Manuals / 3Com / Computer Equipment / Network Router

3Com OfficeConnect Remote 812 manual IPX Source and Destination Network Filtering Using CLI

Models: OfficeConnect Remote 812

1 170

Download 170 pages 51.21 Kb

Page 89

IPX Source and Destination Network Filtering Using CLI

Creating Filters Using Command Line Interface 6-53

If the router is listening for, or broadcasting RIP messages, you should allow them to pass in the appropriate direction(s). You define IP RIP filtering rules in the IP-RIP protocol section of the filter file.

For example, if you want to filter all routes except the one specified by the IP network address 195.12.254.45, you would create this rule:

IP-RIP:

1 ACCEPT network = 195.12.254.45;

999 DENY;

This filter only allows the route 195.12.254.45 into the route table. All other routes are rejected.

Spurious RIP messages can disrupt your routing tables. If you are listening for RIP messages on a given interface, you may wish to consider filtering out RIP updates from untrusted networks.

IPX Source and Destination Network Filtering Using CLI

IPX network numbers must be specified as an network number no greater than 8-digits in hexadecimal format. The following rule example rejects IPX packets with a source address: 00-03-42-BF.

IPX:

1 REJECT src-net = 00-03-42-BF;

IPX Source and Destination Host Filtering Using CLI

Host addresses must consist of the 8-digit network number, followed by the four digit node number in hexadecimal format.

The following rule example accepts IPX packets with a destination address of

04-0B-43-AA:

IPX:

1ACCEPT dest-host = 04-0B-43-AA;

999DENY;

IPX Source and Destination Socket Number Filtering Using CLI

Sockets numbers represent communications interfaces that let an application access a network protocol by opening a socket and declaring a destination. Sockets are useful because they provide a simple way to direct an application onto the network.

You can compare the source or destination IPX socket number contained in the packet to the socket number defined in the filter rules. You must specify the type of the comparison.

For example, the following rule example accepts IPX packets with the IPX source socket number 0x001:

Image 89

3Com OfficeConnect Remote 812 manual IPX Source and Destination Network Filtering Using CLI

Contents

Part Number 10043337 AA ReleaseOfficeConnect Remote ADSL Router CLI User’s Guide 5400 Bayfront Plaza 3Com CorporationSanta Clara, California 95052-8145ACCESSING THE CONFIGURATION INTERFACE Table of ContentsCLI COMMAND CONVENTIONS AND TERMINOLOGY CONFIGURATION METHODSMANUAL SETUP QUICKVC SETUPStarting QuickVC Setup IPX Routing Network Service PPPSetting Up a Virtual Private Network VPN Tunnel Setting Date and Time Using Network Time Protocol NTP Configuring IPX for Remote Site ConnectionsProviding TFTP Access Monitoring the DHCP RelayOFFICECONNECT REMOTE 812 SAMPLE CONFIGURATION CLI COMMAND DESCRIPTION disable securityoption snmp useraccess list processes list accesslist ip addresses list services B list snmp communities or list snmp trapcommunities B set system TELNET TCP COUNTERSINPUT COUNTERS FCC CLASS B STATEMENT FCC DECLARATION OF CONFORMITY 3COM CORPORATION LIMITED WARRANTY FCC CLASS A VERIFICATION STATEMENTPOSITIONAL HELP B Command Completion B Output PauseEstablishing Communications with the OfficeConnect Remote ACCESSING THE CONFIGURATION 1 INTERFACEIBM-PC Compatible Computers Macintosh Computerstelnet ipaddress UNIX-Based ComputersCommand Structure CLI COMMAND CONVENTIONS AND 2 TERMINOLOGYadd ip network is the command ParametersAbbreviation and CommandCompletion HelpConventions Command Language Terminology Page QuickVC Setup Instructions CONFIGURATION METHODSQuick Setup Instructions 3-2 CHAPTER 3 CONFIGURATION METHODS Manual Setup InstructionsCLI Quick Setup Script QUICK SETUPRestoring the OfficeConnect Remote 812 to an Unconfigured State ADSL Router Installation GuideQuick Setup Script Instructions Quick Setup ScriptDo you want to continue Quick Setup? Password ProtectionQuick Setup Management Information Quick Setup Identification Information4-4 CHAPTER 4 QUICK SETUP Quick Setup IP InformationTELNET information Quick Setup IPX Information Sample Identification Information Quick Setup Bridge InformationManagement Information TELNET ManagementSample Output Display as Quick Setup Executes Page Starting QuickVC Setup OCR-DSL quickvc QUICKVC SETUPCLI QuickVC Setup Script Network Service PPP CLI QuickVC Setup Script Service RFC Service PPPIPX Routing Network BridgingInformation Sample IdentificationSample Output Display as Quick Setup ExecutesPage Configuration Overview MANUAL SETUPRemote Site Remember to save your configuration using the save all command beforeManagement memoryConfiguring Network Service Information set vc vc name networkservice pppset vc vc name networkservice pppoa set vc vc name networkservice pppoeCurrently, the SVC capability is disabled in the OCR set vc vc name dynamicipaddressing dhcpclientset vc vc name atm categoryofservice unspecifed pcr cell rate Setting Up a Virtualset vc vc name atm categoryofservice constant pcr cell rate when transmitting data to the remote siteOn the 812 ADSL Router “Client” Side VPN Tunneling Overview Before You Begin Initiating a VPN TunnelOn the Remote Private Network “Server” Side Enabling and Disabling a disable tunnel commandVPN Tunnel list tunnel Use this command to list the name and status of tunnels Values Authentication and EncryptionTo learn how to set up encryption using the CLI, see Configuring Encryption Configuring Windows 2000 Server to Support CHAP AuthenticationMICROSOFT56BIT NONE REQUIRED Router to Support Encryption for L2TP TunnelsValue Name ProhibitIpSec Configuring a Cisco Router to Support Encryption for L2TP Tunnelsaaa authentication login cisco local vpdn-group 1 accept-dialin protocol l2tp virtual-template peer default ip address pool L2TPterminate-from hostname OfficeConnect local name c7200 interface Ethernet1/2RIP Configuration router rip ver network IP Pool for L2TP Tunnel ppp authentication papDebug vpdn command error6-14 CHAPTER 6 MANUAL SETUP IP Routingenable ip RIP enable ip forwardingdisable ip RIP show ip routing settingsaddressselection negotiateRemote Site The defaultrouteoption can only be enabled in one VC profileset vc vc name 6-18 CHAPTER 6 MANUAL SETUP Configuring Static and Framed IP RoutesAddress Translation used For a vc added using QuickVC, NAT is enabled by defaultcontinues to run until a NAT port frees up Use the following command to configure PAT in a vc profile port 80, private port 80, and the private address of the LAN Server6-22 CHAPTER 6 MANUAL SETUP Intelligent PATPlease also note the following set vc vc name intelligentpatoption Enable/DisableEnabling NAT set vc vc name natoption nat6-24 CHAPTER 6 MANUAL SETUP Configuring NAT Static and Dynamic Mappingslist nat vc vc name port port add nat dynamic vc vc name publicpoolstart ip address count numberlist nat vc vc name addr AND / ORRemote DHCP Configuring the DHCP Modeset dhcp server mask ip address set dhcp server startaddress ip address endaddress ip addressset dhcp server lease seconds set dhcp server router ip addressset dhcp mode relay Configuring the DHCPshow dhcp server counters list dhcp server leasesshow dns settings enable dnstimeout set dnslist dns servers Access ListsIPX Routing 6-32 CHAPTER 6 MANUAL SETUP Enabling IPX Routing Configuring IPX for the LANConfiguring IPX for Remote Site Connections add ipxroute vc vc name ipxnet ipx network address metric number Configuring IPX Static and Framed Routesdelete ipx service name type hex number Configuring IPX Static and Framed Servicesadd ipxservice vc vc name hops number 6-34 CHAPTER 6 MANUAL SETUPBridging Configuring IPX RIP and SAPset ipx network network name set ipx network network nameBridging IP Traffic Configuring Bridging for the Remote Site ConnectionsConfiguring Bridging for the LAN 6-36 CHAPTER 6 MANUAL SETUPset bridge forwarddelay seconds show ip settingsAdvanced Bridging Options set bridge agingtime secondsset bridge firewall discardroutedprotocols set vc vcname macrouting enableSimultaneous Bridging and Routing Setting Date and Time AdministrationSystem set bridge firewall fwdunicastonlyset enable ntp Network Time Protocol CLI Commandsset disable ntp For example set date 01-JAN-1998set secondaryserver ipnameoraddr set timeout secondsset pollinginterval seconds set retransmissions numberNTP Servers clock.psu.edu set system name name location location contact contact show systemlist users delete user namelist tftp clients Setting Password ProtectionAfter logging in to the CLI, you can exit the CLI with the command exit cli6-46 CHAPTER 6 MANUAL SETUP OfficeConnect Remote 812 Filtering CapabilitiesData Filtering Overview Filter Classes The OCR 812 supports three filter classes Command Line Creating Filters UsingCreating Filters OverviewProtocol Rules IP 1 ACCEPT src-addr=xxx 2 ACCEPT dst-addr=yyy 999 DENY The OR operation can be implemented by successive rulesLENGTH - The number of bytes in the packet to compare to the value IP Source and Destination Port Filtering Using CLI IP Source and Destination Network Filtering Using CLIIP Protocol Filtering Using CLI IP RIP Packet Filtering Using CLIIPX Source and Destination Socket Number Filtering Using CLI IPX Source and Destination Network Filtering Using CLIIPX Source and Destination Host Filtering Using CLI IPX SAP Packet Filtering Using CLI IPX RIP Packet Filtering Using CLIBridge / Generic Filtering Using CLI IPX 1 ACCEPT src-socket = 999 DENYmemory Using CLICreating Filter Files Assigning Filters Interface Using CLI Applying Filters Usingby entering the CLI command set interface eth1 filteraccess off VC/Remote Site FiltersFilter List Using CLI Using CLIManaging Filters VPN TunnelRemoving a Filter from an Interface Using CLIVC/Remote Site Profile Deleting a Packet Filter6-60 CHAPTER 6 MANUAL SETUP Sample Configuration OFFICECONNECT REMOTE 812 SAMPLE A CONFIGURATIONOCR 812 features OverviewGlobal Configuration Configuring theenable securityoption remoteuser administration add user root password !rootadd ipx network ipx address 10 frame ethernetii enable yes add dns server * vc Internet enable dnsdisable bridge spanningtree add bridge network bridge set dhcp server dns1 192.168.200.254 dns2set vc Internet iprouting listen set vc Internet sendname internet-user sendpassword 1a2b3cset vc Internet defaultrouteoption enable enable vc Internet Configuring the Sample Network A-5 set vc corp-net ipxaddress 0 ipxrouting all enable vc corp-netset vc corp-net iprouting both Page CLI Commands CLI Command Descriptionadd access vcblknetbiosprimaryaddress ipaddress secondaryaddress ipaddress vcname vcname add framedroute vc name add ip defaultrouteiproute ipaddress metric number metricadd ip network networkname address ipxaddress interface eth1 enabled yesaddress ipnetaddress frame ETHERNETII SNAP LOOPBACK interface eth1 gateway gatewayaddr metric hopcounttype servicetype add ipx service servicenameadd ipx route ipxnetaddress gateway ipxhostaddress metric metricnumber ticks ticknumbertype servicetype ipxnet ipxaddress metric hopcount ticks ticknumberadd ipxservice vc name add ipxroute vc nameCLI Commands B-7 add network service servicename statusservertype servertype socket socketnumber enabled YES data “string” add networkservice CLIaccess servertype TELNETD socket Add network service exampleaddress ipaddress access RO RW closeactiveconnections TRUE FALSEipnameoraddr add snmp trapcommunity nameaddress ipaddress add tunneladd vc name add user namearp output outputfilename ipnameoraddr enabled yesdelete pat tcp vc delete ipx route ipxnetaddress delete ipx service servicenamevcname type servicetypepublicpoolstart ipaddress publicaddress ipaddresstunnelname entriesdisable ip network DISABLEDIAL bridge forwardinginterfacename interface settings command disable snmpauthentication traps output outputfilenetworks ENABLEHANGUP using list network servicesinterfacename interfacename interface settings commandHISTORY HELPKILL LISTmgmt - unknown, but filtering information exists CLI Commands B-19 If Name - eth1, DA1 or loopbackInterface - eth1, DA1 or loopback Prot - LOCAL or RIP trapcommunities not list access More or CR PAUSED COMMANDSContinue printing QuitPING timeout timeoutvalueRENAME RESOLVEset command history numerical range idle timeout minutes forwarddelay secondsSAVE set bridgeset dhcp relay server1 enabled YES NOset dhcp relay server2 address IPaddressset dhcp server set dns cachesize number numberretries number timeout secondsDNS1 IPaddress DNS2 IPaddressroutingprotocol NONE RIPV1 RIPV2 filteraccess ON OFF inputfilter filtername outputfilter filternameset interface interfacename B-28 APPENDIX B CLI COMMAND DESCRIPTION CLI Commands B-29 routerid routeridrippacketsize number ripupdateinterval number rip BOTH DISABLE LISTEN RESPONDONLY SEND ripagemultiplier numbersap BOTH DISABLE LISTEN RESPONDONLY SEND sapagemultiplier number sapupdateinterval numberpoolmembers number set network service adminnameSets parameters for configured network services Sets parameters for dynamic IPX networksFor in-depth information about CHAP and PAP, see RFC A VPN tunnel can only be configured for MSCHAPv1 by using the CLIAuthentication Options MPPE Options address IPaddress access RO RWNONE REQUIRED set system transmitauthenticationname namename “name” location “location”sessiontimeout seconds password passwordset user username message “message”defaultrouteoption enable disable bridging enable disableidletimeout seconds ip enable disableCLI Commands B-37 set vc vcname atm categoryofservice Unspecified UBR Variable VBRset number pcr numberSets ATM parameters for VCs Errored seconds since last link down Total time since system reboot hours, minutes, secondsTotal errored seconds in 15 minutes Total errored seconds in previous 15 minutesFields Base Aging Time - time to age out a known MAC address, defaultHistory Depth Current Prompt OCR-DSL Local Prompt OCR-DSL settings Problems with Name Server - internal server error show dns counters show dns settings show filter filternameSPECIFIC ERROR COUNTERS OUTPUT COUNTERS ICMP COUNTERSINPUT COUNTERS show interface Displays show interface interfacename countersINPUT COUNTERS OUTPUT COUNTERSIP Dynamic Address Pool Begin - start of IP address range Fragments Needing Reassembly - # of fragmented datagramsIP Dynamic Address Pool Size - size of IP address range settingsINPUT COUNTERS show ipx counters show ipx network networkname countersOUTPUT COUNTERS counters show ipx ripsettings settingsDynamic Address Pool Begin - starting IPX address show ipx sapsettings Default Gateway - default IPX router addressname settings vcname settingsvcname counters name countersSETTINGS for PPP BUNDLE 1 COMPRESSION SETTINGS for PPP BUNDLESETTINGS for PPP LINK 1 Operational Status - opened or not openedINPUT COUNTERS show snmp counters Displays many SNMP statisticsSystem Location - modify using set system System Contact - modify using set systemSystem Descriptor - for example OUTPUT COUNTERSTCP COUNTERS TCP SETTINGSINPUT COUNTERS OUTPUT COUNTERSTELNET CommandsVERIFY verify filterCommand Features CLI Exit CommandsB-58 APPENDIX B CLI COMMAND DESCRIPTION CommentsINDEX Server Input and Output filters contrasted Static Services Passwords Page Page Page STANDARD WARRANTY SERVICE 3Com Corporation LIMITED WARRANTYHARDWARE SOFTWAREFCC DECLARATION OF CONFORMITY FCC CLASS B STATEMENTThe Interference Handbook ModelDescription