Manuals / 3Com / Computer Equipment / Network Router

3Com OfficeConnect Remote 812 manual IPX RIP Packet Filtering Using CLI, BR-ETH # Allow IP traffic

Models: OfficeConnect Remote 812

1 170

Download 170 pages 51.21 Kb

Page 90

6-54CHAPTER 6: MANUAL SETUP

IPX:

1ACCEPT src-socket = 0x001;

999DENY;

IPX RIP Packet Filtering Using CLI

Routing Information Protocol (RIP) packets are used to identify all attached networks as well as the number of router hops required to reach them. The responses are used to update a router's routing table.

You define IPX RIP packet filtering rules in the IPX-RIP protocol section of the filter file. You can filter IPX RIP packets by network only.

The following rule example filters the route specified by the IPX network address

00-03-55-BF:

IPX-RIP:

1 REJECT network = 00-03-55-BF;

IPX SAP Packet Filtering Using CLI

SAP packets are used to identify the services and addresses of servers attached to the network. The responses are used to update a table in the router known as the Server Information Table.

You define IPX SAP packet filtering rules in the IPX-SAP protocol section of the filter file. You can filter SAP packets by network, node, server, service-type, and socket.

The following rule example accepts SAP services from the server name sales_1, with a socket number is less than 32:

IPX-SAP:

1 AND server = sales_1;

2 ACCEPT socket < 32;

999 DENY;

Bridge / Generic Filtering Using CLI

The rules in this filter file section are setup to allow bridging of only IP and IPX packets (assuming that all traffic is being bridged and that the IPX protocol is using Ethernet_II framing). To stop traffic in both directions, you can apply the filter as an input_filter on both the Ethernet and the WAN or User Profile interfaces. However, to improve efficiency over the WAN interface, it would be better to have the same type of filter applied on the equipment at the other side of the WAN to keep non-IP and IPX traffic off the WAN completely.

BR-ETH:

# Allow IP traffic

1 ACCEPT generic=>origin=FRAME/offset=12/length=2/mask=0xFFFF/value=0x0800;

# Allow ARP traffic

2 ACCEPT generic=>origin=FRAME/offset=12/length=2/mask=0xFFFF/value=0x0806;

# Allow IPX traffic

Image 90

3Com OfficeConnect Remote 812 IPX RIP Packet Filtering Using CLI, IPX SAP Packet Filtering Using CLI, # Allow ARP traffic

Contents

Release OfficeConnect Remote ADSL Router CLI User’s GuidePart Number 10043337 AA Santa Clara, California 3Com Corporation5400 Bayfront Plaza 95052-8145CLI COMMAND CONVENTIONS AND TERMINOLOGY Table of ContentsACCESSING THE CONFIGURATION INTERFACE CONFIGURATION METHODSStarting QuickVC Setup QUICKVC SETUPMANUAL SETUP IPX Routing Network Service PPPSetting Up a Virtual Private Network VPN Tunnel Providing TFTP Access Configuring IPX for Remote Site ConnectionsSetting Date and Time Using Network Time Protocol NTP Monitoring the DHCP RelayOFFICECONNECT REMOTE 812 SAMPLE CONFIGURATION CLI COMMAND DESCRIPTION disable securityoption snmp useraccess list access list ip addresseslist processes list services B list snmp communities or list snmp trapcommunities B set system TCP COUNTERS INPUT COUNTERSTELNET POSITIONAL HELP B Command Completion B 3COM CORPORATION LIMITED WARRANTY FCC CLASS A VERIFICATION STATEMENTFCC CLASS B STATEMENT FCC DECLARATION OF CONFORMITY Output PauseIBM-PC Compatible Computers ACCESSING THE CONFIGURATION 1 INTERFACEEstablishing Communications with the OfficeConnect Remote Macintosh ComputersUNIX-Based Computers telnet ipaddressadd ip network is the command CLI COMMAND CONVENTIONS AND 2 TERMINOLOGYCommand Structure ParametersCompletion CommandAbbreviation and HelpConventions Command Language Terminology Page CONFIGURATION METHODS Quick Setup InstructionsQuickVC Setup Instructions Manual Setup Instructions 3-2 CHAPTER 3 CONFIGURATION METHODSRestoring the OfficeConnect Remote 812 to an Unconfigured State QUICK SETUPCLI Quick Setup Script ADSL Router Installation GuideDo you want to continue Quick Setup? Quick Setup ScriptQuick Setup Script Instructions Password ProtectionQuick Setup Identification Information Quick Setup Management InformationQuick Setup IP Information TELNET information4-4 CHAPTER 4 QUICK SETUP Quick Setup IPX Information Management Information Quick Setup Bridge InformationSample Identification Information TELNET ManagementSample Output Display as Quick Setup Executes Page QUICKVC SETUP CLI QuickVC Setup ScriptStarting QuickVC Setup OCR-DSL quickvc Network Service PPP CLI QuickVC Setup Script IPX Routing Network Service PPPService RFC BridgingSample Output Display Sample IdentificationInformation as Quick Setup ExecutesPage MANUAL SETUP Configuration OverviewManagement Remember to save your configuration using the save all command beforeRemote Site memoryset vc vc name networkservice ppp Configuring Network Service InformationCurrently, the SVC capability is disabled in the OCR set vc vc name networkservice pppoeset vc vc name networkservice pppoa set vc vc name dynamicipaddressing dhcpclientset vc vc name atm categoryofservice constant pcr cell rate Setting Up a Virtualset vc vc name atm categoryofservice unspecifed pcr cell rate when transmitting data to the remote siteVPN Tunneling Overview Before You Begin Initiating a VPN Tunnel On the Remote Private Network “Server” SideOn the 812 ADSL Router “Client” Side disable tunnel command VPN TunnelEnabling and Disabling a list tunnel Use this command to list the name and status of tunnels Authentication and Encryption To learn how to set up encryption using the CLI, see ConfiguringValues MICROSOFT56BIT NONE REQUIRED Configuring Windows 2000 Server to Support CHAP AuthenticationEncryption Router to Support Encryption for L2TP TunnelsConfiguring a Cisco Router to Support Encryption for L2TP Tunnels aaa authentication login cisco localValue Name ProhibitIpSec terminate-from hostname OfficeConnect local name c7200 peer default ip address pool L2TPvpdn-group 1 accept-dialin protocol l2tp virtual-template interface Ethernet1/2Debug vpdn command ppp authentication papRIP Configuration router rip ver network IP Pool for L2TP Tunnel errorIP Routing 6-14 CHAPTER 6 MANUAL SETUPdisable ip RIP enable ip forwardingenable ip RIP show ip routing settingsnegotiate addressselectionThe defaultrouteoption can only be enabled in one VC profile set vc vc nameRemote Site Configuring Static and Framed IP Routes 6-18 CHAPTER 6 MANUAL SETUPAddress Translation For a vc added using QuickVC, NAT is enabled by default continues to run until a NAT port frees upused port 80, private port 80, and the private address of the LAN Server Use the following command to configure PAT in a vc profileIntelligent PAT 6-22 CHAPTER 6 MANUAL SETUPEnabling NAT set vc vc name intelligentpatoption Enable/DisablePlease also note the following set vc vc name natoption natConfiguring NAT Static and Dynamic Mappings 6-24 CHAPTER 6 MANUAL SETUPlist nat vc vc name addr add nat dynamic vc vc name publicpoolstart ip address count numberlist nat vc vc name port port AND / ORRemote Configuring the DHCP Mode DHCPset dhcp server lease seconds set dhcp server startaddress ip address endaddress ip addressset dhcp server mask ip address set dhcp server router ip addressshow dhcp server counters Configuring the DHCPset dhcp mode relay list dhcp server leasestimeout enable dnsshow dns settings set dnsAccess Lists IPX Routinglist dns servers Enabling IPX Routing Configuring IPX for the LAN Configuring IPX for Remote Site Connections6-32 CHAPTER 6 MANUAL SETUP Configuring IPX Static and Framed Routes add ipxroute vc vc name ipxnet ipx network address metric numberadd ipxservice vc vc name hops number Configuring IPX Static and Framed Servicesdelete ipx service name type hex number 6-34 CHAPTER 6 MANUAL SETUPset ipx network network name Configuring IPX RIP and SAPBridging set ipx network network nameConfiguring Bridging for the LAN Configuring Bridging for the Remote Site ConnectionsBridging IP Traffic 6-36 CHAPTER 6 MANUAL SETUPAdvanced Bridging Options show ip settingsset bridge forwarddelay seconds set bridge agingtime secondsset vc vcname macrouting enable Simultaneous Bridging and Routingset bridge firewall discardroutedprotocols System AdministrationSetting Date and Time set bridge firewall fwdunicastonlyset disable ntp Network Time Protocol CLI Commandsset enable ntp For example set date 01-JAN-1998set pollinginterval seconds set timeout secondsset secondaryserver ipnameoraddr set retransmissions numberNTP Servers clock.psu.edu list users show systemset system name name location location contact contact delete user nameSetting Password Protection list tftp clientsexit cli After logging in to the CLI, you can exit the CLI with the commandOfficeConnect Remote 812 Filtering Capabilities Data Filtering Overview6-46 CHAPTER 6 MANUAL SETUP Filter Classes The OCR 812 supports three filter classes Creating Filters Creating Filters UsingCommand Line OverviewProtocol Rules The OR operation can be implemented by successive rules IP 1 ACCEPT src-addr=xxx 2 ACCEPT dst-addr=yyy 999 DENYLENGTH - The number of bytes in the packet to compare to the value IP Protocol Filtering Using CLI IP Source and Destination Network Filtering Using CLIIP Source and Destination Port Filtering Using CLI IP RIP Packet Filtering Using CLIIPX Source and Destination Network Filtering Using CLI IPX Source and Destination Host Filtering Using CLIIPX Source and Destination Socket Number Filtering Using CLI Bridge / Generic Filtering Using CLI IPX RIP Packet Filtering Using CLIIPX SAP Packet Filtering Using CLI IPX 1 ACCEPT src-socket = 999 DENYUsing CLI Creating Filter Filesmemory Assigning Filters by entering the CLI command set interface eth1 filteraccess off Applying Filters UsingInterface Using CLI VC/Remote Site FiltersManaging Filters Using CLIFilter List Using CLI VPN TunnelVC/Remote Site Profile an Interface Using CLIRemoving a Filter from Deleting a Packet Filter6-60 CHAPTER 6 MANUAL SETUP OCR 812 features OFFICECONNECT REMOTE 812 SAMPLE A CONFIGURATIONSample Configuration Overviewenable securityoption remoteuser administration Configuring theGlobal Configuration add user root password !rootdisable bridge spanningtree add bridge network bridge add dns server * vc Internet enable dnsadd ipx network ipx address 10 frame ethernetii enable yes set dhcp server dns1 192.168.200.254 dns2set vc Internet sendname internet-user sendpassword 1a2b3c set vc Internet defaultrouteoption enable enable vc Internetset vc Internet iprouting listen set vc corp-net ipxaddress 0 ipxrouting all enable vc corp-net set vc corp-net iprouting bothConfiguring the Sample Network A-5 Page add access CLI Command DescriptionCLI Commands vcblknetbiosprimaryaddress ipaddress secondaryaddress ipaddress vcname vcname iproute ipaddress metric number add ip defaultrouteadd framedroute vc name metricaddress ipnetaddress frame ETHERNETII SNAP LOOPBACK interface eth1 address ipxaddress interface eth1 enabled yesadd ip network networkname gateway gatewayaddr metric hopcountadd ipx route ipxnetaddress add ipx service servicenametype servicetype gateway ipxhostaddress metric metricnumber ticks ticknumberadd ipxservice vc name ipxnet ipxaddress metric hopcount ticks ticknumbertype servicetype add ipxroute vc nameadd network service servicename status servertype servertype socket socketnumber enabled YES data “string”CLI Commands B-7 address ipaddress access RO RW Add network service exampleadd networkservice CLIaccess servertype TELNETD socket closeactiveconnections TRUE FALSEaddress ipaddress add snmp trapcommunity nameipnameoraddr add tunnelarp output outputfilename ipnameoraddr add user nameadd vc name enabled yesvcname delete ipx route ipxnetaddress delete ipx service servicenamedelete pat tcp vc type servicetypetunnelname publicaddress ipaddresspublicpoolstart ipaddress entriesDIAL DISABLEdisable ip network bridge forwardingauthentication traps disable snmpinterfacename interface settings command output outputfileENABLE networksinterfacename using list network servicesHANGUP interfacename interface settings commandKILL HELPHISTORY LISTmgmt - unknown, but filtering information exists If Name - eth1, DA1 or loopback Interface - eth1, DA1 or loopbackCLI Commands B-19 Prot - LOCAL or RIP trapcommunities not list access Continue printing PAUSED COMMANDSMore or CR QuitRENAME timeout timeoutvaluePING RESOLVESAVE forwarddelay secondsset command history numerical range idle timeout minutes set bridgeset dhcp relay server2 enabled YES NOset dhcp relay server1 address IPaddressDNS1 IPaddress set dns cachesize number numberretries number timeout secondsset dhcp server DNS2 IPaddressfilteraccess ON OFF inputfilter filtername outputfilter filtername set interface interfacenameroutingprotocol NONE RIPV1 RIPV2 B-28 APPENDIX B CLI COMMAND DESCRIPTION routerid routerid CLI Commands B-29sap BOTH DISABLE LISTEN RESPONDONLY SEND sapagemultiplier number rip BOTH DISABLE LISTEN RESPONDONLY SEND ripagemultiplier numberrippacketsize number ripupdateinterval number sapupdateinterval numberSets parameters for configured network services set network service adminnamepoolmembers number Sets parameters for dynamic IPX networksA VPN tunnel can only be configured for MSCHAPv1 by using the CLI Authentication OptionsFor in-depth information about CHAP and PAP, see RFC address IPaddress access RO RW NONE REQUIREDMPPE Options name “name” transmitauthenticationname nameset system location “location”set user username password passwordsessiontimeout seconds message “message”idletimeout seconds bridging enable disabledefaultrouteoption enable disable ip enable disableCLI Commands B-37 set number categoryofservice Unspecified UBR Variable VBRset vc vcname atm pcr numberSets ATM parameters for VCs Total errored seconds in 15 minutes Total time since system reboot hours, minutes, secondsErrored seconds since last link down Total errored seconds in previous 15 minutesBase Aging Time - time to age out a known MAC address, default FieldsHistory Depth Current Prompt OCR-DSL Local Prompt OCR-DSL settings show dns counters show dns settings show filter filtername SPECIFIC ERROR COUNTERSProblems with Name Server - internal server error ICMP COUNTERS INPUT COUNTERSOUTPUT COUNTERS INPUT COUNTERS show interface interfacename countersshow interface Displays OUTPUT COUNTERSIP Dynamic Address Pool Size - size of IP address range Fragments Needing Reassembly - # of fragmented datagramsIP Dynamic Address Pool Begin - start of IP address range settingsshow ipx counters show ipx network networkname counters OUTPUT COUNTERSINPUT COUNTERS settings show ipx ripcounters settingssettings show ipx sapDynamic Address Pool Begin - starting IPX address Default Gateway - default IPX router addressvcname counters vcname settingsname settings name countersSETTINGS for PPP LINK 1 SETTINGS for PPP BUNDLESETTINGS for PPP BUNDLE 1 COMPRESSION Operational Status - opened or not openedshow snmp counters Displays many SNMP statistics INPUT COUNTERSSystem Descriptor - for example System Contact - modify using set systemSystem Location - modify using set system OUTPUT COUNTERSINPUT COUNTERS TCP SETTINGSTCP COUNTERS OUTPUT COUNTERSVERIFY CommandsTELNET verify filterCLI Exit Commands Command FeaturesComments B-58 APPENDIX B CLI COMMAND DESCRIPTIONINDEX Server Input and Output filters contrasted Static Services Passwords Page Page Page HARDWARE 3Com Corporation LIMITED WARRANTYSTANDARD WARRANTY SERVICE SOFTWAREThe Interference Handbook FCC CLASS B STATEMENTFCC DECLARATION OF CONFORMITY ModelDescription