Manuals / 3Com / Computer Equipment / Network Router

3Com OfficeConnect Remote 812 manual IP Source and Destination Network Filtering Using CLI

Models: OfficeConnect Remote 812

1 170

Download 170 pages 51.21 Kb

Page 88

6-52CHAPTER 6: MANUAL SETUP

IP Source and Destination Network Filtering Using CLI

Source and destination address filtering is generally used to limit permitted access to trusted hosts and networks only, to explicitly deny access to hosts and networks that are not trusted, or to limit external access to a given host (for example, a web server or a firewall).

Note that only the part of the IP address specified by the mask field is used in the comparison. If a match is found, the packet is forwarded (rules containing accept) or discarded (rules containing reject).

The following rule example allows forwarding of only IP packets with source addresses that match the first 16 bits of the given IP address (addresses beginning with 192.77):

IP:

1ACCEPT src-addr = 192.77.200.203/16;

999DENY;

The following rule example rejects IP packets with a source address: 144.133.20.1.

IP:

1 REJECT src-addr =144.133.20.1;

The following rule example allows forwarding of only IP packets with source address 192.77.100.32 and destination address 201.128.11.34:

IP:

1AND src-addr = 192.77.100.32;

2ACCEPT dst-addr = 201.128.11.34;

999DENY;

IP Source and Destination Port Filtering Using CLI

You can also filter against UDP and TCP ports. The following rule example rejects

IP packets with a TCP port number of 80.

IP:

1 REJECT tcp_dst_port = 80;

IP Protocol Filtering Using CLI

Filtering can be done on protocol as well. The protocols that can be filtered are

UDP, TCP and ICMP. The following rule example rejects TCP packets.

IP:

1 REJECT protocol = TCP;

IP RIP Packet Filtering Using CLI

Routing Information Protocol (RIP) packets are used to identify all attached networks as well as the number of router hops required to reach them. The responses are used to update a router's routing table

Image 88

3Com OfficeConnect Remote 812 manual IP Source and Destination Network Filtering Using CLI, IP Protocol Filtering Using CLI

Contents

OfficeConnect Remote ADSL Router CLI User’s Guide ReleasePart Number 10043337 AA 3Com Corporation 5400 Bayfront PlazaSanta Clara, California 95052-8145Table of Contents ACCESSING THE CONFIGURATION INTERFACECLI COMMAND CONVENTIONS AND TERMINOLOGY CONFIGURATION METHODSQUICKVC SETUP MANUAL SETUPStarting QuickVC Setup IPX Routing Network Service PPPSetting Up a Virtual Private Network VPN Tunnel Configuring IPX for Remote Site Connections Setting Date and Time Using Network Time Protocol NTPProviding TFTP Access Monitoring the DHCP RelayOFFICECONNECT REMOTE 812 SAMPLE CONFIGURATION CLI COMMAND DESCRIPTION disable securityoption snmp useraccess list ip addresses list accesslist processes list services B list snmp communities or list snmp trapcommunities B set system INPUT COUNTERS TCP COUNTERSTELNET 3COM CORPORATION LIMITED WARRANTY FCC CLASS A VERIFICATION STATEMENT FCC CLASS B STATEMENT FCC DECLARATION OF CONFORMITYPOSITIONAL HELP B Command Completion B Output PauseACCESSING THE CONFIGURATION 1 INTERFACE Establishing Communications with the OfficeConnect RemoteIBM-PC Compatible Computers Macintosh ComputersUNIX-Based Computers telnet ipaddressCLI COMMAND CONVENTIONS AND 2 TERMINOLOGY Command Structureadd ip network is the command ParametersCommand Abbreviation andCompletion HelpConventions Command Language Terminology Page Quick Setup Instructions CONFIGURATION METHODSQuickVC Setup Instructions Manual Setup Instructions 3-2 CHAPTER 3 CONFIGURATION METHODSQUICK SETUP CLI Quick Setup ScriptRestoring the OfficeConnect Remote 812 to an Unconfigured State ADSL Router Installation GuideQuick Setup Script Quick Setup Script InstructionsDo you want to continue Quick Setup? Password ProtectionQuick Setup Identification Information Quick Setup Management InformationTELNET information Quick Setup IP Information4-4 CHAPTER 4 QUICK SETUP Quick Setup IPX Information Quick Setup Bridge Information Sample Identification InformationManagement Information TELNET ManagementSample Output Display as Quick Setup Executes Page CLI QuickVC Setup Script QUICKVC SETUPStarting QuickVC Setup OCR-DSL quickvc Network Service PPP CLI QuickVC Setup Script Service PPP Service RFCIPX Routing Network BridgingSample Identification InformationSample Output Display as Quick Setup ExecutesPage MANUAL SETUP Configuration OverviewRemember to save your configuration using the save all command before Remote SiteManagement memoryset vc vc name networkservice ppp Configuring Network Service Informationset vc vc name networkservice pppoe set vc vc name networkservice pppoaCurrently, the SVC capability is disabled in the OCR set vc vc name dynamicipaddressing dhcpclientSetting Up a Virtual set vc vc name atm categoryofservice unspecifed pcr cell rateset vc vc name atm categoryofservice constant pcr cell rate when transmitting data to the remote siteOn the Remote Private Network “Server” Side VPN Tunneling Overview Before You Begin Initiating a VPN TunnelOn the 812 ADSL Router “Client” Side VPN Tunnel disable tunnel commandEnabling and Disabling a list tunnel Use this command to list the name and status of tunnels To learn how to set up encryption using the CLI, see Configuring Authentication and EncryptionValues Configuring Windows 2000 Server to Support CHAP Authentication EncryptionMICROSOFT56BIT NONE REQUIRED Router to Support Encryption for L2TP Tunnelsaaa authentication login cisco local Configuring a Cisco Router to Support Encryption for L2TP TunnelsValue Name ProhibitIpSec peer default ip address pool L2TP vpdn-group 1 accept-dialin protocol l2tp virtual-templateterminate-from hostname OfficeConnect local name c7200 interface Ethernet1/2ppp authentication pap RIP Configuration router rip ver network IP Pool for L2TP TunnelDebug vpdn command errorIP Routing 6-14 CHAPTER 6 MANUAL SETUPenable ip forwarding enable ip RIPdisable ip RIP show ip routing settingsnegotiate addressselectionset vc vc name The defaultrouteoption can only be enabled in one VC profileRemote Site Configuring Static and Framed IP Routes 6-18 CHAPTER 6 MANUAL SETUPAddress Translation continues to run until a NAT port frees up For a vc added using QuickVC, NAT is enabled by defaultused port 80, private port 80, and the private address of the LAN Server Use the following command to configure PAT in a vc profileIntelligent PAT 6-22 CHAPTER 6 MANUAL SETUPset vc vc name intelligentpatoption Enable/Disable Please also note the followingEnabling NAT set vc vc name natoption natConfiguring NAT Static and Dynamic Mappings 6-24 CHAPTER 6 MANUAL SETUPadd nat dynamic vc vc name publicpoolstart ip address count number list nat vc vc name port portlist nat vc vc name addr AND / ORRemote Configuring the DHCP Mode DHCPset dhcp server startaddress ip address endaddress ip address set dhcp server mask ip addressset dhcp server lease seconds set dhcp server router ip addressConfiguring the DHCP show dhcp server counterslist dhcp server leases Relayenable dns show dns settingstimeout set dnsIPX Routing Access Listslist dns servers Configuring IPX for Remote Site Connections Enabling IPX Routing Configuring IPX for the LAN6-32 CHAPTER 6 MANUAL SETUP Configuring IPX Static and Framed Routes add ipxroute vc vc name ipxnet ipx network address metric numberConfiguring IPX Static and Framed Services delete ipx service name type hex numberadd ipxservice vc vc name hops number 6-34 CHAPTER 6 MANUAL SETUPConfiguring IPX RIP and SAP Bridgingset ipx network network name set ipx network network nameConfiguring Bridging for the Remote Site Connections Bridging IP TrafficConfiguring Bridging for the LAN 6-36 CHAPTER 6 MANUAL SETUPshow ip settings Advanced Bridging Optionsset bridge agingtime seconds set bridge forwarddelay secondsSimultaneous Bridging and Routing set vc vcname macrouting enableset bridge firewall discardroutedprotocols Administration Setting Date and TimeSystem set bridge firewall fwdunicastonlyNetwork Time Protocol CLI Commands set enable ntpset disable ntp For example set date 01-JAN-1998set timeout seconds set secondaryserver ipnameoraddrset pollinginterval seconds set retransmissions numberNTP Servers clock.psu.edu show system set system name name location location contact contactlist users delete user nameSetting Password Protection list tftp clientsexit cli After logging in to the CLI, you can exit the CLI with the commandData Filtering Overview OfficeConnect Remote 812 Filtering Capabilities6-46 CHAPTER 6 MANUAL SETUP Filter Classes The OCR 812 supports three filter classes Creating Filters Using Command LineCreating Filters OverviewProtocol Rules The OR operation can be implemented by successive rules IP 1 ACCEPT src-addr=xxx 2 ACCEPT dst-addr=yyy 999 DENYLENGTH - The number of bytes in the packet to compare to the value IP Source and Destination Network Filtering Using CLI IP Source and Destination Port Filtering Using CLIIP Protocol Filtering Using CLI IP RIP Packet Filtering Using CLIIPX Source and Destination Host Filtering Using CLI IPX Source and Destination Network Filtering Using CLIIPX Source and Destination Socket Number Filtering Using CLI IPX RIP Packet Filtering Using CLI IPX SAP Packet Filtering Using CLIBridge / Generic Filtering Using CLI IPX 1 ACCEPT src-socket = 999 DENYCreating Filter Files Using CLImemory Assigning Filters Applying Filters Using Interface Using CLIby entering the CLI command set interface eth1 filteraccess off VC/Remote Site FiltersUsing CLI Filter List Using CLIManaging Filters VPN Tunnelan Interface Using CLI Removing a Filter fromVC/Remote Site Profile Deleting a Packet Filter6-60 CHAPTER 6 MANUAL SETUP OFFICECONNECT REMOTE 812 SAMPLE A CONFIGURATION Sample ConfigurationOCR 812 features OverviewConfiguring the Global Configurationenable securityoption remoteuser administration add user root password !rootadd dns server * vc Internet enable dns add ipx network ipx address 10 frame ethernetii enable yesdisable bridge spanningtree add bridge network bridge set dhcp server dns1 192.168.200.254 dns2set vc Internet defaultrouteoption enable enable vc Internet set vc Internet sendname internet-user sendpassword 1a2b3cset vc Internet iprouting listen set vc corp-net iprouting both set vc corp-net ipxaddress 0 ipxrouting all enable vc corp-netConfiguring the Sample Network A-5 Page CLI Command Description CLI Commandsadd access vcblknetbiosprimaryaddress ipaddress secondaryaddress ipaddress vcname vcname add ip defaultroute add framedroute vc nameiproute ipaddress metric number metricaddress ipxaddress interface eth1 enabled yes add ip network networknameaddress ipnetaddress frame ETHERNETII SNAP LOOPBACK interface eth1 gateway gatewayaddr metric hopcountadd ipx service servicename type servicetypeadd ipx route ipxnetaddress gateway ipxhostaddress metric metricnumber ticks ticknumberipxnet ipxaddress metric hopcount ticks ticknumber type servicetypeadd ipxservice vc name add ipxroute vc nameservertype servertype socket socketnumber enabled YES data “string” add network service servicename statusCLI Commands B-7 Add network service example add networkservice CLIaccess servertype TELNETD socketaddress ipaddress access RO RW closeactiveconnections TRUE FALSEadd snmp trapcommunity name ipnameoraddraddress ipaddress add tunneladd user name add vc namearp output outputfilename ipnameoraddr enabled yesdelete ipx route ipxnetaddress delete ipx service servicename delete pat tcp vcvcname type servicetypepublicaddress ipaddress publicpoolstart ipaddresstunnelname entriesDISABLE disable ip networkDIAL bridge forwardingdisable snmp interfacename interface settings commandauthentication traps output outputfileENABLE networksusing list network services HANGUPinterfacename interfacename interface settings commandHELP HISTORYKILL LISTmgmt - unknown, but filtering information exists Interface - eth1, DA1 or loopback If Name - eth1, DA1 or loopbackCLI Commands B-19 Prot - LOCAL or RIP trapcommunities not list access PAUSED COMMANDS More or CRContinue printing Quittimeout timeoutvalue PINGRENAME RESOLVEset command history numerical range idle timeout minutes SAVEset bridge agingtime secondsenabled YES NO set dhcp relay server1set dhcp relay server2 address IPaddressset dns cachesize number numberretries number timeout seconds set dhcp serverDNS1 IPaddress DNS2 IPaddressset interface interfacename filteraccess ON OFF inputfilter filtername outputfilter filternameroutingprotocol NONE RIPV1 RIPV2 B-28 APPENDIX B CLI COMMAND DESCRIPTION routerid routerid CLI Commands B-29rip BOTH DISABLE LISTEN RESPONDONLY SEND ripagemultiplier number rippacketsize number ripupdateinterval numbersap BOTH DISABLE LISTEN RESPONDONLY SEND sapagemultiplier number sapupdateinterval numberset network service adminname poolmembers numberSets parameters for configured network services Sets parameters for dynamic IPX networksAuthentication Options A VPN tunnel can only be configured for MSCHAPv1 by using the CLIFor in-depth information about CHAP and PAP, see RFC NONE REQUIRED address IPaddress access RO RWMPPE Options transmitauthenticationname name set systemname “name” location “location”password password sessiontimeout secondsset user username message “message”bridging enable disable defaultrouteoption enable disableidletimeout seconds ip enable disableCLI Commands B-37 categoryofservice Unspecified UBR Variable VBR set vc vcname atmset number pcr numberSets ATM parameters for VCs Total time since system reboot hours, minutes, seconds Errored seconds since last link downTotal errored seconds in 15 minutes Total errored seconds in previous 15 minutesBase Aging Time - time to age out a known MAC address, default FieldsHistory Depth Current Prompt OCR-DSL Local Prompt OCR-DSL settings SPECIFIC ERROR COUNTERS show dns counters show dns settings show filter filternameProblems with Name Server - internal server error INPUT COUNTERS ICMP COUNTERSOUTPUT COUNTERS show interface interfacename counters show interface DisplaysINPUT COUNTERS OUTPUT COUNTERSFragments Needing Reassembly - # of fragmented datagrams IP Dynamic Address Pool Begin - start of IP address rangeIP Dynamic Address Pool Size - size of IP address range settingsOUTPUT COUNTERS show ipx counters show ipx network networkname countersINPUT COUNTERS show ipx rip counterssettings settingsshow ipx sap Dynamic Address Pool Begin - starting IPX addresssettings Default Gateway - default IPX router addressvcname settings name settingsvcname counters name countersSETTINGS for PPP BUNDLE SETTINGS for PPP BUNDLE 1 COMPRESSIONSETTINGS for PPP LINK 1 Operational Status - opened or not openedshow snmp counters Displays many SNMP statistics INPUT COUNTERSSystem Contact - modify using set system System Location - modify using set systemSystem Descriptor - for example OUTPUT COUNTERSTCP SETTINGS TCP COUNTERSINPUT COUNTERS OUTPUT COUNTERSCommands TELNETVERIFY verify filterCLI Exit Commands Command FeaturesComments B-58 APPENDIX B CLI COMMAND DESCRIPTIONINDEX Server Input and Output filters contrasted Static Services Passwords Page Page Page 3Com Corporation LIMITED WARRANTY STANDARD WARRANTY SERVICEHARDWARE SOFTWAREFCC CLASS B STATEMENT FCC DECLARATION OF CONFORMITYThe Interference Handbook ModelDescription