 10ms Ctrl z suspend active command Suspended System prompt reappears and is ready to execut...

Страница 97: ...FIRMWARE timer volatile RELOAD midnight 1 hour reload graceful Starts a volatile timer named RELOAD does not appear in the running configuration and thus is not stored in the startup configuration The...

Страница 98: ...nal session is automatically closed If longer session periods are required logging debugging this command allows to increase the session timeout or to disable it com pletely 3 name sys terminal more E...

Страница 99: ...100 General AAA Configuration 101 RADIUS configuration 103 Configuring RADIUS clients 104 Configuring RADIUS accounting 105 Configuring the RADIUS server 107 Attributes in the RADIUS request message...

Страница 100: ...user s authentication login information with credentials stored in a database If the information is verified the user is granted access to the network Otherwise authentication fails and network access...

Страница 101: ...sequence in which methods are applied to obtain AAA information Figure 16 illustrates the correlation between the Telnet login and console login services Figure 16 How to use AAA methods and AAA prof...

Страница 102: ...n and console login services IPLink enable IPLink configure IPLink cfg profile aaa remote radius IPLink pf aaa remote method radius radius_deepblue IPLink pf aaa remote method radius radius_extern IPL...

Страница 103: ...the console login service use this profile If an emergency occurs you can reload this default configuration by reloading the factory configuration as described in section Boot procedure on page 65 RA...

Страница 104: ..._extern IPLink radius radius_ radius server 219 144 12 1 IPLink radius radius_ shared secret authentication dd9351e13cc335 IPLink radius radius_ exit IPLink cfg IPLink cfg show radius client RADIUS cl...

Страница 105: ...a ATTRIBUTE Connect Time 33 string Patton a ATTRIBUTE Disconnect Time 34 string Patton a ATTRIBUTE Disconnect Cause 35 integer Patton b ATTRIBUTE Disconnect Source 36 string Patton c ATTRIBUTE Called...

Страница 106: ...efine your newly created radius client as the AAA method to be used Note If you require redundancy you can create multi ple radius clients and add all of them to the AAA profile 6 node pf auth pf name...

Страница 107: ...pdate interval seconds Define the interval after which an interim update shall be sent if necessary The default is not to send periodic interim updates 14 node svc aaa svc name port name Create a port...

Страница 108: ...ndor data including Vendor Type and Vendor Length Vendor String Not null terminated String with the value console or Telnet Configuring the local database accounts The final step in configuring the au...

Страница 109: ...k cfg Note If you are creating an account that does not require a password type to indicate that no password is needed For example if you were configuring an account for an operator named James that d...

Страница 110: ...112 IP interface related information 112 Serial interface related information 113 QoS related information 113 Configuring Ethernet and serial ports 113 Creating and configuring IP interfaces 113 Conf...

Страница 111: ...router by default This IP context can contain interface static routes RIP parameters NAPT QoS and access control profiles In figure 17 on page 111 the IP context with all its related elements is conta...

Страница 112: ...Depending on your application scenario some tasks are mandatory or might be optional The following tasks use a bottom up approach starting from the ports followed by the interfaces up to the services...

Страница 113: ...at the device Signaling protocol required by the device must be X 21 or V 35 QoS related information Check with your access service provider if there are any QoS related requirements which you need t...

Страница 114: ...work addresses IP addresses to map multiple private network addresses to a single outside address NAPT enables small offices to save money by requiring only one official outside IP address to connect...

Страница 115: ...movement through the network Such control can help to limit net work traffic and to restrict network use by certain users or devices To permit or deny packets from crossing specified interfaces IPLin...

Страница 116: ...lity of service QoS 116 IPLink Software Configuration Guide 10 IP context overview IPLink software QoS features described in chapter 14 Link scheduler configuration on page 148 address these diverse a...

Страница 117: ...20 ICMP message processing 121 ICMP redirect messages 121 Router advertisement broadcast message 121 Defining the MTU and MSS of the interface 122 Configuring an interface as a point to point link 123...

Страница 118: ...list To configure interfaces perform the tasks in the following sections Creating an IP interface see page 118 Deleting an IP interface see page 119 Setting the IP address and netmask see page 120 ICM...

Страница 119: ...default Deleting an existing interface in the IP context is often necessary Mode Context IP Example Delete IP interfaces The procedure below assumes that you would like to delete an IP interface name...

Страница 120: ...anslations although their traffic is routed through an IP interface to which a NAPT profile is bound This configuration is usually neces sary for DMZ networks connected to an Ethernet port which uses...

Страница 121: ...ving this device at all The redirect message instructs the sender to remove the receiving device from the route and substitute a specified device representing a more direct path This feature is enable...

Страница 122: ...ll devices on a physical medium must have the same protocol MTU in order to operate accurately Procedure To set the MTU packet size or the MSS to size on the interface name Mode Interface Example Defi...

Страница 123: ...router interface lan IPLink if ip lan point to point Displaying IP interface information IPLink software contains the show ip interface command which displays IP information for all interfaces The com...

Страница 124: ...the path to host reliability delays over the path and whether the host can be accessed or is functioning Mode Either operator or administrator execution When using ping for fault isolation you should...

Страница 125: ...from 172 16 1 10 Time 10ms Ping statistics for 172 16 1 10 Packets Sent 5 Received 5 Lost 0 0 loss RTT Minimum 10ms Maximum 10ms Average 10ms Traceroute This procedure describes how to print the route...

Страница 126: ...1 Lost 0 0 loss RTT Minimum 10ms Maximum 10ms Average 10ms Example Display the ARP information IPLink cfg show arp IP Interface eth0 Remote IP Remote MAC State TTL TxReq RxRep Usage 69 138 216 1 00 01...

Страница 127: ...interface wan no longer exists IPLink ctx ip router interface interface New interface lan Existing interface Step Command Purpose 1 node ctx ip ctx name interface if name Go to the IP interface which...

Страница 128: ...NAPT traversal 131 NAT NAPT configuration task list 132 Creating a NAPT profile 132 Configuring a NAPT DMZ host 133 Defining NAPT port ranges 134 Preserving TCP UDP port numbers in NAPT 134 Defining t...

Страница 129: ...plies the terminology defined in RFC 2663 IPLink software provides four types of NAT NAPT Dynamic NAPT Cisco terminology NAT Overload Static NAPT Cisco terminology Port Static NAT Dynamic NAT Static N...

Страница 130: ...dress can either be the address of the global interface or a configured global NAPT address Usually the local and the global port of a static NAPT entry are the same however they may be different Figu...

Страница 131: ...makes local hosts globally accessible Static NAT entries map global addresses to local addresses The global address must be a configured global NAT address It cannot be the address of the global inter...

Страница 132: ...page 135 Creating a NAPT profile A NAPT profile defines the behavior of the NAT NAPT component comprising all four types of NAT NAPT this profile is called NAPT profile and not NAT NAPT profile for hi...

Страница 133: ...the device itself The following procedure shows how a DMZ host can be configured Mode profile napt pf name 4 optional node pf napt name range local ip range start local ip range stop global ip start...

Страница 134: ...ocedure The NAPT sup ports the UDP translation types shown in the following list The list is ordered by the security of the NAPT type starting with the highest security type symmetric port restricted...

Страница 135: ...an IPLink cfg context ip router IPLink ctx ip router interface lan IPLink if ip lan use profile napt access Displaying NAT NAPT configuration information Two commands are available to display an exist...

Страница 136: ...STATIC NAPT RANGE MAPPINGS Local IP Start Local IP Stop Global IP 192 168 1 10 192 168 1 19 131 1 1 15 STATIC NAT RANGE MAPPINGS Local IP Start Local IP Stop Global IP Start Global IP Stop 192 168 1 3...

Страница 137: ...139 Configuring Ethernet encapsulation type for an Ethernet port 140 Binding an Ethernet port to an IP interface 140 Multiple IP addresses on Ethernet ports 141 Configuring a VLAN 142 Configuring laye...

Страница 138: ...router for port Ethernet 0 1 and bind interface eth0 router for port Ethernet 0 0 Enabled The information in this chapter applies to all Ethernet ports on the system including the Ethernet manage ment...

Страница 139: ...nt on board interfaces of an IPLink are described as being on slot 0 Configuring medium for an Ethernet port All Ethernet ports are configured by default to auto sense both the port speed and the dupl...

Страница 140: ...Configure Example Configuring Ethernet encapsulation type for an Ethernet port The following example shows how to configure the encapsulation type to IP for the Ethernet port on slot 0 and port 0 of a...

Страница 141: ...PLink prt eth 0 0 bind interface lan router Multiple IP addresses on Ethernet ports It is possible to use multiple IP addresses on an Ethernet port by binding the port to multiple IP interfaces Each o...

Страница 142: ...hat is bound to this port is also closed All static routing entries that are using this interface change their state to invalid and all dynamic routing entries will be removed from the route table man...

Страница 143: ...ribes how to change layer 2 CoS to service class mapping Step Command Purpose 1 node config port ethernet slot port Enter Ethernet port configura tion 2 node prt eth slot port vlan id Create new VLAN...

Страница 144: ...nto a firm ware specific service class value Each conversion is stored as a mapping table entry so the receive mapping table consists of several mapping table entries This procedure describes how to a...

Страница 145: ...he shutdown command This command also disables and closes the IP interface that is bound to that port All static routing entries that are using this interface change their state to invalid and all dyn...

Страница 146: ...0 and port 0 gets also closed Checking the state of the IP interface wan indicates this with the CLOSED for parameter state IPLink prt eth 0 1 show ip interface Context router Name wan IP Address 172...

Страница 147: ...the capture buffer is full 2 Now the sniffer is active and will capture the datapackets on the specified ethernet port 3 name cfg no sniff ether net 0 1 Disable the sniffer on ethernet port 0 1 Note t...

Страница 148: ...ontrol list 155 Creating a service policy profile 156 Specifying the handling of traffic classes 158 Defining fair queuing weight 158 Defining the bit rate 159 Defining absolute priority 159 Defining...

Страница 149: ...een voice and data packets To improve QoS you can configure the IPLink to send no more data to the Internet than the modem can carry This keeps the modem s queue empty and gives the IPLink software co...

Страница 150: ...ecause they will not use up the entire bandwidth Weighted fair queuing WFQ This arbitration method assures a given minimal bandwidth for each source An example you specify that traf fic class A gets t...

Страница 151: ...urstiness needed for sources to catch up after collisions is implicitly allowed Future versions of IPLink software might allow setting the burst rate and bursting size if more control over its behavio...

Страница 152: ...igura tion Setting the modem rate To match the voice and data multiplexing to the capacity of the access link is the most common application of the IPLink software link scheduler 1 Create a minimal pr...

Страница 153: ...dministrators to straightforwardly configure IPLink devices In table 7 the Cisco IOS Release 12 2 QoS commands are in con trast with the respective IPLink software commands Link scheduler configuratio...

Страница 154: ...n IPLink software consists of a series of packet descriptions like addressed to xyz Those descriptions are called rules For each packet the list of descriptions is sequentially checked and the first r...

Страница 155: ...he necessary steps to tag any outbound traffic from a Web server The scenario is depicted in figure 26 The IP address of the Web server is used as source address in the permit statement of the IP filt...

Страница 156: ...control lists the link arbiter needs rules defining how to handle the different traffic classes For that purpose you create a service policy profile The service policy profile defines how the link ar...

Страница 157: ...ass local voice priority source traffic class Web share 30 source traffic class local default share 20 source traffic class default queue limit 40 share 50 The first line specifies the name of the lin...

Страница 158: ...g fair queuing weight The command share is used with wfq link arbitration to assign the weight to the selected traffic class When defining a number of source classes the values are relative to each ot...

Страница 159: ...he class name Excess pack ets are dropped Used in class mode queuing only happens at the leaf of the arbitration hierarchy tree The no form of this command reverts the queue limit to the internal defa...

Страница 160: ...ice RFC791 RFC1349 The precedence field is defined by the first three bits and supports eight levels of priority The low est priority is assigned to 0 and the highest priority is 7 The no form of this...

Страница 161: ...time critical data Under 802 1p a 4 byte Tag Control Info TCI field is inserted in the Layer 2 header between the Source Address and the MAC Client Type Length field of an Ethernet Frame Table 9 list...

Страница 162: ...packets that have to be included in the QoS process base upon their size In the service policy profile exists a command that allows mapping of a specific packet size or a range to a traffic class The...

Страница 163: ...d voice traffic will be pro cessed like local generated voice traffic 4 name pf srvp name out source traffic class local voice Enters traffic class configuration mode 5 name src local v priority Speci...

Страница 164: ...ers may use input shaping to improve downlink voice jitter in the absence of voice support The default setting no service policy sets the interface to FIFO queuing Mode Interface Example Devoting the...

Страница 165: ...eduling profile information The show profile service policy command displays link scheduling profile information of an existing ser vice policy profile This command is only available in the administra...

Страница 166: ...r all queues of a profile The following example shows how to enable statistic gathering for all traffic classes IPLink enable IPLink configure IPLink cfg profile service policy sample IPLink pf srvpl...

Страница 167: ...udrate 172 Enter Frame Relay mode 173 Configuring the LMI type 173 Configuring the keep alive interval 174 Enabling fragmentation 174 Entering Frame Relay PVC configuration mode 176 Configuring the PV...

Страница 168: ...ay protocol on the synchronous serial interface Frame Relay is an example of a packet switched technology Packet switched networks enable end stations to dynamically share the network medium and the a...

Страница 169: ...show port serial IPLink cfg port serial 0 0 IPLink prt ser 0 0 shutdown IPLink prt ser 0 0 show port serial Serial Interface Configuration Port serial 0 0 0 State CLOSED Hardware Port V 35 Transmit E...

Страница 170: ...se the encapsulation interface configuration command This procedure describes how to set the encapsulation type of the serial interface for Frame Relay Mode Administrator execution Example Configuring...

Страница 171: ...active clock edge of the serial interface Mode Port serial Example Configuring the active clock edge The following example enables to send data on the negative edge on slot 0 and port 0 of an IPLink...

Страница 172: ...00 bps on the serial interface Verify that the command show port serial detail 5 output displays the correct baudrate True baudrate in the Status section shows the baudrate of the selected hardware IP...

Страница 173: ...interface on slot 0 and port 0 of an IPLink IPLink cfg port serial 0 0 IPLink prt ser 0 0 framerelay IPLink frm rel 0 0 Configuring the LMI type For a Frame Relay network the line protocol is the per...

Страница 174: ...ives on networks that do not utilize LMI use the no keepalive interface configuration command Example Configuring the keep alive interval The following example sets the keepalive interval to 10 second...

Страница 175: ...e delay to the real time data The FRF 12 Implementation Agree ment defines FRF 12 fragmentation This standard was developed to allow long data frames to be fragmented into smaller pieces fragments and...

Страница 176: ...is for connections between stations attached to the same Frame Relay network The resulting set of interconnected devices forms a private Frame Relay group which may be either fully inter connected wit...

Страница 177: ...a Frame Relay network This procedure describes how to set the encapsulation type to comply with RFC 1490 Mode Frame Relay Example Configuring the PVC encapsulation type The following example sets the...

Страница 178: ...hich is related to the IP context router Mode PVC Example Binding the Frame Relay PVC to IP interface The following example binds the Frame Relay PVC 1 to the IP interface wan of IP context router to...

Страница 179: ...verify that the entry no shutdown occurs in the con figuration part responsible for this PVC IPLink pvc 1 show running config Running configuration pvc 1 encapsulation rfc1490 bind interface wan route...

Страница 180: ...y impact your system performance This procedure describes how to display the Frame Relay configuration settings for the serial interface Mode Administrator execution Command Purpose no debug framerela...

Страница 181: ...isplaying Frame Relay information Since Frame Relay configuration for the serial interface is complex and requires many commands it is helpful to list the frame relay configuration on screen This proc...

Страница 182: ...st PVC labeled as PVC 1 connects to the MSP access device The second PVC labeled PVC 2 connects to the VPN provider access device on the leased line network An IPLink is working as a DTE and accesses...

Страница 183: ...up the IP interface configuration first Be aware that not all of the necessary settings are listed below IPLink cfg context ip router IPLink ctx ip router interface external IPLink if ip external int...

Страница 184: ...ble fragmentation for PVC 1 The voice uses codec G 723 at a packet size of 30ms so the minimum fragment size must be 66 Bytes Setting the fragment size to 300 Bytes introduces an additional delay of a...

Страница 185: ...uring T1 E1 application mode 188 Configuring T1 E1 LOS threshold 189 Configuring T1 Loopback detection 189 Configuring T1 E1 encapsulation 190 Create a Channel Group 190 Configuring Channel Group Time...

Страница 186: ...Disable T1 E1 port Configuring the T1 E1 port type Configuring T1 E1 clock mode Configuring T1 E1 line code Configuring T1 E1 framing Configuring T1 line build out LBO T1 only Configuring E1 impedance...

Страница 187: ...the other case the data transmission will fail due to bit failures Mode port e1t1 slot port Configuring T1 E1 line code Three different line codes can be selected on the T1 E1 port whereas only ami is...

Страница 188: ...ching must be adapted RJ45 120 Ohm BNC 75 Ohm Mode port e1t1 slot port Configuring T1 E1 application mode The T1 E1 port can be configured to work in either short haul or in long haul mode Short haul...

Страница 189: ...the customer It sends the loopback up code to the customer device then subsequently starts for example a Pseudo Random Bit Sequence PRBS to determinate the quality of the connection Depending on the...

Страница 190: ...for channelized afterwards the channel group command is used to create the channel group In the channel group configura tion mode the user selects the specific timeslots and the encapsulation hdlc wil...

Страница 191: ...e channel group configuration mode only the encapsulation type hdlc is available For more details see Configuring T1 E1 Encapsulation Mode channel group group name Entering HDLC Configuration Mode The...

Страница 192: ...ing up framerelay or ppp is exactly the same as for an X 21 V 35 serial port For that reason see chapter 15 Serial port configuration on page 167 for more details about frame relay configu ration and...

Страница 193: ...1 E1 port configuration Example 1 Frame Relay without a channel group port e1t1 0 0 port type e1 framing crc4 encapsulation hdlc hdlc encapsulation framerelay framerelay lmi type itu pvc 100 encapsula...

Страница 194: ...itu pvc 100 encapsulation rfc1490 bind interface pvc100 router no shutdown port e1t1 0 0 no shutdown Example 3 PPP without a channel group port e1t1 0 0 port type e1 framing crc4 encapsulation hdlc h...

Страница 195: ...ing tables 196 Static routing 196 Basic IP routing configuration task list 196 Configuring static IP routes 196 Deleting static IP routes 197 Displaying IP route information 198 Examples 199 Basic sta...

Страница 196: ...address and outgoing interface Routing algorithms must converge rapidly i e all routers must agree on optimal routes When a network event causes routes either to go down or to become unavailable rout...

Страница 197: ...cifies the desirability of the route when compared against other routes The range is 0 through 15 where 0 is the preferred route If no metric is specified the static route is assumed to have a metric...

Страница 198: ...tric flags U up H host G Gateway L local D default and amount of use for each route in the routing table If there are multiple routes to the same destination the preferred route is indicated by an ast...

Страница 199: ...ers and four networks The necessary routing table entries for the scenario described are listed below IPLink enable IPLink configure IPLink cfg context ip router IPLink ctx ip router route 10 1 5 10 2...

Страница 200: ...uting configuration Changing the default UDP port range for RTP and RTCP The UDP port range to be used for RTP streams can be configured using the following procedure Mode context ip Step Command Purp...

Страница 201: ...pecifying the receive RIP version 205 Enabling RIP learning 205 Enabling an interface to receive RIP 206 Enabling RIP announcing 206 Enabling RIP auto summarization 207 Specifying the default route me...

Страница 202: ...running RIP or the router can source generate the default network itself with RIP In both cases the default network is advertised through RIP to other RIP neighbors IPLink software software will send...

Страница 203: ...commands have the character of a flag which is either enabled or disabled Enabling send RIP Enabling an interface to receive RIP see page 204 Specifying the send RIP version see page 204 Specifying t...

Страница 204: ...nd RIP version By default IPLink software application software sends RIP 1compatible packets The IPLink software applica tion software allows sending RIP version 1 version 1 compatible or version 2 pa...

Страница 205: ...ing update contains a route to a destination that does not already exist If the update describes a route whose destination is already in the local table the new route is used only if it has a lower co...

Страница 206: ...rip listen Enabling RIP announcing The RIP protocol supports announcing features which are used to proclaim specific routing information to other elements e g routers or IPLink devices in a network T...

Страница 207: ...le auto summarization on IP interface wan on an IPLink IPLink cfg context ip router IPLink ctx ip router interface wan IPLink if ip wan rip auto summary Specifying the default route metric RIP uses a...

Страница 208: ...ly when links are broken However with non broadcast networks such as Frame Relay situations can arise for which this behavior is less than ideal For these situations you might want to disable split ho...

Страница 209: ...rned Enabling this function enhances the stability of the RIP topology in the presence of transients This procedure describes how to enable holding down of aged routes on an interface Mode Interface E...

Страница 210: ...disabled announce static disabled announce default disabled announce self as default disabled route holddown enabled poison reverse disabled auto summary disabled split horizon disabled default route...

Страница 211: ...ccess control list 214 Creating an access control list profile and enter configuration mode 215 Adding a filter rule to the current access control list profile 215 Adding an ICMP filter rule to the cu...

Страница 212: ...ne whether to forward or drop the packet based on the criteria you specified within the access lists Access list criteria could be the source address of the traffic the destination address of the traf...

Страница 213: ...oned between two parts of your network to control traffic entering or exiting a specific part of your internal network To provide the security benefits of access lists you should configure access list...

Страница 214: ...matching the criteria to be dropped To delete an entire access control list enter configuration mode and use the no form of the profile acl com mand naming the access list to be deleted e g no profile...

Страница 215: ...ements that will make up the access control list Use the no form of this command to delete an access control list profile You cannot delete an access control list profile if it is currently linked to...

Страница 216: ...s of control list entry that denies access defined according to the command options Keyword Meaning src The source address to be included in the rule An IP address in dotted decimal format e g 64 231...

Страница 217: ...rocedure describes how to create an ICMP access control list entry that denies access Mode Profile access control list Step Command Purpose 1 node pf acl name permit icmp src src wildcard any host src...

Страница 218: ...included in the rule An IP address in dotted decimal format e g 64 231 1 10 dest wildcard A wildcard for the destination address See src wildcard host dest The address of a single destination host msg...

Страница 219: ...ess Mode Profile access control list This procedure describes how to create a TCP UDP or SCTP access control list entry that denies access Mode Profile access control list Step Command Purpose 1 node...

Страница 220: ...al Indicates that a packets port must be equal to the specified port in order to match the rule lt port Optional Indicates that a packets port must be less than the specified port in order to match th...

Страница 221: ...profile to incoming packets on the interface wan in the IP router context IPLink cfg context ip router IPLink cfg ip router interface wan IPLink cfg if wan use profile acl WanRx in Step Command Purpos...

Страница 222: ...rofile Mode Administrator execution or any other mode except the operator execution mode Example Displaying an access control list entries The following example shows how to display the access control...

Страница 223: ...le disables the debug monitor for access control lists globally IPLink no debug acl Step Command Purpose 1 node cfg context ip router Selects the IP router context 2 node ctx ip router interface if na...

Страница 224: ...hat have to be entered are listed below The commands access the IPLink device via a Telnet session running on a host with IP address 172 16 2 13 which accesses the IPLink via IP interface lan 172 16 2...

Страница 225: ...tification of the IPLink devices via SNMP 228 SNMP tools 228 SNMP configuration task list 228 Setting basic system information 229 Setting access community information 231 Setting allowed host informa...

Страница 226: ...v3 is pending This chap ter provides general descriptions of the SNMP version 1 and 2 protocol operations Be aware that the SNMP agent running in IPLink software is SNMP version 1 SNMPv1 compliant SNM...

Страница 227: ...ief overview of the current SNMP management framework An overall architecture is described in RFC 2571 An Architecture for Describing SNMP Management Frameworks The SNMP man agement framework has seve...

Страница 228: ...list To configure SNMP perform the tasks described in the following sections The tasks in the first three sections are required the tasks in the remaining sections are optional but might be required...

Страница 229: ...hyphens Names must be 63 characters or fewer For more information refer to RFC 1035 This procedure describes how to set these MIB II system group objects Mode Administrator execution If any of the com...

Страница 230: ...me of the System Group objects Example Setting the system group objects In the following example the system information is set for later access via SNMP See figure 35 for a typical MIB browser applica...

Страница 231: ...dividual MIB In the absence of additional configuration options to constrain access knowledge of the single community string for the device is all that is required to gain access to all objects both r...

Страница 232: ...of this system Mode Configure Use the no command option to remove a SNMP allowed host setting Example Setting allowed host information In the following example the host with IP address 172 16 224 45 s...

Страница 233: ...behavior of the SNMP agent running on an IPLink device This procedure describes how to display information and configuration settings for SNMP Mode Configure Example Displaying SNMP related informatio...

Страница 234: ...cryptic information which is not easily understandable to the users trap parsers are required to translate or parse traps into understandable information Using the MibBrowser Figure 36 depicts the pr...

Страница 235: ...sent from any host IPLink device send their traps to the SNMP standard port 162 Invoke the TrapViewer through the usage of the MibBrowser To get to know more about the MibBrowser refer to section Usin...

Страница 236: ...clicking this button TrapViewer begins to receive traps according to the as specified port and community Once received the traps are listed in the trap table of the TrapViewer By default the trap tabl...

Страница 237: ...sUpTime variable converted into hours minutes and seconds Enterprise This field shows the OID of the management enterprise that defines the trap message The value is represented as an OBJECT IDENTIFIE...

Страница 238: ...munication links represented in the agent s configuration has come up 3 Note The linkUp trap is not sent if any of the ISDN ports has come up authenticationFailure TRAP TYPE ENTERPRISE snmp DESCRIPTIO...

Страница 239: ...fy the Interface Traps These assign ments depend on the hardware and software configurations The command show snmp if alias mapping displays the relations between the indexes and the interfaces It als...

Страница 240: ...SNTP client poll interval 244 Defining SNTP client constant offset to GMT 244 Defining the SNTP client anycast address 245 Enabling and disabling local clock offset compensation 246 Showing SNTP clien...

Страница 241: ...nticate traffic although you can configure extended access lists to provide some protection An SNTP client is more vulnerable to misbe having servers than an NTP client and should only be used in situ...

Страница 242: ...relative to the server In anycast mode multipoint to point the client sends a request to a designated local broadcast or multicast group address and expects a reply from one or more anycast servers In...

Страница 243: ...nation port on SNTP time server fields in the UDP header The local port number which the SNTP client uses to contact the primary or secondary SNTP time server in unicast mode has to be defined Note Th...

Страница 244: ...ure Example Setting the SNTP client poll interval In the following example the SNTP client poll interval is set to 30 seconds IPLink cfg sntp client poll interval 30 Defining SNTP client constant offs...

Страница 245: ...used One or more anycast servers listen on the designated local broadcast address or multicast group address Each anycast server upon receiving a request sends a unicast reply message to the originat...

Страница 246: ...iseconds relative to the server In addition this provides a simple method to verify that the server reply is in fact a legitimate response to the specific client request and to avoid replays In multic...

Страница 247: ...ntp client SNTP client enabled Operating mode unicast Local port 123 Primary server 172 16 1 10 123 v4 Secondary server 128 138 140 44 123 v4 Anycast address 224 0 1 1 123 Poll interval 30sec Local cl...

Страница 248: ...mmended public SNTP time servers NIST Internet time service The National Institute of Standards and Technology NIST Internet Time Service allows users to synchronize computer clocks via the Internet T...

Страница 249: ...Service Area Switzerland Europe Access Policy open access Contact Christoph Wicki time iis ee ethz ch Germany DE ntp0 fau de 131 188 34 75 Location University Erlangen Nuernberg D 91058 Erlangen FRG...

Страница 250: ...many Europe Access Policy open access Contact Gerard Gschwind gg cs tu berlin de Additional information on NTP and a list of other NTP servers The University of Delaware hosts a World Wide Web site th...

Страница 251: ...an IP interface 253 Release or renew a DHCP lease manually advanced 255 Get debug output from DHCP client 255 DHCP server configuration tasks 256 Configure DHCP server profiles 256 Use DHCP server pro...

Страница 252: ...inistrator had to manually configure each new network device before it could be used on the network are past In addition to distributing IP addresses DHCP enables configuration information to be distr...

Страница 253: ...perform the steps mentioned below Enable DHCP client on an IP interface Release or renew a DHCP lease manually advanced see page 255 Get debug output from DHCP client see page 255 Configure DHCP agen...

Страница 254: ...rface IPLink cfg context ip IPLink ctx ip router interface eth0 IPLink if ip eth0 ipaddress dhcp IPLink if ip eth0 show dhcp client Context router Name eth0 IpAddress 172 16 224 102 255 255 0 0 Defaul...

Страница 255: ...mmand dhcp client release and dhcp client renew IPLink cfg context ip IPLink ctx ip router interface eth0 IPLink if ip eth0 debug dhcp client IPLink if ip eth0 dhcp client release 01 12 28 DHCPC route...

Страница 256: ...igure the IPLink as DHCP server perform the steps mentioned below Configure DHCP server profiles Use DHCP server profiles and enable the DHCP server and to clear lease database see page 258 Check DHCP...

Страница 257: ...f dhcps name lease time days hours minutes Defines the time a lease is valid DHCP Option 51 6 optional node pf dhcps name no domain name domain name A PC DHCP client may use this domain name to comple...

Страница 258: ...rver This example shows how to assign a profile to the DHCP server and to start the DHCP server IPLink ctx ip router dhcp server use LAN IPLink ctx ip router dhcp server 10 optional node pf dhcps name...

Страница 259: ...192 168 1 32 192 168 1 63 Lease Time 2 days Default Router 192 168 1 1 Domain Name Server 80 254 161 125 80 254 161 126 Bound leases 192 168 1 32 Dufour Address ethernet 00 10 A4 7C 7A F8 Client Id 0...

Страница 260: ...FFER to 192 168 1 32 via 255 255 255 255 68 21 41 29 DHCPS Deferring save of lease database 21 41 29 DHCPS Last saved at 2002 12 04T21 40 29 next at 2002 12 04T21 55 29 21 41 29 DHCPS Request from eth...

Страница 261: ...261 Chapter 23 DNS configuration Chapter contents Introduction 262 DNS configuration task list 262 Enabling the DNS resolver 262 Enabling the DNS relay 263...

Страница 262: ...ated the query This process enables the IPLink to provide answers more quickly to often queried DNS names reducing the number of DNS queries that must be sent across the access link DNS configuration...

Страница 263: ...covered IP 81 221 250 10 Not used Discovered IP 81 221 252 10 Not used IPLink cfg Configured IP indicates a domain name server that has been configured as shown at the beginning of this section Discov...

Страница 264: ...n be consulted from the IPLink The DNS resolver must be configured before you can use the DNS relay feature see section Enabling the DNS resolver on page 262 to enable the DNS resolver if you have not...

Страница 265: ...ion 266 DynDNS configuration task list 266 Creating a DynDNS account 266 Configuring the DNS resolver 266 Configuring basic DynDNS settings 267 Configuring advanced DynDNS settings optional 267 Defini...

Страница 266: ...ifferent levels of service The basic services are offered free of charge while the more advanced services are chargeable The IPLink supports the following DynDNS services Dynamic DNS Static DNS Custom...

Страница 267: ...name If required you can define a mail exchanger or a backup mail exchanger for your hostname on the DynDNS server Mode DynDNS Step Command Purpose 1 node dyndns authentication user pass word Defines...

Страница 268: ...64 Hostname test dyndns org You can also monitor current activities of the DynDNS client This includes ongoing DNS queries for DynDNS servers verification of the currently registered IP address and up...

Страница 269: ...ou can also force the DynDNS client to resume normal operation if the state of the DynDNS client is shown as blocked and the problem which led to the blocked state has been solved The DynDNS client wi...

Страница 270: ...able interface IP address auto configuration from PPP 276 Configuring a PPPoE session 276 Configuring a serial port for PPP 278 Creating a PPP profile 279 Displaying PPP configuration information 280...

Страница 271: ...overview Since the purpose of PPP is providing IP connectivity over different types of link layers all PPP configuration elements connect to the IP context through an IP interface This connection is r...

Страница 272: ...ort translation NAPT if the PPP service provider only offers a single IP address and not an IP sub net or if the IP addresses on the LAN shall be private and hidden behind a public IP address see 12 N...

Страница 273: ...address offered by the PPP remote peer The parameter netmask specifies the size of the subnet in case no point to point is configured 4 optional node if ip name no tcp adjust mss rx tx mtu mss Limits...

Страница 274: ...p Creating a PPP subscriber One or more PPP subscriber shall be configured if either PPP peer requires authentication This procedure describes how to create a PPP subscriber Mode Configure 5 optional...

Страница 275: ...tions if it happens during the day The timer allows to discon nect and reopen the PPP session at a predefined time such as 0200 hours 3 node subscr name no authentication chap pap chap pap Defines the...

Страница 276: ...protocol identifies the PPP remote peer on the Ether net and establishes a PPPoE session with it The PPPoE session provides a logical point to point link that to runs PPP as if it was a physical poin...

Страница 277: ...ion with the name name 7 node pppoe slot port no bind inter face name router or node pppoe slot port no bind sub scriber name Binds the PPPoE session directly to the IP inter face name in case no auth...

Страница 278: ...r profile above IPLink cfg port serial 0 0 IPLink prt ser 0 0 encapsulation ppp IPLink prt ser 0 0 bind subscriber joe_example Step Command Purpose 1 node cfg port serial slot port Enters the configur...

Страница 279: ...ame default Creates the new PPP profile name and enters the PPP profile configuration The profile default already exists 2 optional node pf ppp name mtu min min max max Defines the minimum and maximum...

Страница 280: ...ection dial out Authentication pap Identification inbound none Identification outbound patton patton Timeout for disconnect no absolute timeout no idle timeout Max sessions no limit IP address none Ca...

Страница 281: ...CP Configure Request interval 3000 ms max 10 LCP Configure Nak max 5 LCP Terminate Request interval 3000 ms max 2 LCP Echo Request interval 10000 ms max 3 MTU 68 1492 MRU 68 1492 Callback both CHAP al...

Страница 282: ...configuration information and sta tistics of PPPoE in general and of the PPPoE ses sion s Check whether state of the respective session is Opened level specifies to level of details displayed 1 4 defa...

Страница 283: ...Local ID 100000020390 Remote ID Local configured options Magic Number 0x00000000 MRU 1492 68 1492 ACCM 0xffffffff Local acknowledged options Remote configured options Magic Number 0xb89d9e6b MRU 1492...

Страница 284: ...ion Protocol VJC Max Slot Id 31 Comp Slot Id 1 Remote configured options IP Address 0 0 0 0 IP Compression Protocol VJC Max Slot Id 24 Comp Slot Id 1 Remote acknowledged options IP Address 10 10 10 1...

Страница 285: ...ipaddress 172 16 1 1 255 255 0 0 interface ppp_interface ipaddress unnumbered point to point tcp adjust mss rx mtu tcp adjust mss tx mtu use profile napt WAN context ip router route 0 0 0 0 0 0 0 0 p...

Страница 286: ...numbered interface context ip router interface ppp_interface ipaddress 172 17 1 1 255 255 255 252 point to point port serial 0 0 encapsulation ppp bind interface ppp_interface no shutdown With authen...

Страница 287: ...profile 296 Creating an ISAKMP transform profile 296 Creating an ISAKMP IPSEC policy profile 296 Creating modifying an outgoing ACL profile for IPSEC 298 Configuration of an IP interface and the IP ro...

Страница 288: ...96 is a combination of the keyed hashing for message authentication HMAC and the mes sage digest version 5 MD5 hash algorithm It requires an authenticator of 128 bit length and calculates a hash of 9...

Страница 289: ...hardware applied to reverse engineering a DES key it can take from 3 hours to 3 days to break the key Thus for maximum security DES keys must be manually updated regularly AES or 3DES keys because th...

Страница 290: ...e defines which IPsec transformation profile to apply and whether transport or tunnel mode shall be most effective The SPI identifies a secured communication channel The IPsec component needs the SPI...

Страница 291: ...section Authentication on page 288 and Encryption on page 288 or explicit specification Keys must be available for inbound and out bound directions They can be different for the two directions Make s...

Страница 292: ...affic passes an ACL if available twice once before and once after encryption authentication So the respective ACLs must permit the encrypted authenticated and the plain traffic For detailed informatio...

Страница 293: ...nformation This section shows how to display and verify the IPsec configuration information Procedure To display IPsec configuration information Mode Configure Step Command Purpose 1 node cfg context...

Страница 294: ...problems Procedure To debug IPsec connections Mode Configure Example IPsec Debug Output IPLink cfg debug ipsec IPSEC monitor on 23 11 04 ipsec Could not find security association for inbound ESP packe...

Страница 295: ...the ISPEC security associations To achieve all of this IKE is split into two phases called MAIN MODE and QUICK MODE In MAIN MODE IKE mutually authenticates the peers establishes a shared secret betwe...

Страница 296: ...ofile Mode Configure Creating an ISAKMP IPSEC policy profile You need to create an ISAKMP IPSEC policy profile to define all the settings and profiles needed to establish an IPSEC security association...

Страница 297: ...be established 4 node pf ipsik name use profile isakmp transform name Define one or more ISAKMP transform profiles to be used by this policy If more than one is defined IKE will negotiate a transform...

Страница 298: ...cy using the source ip address To solve this problem you specify the same protection group ID in the ISAKMP IPSEC policy profiles for all of the peers The peers should all use the same remote policy I...

Страница 299: ...w ike policy policy name Displays information about the configuration options of specific policy as well as an indication if the policy is valid or not A policy might be invalid if one or more configu...

Страница 300: ...64 profile ipsec policy manual VPN_DES use profile ipsec transform DES session key inbound esp encryption 1234567890ABCDEF session key outbound esp encryption FEDCBA0987654321 spi inbound esp 1111 sp...

Страница 301: ...ess 172 16 1 1 255 255 0 0 interface FastEthernet0 1 ip address 200 200 200 1 255 255 255 252 crypto map VPN_DES ip route 192 168 1 0 255 255 255 0 FastEthernet0 1 IPsec tunnel AES encryption at 256 b...

Страница 302: ...nge the name of the IPsec policy profile in the ACL profile VPN_Out IPsec tunnel 3DES encryption at 192 bit key length ESP authentication with HMAC MD5 96 IPLink configuration profile ipsec transform...

Страница 303: ...87654321 authenticator FEDCBA0987654321FEDCBA0987654321 set session key outbound esp 7777 cipher 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF authenticator 1234567890ABCDEF1234567890ABCDEF set tra...

Страница 304: ...304 Appendix A Terms and definitions Chapter contents Introduction 305 IPLink software architecture terms and definitions 305...

Страница 305: ...g the IPLink to be accessed and upgraded over the network even if the IPLink software application should not start The boot loader is installed in the factory and is in general never upgraded Bootload...

Страница 306: ...an IPLink Echo Canceller Some voice devices unfortunately have got an echo on their wire Echo cancellation provides near end echo compensation for this device Factory Configuration The factory config...

Страница 307: ...Highway A 30 channel interface connecting the switching engine with optional interface cards containing circuit ports PMC The optional interface cards for IPLink series which are compatible to the PC...

Страница 308: ...rsistent memory nvram and is always copied for execution to the running configuration in the volatile memory system after a system start up System Image A collective term for application images and in...

Страница 309: ...309 Appendix B Mode summary Chapter contents Introduction 310...

Страница 310: ...y on page 313 Figure 42 Mode overview 1 of 2 Operator Exec hostname Administrator Exec hostname Configure hostname cfg Execution Modes Configuration Modes Contexts and interfaces mode name enter comma...

Страница 311: ...et slot port port virtual slot port Profiles Profile ACL profile acl profile_name Gateway H323 gateway h323 name Profile Authentication profile authentication name host pf auth name Gateway H323 gatew...

Страница 312: ...Introduction 312 IPLink Software Configuration Guide B Mode summary...

Страница 313: ...profile_ppp 319 profile ipsec transform 320 ipsec manual policy 320 profile_dhcp server 320 profile_authentication 321 profile_provisioning 321 context_ip 321 interface 321 dyndns 322 subscriber_ppp 3...

Страница 314: ...arameters and arguments The command syntax is Extended Backus Naur Form EBNF and is described as follows Arguments where you must supply the value are surrounded by angle brackets Optional arguments w...

Страница 315: ...e_show resolve router show rip interface ip_interface_name_show router show port ethernet print slot print port show port serial print slot print port detail detail show framerelay pvc print dlci show...

Страница 316: ...x session rx session timer state machine control management error no debug serial no debug framerelay all error lmi packet management no debug ipsec no debug flashserver show accounts show nvram runni...

Страница 317: ...ent server primary server_address port sntp_port version version_number sntp client server secondary server_address port sntp_port version version_number sntp client operating mode unicast multicast a...

Страница 318: ...o permit deny index before after new index up down positions before after index ip ah esp gre igmp any host src host address src base address src wildcard any host dst host address dst base address ds...

Страница 319: ...ce policy arbiter name mode shaper wfq burst shaper burst wfq no rate limit rate_limit header length header_length atm modem voice margin voice_margin no map packet size routed voice routed voice encr...

Страница 320: ...name no esp encryption aes cbc 128 192 256 des cbc 64 3des cbc 128 192 null no esp authentication hmac md5 96 hmac sha1 96 no ah authentication hmac md5 96 hmac sha1 96 exit ipsec manual policy ipsec...

Страница 321: ...me no route destaddr destmask gwaddr interface metric interface interface no interface ip_interface_name ipaddress unnumbered dhcp ip_address ip_mask mtu mtu no point to point no icmp router discovery...

Страница 322: ...name dial in out no authentication chap no authentication pap no authentication chap pap no identification outbound id password password no identification inbound id password password no timeout absol...

Страница 323: ...lation framerelay ppp hardware port v35 x21 transmit data on edge positive negative crc type crc16 crc32 length length threshold threshold mask mask address address 1 address 2 address 3 address 4 add...

Страница 324: ...system Check network connection to remote system Step Command Purpose 1 help topic Shows command help Step Command Purpose 1 show history Shows command history Step Command Purpose 1 show version Show...

Страница 325: ...325 Appendix D Internetworking terms acronyms Chapter contents Abbreviations 326...

Страница 326: ...CBR Constant Bit Rate CD ROM Compact Disc Read Only Memory CDR Call Detail Record CFP Call Forwarding Procedure CLEC Competitive Local Exchange Carriers CLI Command Line Interface CLIP Calling Line I...

Страница 327: ...Hybrid Fiber Coax HTTP HyperText Transport Protocol HW Hardware I IAD Integrated Access Device ICMP Internet Control Message Protocol ILEC Incumbent Local Exchange Carriers IP Internet Protocol IPLink...

Страница 328: ...l Equipment Manufacturer OSF Open Software Foundation OSPF Open Shortest Path First P PBR Policy Based Routing principles PBX Private Branch Exchange PC Personal Computer PMC Production Technology Man...

Страница 329: ...Initiation Protocol SME Small and Medium Enterprises SNMP Simple Network Management Protocol SOHO Small Office Home Office SONET Synchronous Optical Network SS7 Signaling System No 7 STM SDH Transmiss...

Страница 330: ...330 Appendix E Used IP ports in the IPLink software Chapter contents Used IP ports in the IPLink software 331...

Страница 331: ...Used IP ports in the IPLink software Component Port Description NAPT TCP 8000 15999 NAPT port range Telnet TCP 23 TCP server port Webserver TCP 80 TCP server port DHCP UDP 67 Source port DHCP Server U...

Отзывы:

Нет отзывов