Firewall ?

Chapter 18: Stateful Firewall Commands			Efficient Networks® Router family
			Command Line Interface Guide

	Table 18-1: Firewall Command Listing (Cont.)

	Command		Function


	firewall seticmpflood-	Sets the threshold value for the number of ICMP
	threshold	packets per second, which when exceeded, will
		cause the firewall to block any subsequent ICMP
		packets until the ICMP traffic drops below the
		threshold value.

	firewall setsynflood-	Sets the threshold value for the number of SYN
	threshold	packets per second, which when exceeded, will
		cause the firewall to block any subsequent SYN
		packets until the SYN traffic drops below the
		threshold value.

	firewall setudpflood-	Sets the threshold value for the number of UDP
	threshold	packets per second, which when exceeded, will
		cause the firewall to block any subsequent UDP
		packets until the UDP traffic drops below the
		threshold value.

	firewall viewdroppkts	Displays a listing of up to 200 of the most recent
		dropped packets.

	firewall watch	Enables and disables the console watch for firewall
		messages.

Lists the supported firewall keywords. To see the syntax for a command, enter the command followed by a ?.

Mgmt Class

Security (R)

Input Format

firewall ?

Parameters

None

Response

A listing of all the supported firewall commands and keywords with a brief description of their function.

Page 18-2

Efficient Networks®

Page 468

Image 468

Efficient Networks 107-0001-000 manual Firewall ?, Sets the threshold value for the number of Icmp

Contents

5RXWHUDPLO\ Efficient Networks Software License and Limited Warranty Limitations Revision History 001 12 FebRelease Contents File System Commands Contents Contents Remote Commands Eth ip directbcast Contents Contents WAN Interface Commands Dhcp Commands L2TP Commands Remote setpppoeservice -1 pppoe close -2 pppoe list L2tp set window -16 remote setl2tpclient -17 remote setlns Contents Voice Commands User Commands Stateful Firewall Commands QoS Commands Ssh set rekey -8 ssh set status -8 system sshport This page intentionally left blank Introduction How This Manual is Organized Command Conventions Accessing the Command LinePassword Username Re-enter the new password at the prompt Password change will be confirmedCommand line is now available for use Terminal Sessions Terminal Session under Windows HyperTerminal Data bits Parity None Stop bits Flow control Hardware Terminal Session for Macintosh or Unix Telnet Session for Remote Access Telnet Command Line via the Web Management Interface Lists the top-level commands and keywords and a Resolution Protocol ARP tableMode is learning, listening, or forwarding Lists the contents of the bridge table Lists the current services in the IPX SAPs table Changes the current user passwordInitiates a reboot of the system Enables Sntp requests ? or help Input FormatParameters Response Arp delete Arp listMgmt Class Example Input Format Parameters Arp listVoice R Arp list Bi list Bi listBi list Call Voice R/WCall remotename Remotenamea Name of the target router Display when date is entered with no parameters Display when date is entered with parametersDate All R/W Admin R/W When entered with no parameters, same as erase allErase Exit IfsAll R Voice R, Network R Ipifs Typical response is shown belowAn example of additional interfaces that may be displayed Ipifs Iproutes IpxroutesIproutes Ipxroutes Ipxsaps IpxsapsIpxroutes Ipxsaps Logout Logout Mem System R, Debug RMem Mem Mlp summary Mlp summary Password Password old password new passwordAdmin101@console- password 1675309 lobster Ping Ping -c 2 -i 7 -s 34 Ping -I 192.168.254.254Ping -I 192.168.1.2 TID Name Bottom Current Size 1IDLE Reboot Reboot option User is prompted to verify the command SaveSave Sntp disable Disables Sntp requestsSntp disable Sntp active Sntp enable When no parameter is entered, current offset is displayedSntp offset Itive number is east a negative number is west When entered with no number parameter Sntp prefserverSntp prefserver number Number of a server within the Sntp server list When entered with a number parameter When entered while sntp function is currently disabledWhen entered and no sntp preferred server is defined When entered and an sntp preferred server has been defined Sntp server ipaddress default number Requests the default server listWhen entered with the default parameter Sntp server Tcp stats Tcp statsTypical response Tcp stats Time Traceroute Network R/W, Debug RDress as the source address Hop is listed in the output message 172.17.20.1 TracerouteTraceroute -n Vers Vers This command loads batch files of configuration Commands into the routerCopies a file from the source to the destination Deletes the specified file from the flash filesystem Copy ExamplesCopy srcfile dstfile Copy tftp@128.1.210.66kernelnw kernel.f2k Admin R/W, System R/W DeleteRefer to examples for typical responses Delete filename Dir DirDir Execute Execute filename Following is an example of the format disk command Format diskSystem R/W, Debug R/W Format disk Msfs Msfs fixMsfs Following is an example rename command RenameSync Commits the changes made to the file system to Flash memory Adds an address to the BootP server list Lists the supported keywordsRemaps a range of local-LAN IP addresses to a Range of public IP addresses on a system-wide ba Disables the Dial Backup option in the router Enables the Dial Backup option in the routerChanges the Dial Backup retry period Changes the Dial Backup stability period Lists the default modem settings Removes an address from the BootP server listManages the system Http port access Lists the system settings for the target router Enables and disables the secure mode function Manages Snmp port accessManages SSH port access Manages Syslog port access System addbootpserver System addbootpserver ipaddrSystem ? System ? System addbootpserver IP address of the server System addhostmapping System addhttpfilter Security R/WSystem addhttpfilter first ip addr last ip addr lan Local Ethernet LAN System addiproutingtable System addserver Response ExampleSystem addiproutingtable 192.168.1.5 192.168.1.12 Rosa Action One of the following command actions Rlogin portSelects the host with this IP address as server Discards the incoming server request System addsnmpfilter System addsnmpfilter first ip addr last ip addr lan System addsyslogfilter System addsyslogfilter firstipaddr last ipaddr lan System addsyslogserver System R/WSystem addsyslogserver ipaddr IP address to be added to the Syslog server address list System addtelnetfilter System addtelnetfilter first ip addr last ip addr lan System addudprelay WardedFirst port in the UDP port range to be created Incorporates all the available UDP ports in the new range System authen System authen none pap chapCally Chap is performed System backup add System backup add ipaddr gw dns groupIP address to be added to the list Address System backup delete Following command deletes the gateway address from groupFollowing command deletes all addresses from group IP address to be deleted from the list System backup disable Following command clears all addresses from the listSystem backup disable System backup delete all all System backup enable System backup enable System backup pinginterval System backup pinginterval seconds groupNumber of seconds in the ping interval for the group Optional, number of a group System backup pingsamples System backup pingsamples samples groupSystem backup pingsamples System backup pingsamples 0 System backup retry System backup retry minutesFollowing command changes the retry period to 60 minutes Following command changes the retry period to System backup stability System backup successrateSystem backup stability minutes Following command changes the stability period to 5 minutes System blocknetbiosdefault System backup successrate percentage groupSystem backup successrate System backup successrate 0 System blocknetbiosdefault yes no Sets the default to block all NetBIOS and NetBUI requestsSystem community System community snmp community name System default modem System delbootpserverSystem defaultmodem System delbootpserver ipaddr all Removes all addresses from the BootP server list System delbootpserverSystem delbootpserver all System delhostmapping System delhttpfilter System deliproutingtableSystem delhttpfilter first ip addr last ip addr lan First IP address of the range Following command deletes the virtual routing table Rosa Deletes an entry created by the system addserver commandSystem delserver System deliproutingtable 192.168.1.5 192.168.1.6 Rosa Action One of the following command actions System delsnmpfilter System delsnmpfilter first ip addr last ip addr lanFirst IP address of the client range System delsyslogfilter System delsyslogserverSystem delsyslogfilter firstipaddr last ipaddr lan System delsyslogserver ipaddr System deltelnetfilter System deltelnetfilter first ipaddr last ipaddr lan System deludprelay System historyDeletes all existing UDP ports Last port in the UDP port range to be deleted Following is a typical response System history System httpport default disabled port This command sets the Http port to the default valueSystem httpport Cess System list System listFollowing is an example of a typical response System list System log System log start stop statusInitiates monitoring activity Ture Following command changes the string for the init setting Following command selects pulse dialingSystem modem Enter one of the following options System moveiproutingtable First ipaddra First IP address of the range to be moved System msg Configured on10/21/98 System msgSystem msg message Message a,b System name System name nameRouter name Name a,b System onewandialup System onewandialup on offTions System riptimer Passworda,bAuthentication password of the target routerTimer value for RIP information exchange System passwd System securemode set enable disable System securemode listSystem securemode set Security R Disable Disables secure mode Typical response indicating the curent mode is displayedSystem securemode set cli System securemode set cli value Mode is enabled System securemode set lanSystem securemode set wan System securemode set lan trusted untrusted System securitytimer System securitytimer minutesSystem securemode set wan trusted untrusted System selnat addpolicy Specifies the destination IP address to which the policyWill be applied Policy will be applied System selnat delpolicy System selnat listSystem selnat delpolicy policy number Number of the policy to be deleted System snmpport default disabled port System snmpport This command sets the Snmp port to the default value This command disables the existing Snmp portThis command remaps the Snmp port to port System sshport System supporttrace Debug R/W System supporttraceSystem supporttrace === Processes === TID Name FL P Bottom Current Size 1IDLE DSP ATZ QA-LABPC === Interfaces === NW PRM Efficient Networks === END of Tech Support Data System syslogport default disabled port System syslogport This command sets the Syslog port to the default value This command disables the existing Syslog portThis command remaps the syslog port to port System telnetport default disabled port Disables the existing Telnet port Mote accessThis command sets the Telnet port to the default value This command disables the existing telnet port System wan2wanforwarding System wan2wanforwarding onLink That the router can provide service to multiple IP Adds a logical interface onto an Ethernet port soSubnets Deletes a logical interface from an Ethernet port Removes a route from the default routing table Disables IP routing across the Ethernet LANEnables IP routing across the Ethernet LAN Enables and disables Ethernet Firewall Filtering Disables IPX routing across the Ethernet LAN Enables IPX routing across the Ethernet LANClears the password in a Vrrp attribute record for Vrid Sets the IPX network number for the Ethernet LAN Connection Eth ? Eth ? Eth add Eth add port#logical#Eth add Eth delete Eth delete port#logical#Ethernet interface from which logical port will be deleted Logical interface number to be deleted Eth ip addhostmapping Typical usage Eth ip addr Eth ip addr ipaddr ipnetmask interfaceEthernet LAN IP address IP network mask Eth ip addroute Eth ip addroute ipaddr ipnetmask gateway hops interfaceIP address of the IP gateway Ethernet interface through which the packet is sent Eth ip addserver Eth ip bindroute Ethernet LAN IP address Eth ip defgateway Eth ip defgateway ipaddr interface Eth ip delhostmapping Eth ip delroute Eth ip addroute ipaddr ipnetmask interfaceEth ip delroute 10.9.2.0 Eth ip delroute 10.1.3.0 255.255.255.0 Eth ip delserver Protocolid a Numerical protocol ID Hypettext Transfer Protocol Http portMP port Eth ip disable Enables the forwarding of packets broadcast to a subnetDisables the forwarding of packets broadcast to a subnet Eth ip directbcast Eth ip enable Eth ip disableEth ip enable Eth ip filter command type action parameters interface Eth ip filterEth ip filter append Eth ip filter insert Eth ip filter delete Eth ip filter flushEth ip filter clear Eth ip filter delete type action parameters interface Eth ip filter check Eth ip filter listEth ip filter watch Protocol TCP UDP Icmp Dp Icmp type first dest portlast dest port Eth ip filter flush input Disables the firewall filtering feature Eth ip firewallEth ip firewall on off list To be performed Eth ip mgmt Ping -I 192.168.1.2Eth ip mgmt ipaddr ipnetmask interface Eth ip mgmt 10.0.0.1 255.255.255.0 Save Reboot Eth ip optionsEth ip options option on off interface Eth ip ripmulticast OptionMust be one of the followingEth ip ripmulticast ipaddr Eth ip translate Eth ip translate on off interfaceEth ip translate on Eth ip translate off Eth ip unbindroute Eth ip unbindroute ipaddr tablename interface Eth ip vrid Eth ip vrid vrid interface Eth ipx disable Eth ipx addrEth ipx addr ipxnet port# Eth ip vrid 7 Eth ipx enable This command requires a rebootEth ipx disable port# Eth ipx enable port# Eth ipx enable type Eth ipx frameEth list Eth list interface Global BRIDGING/ROUTING Settings Eth list Eth mtu Eth restartEth mtu size interface Eth start Eth restart interfaceInterfacea,b Logical Ethernet interface Eth start interface Eth stop Interfacea,b Logical Ethernet interface Eth vrrp add Eth vrrp add vrid port#Eth vrrp add Eth vrrp add 2 Eth vrrp clear password Eth vrrp clear password vrid port#Eth clear password Eth vrrp delete Eth vrrp delete vrid port#Eth vrrp delete Eth vrrp list Eth vrrp set multicastEth vrrp list port# Eth vrrp set option Eth vrrp set multicast ipaddrEth vrrp multicast Eth vrrp set password Tribute record was created by the command eth vrrp addPreempt immediately Do not preempt a router with lower priority Eth vrrp set password password vrid port# PasswordAttribute record was created by the command eth vrrp add Eth vrrp set password AbCdEfGh Eth vrrp set priority Eth vrrp set priority priority vrid port# Eth vrrp set timeinterval Eth vrrp set priority 255Eth vrrp set priority 50 7 Eth vrrp set timeinterval seconds vrid port# Time interval value in secondsVirtual router ID of the Vrrp attribute record Eth vrrp set timeinterval 2 Eth ip remsrcrouteopt enable disable Removes the source routing option. Default valueAdds the source routing option Remote Commands Remote bindipvirtualroute Remote disbridge Remote setcompression Remote setppppretrytimer Remote ? Remote addAdds a remote router entry into the remote router database Remotenamea Name of the tunnel. b Remote addbridge Remote addbridge * macaddr remotenameAll MAC addresses MAC address Remote addhostmapping Remote addiproute Examples Remote addipxroute Remote addIpxRoute ipxne# metric ticks remotenameIPX network number Network/station Name of service Remote addipxsapIPX node address Ers Remote addserver Smtp SntpT120 Telnet Enter a gateway only if you are configuring a MER interface Remote bindipvirtualrouteRoute Address of a router on the remote LAN Remote blocknetbios Enables NetBIOS filteringDisables NetBIOS filtering Remote del Remote delatmsnap Remote delbridgeATM forum encoding ITU E164 encoding Remote delencryption Deletes encryption files associated with a remote routerRemote delencryption remotename Remote delhostmapping Remote deliprouteRemote deliproute ipaddr remotename Remote delipxroute Remote delIpxRoute ipxnet remotename Remote delipxSap servicename remotename Remote delipxsap Remote delourpasswd Remote deloursysnameRemote delourpasswd remotename Remote deloursysname remotename Remote delphone Remote delserver Action One of the following command actions Remote disable Remote disable remotenameRemote disauthen Remote disauthen remotename Remote disbridge Remote disbridge remotename Remote enable Remote enable remotenameRemote enaauthen Remote enaAuthen remotename Remote enablebridge remotename Remote enabridge Remote ipfilter command type action parameters remotename Remote ipfilterRemote ipfilter append Remote ipfilter insert Remote ipfilter delete Remote ipfilter flushRemote ipfilter clear Remote ipfilter check For example, the command Management Protocol error messageRemote ipfilter list Remote ipfilter watch Protocol TCP UDP Icmp Tcp syn ack noflag rst Remote list Remote list remotenameRemote ipfilter flush receive internet Remote ipfilter list input internet If entered with no parameters, all remote router entries Are listed If entered with no parameters, bridge settings for all re Typical response when entered with no remotename parameterRemote listbridge Mote routers entries are listed Remote listiproutes Remote listiproutes remotenameDest Private Yes Remote listipxroutes Remote listipxsapsRemote listipxroutes remotename Remote listipxsaps remotename Remote listphones Remote listphones remotenameRem listipxsaps hq Rem listphones hq Remote restart Remote setatmnsapRemote restart remotename Remote setauthen Remote setatmnasp atmf e164 partial full nsap remotenameNsap Remote setauthen protocol remotename Remote setbod Remote setBOD in out both remotename Default is on Any traffic, including PPPoE traffic. The default is offRemote setbroptions Remote setBrOptions option on off remotename Default is 0, in which case, whenever data transmission Remote setbwthreshRemote setBWthresh threshold remotename Occurs, the maximum number of links is allocated Disables compression negotiation. The default is off Remote setcompressionRemote setencryption They both share a common compression protocol Remote setEncryption DESE1KEYDESE2KEY filename remoteName Remote setipoptions Remote setipoptions option on off remotename Slave mode setting. The default is no Remote setipslavepppUse periodic echo Remote setipslaveppp yes no remotename Enables or disables NAT Remote setiptranslateRemote setipxaddr Remote setiptranslate on off remotename Remote setipxoptions Remote setIpxOptions ripsap on off remotename Default is Remote setmaxlineRemote setmgmtipaddr Remote setMaxLine 1 2 remotename Remote setmgmtipaddr ipaddr mask remotename IP addressIP sub-network mask Is allocated for the connection only when needed. Remote setMinLine 0 PPPoEuser Remote settimer 600 PPPoEuserRemote setminline Remote setminline minlines remotename Remote setmtu Remote setmtu size remotenameRemote setmtu 1400 HQ Remote setourpasswd password remotename Remote setourpasswdRemote setoursysname Remote router Remote setpasswd password remotename Authentication password of the remote routerRemote setpasswd Remote setphone Remote setspeed 115200 async 2 backup Remote setphone async 1 5552000&5554000 backupRemote setPhone async isdn 1 2 phone# remotename Desired setting for the option Remote setpppoptionsRemote setpppoptions option on off remotename Use IPX RIP/SAP protocols Remote setppppretrytimer Remote setpppretrytimer timervalue remotenameValue to Remote setprefer Remote setprefer async fr hsd remotenameBers and bit rates in the remote profile Frame Relay Remote setPrefer async backup Remote list backup Remote setprotocol Remote setpvc Remote setpvc vpi number*vci number remotenameVirtual Path ID number that identifies the link formed by Virtual path Remote setrmtipaddr Remote setrmtipaddr ipaddr mask remotenameIP address of the remote router IP network mask of the remote router Use the default speed Remote setspeedBit rate to be used for the phone number Primary phone number Remote setsrcipaddr Remote setsrcipaddr ipaddr mask remotenameTarget IP address of the WAN connection to the remote rout Remote settimer Remote settimer seconds remotenameNumber of seconds in the timeout period Remote start Remote start remotename Remote stats Remote stats remotenameTotal connect time +011148 Total bytes out 15896 Remote stop Remote stop remotename Remote unbindipvirtualroute Remote unbindipvirtualroute ipaddr tablename remotenameIP virtual routing table to which the route is removed Remote unbindIPVirtualRoute 10.1.2.0 Francisco HQ This page intentionally left blank WAN Interface Commands Adsl Commands Adsl ? Adsl restart Adsl speedAdsl restart Adsl speed Adsl stats Adsl stats clearStatistical information displayed Adsl speed ATM Commands Atm ?Atm ? Following command requests the current speed Typical response when entered with no parameterAtm pcr Atm pcr cells/second Saves the ATM configuration settings Atm saveAtm speed Atm save Remote setatmtraffic Upstream speed requested in kilobits/secondRemote setATMTraffic scr mbs remoteName Atm speed Sustained Cell Rate cells per second Remote setATMTraffic 0 0 HQRemote setATMtraffic 47 31 HQ Remote setATMtraffic 47 1 HQ DMT Commands Dmt ?Dmt ? Dmt link Dmt mode Dmt mode ansi notrellisansi uawgAnsi notrellisansi Selects the DMT mode used Dual-Ethernet Router ETH Commands Eth br enable Eth br disableEth br enable Eth br disable Eth br options Eth br options option on off port#Ethernet port number Eth br options stp off Eth br options pppoeonly on Frame Commands Frame ?Frame ? Selects bridging mode Selects bridging mode, default valueFrame cmpplay Frame lmi Frame stats Displays frame relay statisticsFrame stats Frame stats Frame voice Displays the voice Dlci for voice routersFrame voice GTI Commands Gti ?Gti speed Gti stats Gti speedGti stats Gti speed Gti version GTI Adsl Version information is displayedGti version Hdsl Commands Hdsl ?Hdsl ? Saves the HDSL-related changes across restarts and reboots Hdsl saveHdsl speed Hdsl save Sets the terminal operation mode to CPE Sets the terminal operation mode to COCommand example displaying current mode Hdsl terminal Idsl Commands Idsl listIdsl list Typical response Idsl save Idsl set speedIdsl save Idsl set speed 64 128 Idsl set switch Remote setdlciLink speed of 64 Kbps Link speed of 128 Kbps Remote setprotocol Frame Relay number identifying the data-link connectionRemote setProtocol ppp fr mer remotename PPP protocol with no encapsulation Sdsl Commands Sdsl ?Sdsl ? Disables pre-activation Sdsl preactSdsl preact on off CPE end. a Sdsl save Sdsl speedSdsl save Sdsl speed speed noauto This command example requests a line speed of 1152 Kb/s See examples aboveSdsl speed Sdsl terminal Sdsl terminal cpe coTerminal operation is displayed Sdsl terminal Shdsl Commands Enables the selected annex Shdsl ?Shdsl annex Lists the supported Shdsl keywords Lists the current configuration of the G.shdsl interface Shdsl listShdsl list Shdsl list Selects adaptive or fixed rate mode Shdsl marginShdsl ratemode Noise margin in decibels Selects adaptive mode Selects fixed modeShdsl restart Current ratemode is displayed Shdsl save Shdsl speedShdsl save This command usage requests a line speed of 1096 Kb/s Shdsl speed speed autoSpeed in Kbps Selects auto-speed detection Shdsl stats Shdsl stats clearShdsl stats Shdsl stats clear Shdsl terminal Shdsl terminal Shdsl ver Displays the G.shdsl version level of the modem firmwareShdsl ver Shdsl ver This page intentionally left blank Allows a BootP request to be processed for a par Denies processing of a BootP request for a particSpecifies the boot file name kernel and the sub Lists the supported Dhcp keywords Specifies the Tftp server boot server Disables a subnetwork or a client leaseEnables a subnetwork or a client lease Clears the values from a pool of addresses Dhcp ? Dhcp addTo define a subnetwork To define a client lease Command usage defining a subnetwork Command usage defining a client leaseDhcp add Dhcp add 128 1 4 ipAddress Command usage defining, then listing a Dhcp relay server Dhcp addrelayDhcp addrelay ipaddr Dhcp addrelay Dhcp bootp allow Dhcp bootp disallowIP address of the subnetwork lease IP address of the client lease Dhcp bootp file Dhcp bootp file net ipaddr nameName of the file to boot from Dhcp bootp tftpserver Dhcp bootp tftpserver net ipaddr tftpserver ipaddrDhcp clear addresses IP address of the Tftp server Word records cannot be abbreviated in the command Dhcp clear all recordsDhcp clear expire Dhcp clear all records Dhcp clear valueoption Ipaddra IP address of the subnetwork leaseDhcp clear valueoption net ipaddr code User defined code c Example command to delete the defined subnetwork Example command usage deleting a client leaseExample command deleting the user-defined option with code Dhcp del Dhcp disable Dhcp disable all net ipaddrDhcp delrelay Dhcp delrelay ipaddr all Dhcp enable Disables all subnetsEnables all subnets IIP address of the subnetwork lease Following example command lists global information Dhcp listLists global, subnetwork, and client lease information Dhcp list net ipaddr Following example command lists information for client Gateway Dhcp list definedoptions Dhcp list definedoptions code stringPredefined or user-defined number or keyword Character string Efficient Networks Dhcp list lease Dhcp list leaseDhcp list definedoptions ga Default lease duration is displayed Dhcp set expire ipaddr hours default infiniteDhcp set addresses Dhcp set expire Dhcp set lease Example command sets client lease time to the default value Example command sets lease time to infinite for this subnetDhcp set mask Dhcp set mask net mask Dhcp set otherserver Dhcp set otherserver net continue stop Dhcp set valueoption LeaseSubnetwork lease Code specifying the option to be set This page intentionally left blank Configures the router to forward all incoming calls Display of the current configuration settings for tunNels, except for the authentication password/se Lists the supported L2TP keywords Creates a Chap secret Creates local router’s host nameCreates the host name of the remote tunnel Defines the type of L2TP support for the tunnel Example command adding the tunnel named PacingAtWork L2tp ?L2tp add Tunnelnamea Name of the tunnel. b L2tp call L2tp closeL2tp call tunnelname L2tp call PacingAtWork L2tp del L2tp forward Forward all incoming calls through the tunnel to an LNSNo incoming calls are allowed to be forwarded through Tunnel to an LNS L2tp list L2tp list tunnelnameTunnelname a Name of the tunnel. b L2tp list L2tp set address L2tp set address ipaddr tunnelnameIP address of the remote LAC or LNS Enables authentication Disables authenticationL2tp set authen L2tp set chapsecret Chap secret used to authenticate the creation of the tunnel L2tp set dialoutL2tp set hiddenavp L2tp set dialout yes no tunnelname Allows the router hide AVPs. Default value Disables hidden AVPsL2tp set ouraddress Source IP address used for this tunnel L2tp set ourpassword L2tp set oursysnameLenged by another router Name of the tunnel L2tp set ourtunnelname L2tp set remotenameName of the local router Tunnelnamea,b Name of the tunnel L2tp set type L2tp set wanif L2tp set wanif remote tunnelnameLishing the L2TP tunnel L2tp set window Remote setl2tpclient Remote setl2tpclient tunnelnameremotenameName of the remote entry Remote setlns Remote setLNS tunnelname remotename Filter br ? Lists the supported Bridge Filtering keywords Filter br add Byte offset within a packetHexadecimal number up to 6 bytes Allows forwarding of the packets Filter br del Filter br del pos data allow denyFilter br del 12 8035 deny Filter br list Lists the bridging filters in the filtering databaseFilter br list Filter br list Filter br use This page intentionally left blank Remote setpppoeservice Pppoe close Pppoe close ifsnumberIfsnumber Session to be closed.a Pppoe list Lists information about the currently active PPPoE sessionsPppoe list Pppoe list This page intentionally left blank IKE/IPSEC Commands Defines a peer filtering parameter value for the pol Icy Defines the pfs filtering parameter value for PolicyDefines a proposal filtering parameter value for Defines a protocol filtering parameter value for Message authentication done Disables a defined IPSec security association SA EntryLists the defined IKE peers Sets the local ID for the IKE peer connection Enables a defined IPSec security association en Try Clears all IPSec definitionsSpecifies the identifier Spid for the IPSec tunnel Ike ipsec ? Commit bit is not set. Default value Ike commitIke flush Displays help message Ike ipsec policies add Ike ipsec policies deleteIke ipsec policies add policyname Policynamea New name for an IPsec policy.b Ike ipsec policies disable Ike ipsec policies disable policynameName of an existing IPsec policy. b Policynamea Name of an existing IPsec policy.b Ike ipsec policies enable Ike ipsec policies enable policynameIke ipsec policies enable mypolicy Ike ipsec policies list IKE IPSec policies mypolicy enabled Ike ipsec policies listIke ipsec policies list Ike ipsec policies set dest Ike ipsec policies set destportIP address allowed to be the destination of the data Name of the IPsec policy to which the destination parameter Portnumber Telnet Http Snmp Tftp Policynamea Ike ipsec policies set interface Ike ipsec policies set interface interface all policyname Ike ipsec policies set mode Ike ipsec policies set mode tunnel transport policynameIke ipsec policies set interface backup corporate Ike ipsec policies set interface all mypolicy Name of the IPsec policy to which the encapsulation mode Ike ipsec policies set peerParameter value is added. a Ike ipsec policies set peer peerpame policyname Ike ipsec policies set pfs Ike ipsec policies set pfs 1 2 none policynameNegotiation Ike ipsec policies set pfs 2 mypolicy Ike ipsec policies set proposal Ike ipsec policies set proposal proposalname policynameIke ipsec policies set proposal myproposal mypolicy Ike ipsec policies set protocol Ue is added. b Ike ipsec policies set source Ike ipsec policies set source ipaddress ipmask policynameIP address allowed to be the source of the data Is added. c Ike ipsec policies set sourceport Ike ipsec policies set translate Ike ipsec policies set translate on off policyname Ike ipsec proposals add Ike ipsec proposals add proposalname Ike ipsec proposals delete Ike ipsec proposals delete proposalnameName of an existing IPsec proposal. b Ike ipsec proposals add myproposal Ike ipsec proposals list Ike ipsec proposals listIke ipsec proposals list Use AH encapsulation and authenticate using hash algorithm Ike ipsec proposals set ahauthIke ipsec proposals set ahauth md5 sha1 none proposalname Secure Hash Algorithm-1 Use ESP encapsulation and authenticate using hash algorithm No ESP encapsulation and no ESP message authentication. IfAuth command Ike ipsec proposals set espauth Ike ipsec proposals set espenc Use ESP encapsulation and 56-bit encryptionUse ESP encapsulation and 168-bit encryption if 3DES is en Abled in the router Compress using the LZS algorithm Ike ipsec proposals set ipcompIke ipsec proposals set lifedata Ike ipsec proposals set ipcomp none lzs proposalname Ike ipsec proposals set lifetime Ike ipsec proposals set lifedata kbytes proposalnameMeans unlimited Ike ipsec proposals set lifetime seconds proposalname Ike peers add UnlimitedIke peers add peername Peernamea New name for an IKE peer.b Ike peers delete Ike peers listIke peers delete peername Peernamea Name of the IKE peer to delete.b Ike peers set address Ike peers set address ipaddress peernameIke peers list IKE Peers Ike peers set localid Ike peers set localid aggressivemodeid peernameIke peers set address 0.0.0.0 myaggressivepeer Ike peers set localidtype Example ResponseName of the IKE peer whose local ID is specified. c Ike peers set localidtype ipaddr domainname email peername Ike peers set localidtype domainname myaggressivepeer Ike peers set mode Select main mode both ends constantSelects aggressive mode one end can change Name of the IKE peer whose mode is specified. b Ike peers set peerid Ike peers set peeridtypeIke peers set peerid aggressivemodeid peername Name of the IKE peer whose peer ID is specified. c Ike peers set secret Ike peers set peeridtype ipaddr domainname email peernameIke peers set secret secret peername Ike peers set peeridtype domainname myaggressivepeer Ike proposals add Ike proposals deleteIke proposals add ProposalName Proposalnamea New name for an IKE proposal.b Ike proposals list Proposalnamea Name of the IKE proposal to delete.bIke proposals list Ike proposals delete myikeproposal Ike proposals set dhgroup Ike proposals set dhgroup none 1 2 proposalnameNo DH group is used Use DH group Use 3DES 168-bit encryption if 3DES encryption is enabled Ike proposals set encryptionIke proposals set lifetime Use DES 56-bit encryption Ike proposals set messageauth Maximum number of seconds before renegotiationIke proposals set messageauth none md5 sha1 proposalName Ike proposals set lifetime 86400 myikeproposal Ike proposals set sessionauth IPSec Commands Ipsec addIpsec add saname Sanamea Name for the new IPSec SA.b Ipsec disable Disables a defined IPSec security association entrySanamea Name of the IPSec SA to be disabled.b Ipsec delete Ipsec enable Ipsec enable sanameSanamea Name of the IPSec SA to be enabled.b Ipsec disable showrx Ipsec flush Ipsec listIpsec flush Ipsec list saname Ipsec list Ipsec set authentication Ipsec set authentication md5 sha1 sanameSpecifies the authentication key for the IPSec SA Ipsec set authkey Hexadecimal authentication key Ipsec set directionDefines the direction of the IPSec SA Ipsec set direction inbound outbound saname Ipsec set compression Ipsec set enckeyIpsec set compression none lzs saname Specifies the encryption key for the IPSec SA Ipsec set encryption Ipsec set gateway Ipsec set identDefines the IP address of the IP gateway of the IPSec SA Ipaddressa IP address of the IP gateway Ipsec set mode Ipsec set mode tunnel transport sanameSpid for the IPSec tunnel Name of the IPSec SA. b Ipsec set service Ipsec set service esp ah both sanameAH authentication Use Both ESP encryption and authentication Lists the top-level voice or dsp commands Keywords and a brief description of their functionDisplays the current voice rate and encoding type Clears the L2 control channel statistics Dsp ? / voice ? Dsp voice ? Typical response when entered with no parameters Dsp ecodeSelects the voice encoding method for all voice ports Sets encoding method to alaw Dsp jitter Dsp jitter millisecondsIs displayed Optional, Length of jitter buffer in milliseconds Dsp provision Voice port to configure Dsp saveDsp vr Dsp save Voice l2clear Voice l2statsVoice profile profile Voice l2stats Example response confirming the configuration change Voice profileVoice l2stats Voice profile Voice refreshcas Voice refreshcas active alwaysMode An idle state This page intentionally left blank Lists the supported radius commands and key Deletes a configured radius server entryAttempting the next radius server, if configured Words Rad ? Rad deleteserverRad ? Rad deleteserver integer Rad list secret Rad list secretRad list secret Rad list server Rad list serverRad list server Rad set retries Radius set server Radius set timeout Authentication secret for the specified radius serverRadius set secret Number of seconds between retry attempts Adds an access privilege to for the specified user Configures the managements class with read-onlyDeletes an access path from the specified user ac Disables an existing user account Displays the contents of the user account data Base Lists the characteristics of the pre-defined user TemplatesAdmin R User ? User add access Adds user access through a LAN connectionAdds user access through the WAN connection Adds user access through the console serial port User add class User add user username password template enable disable User add user User delete access User delete access lan wan console usernameRemoves user access through a LAN connection Removes user access through the WAN connection Enabled for read-only User delete classUser delete class mgtclass read write username Must be one of the following User delete class admin write Admin1 User delete class voice read Admin1User delete user User delete user username1 username2 usernameN User disable User disable usernameUser delete user Admin1 staff001 User disable VoiceAdmin User enable User enable usernameUser enable Admin1 User list User list User list lookup User list templateUser list lookup Displays the pre-defined user template information Efficient Networks User set lookup User set password Changes the password of an existing user accountUser setpassword username newpassword Newpassworda New password for the user account This page intentionally left blank Lists the supported key commands Validates and adds a key to the key-enabled feaDeletes a feature key from the key-enabled feature Ture database Disables a key-enabled feature Revokes a key-enabled feature keyUnrevokes a revoked feature key Updates the expiration date of an expired feature Key Example response when adding a key for L2TP Key addKey add keystring Key delete featurename Featurenamea Name of the feature to be deleted.bExample response when deleting the key for Radius Key delete Key disable Key disable featurenameFeaturename Name of the feature to be disabled.a Key disable l2tp Key enable Key enable featurenameFeaturenamea Name of the feature to be enabled.b Key list Installed Typical response with the -lparameter is shown below Key revoke feature Featurenamea Name of the feature key to be revokedKey revoke Key unrevoke Key update Key update keystringKeystringa Key string for the feature Key unrevoke keystring This page intentionally left blank Disables Snmp access from the specified inter Enables Snmp access from the specified interEnables or disables transmission of unsolicited Sets an authentication password for an Snmp Snmp ? Snmp addsnmpfilterSnmp ? Snmp addtrapdest Snmp addsnmpfilter first ip addr last ip addr lanSnmp addstrapdest ip addr IP address of the trap manager Snmp community Snmp community snmp community nameSnmp community name Following example sets the Snmp community name to iads Snmp delsnmpfilter Snmp delsnmpfilter first ip addr last ip addr lan Snmp disablesnmpif Snmp disablesnmpif wanlanSnmp deltrapdest Snmp deltrapdest ip addr Snmp enablesnmpif Wan lan Interface from which Snmp access will be disabledSnmp enablesnmpif wanlan Wan lan Interface from which Snmp access will be enabled Snmp settrapenable Snmp settrapenable on offSnmp list Snmp list Enables trap event message transmission Current passwordSnmp Manager authentication password Example response when a password parameter is entered Snmp snmpport default disabled port Snmp snmpport Displays the current stateful firewall settings Configured rulesEnables or disables the stateful firewall function Due to firewall rules that when exceeded, will log Firewall ? Sets the threshold value for the number of IcmpSets the threshold value for the number of SYN Sets the threshold value for the number of UDP Packets must match the assigned application characteristics Firewall allowFirewall allow protocol application parameters Packet must have the specified protocol Examples Firewall allow -a FTP -sa 192.168.1.34 -d out Firewall -a netmeeting -sa 192.168.1.23 -d out Firewall clearcounter Indicates the specified rule is in the allow rules listIndicates the specified rule is in the deny rules list Firewall clearcounter 13 allow Firewall clearcounter all Firewall deleteFirewall clearcounter all Example command deletes rule 3 from the deny rules list Firewall delete allFirewall delete all allow deny Will delete all rules from the allow rules list Firewall deny Firewall deny protocol application parametersFirewall delete all allow Both Command entered with no parameters Firewall listFirewall list allow deny Optional parameter will display only allow rules list Command entered with the optional allow parameter Firewall modifyFirewall modify allow deny number parameter Following identifies the firewall rule to be modified Specifies the protocol a packet must have Modifies the firewall rule typeModifies the source IP address or specified address range Modifies the specified source ip mask Enables the firewall as currently configured Disables the firewallFirewall set Firewall setdroppktthreshold Firewall seticmpfloodthreshold Firewall seticmpfloodthreshold numberThreshold value in packets per seconds Firewall setdroppkthreshold Firewall setsynfloodthreshold Firewall setsynfloodthreshold number Firewall setudpfloodthreshold Firewall viewdroppktsFirewall setudpfloodthreshold number Firewall viewdroppkts number Typical response using the optional number parameter Firewall viewdroppkts Firewall watch Firewall watch on offNo messages are printed to the console or Syslog server This page intentionally left blank List the supported SSH sub-commands Displays the current SSH configuration with the exConfigured SSH port Sets the idle timeout period for SSH connections Ssh ? Ssh keygenSsh ? Generates the Private-Public key-pair for the local server Ssh list Ssh load privatekeySsh list Ssh load publickey tftp@server-addrpriv-key-file Ssh load publickey Ssh load publickey TFTP@server-addrpub-key-fileKey file to load Ssh load privatekey tftp@192.168.13.174mykey Multiple types are allowed on the command line Ssh set encryptionSets the types of encryption the SSH connections will use DES 56-bit encryption Ssh set idletimeout Ssh set idletimeout secondsIdle timeout period in seconds Ssh set keepalive enable disable Ssh set keepalive enable Ssh set macKeepalive messages are sent Ssh set mac md5 sha1 Enables and disables SSH server connections Ssh set status enable disableSsh set rekey Ssh set status Ssh set status enable Allows SSH connections This page intentionally left blank List the supported QoS commands and a brief de Enables and disables marking of the differentiatedServices field Scription of their functions Saves the current QoS configuration and QoS pol Icies Qos ?Qos append Defines a proposal filtering parameter value for Policy Specifies that all disabled QoS policies will be deleted Qos delPolicy namea Specifies the QoS policy name to be added Specifies the QoS policy to be deleted Qos disable Example command that deletes all disabled QoS policiesQos diffserv QOS will mark Diffserv field in IP header Qos enable Policy namea Specifies the QoS policy to be disabledQos enable policy name Specifies the QoS policy to be enabled Qos insert Qos listQos del policy name insert before this policy Qos list policy name Qos list mypolicy3 LOW Qos move Qos movetoendQos move policy name move to before this policy Specifies the QoS policy to be moved Qos off Qos off Saves the current QoS feature and policy configurations Qos onQos save Qos on Specifies the priority, with normal the default value Qos setQos set parameter policy name Specifies the incoming code point Specifies the outgoing code point Qos setweight Qos setweight highmeduimnormallow weightQueue This page intentionally left blank Lists the supported Switch sub-commands Specifies the aging time of the switchDisables the specified Ethernet port Configures port traffic mirroring Switch ? Switch agetimeSwitch ? help Switch agetime seconds Switch block Switch block portEthernet port to be disabled Switch block Switch mirror Switch mirror on off capture port map port unmap portSwitch mirror capture 6 switch mirror map Switch mirror map Switch status Displays the current port states for the Ethernet switchSwitch status Switch mirror capture Switch unblock Switch unblock portEthernet port to be enabled Switch status

Sets the threshold value for the number of ICMP

Sets the threshold value for the number of SYN

Sets the threshold value for the number of UDP

firewall ?

Mgmt Class

Security (R)

Input Format

firewall ?

Parameters

Response

Efficient Networks®