Firewall allow

Efficient Networks® Router family	Chapter 18: Stateful Firewall Commands
Command Line Interface Guide

Creates a firewall rule that will be added to the firewall allow rules list. To view the current allow firewall rules, use the firewall list command.

NOTE:

If NAT is enabled on the router, then the outgoing firewall rules should be specified in terms of the private addresses. However, for inbound rules, the rules would need to use the router’s WAN address.

Mgmt Class

Security (R/W)

Input Format

firewall allow <protocol application> [<parameters>]

Parameters

The following parameters specify the <protocol> (-p) or <application> (-a) characteristics that a packet must have in order to match the firewall rule:

-p tcp udp icmp <protocol number>a

The packet must have the specified protocol.

-a imap telnet bootp nntp rpc tftp smtp dns ftp rexec rsh rlogin syslog winframe rdp http https ntp smb ras realaudio netmeeting aolim quicktime cuseeme netshow pptp nfs nis traceroute sqlnet ipsec

Packets must match the assigned application characteristics.

aInteger, numerical protocol ID.

The following <parameters> specify additional characteristics that an IP packet must have in order to match the firewall rule.

-sp <ICMP type> <first source port>[:<last source port>]

If the protocol is ICMP, the packet must match the specified ICMP type. If the pack- et is TCP or UDP, if only one source port is specified, the packet must have the specified port, or if a range is defined, a source port that is within the specified port range. If no source port is specified, the firewall rule matches any source port in the range 0 - 65535.

-dp <ICMP code> <first dest port>[:<last dest port>]

If the protocol is ICMP, the packet must match the specified ICMP code. If the pack- et is TCP or UDP, if only one port is specified, the packet must have the specified destination port, or if a range is defined, a port that is within the specified destina- tion port range. If no destination port is specified, the firewall rule matches any des- tination port in the range 0 - 65535.

-da <first dest ip addr>[:<last dest ip addr>]

Efficient Networks®

Page 18-3

Page 469

Image 469

Efficient Networks 107-0001-000 manual Firewall allow protocol application parameters

Contents

5RXWHUDPLO\ Efficient Networks Software License and Limited Warranty Limitations 001 12 Feb Revision HistoryRelease Contents File System Commands Contents Contents Eth ip directbcast Remote Commands Contents Contents WAN Interface Commands Dhcp Commands L2TP Commands L2tp set window -16 remote setl2tpclient -17 remote setlns Remote setpppoeservice -1 pppoe close -2 pppoe list Contents Voice Commands User Commands Stateful Firewall Commands Ssh set rekey -8 ssh set status -8 system sshport QoS Commands This page intentionally left blank How This Manual is Organized Introduction Accessing the Command Line Command ConventionsPassword Username Password change will be confirmed Re-enter the new password at the promptCommand line is now available for use Terminal Sessions Terminal Session under Windows HyperTerminal Data bits Parity None Stop bits Flow control Hardware Terminal Session for Macintosh or Unix Telnet Telnet Session for Remote Access Command Line via the Web Management Interface Resolution Protocol ARP table Lists the top-level commands and keywords and aMode is learning, listening, or forwarding Lists the contents of the bridge table Changes the current user password Lists the current services in the IPX SAPs tableInitiates a reboot of the system Enables Sntp requests Input Format ? or helpParameters Response Arp list Arp deleteMgmt Class Example Arp list Input Format ParametersVoice R Arp list Bi list Bi listBi list Voice R/W CallCall remotename Remotenamea Name of the target router Display when date is entered with parameters Display when date is entered with no parametersDate All R/W When entered with no parameters, same as erase all Admin R/WErase Ifs ExitAll R Voice R, Network R Typical response is shown below IpifsAn example of additional interfaces that may be displayed Ipifs Ipxroutes IproutesIproutes Ipxroutes Ipxsaps IpxsapsIpxroutes Ipxsaps Logout Logout System R, Debug R MemMem Mem Mlp summary Mlp summary Password old password new password PasswordAdmin101@console- password 1675309 lobster Ping Ping -I 192.168.254.254 Ping -c 2 -i 7 -s 34Ping -I 192.168.1.2 TID Name Bottom Current Size 1IDLE Reboot option Reboot Save User is prompted to verify the commandSave Disables Sntp requests Sntp disableSntp disable Sntp active When no parameter is entered, current offset is displayed Sntp enableSntp offset Itive number is east a negative number is west Sntp prefserver When entered with no number parameterSntp prefserver number Number of a server within the Sntp server list When entered while sntp function is currently disabled When entered with a number parameterWhen entered and no sntp preferred server is defined When entered and an sntp preferred server has been defined Requests the default server list Sntp server ipaddress default numberWhen entered with the default parameter Sntp server Tcp stats Tcp statsTypical response Tcp stats Time Network R/W, Debug R TracerouteDress as the source address Hop is listed in the output message Traceroute 172.17.20.1Traceroute -n Vers Vers Commands into the router This command loads batch files of configurationCopies a file from the source to the destination Deletes the specified file from the flash filesystem Examples CopyCopy srcfile dstfile Copy tftp@128.1.210.66kernelnw kernel.f2k Delete Admin R/W, System R/WRefer to examples for typical responses Delete filename Dir DirDir Execute filename Execute Format disk Following is an example of the format disk commandSystem R/W, Debug R/W Format disk Msfs fix MsfsMsfs Rename Following is an example rename commandSync Commits the changes made to the file system to Flash memory Lists the supported keywords Adds an address to the BootP server listRemaps a range of local-LAN IP addresses to a Range of public IP addresses on a system-wide ba Enables the Dial Backup option in the router Disables the Dial Backup option in the routerChanges the Dial Backup retry period Changes the Dial Backup stability period Removes an address from the BootP server list Lists the default modem settingsManages the system Http port access Lists the system settings for the target router Manages Snmp port access Enables and disables the secure mode functionManages SSH port access Manages Syslog port access System addbootpserver ipaddr System addbootpserverSystem ? System ? IP address of the server System addbootpserver System addhostmapping Security R/W System addhttpfilterSystem addhttpfilter first ip addr last ip addr lan Local Ethernet LAN System addiproutingtable Response Example System addserverSystem addiproutingtable 192.168.1.5 192.168.1.12 Rosa Rlogin port Action One of the following command actionsSelects the host with this IP address as server Discards the incoming server request System addsnmpfilter first ip addr last ip addr lan System addsnmpfilter System addsyslogfilter firstipaddr last ipaddr lan System addsyslogfilter System R/W System addsyslogserverSystem addsyslogserver ipaddr IP address to be added to the Syslog server address list System addtelnetfilter first ip addr last ip addr lan System addtelnetfilter Warded System addudprelayFirst port in the UDP port range to be created Incorporates all the available UDP ports in the new range System authen none pap chap System authenCally Chap is performed System backup add ipaddr gw dns group System backup addIP address to be added to the list Address Following command deletes the gateway address from group System backup deleteFollowing command deletes all addresses from group IP address to be deleted from the list Following command clears all addresses from the list System backup disableSystem backup disable System backup delete all all System backup enable System backup enable System backup pinginterval seconds group System backup pingintervalNumber of seconds in the ping interval for the group Optional, number of a group System backup pingsamples samples group System backup pingsamplesSystem backup pingsamples System backup pingsamples 0 System backup retry minutes System backup retryFollowing command changes the retry period to 60 minutes Following command changes the retry period to System backup successrate System backup stabilitySystem backup stability minutes Following command changes the stability period to 5 minutes System backup successrate percentage group System blocknetbiosdefaultSystem backup successrate System backup successrate 0 Sets the default to block all NetBIOS and NetBUI requests System blocknetbiosdefault yes noSystem community System community snmp community name System delbootpserver System default modemSystem defaultmodem System delbootpserver ipaddr all System delbootpserver Removes all addresses from the BootP server listSystem delbootpserver all System delhostmapping System deliproutingtable System delhttpfilterSystem delhttpfilter first ip addr last ip addr lan First IP address of the range Deletes an entry created by the system addserver command Following command deletes the virtual routing table RosaSystem delserver System deliproutingtable 192.168.1.5 192.168.1.6 Rosa Action One of the following command actions System delsnmpfilter first ip addr last ip addr lan System delsnmpfilterFirst IP address of the client range System delsyslogserver System delsyslogfilterSystem delsyslogfilter firstipaddr last ipaddr lan System delsyslogserver ipaddr System deltelnetfilter first ipaddr last ipaddr lan System deltelnetfilter System history System deludprelayDeletes all existing UDP ports Last port in the UDP port range to be deleted System history Following is a typical response This command sets the Http port to the default value System httpport default disabled portSystem httpport Cess System list System listFollowing is an example of a typical response System list System log start stop status System logInitiates monitoring activity Ture Following command selects pulse dialing Following command changes the string for the init settingSystem modem Enter one of the following options First ipaddra First IP address of the range to be moved System moveiproutingtable System msg System msg Configured on10/21/98System msg message Message a,b System name name System nameRouter name Name a,b System onewandialup on off System onewandialupTions Passworda,bAuthentication password of the target router System riptimerTimer value for RIP information exchange System passwd System securemode list System securemode set enable disableSystem securemode set Security R Typical response indicating the curent mode is displayed Disable Disables secure modeSystem securemode set cli System securemode set cli value System securemode set lan Mode is enabledSystem securemode set wan System securemode set lan trusted untrusted System securitytimer minutes System securitytimerSystem securemode set wan trusted untrusted Specifies the destination IP address to which the policy System selnat addpolicyWill be applied Policy will be applied System selnat list System selnat delpolicySystem selnat delpolicy policy number Number of the policy to be deleted System snmpport System snmpport default disabled port This command disables the existing Snmp port This command sets the Snmp port to the default valueThis command remaps the Snmp port to port System supporttrace System sshport System supporttrace Debug R/WSystem supporttrace === Processes === TID Name FL P Bottom Current Size 1IDLE DSP ATZ QA-LABPC === Interfaces === NW PRM Efficient Networks === END of Tech Support Data System syslogport System syslogport default disabled port This command disables the existing Syslog port This command sets the Syslog port to the default valueThis command remaps the syslog port to port System telnetport default disabled port Mote access Disables the existing Telnet portThis command sets the Telnet port to the default value This command disables the existing telnet port System wan2wanforwarding on System wan2wanforwardingLink Adds a logical interface onto an Ethernet port so That the router can provide service to multiple IPSubnets Deletes a logical interface from an Ethernet port Disables IP routing across the Ethernet LAN Removes a route from the default routing tableEnables IP routing across the Ethernet LAN Enables and disables Ethernet Firewall Filtering Enables IPX routing across the Ethernet LAN Disables IPX routing across the Ethernet LANClears the password in a Vrrp attribute record for Vrid Sets the IPX network number for the Ethernet LAN Connection Eth ? Eth ? Eth add port#logical# Eth addEth add Eth delete port#logical# Eth deleteEthernet interface from which logical port will be deleted Logical interface number to be deleted Typical usage Eth ip addhostmapping Eth ip addr ipaddr ipnetmask interface Eth ip addrEthernet LAN IP address IP network mask Eth ip addroute ipaddr ipnetmask gateway hops interface Eth ip addrouteIP address of the IP gateway Ethernet interface through which the packet is sent Eth ip addserver Eth ip bindroute Ethernet LAN IP address Eth ip defgateway ipaddr interface Eth ip defgateway Eth ip delhostmapping Eth ip addroute ipaddr ipnetmask interface Eth ip delrouteEth ip delroute 10.9.2.0 Eth ip delroute 10.1.3.0 255.255.255.0 Eth ip delserver Hypettext Transfer Protocol Http port Protocolid a Numerical protocol IDMP port Enables the forwarding of packets broadcast to a subnet Eth ip disableDisables the forwarding of packets broadcast to a subnet Eth ip directbcast Eth ip disable Eth ip enableEth ip enable Eth ip filter Eth ip filter command type action parameters interfaceEth ip filter append Eth ip filter insert Eth ip filter flush Eth ip filter deleteEth ip filter clear Eth ip filter delete type action parameters interface Eth ip filter list Eth ip filter checkEth ip filter watch Protocol TCP UDP Icmp Dp Icmp type first dest portlast dest port Eth ip filter flush input Eth ip firewall Disables the firewall filtering featureEth ip firewall on off list To be performed Ping -I 192.168.1.2 Eth ip mgmtEth ip mgmt ipaddr ipnetmask interface Eth ip options Eth ip mgmt 10.0.0.1 255.255.255.0 Save RebootEth ip options option on off interface OptionMust be one of the following Eth ip ripmulticastEth ip ripmulticast ipaddr Eth ip translate on off interface Eth ip translateEth ip translate on Eth ip translate off Eth ip unbindroute ipaddr tablename interface Eth ip unbindroute Eth ip vrid vrid interface Eth ip vrid Eth ipx addr Eth ipx disableEth ipx addr ipxnet port# Eth ip vrid 7 This command requires a reboot Eth ipx enableEth ipx disable port# Eth ipx enable port# Eth ipx frame Eth ipx enable typeEth list Eth list interface Eth list Global BRIDGING/ROUTING Settings Eth restart Eth mtuEth mtu size interface Eth restart interface Eth startInterfacea,b Logical Ethernet interface Eth start interface Interfacea,b Logical Ethernet interface Eth stop Eth vrrp add vrid port# Eth vrrp addEth vrrp add Eth vrrp add 2 Eth vrrp clear password vrid port# Eth vrrp clear passwordEth clear password Eth vrrp delete vrid port# Eth vrrp deleteEth vrrp delete Eth vrrp set multicast Eth vrrp listEth vrrp list port# Eth vrrp set multicast ipaddr Eth vrrp set optionEth vrrp multicast Tribute record was created by the command eth vrrp add Eth vrrp set passwordPreempt immediately Do not preempt a router with lower priority Password Eth vrrp set password password vrid port#Attribute record was created by the command eth vrrp add Eth vrrp set password AbCdEfGh Eth vrrp set priority priority vrid port# Eth vrrp set priority Eth vrrp set priority 255 Eth vrrp set timeintervalEth vrrp set priority 50 7 Time interval value in seconds Eth vrrp set timeinterval seconds vrid port#Virtual router ID of the Vrrp attribute record Eth vrrp set timeinterval 2 Removes the source routing option. Default value Eth ip remsrcrouteopt enable disableAdds the source routing option Remote Commands Remote bindipvirtualroute Remote disbridge Remote setcompression Remote setppppretrytimer Remote add Remote ?Adds a remote router entry into the remote router database Remotenamea Name of the tunnel. b Remote addbridge * macaddr remotename Remote addbridgeAll MAC addresses MAC address Remote addhostmapping Remote addiproute Examples Remote addIpxRoute ipxne# metric ticks remotename Remote addipxrouteIPX network number Network/station Remote addipxsap Name of serviceIPX node address Ers Remote addserver Sntp SmtpT120 Telnet Remote bindipvirtualroute Enter a gateway only if you are configuring a MER interfaceRoute Address of a router on the remote LAN Enables NetBIOS filtering Remote blocknetbiosDisables NetBIOS filtering Remote del Remote delbridge Remote delatmsnapATM forum encoding ITU E164 encoding Deletes encryption files associated with a remote router Remote delencryptionRemote delencryption remotename Remote deliproute Remote delhostmappingRemote deliproute ipaddr remotename Remote delIpxRoute ipxnet remotename Remote delipxroute Remote delipxsap Remote delipxSap servicename remotename Remote deloursysname Remote delourpasswdRemote delourpasswd remotename Remote deloursysname remotename Remote delserver Remote delphone Action One of the following command actions Remote disable remotename Remote disableRemote disauthen Remote disauthen remotename Remote disbridge remotename Remote disbridge Remote enable remotename Remote enableRemote enaauthen Remote enaAuthen remotename Remote enabridge Remote enablebridge remotename Remote ipfilter Remote ipfilter command type action parameters remotenameRemote ipfilter append Remote ipfilter insert Remote ipfilter flush Remote ipfilter deleteRemote ipfilter clear Remote ipfilter check Management Protocol error message For example, the commandRemote ipfilter list Remote ipfilter watch Protocol TCP UDP Icmp Tcp syn ack noflag rst Remote list remotename Remote listRemote ipfilter flush receive internet Remote ipfilter list input internet Are listed If entered with no parameters, all remote router entries Typical response when entered with no remotename parameter If entered with no parameters, bridge settings for all reRemote listbridge Mote routers entries are listed Remote listiproutes remotename Remote listiproutesDest Private Yes Remote listipxsaps Remote listipxroutesRemote listipxroutes remotename Remote listipxsaps remotename Remote listphones remotename Remote listphonesRem listipxsaps hq Rem listphones hq Remote setatmnsap Remote restartRemote restart remotename Remote setatmnasp atmf e164 partial full nsap remotename Remote setauthenNsap Remote setauthen protocol remotename Remote setBOD in out both remotename Remote setbod Any traffic, including PPPoE traffic. The default is off Default is onRemote setbroptions Remote setBrOptions option on off remotename Remote setbwthresh Default is 0, in which case, whenever data transmissionRemote setBWthresh threshold remotename Occurs, the maximum number of links is allocated Remote setcompression Disables compression negotiation. The default is offRemote setencryption They both share a common compression protocol Remote setEncryption DESE1KEYDESE2KEY filename remoteName Remote setipoptions option on off remotename Remote setipoptions Remote setipslaveppp Slave mode setting. The default is noUse periodic echo Remote setipslaveppp yes no remotename Remote setiptranslate Enables or disables NATRemote setipxaddr Remote setiptranslate on off remotename Remote setIpxOptions ripsap on off remotename Remote setipxoptions Remote setmaxline Default isRemote setmgmtipaddr Remote setMaxLine 1 2 remotename IP address Remote setmgmtipaddr ipaddr mask remotenameIP sub-network mask Remote setMinLine 0 PPPoEuser Remote settimer 600 PPPoEuser Is allocated for the connection only when needed.Remote setminline Remote setminline minlines remotename Remote setmtu size remotename Remote setmtuRemote setmtu 1400 HQ Remote setourpasswd Remote setourpasswd password remotenameRemote setoursysname Remote router Authentication password of the remote router Remote setpasswd password remotenameRemote setpasswd Remote setphone Remote setphone async 1 5552000&5554000 backup Remote setspeed 115200 async 2 backupRemote setPhone async isdn 1 2 phone# remotename Remote setpppoptions Desired setting for the optionRemote setpppoptions option on off remotename Use IPX RIP/SAP protocols Remote setpppretrytimer timervalue remotename Remote setppppretrytimerValue to Remote setprefer async fr hsd remotename Remote setpreferBers and bit rates in the remote profile Frame Relay Remote setPrefer async backup Remote list backup Remote setprotocol Remote setpvc vpi number*vci number remotename Remote setpvcVirtual Path ID number that identifies the link formed by Virtual path Remote setrmtipaddr ipaddr mask remotename Remote setrmtipaddrIP address of the remote router IP network mask of the remote router Remote setspeed Use the default speedBit rate to be used for the phone number Primary phone number Remote setsrcipaddr ipaddr mask remotename Remote setsrcipaddrTarget IP address of the WAN connection to the remote rout Remote settimer seconds remotename Remote settimerNumber of seconds in the timeout period Remote start remotename Remote start Remote stats remotename Remote statsTotal connect time +011148 Total bytes out 15896 Remote stop remotename Remote stop Remote unbindipvirtualroute ipaddr tablename remotename Remote unbindipvirtualrouteIP virtual routing table to which the route is removed Remote unbindIPVirtualRoute 10.1.2.0 Francisco HQ This page intentionally left blank WAN Interface Commands Adsl ? Adsl Commands Adsl speed Adsl restartAdsl restart Adsl speed Adsl stats clear Adsl statsStatistical information displayed Adsl speed Atm ? ATM CommandsAtm ? Typical response when entered with no parameter Following command requests the current speedAtm pcr Atm pcr cells/second Atm save Saves the ATM configuration settingsAtm speed Atm save Upstream speed requested in kilobits/second Remote setatmtrafficRemote setATMTraffic scr mbs remoteName Atm speed Remote setATMTraffic 0 0 HQ Sustained Cell Rate cells per secondRemote setATMtraffic 47 31 HQ Remote setATMtraffic 47 1 HQ Dmt ? DMT CommandsDmt ? Dmt link Dmt mode ansi notrellisansi uawg Dmt modeAnsi notrellisansi Selects the DMT mode used Dual-Ethernet Router ETH Commands Eth br disable Eth br enableEth br enable Eth br disable Eth br options option on off port# Eth br optionsEthernet port number Eth br options pppoeonly on Eth br options stp off Frame ? Frame CommandsFrame ? Selects bridging mode, default value Selects bridging modeFrame cmpplay Frame lmi Displays frame relay statistics Frame statsFrame stats Frame stats Displays the voice Dlci for voice routers Frame voiceFrame voice Gti ? GTI CommandsGti speed Gti speed Gti statsGti stats Gti speed GTI Adsl Version information is displayed Gti versionGti version Hdsl ? Hdsl CommandsHdsl ? Hdsl save Saves the HDSL-related changes across restarts and rebootsHdsl speed Hdsl save Sets the terminal operation mode to CO Sets the terminal operation mode to CPECommand example displaying current mode Hdsl terminal Idsl list Idsl CommandsIdsl list Typical response Idsl set speed Idsl saveIdsl save Idsl set speed 64 128 Remote setdlci Idsl set switchLink speed of 64 Kbps Link speed of 128 Kbps Frame Relay number identifying the data-link connection Remote setprotocolRemote setProtocol ppp fr mer remotename PPP protocol with no encapsulation Sdsl ? Sdsl CommandsSdsl ? Sdsl preact Disables pre-activationSdsl preact on off CPE end. a Sdsl speed Sdsl saveSdsl save Sdsl speed speed noauto See examples above This command example requests a line speed of 1152 Kb/sSdsl speed Sdsl terminal cpe co Sdsl terminalTerminal operation is displayed Sdsl terminal Shdsl Commands Shdsl ? Enables the selected annexShdsl annex Lists the supported Shdsl keywords Shdsl list Lists the current configuration of the G.shdsl interfaceShdsl list Shdsl list Shdsl margin Selects adaptive or fixed rate modeShdsl ratemode Noise margin in decibels Selects fixed mode Selects adaptive modeShdsl restart Current ratemode is displayed Shdsl speed Shdsl saveShdsl save Shdsl speed speed auto This command usage requests a line speed of 1096 Kb/sSpeed in Kbps Selects auto-speed detection Shdsl stats clear Shdsl statsShdsl stats Shdsl stats clear Shdsl terminal Shdsl terminal Displays the G.shdsl version level of the modem firmware Shdsl verShdsl ver Shdsl ver This page intentionally left blank Denies processing of a BootP request for a partic Allows a BootP request to be processed for a parSpecifies the boot file name kernel and the sub Lists the supported Dhcp keywords Disables a subnetwork or a client lease Specifies the Tftp server boot serverEnables a subnetwork or a client lease Clears the values from a pool of addresses Dhcp add Dhcp ?To define a subnetwork To define a client lease Command usage defining a client lease Command usage defining a subnetworkDhcp add Dhcp add 128 1 4 ipAddress Dhcp addrelay Command usage defining, then listing a Dhcp relay serverDhcp addrelay ipaddr Dhcp addrelay Dhcp bootp disallow Dhcp bootp allowIP address of the subnetwork lease IP address of the client lease Dhcp bootp file net ipaddr name Dhcp bootp fileName of the file to boot from Dhcp bootp tftpserver net ipaddr tftpserver ipaddr Dhcp bootp tftpserverDhcp clear addresses IP address of the Tftp server Dhcp clear all records Word records cannot be abbreviated in the commandDhcp clear expire Dhcp clear all records Ipaddra IP address of the subnetwork lease Dhcp clear valueoptionDhcp clear valueoption net ipaddr code User defined code c Example command usage deleting a client lease Example command to delete the defined subnetworkExample command deleting the user-defined option with code Dhcp del Dhcp disable all net ipaddr Dhcp disableDhcp delrelay Dhcp delrelay ipaddr all Disables all subnets Dhcp enableEnables all subnets IIP address of the subnetwork lease Dhcp list Following example command lists global informationLists global, subnetwork, and client lease information Dhcp list net ipaddr Gateway Following example command lists information for client Dhcp list definedoptions code string Dhcp list definedoptionsPredefined or user-defined number or keyword Character string Efficient Networks Dhcp list lease Dhcp list leaseDhcp list definedoptions ga Dhcp set expire ipaddr hours default infinite Default lease duration is displayedDhcp set addresses Dhcp set expire Dhcp set lease Example command sets lease time to infinite for this subnet Example command sets client lease time to the default valueDhcp set mask Dhcp set mask net mask Dhcp set otherserver net continue stop Dhcp set otherserver Lease Dhcp set valueoptionSubnetwork lease Code specifying the option to be set This page intentionally left blank Display of the current configuration settings for tun Configures the router to forward all incoming callsNels, except for the authentication password/se Lists the supported L2TP keywords Creates local router’s host name Creates a Chap secretCreates the host name of the remote tunnel Defines the type of L2TP support for the tunnel L2tp ? Example command adding the tunnel named PacingAtWorkL2tp add Tunnelnamea Name of the tunnel. b L2tp close L2tp callL2tp call tunnelname L2tp call PacingAtWork L2tp del Forward all incoming calls through the tunnel to an LNS L2tp forwardNo incoming calls are allowed to be forwarded through Tunnel to an LNS L2tp list tunnelname L2tp listTunnelname a Name of the tunnel. b L2tp list L2tp set address ipaddr tunnelname L2tp set addressIP address of the remote LAC or LNS Disables authentication Enables authenticationL2tp set authen L2tp set chapsecret L2tp set dialout Chap secret used to authenticate the creation of the tunnelL2tp set hiddenavp L2tp set dialout yes no tunnelname Disables hidden AVPs Allows the router hide AVPs. Default valueL2tp set ouraddress Source IP address used for this tunnel L2tp set oursysname L2tp set ourpasswordLenged by another router Name of the tunnel L2tp set remotename L2tp set ourtunnelnameName of the local router Tunnelnamea,b Name of the tunnel L2tp set type L2tp set wanif remote tunnelname L2tp set wanifLishing the L2TP tunnel L2tp set window Remote setl2tpclient tunnelnameremotename Remote setl2tpclientName of the remote entry Remote setLNS tunnelname remotename Remote setlns Lists the supported Bridge Filtering keywords Filter br ? Byte offset within a packet Filter br addHexadecimal number up to 6 bytes Allows forwarding of the packets Filter br del pos data allow deny Filter br delFilter br del 12 8035 deny Lists the bridging filters in the filtering database Filter br listFilter br list Filter br list Filter br use This page intentionally left blank Remote setpppoeservice Pppoe close ifsnumber Pppoe closeIfsnumber Session to be closed.a Lists information about the currently active PPPoE sessions Pppoe listPppoe list Pppoe list This page intentionally left blank IKE/IPSEC Commands Defines the pfs filtering parameter value for Policy Defines a peer filtering parameter value for the pol IcyDefines a proposal filtering parameter value for Defines a protocol filtering parameter value for Disables a defined IPSec security association SA Entry Message authentication doneLists the defined IKE peers Sets the local ID for the IKE peer connection Clears all IPSec definitions Enables a defined IPSec security association en TrySpecifies the identifier Spid for the IPSec tunnel Ike ipsec ? Ike commit Commit bit is not set. Default valueIke flush Displays help message Ike ipsec policies delete Ike ipsec policies addIke ipsec policies add policyname Policynamea New name for an IPsec policy.b Ike ipsec policies disable policyname Ike ipsec policies disableName of an existing IPsec policy. b Policynamea Name of an existing IPsec policy.b Ike ipsec policies enable policyname Ike ipsec policies enableIke ipsec policies enable mypolicy Ike ipsec policies list Ike ipsec policies list IKE IPSec policies mypolicy enabledIke ipsec policies list Ike ipsec policies set destport Ike ipsec policies set destIP address allowed to be the destination of the data Name of the IPsec policy to which the destination parameter Portnumber Telnet Http Snmp Tftp Policynamea Ike ipsec policies set interface interface all policyname Ike ipsec policies set interface Ike ipsec policies set mode tunnel transport policyname Ike ipsec policies set modeIke ipsec policies set interface backup corporate Ike ipsec policies set interface all mypolicy Ike ipsec policies set peer Name of the IPsec policy to which the encapsulation modeParameter value is added. a Ike ipsec policies set peer peerpame policyname Ike ipsec policies set pfs 1 2 none policyname Ike ipsec policies set pfsNegotiation Ike ipsec policies set pfs 2 mypolicy Ike ipsec policies set proposal proposalname policyname Ike ipsec policies set proposalIke ipsec policies set proposal myproposal mypolicy Ue is added. b Ike ipsec policies set protocol Ike ipsec policies set source ipaddress ipmask policyname Ike ipsec policies set sourceIP address allowed to be the source of the data Is added. c Ike ipsec policies set sourceport Ike ipsec policies set translate on off policyname Ike ipsec policies set translate Ike ipsec proposals add proposalname Ike ipsec proposals add Ike ipsec proposals delete proposalname Ike ipsec proposals deleteName of an existing IPsec proposal. b Ike ipsec proposals add myproposal Ike ipsec proposals list Ike ipsec proposals listIke ipsec proposals list Ike ipsec proposals set ahauth Use AH encapsulation and authenticate using hash algorithmIke ipsec proposals set ahauth md5 sha1 none proposalname Secure Hash Algorithm-1 No ESP encapsulation and no ESP message authentication. If Use ESP encapsulation and authenticate using hash algorithmAuth command Ike ipsec proposals set espauth Use ESP encapsulation and 56-bit encryption Ike ipsec proposals set espencUse ESP encapsulation and 168-bit encryption if 3DES is en Abled in the router Ike ipsec proposals set ipcomp Compress using the LZS algorithmIke ipsec proposals set lifedata Ike ipsec proposals set ipcomp none lzs proposalname Ike ipsec proposals set lifedata kbytes proposalname Ike ipsec proposals set lifetimeMeans unlimited Ike ipsec proposals set lifetime seconds proposalname Unlimited Ike peers addIke peers add peername Peernamea New name for an IKE peer.b Ike peers list Ike peers deleteIke peers delete peername Peernamea Name of the IKE peer to delete.b Ike peers set address ipaddress peername Ike peers set addressIke peers list IKE Peers Ike peers set localid aggressivemodeid peername Ike peers set localidIke peers set address 0.0.0.0 myaggressivepeer Example Response Ike peers set localidtypeName of the IKE peer whose local ID is specified. c Ike peers set localidtype ipaddr domainname email peername Ike peers set localidtype domainname myaggressivepeer Select main mode both ends constant Ike peers set modeSelects aggressive mode one end can change Name of the IKE peer whose mode is specified. b Ike peers set peeridtype Ike peers set peeridIke peers set peerid aggressivemodeid peername Name of the IKE peer whose peer ID is specified. c Ike peers set peeridtype ipaddr domainname email peername Ike peers set secretIke peers set secret secret peername Ike peers set peeridtype domainname myaggressivepeer Ike proposals delete Ike proposals addIke proposals add ProposalName Proposalnamea New name for an IKE proposal.b Proposalnamea Name of the IKE proposal to delete.b Ike proposals listIke proposals list Ike proposals delete myikeproposal Ike proposals set dhgroup none 1 2 proposalname Ike proposals set dhgroupNo DH group is used Use DH group Ike proposals set encryption Use 3DES 168-bit encryption if 3DES encryption is enabledIke proposals set lifetime Use DES 56-bit encryption Maximum number of seconds before renegotiation Ike proposals set messageauthIke proposals set messageauth none md5 sha1 proposalName Ike proposals set lifetime 86400 myikeproposal Ike proposals set sessionauth Ipsec add IPSec CommandsIpsec add saname Sanamea Name for the new IPSec SA.b Disables a defined IPSec security association entry Ipsec disableSanamea Name of the IPSec SA to be disabled.b Ipsec delete Ipsec enable saname Ipsec enableSanamea Name of the IPSec SA to be enabled.b Ipsec disable showrx Ipsec list Ipsec flushIpsec flush Ipsec list saname Ipsec list Ipsec set authentication md5 sha1 saname Ipsec set authenticationSpecifies the authentication key for the IPSec SA Ipsec set authkey Ipsec set direction Hexadecimal authentication keyDefines the direction of the IPSec SA Ipsec set direction inbound outbound saname Ipsec set enckey Ipsec set compressionIpsec set compression none lzs saname Specifies the encryption key for the IPSec SA Ipsec set encryption Ipsec set ident Ipsec set gatewayDefines the IP address of the IP gateway of the IPSec SA Ipaddressa IP address of the IP gateway Ipsec set mode tunnel transport saname Ipsec set modeSpid for the IPSec tunnel Name of the IPSec SA. b Ipsec set service esp ah both saname Ipsec set serviceAH authentication Use Both ESP encryption and authentication Keywords and a brief description of their function Lists the top-level voice or dsp commandsDisplays the current voice rate and encoding type Clears the L2 control channel statistics Dsp voice ? Dsp ? / voice ? Dsp ecode Typical response when entered with no parametersSelects the voice encoding method for all voice ports Sets encoding method to alaw Dsp jitter milliseconds Dsp jitterIs displayed Optional, Length of jitter buffer in milliseconds Dsp provision Dsp save Voice port to configureDsp vr Dsp save Voice l2stats Voice l2clearVoice profile profile Voice l2stats Voice profile Example response confirming the configuration changeVoice l2stats Voice profile Voice refreshcas active always Voice refreshcasMode An idle state This page intentionally left blank Deletes a configured radius server entry Lists the supported radius commands and keyAttempting the next radius server, if configured Words Rad deleteserver Rad ?Rad ? Rad deleteserver integer Rad list secret Rad list secretRad list secret Rad list server Rad list serverRad list server Radius set server Rad set retries Authentication secret for the specified radius server Radius set timeoutRadius set secret Number of seconds between retry attempts Configures the managements class with read-only Adds an access privilege to for the specified userDeletes an access path from the specified user ac Disables an existing user account Lists the characteristics of the pre-defined user Templates Displays the contents of the user account data BaseAdmin R User ? Adds user access through a LAN connection User add accessAdds user access through the WAN connection Adds user access through the console serial port User add class User add user User add user username password template enable disable User delete access lan wan console username User delete accessRemoves user access through a LAN connection Removes user access through the WAN connection User delete class Enabled for read-onlyUser delete class mgtclass read write username Must be one of the following User delete class voice read Admin1 User delete class admin write Admin1User delete user User delete user username1 username2 usernameN User disable username User disableUser delete user Admin1 staff001 User disable VoiceAdmin User enable username User enableUser enable Admin1 User list User list User list template User list lookupUser list lookup Displays the pre-defined user template information Efficient Networks User set lookup Changes the password of an existing user account User set passwordUser setpassword username newpassword Newpassworda New password for the user account This page intentionally left blank Validates and adds a key to the key-enabled fea Lists the supported key commandsDeletes a feature key from the key-enabled feature Ture database Revokes a key-enabled feature key Disables a key-enabled featureUnrevokes a revoked feature key Updates the expiration date of an expired feature Key Key add Example response when adding a key for L2TPKey add keystring Featurenamea Name of the feature to be deleted.b Key delete featurenameExample response when deleting the key for Radius Key delete Key disable featurename Key disableFeaturename Name of the feature to be disabled.a Key disable l2tp Key enable featurename Key enableFeaturenamea Name of the feature to be enabled.b Key list Typical response with the -lparameter is shown below Installed Featurenamea Name of the feature key to be revoked Key revoke featureKey revoke Key unrevoke Key update keystring Key updateKeystringa Key string for the feature Key unrevoke keystring This page intentionally left blank Enables Snmp access from the specified inter Disables Snmp access from the specified interEnables or disables transmission of unsolicited Sets an authentication password for an Snmp Snmp addsnmpfilter Snmp ?Snmp ? Snmp addsnmpfilter first ip addr last ip addr lan Snmp addtrapdestSnmp addstrapdest ip addr IP address of the trap manager Snmp community snmp community name Snmp communitySnmp community name Following example sets the Snmp community name to iads Snmp delsnmpfilter first ip addr last ip addr lan Snmp delsnmpfilter Snmp disablesnmpif wanlan Snmp disablesnmpifSnmp deltrapdest Snmp deltrapdest ip addr Wan lan Interface from which Snmp access will be disabled Snmp enablesnmpifSnmp enablesnmpif wanlan Wan lan Interface from which Snmp access will be enabled Snmp settrapenable on off Snmp settrapenableSnmp list Snmp list Current password Enables trap event message transmissionSnmp Manager authentication password Example response when a password parameter is entered Snmp snmpport Snmp snmpport default disabled port Configured rules Displays the current stateful firewall settingsEnables or disables the stateful firewall function Due to firewall rules that when exceeded, will log Sets the threshold value for the number of Icmp Firewall ?Sets the threshold value for the number of SYN Sets the threshold value for the number of UDP Firewall allow Packets must match the assigned application characteristicsFirewall allow protocol application parameters Packet must have the specified protocol Examples Firewall -a netmeeting -sa 192.168.1.23 -d out Firewall allow -a FTP -sa 192.168.1.34 -d out Indicates the specified rule is in the allow rules list Firewall clearcounterIndicates the specified rule is in the deny rules list Firewall clearcounter 13 allow Firewall delete Firewall clearcounter allFirewall clearcounter all Firewall delete all Example command deletes rule 3 from the deny rules listFirewall delete all allow deny Will delete all rules from the allow rules list Firewall deny protocol application parameters Firewall denyFirewall delete all allow Both Firewall list Command entered with no parametersFirewall list allow deny Optional parameter will display only allow rules list Firewall modify Command entered with the optional allow parameterFirewall modify allow deny number parameter Following identifies the firewall rule to be modified Modifies the firewall rule type Specifies the protocol a packet must haveModifies the source IP address or specified address range Modifies the specified source ip mask Disables the firewall Enables the firewall as currently configuredFirewall set Firewall setdroppktthreshold Firewall seticmpfloodthreshold number Firewall seticmpfloodthresholdThreshold value in packets per seconds Firewall setdroppkthreshold Firewall setsynfloodthreshold number Firewall setsynfloodthreshold Firewall viewdroppkts Firewall setudpfloodthresholdFirewall setudpfloodthreshold number Firewall viewdroppkts number Firewall viewdroppkts Typical response using the optional number parameter Firewall watch on off Firewall watchNo messages are printed to the console or Syslog server This page intentionally left blank Displays the current SSH configuration with the ex List the supported SSH sub-commandsConfigured SSH port Sets the idle timeout period for SSH connections Ssh keygen Ssh ?Ssh ? Generates the Private-Public key-pair for the local server Ssh load privatekey Ssh listSsh list Ssh load publickey tftp@server-addrpriv-key-file Ssh load publickey TFTP@server-addrpub-key-file Ssh load publickeyKey file to load Ssh load privatekey tftp@192.168.13.174mykey Ssh set encryption Multiple types are allowed on the command lineSets the types of encryption the SSH connections will use DES 56-bit encryption Ssh set idletimeout seconds Ssh set idletimeoutIdle timeout period in seconds Ssh set keepalive enable disable Ssh set mac Ssh set keepalive enableKeepalive messages are sent Ssh set mac md5 sha1 Ssh set status enable disable Enables and disables SSH server connectionsSsh set rekey Ssh set status Allows SSH connections Ssh set status enable This page intentionally left blank Enables and disables marking of the differentiated List the supported QoS commands and a brief deServices field Scription of their functions Qos ? Saves the current QoS configuration and QoS pol IciesQos append Defines a proposal filtering parameter value for Policy Qos del Specifies that all disabled QoS policies will be deletedPolicy namea Specifies the QoS policy name to be added Specifies the QoS policy to be deleted Example command that deletes all disabled QoS policies Qos disableQos diffserv QOS will mark Diffserv field in IP header Policy namea Specifies the QoS policy to be disabled Qos enableQos enable policy name Specifies the QoS policy to be enabled Qos list Qos insertQos del policy name insert before this policy Qos list policy name LOW Qos list mypolicy3 Qos movetoend Qos moveQos move policy name move to before this policy Specifies the QoS policy to be moved Qos off Qos off Qos on Saves the current QoS feature and policy configurationsQos save Qos on Qos set Specifies the priority, with normal the default valueQos set parameter policy name Specifies the outgoing code point Specifies the incoming code point Qos setweight highmeduimnormallow weight Qos setweightQueue This page intentionally left blank Specifies the aging time of the switch Lists the supported Switch sub-commandsDisables the specified Ethernet port Configures port traffic mirroring Switch agetime Switch ?Switch ? help Switch agetime seconds Switch block port Switch blockEthernet port to be disabled Switch block Switch mirror on off capture port map port unmap port Switch mirrorSwitch mirror capture 6 switch mirror map Switch mirror map Displays the current port states for the Ethernet switch Switch statusSwitch status Switch mirror capture Switch unblock port Switch unblockEthernet port to be enabled Switch status