manualshive.com logo in svg

Patton OnSite 3210 Series, Руководство пользователя, Страница: 67 / 110

Поделиться
Скачать
Patton OnSite 3210 Series Скачать руководство пользователя страница 67

Examples

67

OnSite Model 3210 User Manual 

6 • Access control list configuration

Examples

Denying a specific subnet

Figure 15

 shows an example in which a server attached to network 172.16.1.0 shall not be accessible from outside 

networks connected to IP interface 

lan

 of the OnSite device. To prevent access, an incoming filter rule named 

Jamming

 is defined, which blocks any IP traffic from network 172.16.2.0 and has to be bound to IP interface 

lan

.

Figure 15. Deny a specific subnet on an interface

The commands that have to be entered are listed below. The commands access the OnSite device via a Telnet 
session running on a host with IP address 172.16.2.13, which accesses the OnSite via IP interface 

lan

.

172.16.2.1>enable
172.16.2.1#configure
172.16.2.1(cfg)#profile acl Jamming
172.16.2.1(pf-acl)[Jamming]#deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
172.16.2.1(pf-acl)[Jamming]#permit ip any any
172.16.2.1(pf-acl)[Jamming]#exit
172.16.2.1(cfg)#context ip router
172.16.2.1(cfg-ip)[router]#interface lan
172.16.2.1(if-ip)[lan]#use profile acl Jamming in
172.16.2.1(if-ip)[lan]#exit
172.16.2.1(cfg-ip)#copy running-config startup-config

Host

Server

Node

Node

172.16.2.1/24

172.16.1.1/24

secure

lan

172.16.1.0

172.16.2.0

172.16.2.13/24

Содержание OnSite 3210 Series

Страница 1: ...e 3210 Series G SHDSL VPN Router User Manual Sales Office 1 301 975 1000 Technical Support 1 301 975 1007 E mail support patton com WWW www patton com Part Number 07M3210 GS Rev B Revised February 23...

Страница 2: ...h license Patton Electronics warrants all OnSite router components to be free from defects and will at our option repair or replace the product should it fail within one year from the first date of th...

Страница 3: ...iguration 37 5 VPN configuration 42 6 Access control list configuration 54 7 Link scheduler configuration 68 8 LEDs status and monitoring 87 9 Contacting Patton for assistance 89 A Compliance informat...

Страница 4: ...iptions 19 Applications overview 20 Branch Office virtual private network over Frame Relay service 20 Corporate multi function virtual private network 21 2 Hardware installation 23 Planning the instal...

Страница 5: ...figuration task list 44 Creating an IPsec transformation profile 44 Creating an IPsec policy profile 45 Creating modifying an outgoing ACL profile for IPsec 47 Configuration of an IP interface and the...

Страница 6: ...r configuration 68 Introduction 69 Configuring access control lists 69 Configuring quality of service QoS 70 Applying scheduling at the bottleneck 70 Using traffic classes 70 Introduction to Schedulin...

Страница 7: ...ty Service and Returned Merchandise Authorizations RMAs 90 Warranty coverage 90 Out of warranty service 91 Returns for credit 91 Return for credit policy 91 RMA numbers 91 Shipping instructions 91 A C...

Страница 8: ...Adapter 99 C Cabling 100 Introduction 101 Serial console 101 Ethernet 10Base T and 100Base T 102 D Port pin outs 104 Introduction 105 Console port RJ 45 EIA 561 RS 232 105 Ethernet 10Base T and 100Bas...

Страница 9: ...e terminal 33 12 Connecting the OnSite VPN Router to the network 35 13 Configuring the G SHDSL card for PPPoE 38 14 Using traffic filters to prevent traffic from being routed to a network 56 15 Deny a...

Страница 10: ...mmands 40 8 PVC channels in bridged Ethernet mode 40 9 PVC channels in PPPoE mode 40 10 Diagnostics commans 41 11 Command cross reference 74 12 TOS values and their meaning 81 13 Traffic control info...

Страница 11: ...evice Chapter 6 on page 54 provides an overview of IP access control lists and describes the tasks involved in their configuration through the OnSite router Chapter 7 on page 68 describes how to use a...

Страница 12: ...T heading calls attention to important information The alert symbol and CAUTION heading indicate a potential hazard Strictly follow the instructions to avoid property damage The shock hazard symbol an...

Страница 13: ...ith an external power adapter the adapter shall be a listed Lim ited Power Source For AC powered units ensure that the power cable used with this device meets all applicable standards for the country...

Страница 14: ...the proper voltage is present before plugging the power cord into the receptacle Failure to do so could result in equipment damage The interconnecting cables shall be acceptable for external use and s...

Страница 15: ...type Parts of commands which are related to elements already named by the user are in boldface italic font Italicized Futura type Variables for which you supply values are in italic font Futura type...

Страница 16: ...el 3210 Series overview 17 OnSite 3210 Series detailed description 18 Model code extensions 18 Ports descriptions 19 Applications overview 20 Branch Office virtual private network over Frame Relay ser...

Страница 17: ...against unauthorized users while encryption and anti replay capa bilities preserve data confidentiality Patton s powerful CoS and QoS mechanisms provide traffic shaping and prioritization to guarantee...

Страница 18: ...et LAN connectivity and a G SHDSL WAN interface see figure 2 Figure 2 OnSite 3210 Series G SHDSL connector Figure 3 OnSite 3210 Series power input connectors Model code extensions A model code extensi...

Страница 19: ...ghput supporting ATM QoS Supports multiple PVC and DSLAM interoperability The DSL LEDs are located on either side of the DSL port ACT when lit or blinking shows activity and Link when lit shoes that t...

Страница 20: ...ervices The G SHDSL port pro vides WAN access by means of a leased line connection to the network The following sections show some typical applications for the OnSite 3210 Series This chapter describe...

Страница 21: ...ng OnSite s multiple frame relay PVC support see figure 6 The enterprise enjoys the benefits of secure multi office virtual private networking with QoS for prioritized traffic flow for mission critica...

Страница 22: ...f corporation and Internet traffic is managed by using an ACL using IP addresses as the watershed To configure this application you must configure the following features A serial Frame Relay link as t...

Страница 23: ...Network information 26 Network Diagram 26 IP related information 26 Software tools 26 Power source 26 Location and mounting requirements 27 Installing the VPN router 27 Mounting the VPN router 27 Con...

Страница 24: ...d by the applicable local and international regulations Ensure that your site is properly prepared before beginning installation Before installing the VPN Router device the following tasks should be c...

Страница 25: ...r site log Table 3 Installation checklist Task Verified by Date Network information available recorded in site log Environmental specifications verified Site power voltages verified Installation site...

Страница 26: ...addresses and subnet masks used for the V 35 or X 21 serial WAN port IP addresses and subnet masks used for the T1 E1 WAN port IP addresses of central TFTP Server used for configuration upload and do...

Страница 27: ...uter should be installed in a dry environment with sufficient space to allow air circulation for cooling Note For proper ventilation leave at least 2 inches 5 cm to the left right front and rear of th...

Страница 28: ...e terminated with RJ 45 plugs Note Pins not listed are not used Figure 7 Connecting an OnSite 3210 Series device to a hub Installing the DSL cable The OnSite 3210 comes with a G SHDSL interface Use a...

Страница 29: ...cribes installing the power cord into the VPN Router Do the following Note Do not connect the power cord to the power outlet at this time 1 If your unit is equipped with an internal power supply go to...

Страница 30: ...9 Congratulations you have finished installing the OnSite VPN Router Now go to chapter 3 Getting started with the OnSite on page 31 The UI and EUI power supplies automatically adjust to accept an inp...

Страница 31: ...pter contents Introduction 32 1 Configure IP address 33 Power connection and default configuration 33 Connect with the serial interface 33 Login 34 Changing the IP address 34 2 Connect the OnSite VPN...

Страница 32: ...to the network 3 Load configuration Console port Serial interface PC or workstation with VT 100 emulation terminal Ethernet interface ETH0 Network interface PC or workstation or VT 100 emulation term...

Страница 33: ...le port is wired as an EIA 561 RS 232 port Use the included Model 16F 561 adapter and cable see figure 11 between the OnSite VPN Router s Console port and a PC or workstation s RS 232 serial interface...

Страница 34: ...context IP mode to configure an IP interface 172 16 40 1 cfg context ip router 172 16 40 1 ctx ip router Now you can set your IP address and network mask for the interface eth0 Within this example a c...

Страница 35: ...on that you can use it to speed up configuring the OnSite router Simply download the configuration note that matches your application to your PC Adapt the configu ration as described in the configurat...

Страница 36: ...Router has been rebooted the new start up configuration will be activated 172 16 1 99 if ip eth0 reload Running configuration has been changed Do you want to copy the running config to the startup co...

Страница 37: ...nts Introduction 38 Line Setup 38 Configuring PPPoE 38 Configuration Summary 39 Setting up permanent virtual circuits PVC 40 Using PVC channels in bridged Ethernet mode 40 Using PVC channels with PPPo...

Страница 38: ...the back of the device is blinking while the modem attempts to connect and lit when the link is established If the modem keeps blinking check the cabling Configuring PPPoE Figure 13 explains how to co...

Страница 39: ...uthentication which is why you bind to a subscriber You can use authentication chap or authentication pap The line bind sub scriber MySubscriber binds the PPPoE session to the PPP subscriber in case a...

Страница 40: ...the PVC was a regular Ethernet port Note The bridged PVC connections are internally mapped to VLANs on a virtual Ethernet port 0 2 You will therefore see references to this third Ethernet port when di...

Страница 41: ...orking there is probably no compatible authentication protocol configured Make sure authentication chap and authentication pap are included in the subscriber setup If only CHAP failed there may be an...

Страница 42: ...an IP interface and the IP router for IPsec 48 Displaying IPsec configuration information 48 Debugging IPsec 49 Sample configurations 50 IPsec tunnel DES encryption 50 OnSite configuration 50 Cisco r...

Страница 43: ...combination of the keyed hashing for message authentication HMAC and the message digest version 5 MD5 hash algorithm It requires an authenticator of 128 bit length and calculates a hash of 96 bits ove...

Страница 44: ...laying IPsec configuration information Debugging IPsec Creating an IPsec transformation profile The IPsec transformation profile defines which authentication and or encryption protocols which authenti...

Страница 45: ...communication Furthermore the profile defines which IPsec transformation profile to apply and whether transport or tunnel mode shall be most effective The SPI identifies a secured communication chann...

Страница 46: ...ction Authentication on page 43 and Encryption on page 43 or explicit specification Keys must be available for inbound and out bound directions They can be different for the two directions Make sure t...

Страница 47: ...s an ACL if available twice once before and once after encryption authentication So the respective ACLs must permit the encrypted authenticated and the plain traffic For detailed information on how to...

Страница 48: ...n This section shows how to display and verify the IPsec configuration information Procedure To display IPsec configuration information Mode Configure Step Command Purpose 1 node cfg context ip router...

Страница 49: ...Procedure To debug IPsec connections Mode Configure Example IPsec Debug Output 3210 cfg debug ipsec IPSEC monitor on 23 11 04 ipsec Could not find security association for inbound ESP packet SPI 1201...

Страница 50: ...s in the ACL profiles Adjust the IP addresses of the LAN and WAN interfaces Adjust the route for the remote network IPsec tunnel DES encryption OnSite configuration profile ipsec transform DES esp enc...

Страница 51: ...1 1 255 255 0 0 interface FastEthernet0 1 ip address 200 200 200 1 255 255 255 252 crypto map VPN_DES ip route 192 168 1 0 255 255 255 0 FastEthernet0 1 IPsec tunnel AES encryption at 256 bit key leng...

Страница 52: ...the name of the IPsec policy profile in the ACL profile VPN_Out IPsec tunnel 3DES encryption at 192 bit key length ESP authentication with HMAC MD5 96 OnSite configuration profile ipsec transform TDES...

Страница 53: ...4321 authenticator FEDCBA0987654321FEDCBA0987654321 set session key outbound esp 7777 cipher 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF authenticator 1234567890ABCDEF1234567890ABCDEF set transfo...

Страница 54: ...ccess control list 57 Creating an access control list profile and enter configuration mode 58 Adding a filter rule to the current access control list profile 58 Adding an ICMP filter rule to the curre...

Страница 55: ...hether to forward or drop the packet based on the criteria you specified within the access lists Access list criteria could be the source address of the traffic the destination address of the traffic...

Страница 56: ...d between two parts of your network to control traffic entering or exiting a specific part of your internal network To provide the security benefits of access lists you should configure access lists a...

Страница 57: ...matching the criteria to be dropped To delete an entire access control list enter configuration mode and use the no form of the profile acl com mand naming the access list to be deleted e g no profile...

Страница 58: ...ments that will make up the access control list Use the no form of this command to delete an access control list profile You cannot delete an access control list profile if it is currently linked to a...

Страница 59: ...ol list entry that denies access defined according to the command options Keyword Meaning src The source address to be included in the rule An IP address in dotted decimal format e g 64 231 1 10 src w...

Страница 60: ...dure describes how to create an ICMP access control list entry that denies access Mode Profile access control list Step Command Purpose 1 node pf acl name permit icmp src src wildcard any host src des...

Страница 61: ...d in the rule An IP address in dotted decimal format e g 64 231 1 10 dest wildcard A wildcard for the destination address See src wildcard host dest The address of a single destination host msg name T...

Страница 62: ...Profile access control list This procedure describes how to create a TCP UDP or SCTP access control list entry that denies access Mode Profile access control list Step Command Purpose 1 node pf acl n...

Страница 63: ...es that a packets port must be equal to the specified port in order to match the rule lt port Optional Indicates that a packets port must be less than the specified port in order to match the rule gt...

Страница 64: ...rofile to incoming packets on the interface wan in the IP router context 3210 cfg context ip router 3210 cfg ip router interface wan 3210 cfg if wan use profile acl WanRx in Step Command Purpose 1 nod...

Страница 65: ...Mode Administrator execution or any other mode except the operator execution mode Example Displaying an access control list entries The following example shows how to display the access control list...

Страница 66: ...bles the debug monitor for access control lists globally 3210 no debug acl Step Command Purpose 1 node cfg context ip router Selects the IP router context 2 node ctx ip router interface if name Select...

Страница 67: ...have to be entered are listed below The commands access the OnSite device via a Telnet session running on a host with IP address 172 16 2 13 which accesses the OnSite via IP interface lan 172 16 2 1...

Страница 68: ...ist profile 75 Packet classification 75 Creating an access control list 76 Creating a service policy profile 77 Specifying the handling of traffic classes 79 Defining fair queuing weight 79 Defining t...

Страница 69: ...apply a rate limit to reduce delay and what a traffic class means Configuring access control lists Packet filtering helps to control packet movement through the network Such control can help to limit...

Страница 70: ...e resources really makes a difference Frequently the access link modem is outside of the OnSite and the queueing would happen in the modem which does not distinguish between packet types To improve Qo...

Страница 71: ...ter to define the arbitration mode and the order in which packets of different classes are served Introduction to Scheduling Scheduling essentially means to determine the order in which packets of the...

Страница 72: ...urce had to strictly obey its limit all following packets would also have to be delayed by the same amount and further collisions would reduce the achieved rate even further To avoid this effect the O...

Страница 73: ...n Setting the modem rate To match the data multiplexing of different traffic types to the capacity of the access link is the most common application of the OnSite link scheduler 1 Create a minimal pro...

Страница 74: ...to straight forwardly configure OnSite devices In table 11 the Cisco IOS Release 12 2 QoS commands are in contrast with the respective OnSite commands Link scheduler configuration task list To config...

Страница 75: ...of packet descriptions like addressed to xyz Those descrip tions are called rules For each packet the list of descriptions is sequentially checked and the first rule that matches decides what happens...

Страница 76: ...ic from a Web server The scenario is depicted in figure 20 The IP address of the Web server is used as source address in the permit statement of the IP filter rule for the access control list Figure 2...

Страница 77: ...l lists the link arbiter needs rules defining how to handle the different traffic classes For that purpose you create a service policy profile The service policy profile defines how the link arbiter h...

Страница 78: ...e name of the link arbiter profile to configure On the second line the global band width limit is set The value defining the bandwidth is given in kilobits per second Each service policy profile must...

Страница 79: ...ses the values are relative to each other It is recommended to split 100 which can be read as 100 among all available source classes e g with 20 30 and 50 as value for the respec tive share commands w...

Страница 80: ...lass name Excess pack ets are dropped Used in class mode queuing only happens at the leaf of the arbitration hierarchy tree The no form of this command reverts the queue limit to the internal default...

Страница 81: ...C791 RFC1349 The precedence field is defined by the first three bits and supports eight levels of priority The low est priority is assigned to 0 and the highest priority is 7 The no form of this comma...

Страница 82: ...ritical data Under 802 1p a 4 byte Tag Control Info TCI field is inserted in the Layer 2 header between the Source Address and the MAC Client Type Length field of an Ethernet Frame Table 13 lists the...

Страница 83: ...ment aver age kilobits defines the average permitted rate in kbps the value of the second argument kilobits ahead defines the tolerated burst size in kbps ahead of schedule Excess packets are dropped...

Страница 84: ...smit direction Providers may use input shaping to improve downlink voice jitter in the absence of voice support The default setting no service policy sets the interface to FIFO queuing Mode Interface...

Страница 85: ...0 Displaying link scheduling profile information The show profile service policy command displays link scheduling profile information of an existing ser vice policy profile This command is only availa...

Страница 86: ...queues of a profile The following example shows how to enable statistic gathering for all traffic classes 3210 enable 3210 configure 3210 cfg profile service policy sample 3210 pf srvpl sample debug q...

Страница 87: ...87 Chapter 8 LEDs status and monitoring Chapter contents Status LEDs 88...

Страница 88: ...Off indicates no power applied Run When lit indicates normal operation Flashes once per second during boot startup Ethernet each port Link Lit when Ethernet link is up 100M On when 100 Mbps Ethernet...

Страница 89: ...n Support Headquarters in the USA 90 Alternate Patton support for Europe Middle Ease and Africa EMEA 90 Warranty Service and Returned Merchandise Authorizations RMAs 90 Warranty coverage 90 Out of war...

Страница 90: ...7 Fax 1 253 663 5693 Alternate Patton support for Europe Middle Ease and Africa EMEA Online support available at http www patton inalp com E mail support email sent to support patton inalp com will be...

Страница 91: ...e issued upon receipt and inspection of the equipment 30 to 60 days We will add a 20 restocking charge crediting your account with 80 of the purchase price Over 60 days Products will be accepted for r...

Страница 92: ...n Chapter contents Compliance 93 EMC 93 Safety 93 PSTN Regulatory 93 Radio and TV Interference FCC Part 15 93 CE Declaration of Conformity 93 Authorized European Representative 94 FCC Part 68 ACTA Sta...

Страница 93: ...not occur in a particular installation If the OnSite router does cause interference to radio or television reception which can be determined by disconnecting the unit the user is encouraged to try to...

Страница 94: ...sible Also you will be advised of your right to file a complaint with the FCC if you believe it is necessary The telephone company may make changes in its facilities equipment operations or procedures...

Страница 95: ...6 IP services 96 Management 96 Operating environment 96 Operating temperature 96 Operating humidity 96 System 97 Dimensions 97 G SHDSL Daughter Card 98 Power supply 99 Internal AC version 99 12VDC ver...

Страница 96: ...FC 1058 and 2453 Programmable static routes ICMP redirect RFC 792 Packet fragmentation DiffServe ToS set or queue per header bits Packet Policing discards excess traffic 802 1p VLAN tagging IPSEC AH E...

Страница 97: ...System 97 OnSite Model 3210 User Manual B Specifications System CPU Motorola MPC875 operating at 66 MHz Memory 32 Mbytes SDRAM 8 Mbytes Flash Dimensions 7 3W x 1 6H x 6 1D in 18 5H x 4 1W x 15 5D cm...

Страница 98: ...2 Section E 9 TPS TC for ATM transport ITU T G 991 2 Section E 11 TPS TC for PTM transport DSL Connection RJ 11 12 2 wire Management I 610 OAM F4 F5 Management interfaces GUI and Telnet Software upgra...

Страница 99: ...ternal SELV source which provides reinforced insulation from the AC mains power and where the DC connector is the disconnect device The source must have a rating of 12 VDC 1 25 A 5VDC Version with Ext...

Страница 100: ...100 Appendix C Cabling Chapter contents Introduction 101 Serial console 101 Ethernet 10Base T and 100Base T 102...

Страница 101: ...ing a serial terminal Note See section Console port RJ 45 EIA 561 RS 232 on page 105 for console port pin outs The interconnecting cables must be acceptable for external use and must be rated for the...

Страница 102: ...are connected to the OnSite over a cable with RJ 45 plugs Use a cross over cable to a host or a straight cable to a hub See figure 25 host and figure 26 on page 103 hub for the different connections...

Страница 103: ...Ethernet 10Base T and 100Base T 103 OnSite Model 3210 User Manual C Cabling Figure 26 Ethernet straight through Hub Straight through cable RJ 45 male Tx Tx Rx Rx 1 2 3 6 RJ 45 male 1 Rx 2 Rx 3 Tx 6 Tx...

Страница 104: ...104 Appendix D Port pin outs Chapter contents Introduction 105 Console port RJ 45 EIA 561 RS 232 105 Ethernet 10Base T and 100Base T port 106 DSL 106...

Страница 105: ...re 27 showing the RJ 45 receptacle with the numerical identification of the pin numbers and functions Figure 27 EIA 561 RJ 45 8 pin port Refer to table 17 which tabulates the pin number signal name an...

Страница 106: ...Base T port The Ethernet ports are auto detect MDI X Note Pins not listed are not used DSL Note Pins not listed are not used Table 18 RJ 45 socket Pin Signal Direction 1 TX from OnSite 2 TX from OnSit...

Страница 107: ...107 Appendix E OnSite 3210 Series factory configuration Chapter contents Introduction 108...

Страница 108: ...rofile dhcp server DHCP network 192 168 1 0 255 255 255 0 include 192 168 1 10 192 168 1 19 lease 2 hours default router 192 168 1 1 context ip router interface eth0 ipaddress 172 16 40 1 255 255 0 0...

Страница 109: ...109 Appendix F Installation checklist Chapter contents Introduction 110...

Страница 110: ...e 20 Installation checklist Task Verified by Date Network information available recorded in site log Environmental specifications verified Site power voltages verified Installation site pre power chec...

Отзывы:

Нет отзывов