Manuals / Efficient Networks / Computer Equipment / Network Router

Efficient Networks 107-0001-000 manual Ike ipsec policies set pfs, Negotiation

Models: 107-0001-000

1 516

Page 374

Chapter 12: IKE/IPsec Commands	Efficient Networks® Router family
	Command Line Interface Guide

ike ipsec policies set pfs

Defines the pfs filtering parameter value for the policy. The pfs parameter specifies the Perfect Forward Secrecy negotiation used for the connection.

If you specify 1 or 2, Perfect Forward Secrecy is performed using the specified Diffie- Hellman group (1 or 2). If you specify none, then Perfect Forward Secrecy is not required for this connection and no Diffie-Hellman group is used to encrypt the keys during rekey. To read more about PFS, see “IKE Management” on page 5-52.

Mgmt Class

Security (R/W)

Input Format

ike ipsec policies set pfs <1 2 none > <policyname>

Parameters

1	Use Diffie-Hellman group 1 for the Perfect Forward Secrecy
	negotiation.
2	Use Diffie-Hellman group 2 for the Perfect Forward Secrecy
	negotiation.
none	Perfect Forward Secrecy negotiation is not required for this
	connection.

<policyname>a Name of the IPsec policy to which the pfs parameter value is added.b

aASCII string

bTo see the policy names, use the ike ipsec policies list command.

Example

-> ike ipsec policies set pfs 2 mypolicy

Response

Command prompt.

Page 12-16

Efficient Networks®

Page 374

Image 374

Efficient Networks 107-0001-000 manual Ike ipsec policies set pfs 1 2 none policyname, Negotiation

Contents

5RXWHUDPLO\ Efficient Networks Software License and Limited Warranty Limitations Release Revision History001 12 Feb Contents File System Commands Contents Contents Remote Commands Eth ip directbcastContents Contents WAN Interface Commands Dhcp Commands L2TP Commands Remote setpppoeservice -1 pppoe close -2 pppoe list L2tp set window -16 remote setl2tpclient -17 remote setlnsContents Voice Commands User Commands Stateful Firewall Commands QoS Commands Ssh set rekey -8 ssh set status -8 system sshportThis page intentionally left blank Introduction How This Manual is OrganizedPassword Command ConventionsAccessing the Command Line UsernameCommand line is now available for use Re-enter the new password at the promptPassword change will be confirmed Terminal SessionsTerminal Session under Windows HyperTerminal Data bits Parity None Stop bits Flow control Hardware Terminal Session for Macintosh or Unix Telnet Session for Remote Access TelnetCommand Line via the Web Management Interface Mode is learning, listening, or forwarding Lists the top-level commands and keywords and aResolution Protocol ARP table Lists the contents of the bridge tableInitiates a reboot of the system Lists the current services in the IPX SAPs tableChanges the current user password Enables Sntp requestsParameters ? or helpInput Format ResponseMgmt Class Arp deleteArp list ExampleVoice R Input Format ParametersArp list Arp listBi list Bi listBi list Call remotename CallVoice R/W Remotenamea Name of the target routerDate Display when date is entered with no parametersDisplay when date is entered with parameters All R/WErase Admin R/WWhen entered with no parameters, same as erase all All R ExitIfs Voice R, Network RAn example of additional interfaces that may be displayed IpifsTypical response is shown below IpifsIproutes IproutesIpxroutes IpxroutesIpxroutes IpxsapsIpxsaps IpxsapsLogout LogoutMem MemSystem R, Debug R MemMlp summary Mlp summaryAdmin101@console- password 1675309 lobster PasswordPassword old password new password Ping Ping -I 192.168.1.2 Ping -c 2 -i 7 -s 34Ping -I 192.168.254.254 TID Name Bottom Current Size 1IDLE Reboot Reboot optionSave User is prompted to verify the commandSave Sntp disable Sntp disableDisables Sntp requests Sntp activeSntp offset Sntp enableWhen no parameter is entered, current offset is displayed Itive number is east a negative number is westSntp prefserver number When entered with no number parameterSntp prefserver Number of a server within the Sntp server listWhen entered and no sntp preferred server is defined When entered with a number parameterWhen entered while sntp function is currently disabled When entered and an sntp preferred server has been definedWhen entered with the default parameter Sntp server ipaddress default numberRequests the default server list Sntp serverTypical response Tcp statsTcp stats Tcp statsTime Dress as the source address TracerouteNetwork R/W, Debug R Hop is listed in the output messageTraceroute -n 172.17.20.1Traceroute Vers VersCopies a file from the source to the destination This command loads batch files of configurationCommands into the router Deletes the specified file from the flash filesystemCopy srcfile dstfile CopyExamples Copy tftp@128.1.210.66kernelnw kernel.f2kRefer to examples for typical responses Admin R/W, System R/WDelete Delete filenameDir DirDir Execute Execute filenameSystem R/W, Debug R/W Following is an example of the format disk commandFormat disk Format diskMsfs MsfsMsfs fix Sync Following is an example rename commandRename Commits the changes made to the file system to Flash memoryRemaps a range of local-LAN IP addresses to a Adds an address to the BootP server listLists the supported keywords Range of public IP addresses on a system-wide baChanges the Dial Backup retry period Disables the Dial Backup option in the routerEnables the Dial Backup option in the router Changes the Dial Backup stability periodManages the system Http port access Lists the default modem settingsRemoves an address from the BootP server list Lists the system settings for the target routerManages SSH port access Enables and disables the secure mode functionManages Snmp port access Manages Syslog port accessSystem ? System addbootpserverSystem addbootpserver ipaddr System ?System addbootpserver IP address of the serverSystem addhostmapping System addhttpfilter first ip addr last ip addr lan System addhttpfilterSecurity R/W Local Ethernet LANSystem addiproutingtable System addiproutingtable 192.168.1.5 192.168.1.12 Rosa System addserverResponse Example Selects the host with this IP address as server Action One of the following command actionsRlogin port Discards the incoming server requestSystem addsnmpfilter System addsnmpfilter first ip addr last ip addr lanSystem addsyslogfilter System addsyslogfilter firstipaddr last ipaddr lanSystem addsyslogserver ipaddr System addsyslogserverSystem R/W IP address to be added to the Syslog server address listSystem addtelnetfilter System addtelnetfilter first ip addr last ip addr lanFirst port in the UDP port range to be created System addudprelayWarded Incorporates all the available UDP ports in the new rangeCally System authenSystem authen none pap chap Chap is performedIP address to be added to the list System backup addSystem backup add ipaddr gw dns group AddressFollowing command deletes all addresses from group System backup deleteFollowing command deletes the gateway address from group IP address to be deleted from the listSystem backup disable System backup disableFollowing command clears all addresses from the list System backup delete all allSystem backup enable System backup enableNumber of seconds in the ping interval for the group System backup pingintervalSystem backup pinginterval seconds group Optional, number of a groupSystem backup pingsamples System backup pingsamplesSystem backup pingsamples samples group System backup pingsamples 0Following command changes the retry period to 60 minutes System backup retrySystem backup retry minutes Following command changes the retry period toSystem backup stability minutes System backup stabilitySystem backup successrate Following command changes the stability period to 5 minutesSystem backup successrate System blocknetbiosdefaultSystem backup successrate percentage group System backup successrate 0System community System blocknetbiosdefault yes noSets the default to block all NetBIOS and NetBUI requests System community snmp community nameSystem defaultmodem System default modemSystem delbootpserver System delbootpserver ipaddr allSystem delbootpserver all Removes all addresses from the BootP server listSystem delbootpserver System delhostmappingSystem delhttpfilter first ip addr last ip addr lan System delhttpfilterSystem deliproutingtable First IP address of the rangeSystem delserver Following command deletes the virtual routing table RosaDeletes an entry created by the system addserver command System deliproutingtable 192.168.1.5 192.168.1.6 RosaAction One of the following command actions First IP address of the client range System delsnmpfilterSystem delsnmpfilter first ip addr last ip addr lan System delsyslogfilter firstipaddr last ipaddr lan System delsyslogfilterSystem delsyslogserver System delsyslogserver ipaddrSystem deltelnetfilter System deltelnetfilter first ipaddr last ipaddr lanDeletes all existing UDP ports System deludprelaySystem history Last port in the UDP port range to be deletedFollowing is a typical response System historySystem httpport System httpport default disabled portThis command sets the Http port to the default value CessFollowing is an example of a typical response System listSystem list System listInitiates monitoring activity System logSystem log start stop status TureSystem modem Following command changes the string for the init settingFollowing command selects pulse dialing Enter one of the following optionsSystem moveiproutingtable First ipaddra First IP address of the range to be movedSystem msg message System msg Configured on10/21/98System msg Message a,bRouter name System nameSystem name name Name a,bTions System onewandialupSystem onewandialup on off Timer value for RIP information exchange System riptimerPassworda,bAuthentication password of the target router System passwdSystem securemode set System securemode set enable disableSystem securemode list Security RSystem securemode set cli Disable Disables secure modeTypical response indicating the curent mode is displayed System securemode set cli valueSystem securemode set wan Mode is enabledSystem securemode set lan System securemode set lan trusted untrustedSystem securemode set wan trusted untrusted System securitytimerSystem securitytimer minutes Will be applied System selnat addpolicySpecifies the destination IP address to which the policy Policy will be appliedSystem selnat delpolicy policy number System selnat delpolicySystem selnat list Number of the policy to be deletedSystem snmpport default disabled port System snmpportThis command remaps the Snmp port to port This command sets the Snmp port to the default valueThis command disables the existing Snmp port System sshport System supporttraceSystem supporttrace Debug R/WSystem supporttrace === Processes === TID Name FL P Bottom Current Size 1IDLE DSP ATZ QA-LABPC === Interfaces === NW PRM Efficient Networks === END of Tech Support Data System syslogport default disabled port System syslogportThis command remaps the syslog port to port This command sets the Syslog port to the default valueThis command disables the existing Syslog port System telnetport default disabled portThis command sets the Telnet port to the default value Disables the existing Telnet portMote access This command disables the existing telnet portLink System wan2wanforwardingSystem wan2wanforwarding on Subnets That the router can provide service to multiple IPAdds a logical interface onto an Ethernet port so Deletes a logical interface from an Ethernet portEnables IP routing across the Ethernet LAN Removes a route from the default routing tableDisables IP routing across the Ethernet LAN Enables and disables Ethernet Firewall FilteringClears the password in a Vrrp attribute record for Vrid Disables IPX routing across the Ethernet LANEnables IPX routing across the Ethernet LAN Sets the IPX network number for the Ethernet LAN ConnectionEth ? Eth ?Eth add Eth addEth add port#logical# Ethernet interface from which logical port will be deleted Eth deleteEth delete port#logical# Logical interface number to be deletedEth ip addhostmapping Typical usageEthernet LAN IP address Eth ip addrEth ip addr ipaddr ipnetmask interface IP network maskIP address of the IP gateway Eth ip addrouteEth ip addroute ipaddr ipnetmask gateway hops interface Ethernet interface through which the packet is sentEth ip addserver Eth ip bindroute Ethernet LAN IP address Eth ip defgateway Eth ip defgateway ipaddr interfaceEth ip delhostmapping Eth ip delroute 10.9.2.0 Eth ip delrouteEth ip addroute ipaddr ipnetmask interface Eth ip delroute 10.1.3.0 255.255.255.0Eth ip delserver MP port Protocolid a Numerical protocol IDHypettext Transfer Protocol Http port Disables the forwarding of packets broadcast to a subnet Eth ip disableEnables the forwarding of packets broadcast to a subnet Eth ip directbcastEth ip enable Eth ip enableEth ip disable Eth ip filter append Eth ip filter command type action parameters interfaceEth ip filter Eth ip filter insertEth ip filter clear Eth ip filter deleteEth ip filter flush Eth ip filter delete type action parameters interfaceEth ip filter watch Eth ip filter checkEth ip filter list Protocol TCP UDP Icmp Dp Icmp type first dest portlast dest port Eth ip filter flush input Eth ip firewall on off list Disables the firewall filtering featureEth ip firewall To be performedEth ip mgmt ipaddr ipnetmask interface Eth ip mgmtPing -I 192.168.1.2 Eth ip options option on off interface Eth ip mgmt 10.0.0.1 255.255.255.0 Save RebootEth ip options Eth ip ripmulticast ipaddr Eth ip ripmulticastOptionMust be one of the following Eth ip translate on Eth ip translateEth ip translate on off interface Eth ip translate offEth ip unbindroute Eth ip unbindroute ipaddr tablename interfaceEth ip vrid Eth ip vrid vrid interfaceEth ipx addr ipxnet port# Eth ipx disableEth ipx addr Eth ip vrid 7Eth ipx disable port# Eth ipx enableThis command requires a reboot Eth ipx enable port#Eth list Eth ipx enable typeEth ipx frame Eth list interfaceGlobal BRIDGING/ROUTING Settings Eth listEth mtu size interface Eth mtuEth restart Interfacea,b Logical Ethernet interface Eth startEth restart interface Eth start interfaceEth stop Interfacea,b Logical Ethernet interfaceEth vrrp add Eth vrrp addEth vrrp add vrid port# Eth vrrp add 2Eth clear password Eth vrrp clear passwordEth vrrp clear password vrid port# Eth vrrp delete Eth vrrp deleteEth vrrp delete vrid port# Eth vrrp list port# Eth vrrp listEth vrrp set multicast Eth vrrp multicast Eth vrrp set optionEth vrrp set multicast ipaddr Preempt immediately Eth vrrp set passwordTribute record was created by the command eth vrrp add Do not preempt a router with lower priorityAttribute record was created by the command eth vrrp add Eth vrrp set password password vrid port#Password Eth vrrp set password AbCdEfGhEth vrrp set priority Eth vrrp set priority priority vrid port#Eth vrrp set priority 50 7 Eth vrrp set timeintervalEth vrrp set priority 255 Virtual router ID of the Vrrp attribute record Eth vrrp set timeinterval seconds vrid port#Time interval value in seconds Eth vrrp set timeinterval 2Adds the source routing option Eth ip remsrcrouteopt enable disableRemoves the source routing option. Default value Remote Commands Remote bindipvirtualroute Remote disbridge Remote setcompression Remote setppppretrytimer Adds a remote router entry into the remote router database Remote ?Remote add Remotenamea Name of the tunnel. bAll MAC addresses Remote addbridgeRemote addbridge * macaddr remotename MAC addressRemote addhostmapping Remote addiproute Examples IPX network number Remote addipxrouteRemote addIpxRoute ipxne# metric ticks remotename Network/stationIPX node address Name of serviceRemote addipxsap ErsRemote addserver T120 SmtpSntp TelnetRoute Enter a gateway only if you are configuring a MER interfaceRemote bindipvirtualroute Address of a router on the remote LANDisables NetBIOS filtering Remote blocknetbiosEnables NetBIOS filtering Remote delATM forum encoding Remote delatmsnapRemote delbridge ITU E164 encodingRemote delencryption remotename Remote delencryptionDeletes encryption files associated with a remote router Remote deliproute ipaddr remotename Remote delhostmappingRemote deliproute Remote delipxroute Remote delIpxRoute ipxnet remotenameRemote delipxSap servicename remotename Remote delipxsapRemote delourpasswd remotename Remote delourpasswdRemote deloursysname Remote deloursysname remotenameRemote delphone Remote delserverAction One of the following command actions Remote disauthen Remote disableRemote disable remotename Remote disauthen remotenameRemote disbridge Remote disbridge remotenameRemote enaauthen Remote enableRemote enable remotename Remote enaAuthen remotenameRemote enablebridge remotename Remote enabridgeRemote ipfilter append Remote ipfilter command type action parameters remotenameRemote ipfilter Remote ipfilter insertRemote ipfilter clear Remote ipfilter deleteRemote ipfilter flush Remote ipfilter checkRemote ipfilter list For example, the commandManagement Protocol error message Remote ipfilter watchProtocol TCP UDP Icmp Tcp syn ack noflag rst Remote ipfilter flush receive internet Remote listRemote list remotename Remote ipfilter list input internetIf entered with no parameters, all remote router entries Are listedRemote listbridge If entered with no parameters, bridge settings for all reTypical response when entered with no remotename parameter Mote routers entries are listedDest Remote listiproutesRemote listiproutes remotename Private YesRemote listipxroutes remotename Remote listipxroutesRemote listipxsaps Remote listipxsaps remotenameRem listipxsaps hq Remote listphonesRemote listphones remotename Rem listphones hqRemote restart remotename Remote restartRemote setatmnsap Nsap Remote setauthenRemote setatmnasp atmf e164 partial full nsap remotename Remote setauthen protocol remotenameRemote setbod Remote setBOD in out both remotenameRemote setbroptions Default is onAny traffic, including PPPoE traffic. The default is off Remote setBrOptions option on off remotenameRemote setBWthresh threshold remotename Default is 0, in which case, whenever data transmissionRemote setbwthresh Occurs, the maximum number of links is allocatedRemote setencryption Disables compression negotiation. The default is offRemote setcompression They both share a common compression protocolRemote setEncryption DESE1KEYDESE2KEY filename remoteName Remote setipoptions Remote setipoptions option on off remotenameUse periodic echo Slave mode setting. The default is noRemote setipslaveppp Remote setipslaveppp yes no remotenameRemote setipxaddr Enables or disables NATRemote setiptranslate Remote setiptranslate on off remotenameRemote setipxoptions Remote setIpxOptions ripsap on off remotenameRemote setmgmtipaddr Default isRemote setmaxline Remote setMaxLine 1 2 remotenameIP sub-network mask Remote setmgmtipaddr ipaddr mask remotenameIP address Remote setminline Is allocated for the connection only when needed.Remote setMinLine 0 PPPoEuser Remote settimer 600 PPPoEuser Remote setminline minlines remotenameRemote setmtu 1400 HQ Remote setmtuRemote setmtu size remotename Remote setoursysname Remote setourpasswd password remotenameRemote setourpasswd Remote routerRemote setpasswd Remote setpasswd password remotenameAuthentication password of the remote router Remote setphoneRemote setPhone async isdn 1 2 phone# remotename Remote setspeed 115200 async 2 backupRemote setphone async 1 5552000&5554000 backup Remote setpppoptions option on off remotename Desired setting for the optionRemote setpppoptions Use IPX RIP/SAP protocolsValue to Remote setppppretrytimerRemote setpppretrytimer timervalue remotename Bers and bit rates in the remote profile Remote setpreferRemote setprefer async fr hsd remotename Frame RelayRemote setPrefer async backup Remote list backup Remote setprotocol Virtual Path ID number that identifies the link formed by Remote setpvcRemote setpvc vpi number*vci number remotename Virtual pathIP address of the remote router Remote setrmtipaddrRemote setrmtipaddr ipaddr mask remotename IP network mask of the remote routerBit rate to be used for the phone number Use the default speedRemote setspeed Primary phone numberTarget IP address of the WAN connection to the remote rout Remote setsrcipaddrRemote setsrcipaddr ipaddr mask remotename Number of seconds in the timeout period Remote settimerRemote settimer seconds remotename Remote start Remote start remotenameTotal connect time +011148 Total bytes out 15896 Remote statsRemote stats remotename Remote stop Remote stop remotenameIP virtual routing table to which the route is removed Remote unbindipvirtualrouteRemote unbindipvirtualroute ipaddr tablename remotename Remote unbindIPVirtualRoute 10.1.2.0 Francisco HQThis page intentionally left blank WAN Interface Commands Adsl Commands Adsl ?Adsl restart Adsl restartAdsl speed Adsl speedStatistical information displayed Adsl statsAdsl stats clear Adsl speedAtm ? ATM CommandsAtm ? Atm pcr Following command requests the current speedTypical response when entered with no parameter Atm pcr cells/secondAtm speed Saves the ATM configuration settingsAtm save Atm saveRemote setATMTraffic scr mbs remoteName Remote setatmtrafficUpstream speed requested in kilobits/second Atm speedRemote setATMtraffic 47 31 HQ Sustained Cell Rate cells per secondRemote setATMTraffic 0 0 HQ Remote setATMtraffic 47 1 HQDmt ? DMT CommandsDmt ? Dmt link Ansi notrellisansi Selects the DMT mode used Dmt modeDmt mode ansi notrellisansi uawg Dual-Ethernet Router ETH Commands Eth br enable Eth br enableEth br disable Eth br disableEthernet port number Eth br optionsEth br options option on off port# Eth br options stp off Eth br options pppoeonly onFrame ? Frame CommandsFrame ? Frame cmpplay Selects bridging modeSelects bridging mode, default value Frame lmiFrame stats Frame statsDisplays frame relay statistics Frame statsFrame voice Frame voiceDisplays the voice Dlci for voice routers Gti speed GTI CommandsGti ? Gti stats Gti statsGti speed Gti speedGti version Gti versionGTI Adsl Version information is displayed Hdsl ? Hdsl CommandsHdsl ? Hdsl speed Saves the HDSL-related changes across restarts and rebootsHdsl save Hdsl saveCommand example displaying current mode Sets the terminal operation mode to CPESets the terminal operation mode to CO Hdsl terminalIdsl list Idsl CommandsIdsl list Typical responseIdsl save Idsl saveIdsl set speed Idsl set speed 64 128Link speed of 64 Kbps Idsl set switchRemote setdlci Link speed of 128 KbpsRemote setProtocol ppp fr mer remotename Remote setprotocolFrame Relay number identifying the data-link connection PPP protocol with no encapsulationSdsl ? Sdsl CommandsSdsl ? Sdsl preact on off Disables pre-activationSdsl preact CPE end. aSdsl save Sdsl saveSdsl speed Sdsl speed speed noautoSdsl speed This command example requests a line speed of 1152 Kb/sSee examples above Terminal operation is displayed Sdsl terminalSdsl terminal cpe co Sdsl terminalShdsl Commands Shdsl annex Enables the selected annexShdsl ? Lists the supported Shdsl keywordsShdsl list Lists the current configuration of the G.shdsl interfaceShdsl list Shdsl listShdsl ratemode Selects adaptive or fixed rate modeShdsl margin Noise margin in decibelsShdsl restart Selects adaptive modeSelects fixed mode Current ratemode is displayedShdsl save Shdsl saveShdsl speed Speed in Kbps This command usage requests a line speed of 1096 Kb/sShdsl speed speed auto Selects auto-speed detectionShdsl stats Shdsl statsShdsl stats clear Shdsl stats clearShdsl terminal Shdsl terminalShdsl ver Shdsl verDisplays the G.shdsl version level of the modem firmware Shdsl verThis page intentionally left blank Specifies the boot file name kernel and the sub Allows a BootP request to be processed for a parDenies processing of a BootP request for a partic Lists the supported Dhcp keywordsEnables a subnetwork or a client lease Specifies the Tftp server boot serverDisables a subnetwork or a client lease Clears the values from a pool of addressesTo define a subnetwork Dhcp ?Dhcp add To define a client leaseDhcp add Command usage defining a subnetworkCommand usage defining a client lease Dhcp add 128 1 4 ipAddressDhcp addrelay ipaddr Command usage defining, then listing a Dhcp relay serverDhcp addrelay Dhcp addrelayIP address of the subnetwork lease Dhcp bootp allowDhcp bootp disallow IP address of the client leaseName of the file to boot from Dhcp bootp fileDhcp bootp file net ipaddr name Dhcp clear addresses Dhcp bootp tftpserverDhcp bootp tftpserver net ipaddr tftpserver ipaddr IP address of the Tftp serverDhcp clear expire Word records cannot be abbreviated in the commandDhcp clear all records Dhcp clear all recordsDhcp clear valueoption net ipaddr code Dhcp clear valueoptionIpaddra IP address of the subnetwork lease User defined code cExample command deleting the user-defined option with code Example command to delete the defined subnetworkExample command usage deleting a client lease Dhcp delDhcp delrelay Dhcp disableDhcp disable all net ipaddr Dhcp delrelay ipaddr allEnables all subnets Dhcp enableDisables all subnets IIP address of the subnetwork leaseLists global, subnetwork, and client lease information Following example command lists global informationDhcp list Dhcp list net ipaddrFollowing example command lists information for client GatewayPredefined or user-defined number or keyword Dhcp list definedoptionsDhcp list definedoptions code string Character stringEfficient Networks Dhcp list definedoptions ga Dhcp list leaseDhcp list lease Dhcp set addresses Default lease duration is displayedDhcp set expire ipaddr hours default infinite Dhcp set expireDhcp set lease Dhcp set mask Example command sets client lease time to the default valueExample command sets lease time to infinite for this subnet Dhcp set mask net maskDhcp set otherserver Dhcp set otherserver net continue stopSubnetwork lease Dhcp set valueoptionLease Code specifying the option to be setThis page intentionally left blank Nels, except for the authentication password/se Configures the router to forward all incoming callsDisplay of the current configuration settings for tun Lists the supported L2TP keywordsCreates the host name of the remote tunnel Creates a Chap secretCreates local router’s host name Defines the type of L2TP support for the tunnelL2tp add Example command adding the tunnel named PacingAtWorkL2tp ? Tunnelnamea Name of the tunnel. bL2tp call tunnelname L2tp callL2tp close L2tp call PacingAtWorkL2tp del No incoming calls are allowed to be forwarded through L2tp forwardForward all incoming calls through the tunnel to an LNS Tunnel to an LNSTunnelname a Name of the tunnel. b L2tp listL2tp list tunnelname L2tp listIP address of the remote LAC or LNS L2tp set addressL2tp set address ipaddr tunnelname L2tp set authen Enables authenticationDisables authentication L2tp set chapsecretL2tp set hiddenavp Chap secret used to authenticate the creation of the tunnelL2tp set dialout L2tp set dialout yes no tunnelnameL2tp set ouraddress Allows the router hide AVPs. Default valueDisables hidden AVPs Source IP address used for this tunnelLenged by another router L2tp set ourpasswordL2tp set oursysname Name of the tunnelName of the local router L2tp set ourtunnelnameL2tp set remotename Tunnelnamea,b Name of the tunnelL2tp set type Lishing the L2TP tunnel L2tp set wanifL2tp set wanif remote tunnelname L2tp set window Name of the remote entry Remote setl2tpclientRemote setl2tpclient tunnelnameremotename Remote setlns Remote setLNS tunnelname remotenameFilter br ? Lists the supported Bridge Filtering keywordsHexadecimal number up to 6 bytes Filter br addByte offset within a packet Allows forwarding of the packetsFilter br del 12 8035 deny Filter br delFilter br del pos data allow deny Filter br list Filter br listLists the bridging filters in the filtering database Filter br listFilter br use This page intentionally left blank Remote setpppoeservice Ifsnumber Session to be closed.a Pppoe closePppoe close ifsnumber Pppoe list Pppoe listLists information about the currently active PPPoE sessions Pppoe listThis page intentionally left blank IKE/IPSEC Commands Defines a proposal filtering parameter value for Defines a peer filtering parameter value for the pol IcyDefines the pfs filtering parameter value for Policy Defines a protocol filtering parameter value forLists the defined IKE peers Message authentication doneDisables a defined IPSec security association SA Entry Sets the local ID for the IKE peer connectionSpecifies the identifier Spid for the IPSec tunnel Enables a defined IPSec security association en TryClears all IPSec definitions Ike ipsec ? Ike flush Commit bit is not set. Default valueIke commit Displays help messageIke ipsec policies add policyname Ike ipsec policies addIke ipsec policies delete Policynamea New name for an IPsec policy.bName of an existing IPsec policy. b Ike ipsec policies disableIke ipsec policies disable policyname Policynamea Name of an existing IPsec policy.bIke ipsec policies enable mypolicy Ike ipsec policies enableIke ipsec policies enable policyname Ike ipsec policies list Ike ipsec policies list IKE IPSec policies mypolicy enabledIke ipsec policies list IP address allowed to be the destination of the data Ike ipsec policies set destIke ipsec policies set destport Name of the IPsec policy to which the destination parameterPortnumber Telnet Http Snmp Tftp Policynamea Ike ipsec policies set interface Ike ipsec policies set interface interface all policynameIke ipsec policies set interface backup corporate Ike ipsec policies set modeIke ipsec policies set mode tunnel transport policyname Ike ipsec policies set interface all mypolicyParameter value is added. a Name of the IPsec policy to which the encapsulation modeIke ipsec policies set peer Ike ipsec policies set peer peerpame policynameNegotiation Ike ipsec policies set pfsIke ipsec policies set pfs 1 2 none policyname Ike ipsec policies set pfs 2 mypolicyIke ipsec policies set proposal myproposal mypolicy Ike ipsec policies set proposalIke ipsec policies set proposal proposalname policyname Ike ipsec policies set protocol Ue is added. bIP address allowed to be the source of the data Ike ipsec policies set sourceIke ipsec policies set source ipaddress ipmask policyname Is added. cIke ipsec policies set sourceport Ike ipsec policies set translate Ike ipsec policies set translate on off policynameIke ipsec proposals add Ike ipsec proposals add proposalnameName of an existing IPsec proposal. b Ike ipsec proposals deleteIke ipsec proposals delete proposalname Ike ipsec proposals add myproposalIke ipsec proposals list Ike ipsec proposals listIke ipsec proposals list Ike ipsec proposals set ahauth md5 sha1 none proposalname Use AH encapsulation and authenticate using hash algorithmIke ipsec proposals set ahauth Secure Hash Algorithm-1Auth command Use ESP encapsulation and authenticate using hash algorithmNo ESP encapsulation and no ESP message authentication. If Ike ipsec proposals set espauthUse ESP encapsulation and 168-bit encryption if 3DES is en Ike ipsec proposals set espencUse ESP encapsulation and 56-bit encryption Abled in the routerIke ipsec proposals set lifedata Compress using the LZS algorithmIke ipsec proposals set ipcomp Ike ipsec proposals set ipcomp none lzs proposalnameMeans unlimited Ike ipsec proposals set lifetimeIke ipsec proposals set lifedata kbytes proposalname Ike ipsec proposals set lifetime seconds proposalnameIke peers add peername Ike peers addUnlimited Peernamea New name for an IKE peer.bIke peers delete peername Ike peers deleteIke peers list Peernamea Name of the IKE peer to delete.bIke peers list IKE Peers Ike peers set addressIke peers set address ipaddress peername Ike peers set address 0.0.0.0 myaggressivepeer Ike peers set localidIke peers set localid aggressivemodeid peername Name of the IKE peer whose local ID is specified. c Ike peers set localidtypeExample Response Ike peers set localidtype ipaddr domainname email peernameIke peers set localidtype domainname myaggressivepeer Selects aggressive mode one end can change Ike peers set modeSelect main mode both ends constant Name of the IKE peer whose mode is specified. bIke peers set peerid aggressivemodeid peername Ike peers set peeridIke peers set peeridtype Name of the IKE peer whose peer ID is specified. cIke peers set secret secret peername Ike peers set secretIke peers set peeridtype ipaddr domainname email peername Ike peers set peeridtype domainname myaggressivepeerIke proposals add ProposalName Ike proposals addIke proposals delete Proposalnamea New name for an IKE proposal.bIke proposals list Ike proposals listProposalnamea Name of the IKE proposal to delete.b Ike proposals delete myikeproposalNo DH group is used Ike proposals set dhgroupIke proposals set dhgroup none 1 2 proposalname Use DH groupIke proposals set lifetime Use 3DES 168-bit encryption if 3DES encryption is enabledIke proposals set encryption Use DES 56-bit encryptionIke proposals set messageauth none md5 sha1 proposalName Ike proposals set messageauthMaximum number of seconds before renegotiation Ike proposals set lifetime 86400 myikeproposalIke proposals set sessionauth Ipsec add saname IPSec CommandsIpsec add Sanamea Name for the new IPSec SA.bSanamea Name of the IPSec SA to be disabled.b Ipsec disableDisables a defined IPSec security association entry Ipsec deleteSanamea Name of the IPSec SA to be enabled.b Ipsec enableIpsec enable saname Ipsec disable showrxIpsec flush Ipsec flushIpsec list Ipsec list sanameIpsec list Specifies the authentication key for the IPSec SA Ipsec set authenticationIpsec set authentication md5 sha1 saname Ipsec set authkeyDefines the direction of the IPSec SA Hexadecimal authentication keyIpsec set direction Ipsec set direction inbound outbound sanameIpsec set compression none lzs saname Ipsec set compressionIpsec set enckey Specifies the encryption key for the IPSec SAIpsec set encryption Defines the IP address of the IP gateway of the IPSec SA Ipsec set gatewayIpsec set ident Ipaddressa IP address of the IP gatewaySpid for the IPSec tunnel Ipsec set modeIpsec set mode tunnel transport saname Name of the IPSec SA. bAH authentication Ipsec set serviceIpsec set service esp ah both saname Use Both ESP encryption and authenticationDisplays the current voice rate and encoding type Lists the top-level voice or dsp commandsKeywords and a brief description of their function Clears the L2 control channel statisticsDsp ? / voice ? Dsp voice ?Selects the voice encoding method for all voice ports Typical response when entered with no parametersDsp ecode Sets encoding method to alawIs displayed Dsp jitterDsp jitter milliseconds Optional, Length of jitter buffer in millisecondsDsp provision Dsp vr Voice port to configureDsp save Dsp saveVoice profile profile Voice l2clearVoice l2stats Voice l2statsVoice l2stats Example response confirming the configuration changeVoice profile Voice profileMode Voice refreshcasVoice refreshcas active always An idle stateThis page intentionally left blank Attempting the next radius server, if configured Lists the supported radius commands and keyDeletes a configured radius server entry WordsRad ? Rad ?Rad deleteserver Rad deleteserver integerRad list secret Rad list secretRad list secret Rad list server Rad list serverRad list server Rad set retries Radius set serverRadius set secret Radius set timeoutAuthentication secret for the specified radius server Number of seconds between retry attemptsDeletes an access path from the specified user ac Adds an access privilege to for the specified userConfigures the managements class with read-only Disables an existing user accountAdmin R Displays the contents of the user account data BaseLists the characteristics of the pre-defined user Templates User ?Adds user access through the WAN connection User add accessAdds user access through a LAN connection Adds user access through the console serial portUser add class User add user username password template enable disable User add userRemoves user access through a LAN connection User delete accessUser delete access lan wan console username Removes user access through the WAN connectionUser delete class mgtclass read write username Enabled for read-onlyUser delete class Must be one of the followingUser delete user User delete class admin write Admin1User delete class voice read Admin1 User delete user username1 username2 usernameNUser delete user Admin1 staff001 User disableUser disable username User disable VoiceAdminUser enable Admin1 User enableUser enable username User listUser list User list lookup User list lookupUser list template Displays the pre-defined user template informationEfficient Networks User set lookup User setpassword username newpassword User set passwordChanges the password of an existing user account Newpassworda New password for the user accountThis page intentionally left blank Deletes a feature key from the key-enabled feature Lists the supported key commandsValidates and adds a key to the key-enabled fea Ture databaseUnrevokes a revoked feature key Disables a key-enabled featureRevokes a key-enabled feature key Updates the expiration date of an expired feature KeyKey add keystring Example response when adding a key for L2TPKey add Example response when deleting the key for Radius Key delete featurenameFeaturenamea Name of the feature to be deleted.b Key deleteFeaturename Name of the feature to be disabled.a Key disableKey disable featurename Key disable l2tpFeaturenamea Name of the feature to be enabled.b Key enableKey enable featurename Key listInstalled Typical response with the -lparameter is shown belowKey revoke Key revoke featureFeaturenamea Name of the feature key to be revoked Key unrevokeKeystringa Key string for the feature Key updateKey update keystring Key unrevoke keystringThis page intentionally left blank Enables or disables transmission of unsolicited Disables Snmp access from the specified interEnables Snmp access from the specified inter Sets an authentication password for an SnmpSnmp ? Snmp ?Snmp addsnmpfilter Snmp addstrapdest ip addr Snmp addtrapdestSnmp addsnmpfilter first ip addr last ip addr lan IP address of the trap managerSnmp community name Snmp communitySnmp community snmp community name Following example sets the Snmp community name to iadsSnmp delsnmpfilter Snmp delsnmpfilter first ip addr last ip addr lanSnmp deltrapdest Snmp disablesnmpifSnmp disablesnmpif wanlan Snmp deltrapdest ip addrSnmp enablesnmpif wanlan Snmp enablesnmpifWan lan Interface from which Snmp access will be disabled Wan lan Interface from which Snmp access will be enabledSnmp list Snmp settrapenableSnmp settrapenable on off Snmp listSnmp Manager authentication password Enables trap event message transmissionCurrent password Example response when a password parameter is enteredSnmp snmpport default disabled port Snmp snmpportEnables or disables the stateful firewall function Displays the current stateful firewall settingsConfigured rules Due to firewall rules that when exceeded, will logSets the threshold value for the number of SYN Firewall ?Sets the threshold value for the number of Icmp Sets the threshold value for the number of UDPFirewall allow protocol application parameters Packets must match the assigned application characteristicsFirewall allow Packet must have the specified protocolExamples Firewall allow -a FTP -sa 192.168.1.34 -d out Firewall -a netmeeting -sa 192.168.1.23 -d outIndicates the specified rule is in the deny rules list Firewall clearcounterIndicates the specified rule is in the allow rules list Firewall clearcounter 13 allowFirewall clearcounter all Firewall clearcounter allFirewall delete Firewall delete all allow deny Example command deletes rule 3 from the deny rules listFirewall delete all Will delete all rules from the allow rules listFirewall delete all allow Firewall denyFirewall deny protocol application parameters Both Firewall list allow deny Command entered with no parametersFirewall list Optional parameter will display only allow rules listFirewall modify allow deny number parameter Command entered with the optional allow parameterFirewall modify Following identifies the firewall rule to be modifiedModifies the source IP address or specified address range Specifies the protocol a packet must haveModifies the firewall rule type Modifies the specified source ip maskFirewall set Enables the firewall as currently configuredDisables the firewall Firewall setdroppktthresholdThreshold value in packets per seconds Firewall seticmpfloodthresholdFirewall seticmpfloodthreshold number Firewall setdroppkthresholdFirewall setsynfloodthreshold Firewall setsynfloodthreshold numberFirewall setudpfloodthreshold number Firewall setudpfloodthresholdFirewall viewdroppkts Firewall viewdroppkts numberTypical response using the optional number parameter Firewall viewdroppktsNo messages are printed to the console or Syslog server Firewall watchFirewall watch on off This page intentionally left blank Configured SSH port List the supported SSH sub-commandsDisplays the current SSH configuration with the ex Sets the idle timeout period for SSH connectionsSsh ? Ssh ?Ssh keygen Generates the Private-Public key-pair for the local serverSsh list Ssh listSsh load privatekey Ssh load publickey tftp@server-addrpriv-key-fileKey file to load Ssh load publickeySsh load publickey TFTP@server-addrpub-key-file Ssh load privatekey tftp@192.168.13.174mykeySets the types of encryption the SSH connections will use Multiple types are allowed on the command lineSsh set encryption DES 56-bit encryptionIdle timeout period in seconds Ssh set idletimeoutSsh set idletimeout seconds Ssh set keepalive enable disableKeepalive messages are sent Ssh set keepalive enableSsh set mac Ssh set mac md5 sha1Ssh set rekey Enables and disables SSH server connectionsSsh set status enable disable Ssh set statusSsh set status enable Allows SSH connectionsThis page intentionally left blank Services field List the supported QoS commands and a brief deEnables and disables marking of the differentiated Scription of their functionsQos append Saves the current QoS configuration and QoS pol IciesQos ? Defines a proposal filtering parameter value for PolicyPolicy namea Specifies the QoS policy name to be added Specifies that all disabled QoS policies will be deletedQos del Specifies the QoS policy to be deletedQos diffserv Qos disableExample command that deletes all disabled QoS policies QOS will mark Diffserv field in IP headerQos enable policy name Qos enablePolicy namea Specifies the QoS policy to be disabled Specifies the QoS policy to be enabledQos del policy name insert before this policy Qos insertQos list Qos list policy nameQos list mypolicy3 LOWQos move policy name move to before this policy Qos moveQos movetoend Specifies the QoS policy to be movedQos off Qos offQos save Saves the current QoS feature and policy configurationsQos on Qos onQos set parameter policy name Specifies the priority, with normal the default valueQos set Specifies the incoming code point Specifies the outgoing code pointQueue Qos setweightQos setweight highmeduimnormallow weight This page intentionally left blank Disables the specified Ethernet port Lists the supported Switch sub-commandsSpecifies the aging time of the switch Configures port traffic mirroringSwitch ? help Switch ?Switch agetime Switch agetime secondsEthernet port to be disabled Switch blockSwitch block port Switch blockSwitch mirror capture 6 switch mirror map Switch mirror map Switch mirrorSwitch mirror on off capture port map port unmap port Switch status Switch statusDisplays the current port states for the Ethernet switch Switch mirror captureEthernet port to be enabled Switch unblockSwitch unblock port Switch status