Firewall deny

Efficient Networks® Router family	Chapter 18: Stateful Firewall Commands
Command Line Interface Guide

Example

Example command deletes all firewall rules from the allow rules list.

-> firewall delete all allow

Response

Command prompt.

Creates a firewall rule that will be added to the firewall deny rules list. To view the current deny firewall rules, use the firewall list command.

NOTE:

If NAT is enabled on the router, then the outgoing firewall rules should be specified in terms of the private addresses. However, for inbound rules, the rules would need to use the router’s WAN address.

Mgmt Class

Security (R/W)

Input Format

firewall deny <protocol application> [<parameters>]

Parameters

The following parameters specify the <protocol> (-p) or <application> (-a) characteristics that a packet must have in order to match the firewall rule:

-p tcp udp icmp <protocol number>a

The packet must have the specified protocol.

-a imap telnet bootp nntp rpc tftp smtp dns ftp rexec rsh rlogin syslog winframe rdp http htps ntp smb ras realaudio netmeeting aolim quicktime cuseme netshow pptp nfs nis traceroute sqlnet ipsec

Packets must match the assigned application characteristics.

aInteger, numerical protocol ID.

Efficient Networks®

Page 18-9

Page 475

Image 475

Efficient Networks 107-0001-000 manual Firewall deny protocol application parameters, Firewall delete all allow

Contents

5RXWHUDPLO\ Efficient Networks Software License and Limited Warranty Limitations 001 12 Feb Revision HistoryRelease Contents File System Commands Contents Contents Eth ip directbcast Remote Commands Contents Contents WAN Interface Commands Dhcp Commands L2TP Commands L2tp set window -16 remote setl2tpclient -17 remote setlns Remote setpppoeservice -1 pppoe close -2 pppoe list Contents Voice Commands User Commands Stateful Firewall Commands Ssh set rekey -8 ssh set status -8 system sshport QoS Commands This page intentionally left blank How This Manual is Organized Introduction Username Command ConventionsAccessing the Command Line Password Terminal Sessions Re-enter the new password at the promptPassword change will be confirmed Command line is now available for use Terminal Session under Windows HyperTerminal Data bits Parity None Stop bits Flow control Hardware Terminal Session for Macintosh or Unix Telnet Telnet Session for Remote Access Command Line via the Web Management Interface Lists the contents of the bridge table Lists the top-level commands and keywords and aResolution Protocol ARP table Mode is learning, listening, or forwarding Enables Sntp requests Lists the current services in the IPX SAPs tableChanges the current user password Initiates a reboot of the system Response ? or helpInput Format Parameters Example Arp deleteArp list Mgmt Class Arp list Input Format ParametersArp list Voice R Bi list Bi listBi list Remotenamea Name of the target router CallVoice R/W Call remotename All R/W Display when date is entered with no parametersDisplay when date is entered with parameters Date When entered with no parameters, same as erase all Admin R/WErase Voice R, Network R ExitIfs All R Ipifs IpifsTypical response is shown below An example of additional interfaces that may be displayed Ipxroutes IproutesIpxroutes Iproutes Ipxsaps IpxsapsIpxsaps Ipxroutes Logout Logout Mem MemSystem R, Debug R Mem Mlp summary Mlp summary Password old password new password PasswordAdmin101@console- password 1675309 lobster Ping Ping -I 192.168.254.254 Ping -c 2 -i 7 -s 34Ping -I 192.168.1.2 TID Name Bottom Current Size 1IDLE Reboot option Reboot Save User is prompted to verify the commandSave Sntp active Sntp disableDisables Sntp requests Sntp disable Itive number is east a negative number is west Sntp enableWhen no parameter is entered, current offset is displayed Sntp offset Number of a server within the Sntp server list When entered with no number parameterSntp prefserver Sntp prefserver number When entered and an sntp preferred server has been defined When entered with a number parameterWhen entered while sntp function is currently disabled When entered and no sntp preferred server is defined Sntp server Sntp server ipaddress default numberRequests the default server list When entered with the default parameter Tcp stats Tcp statsTcp stats Typical response Time Hop is listed in the output message TracerouteNetwork R/W, Debug R Dress as the source address Traceroute 172.17.20.1Traceroute -n Vers Vers Deletes the specified file from the flash filesystem This command loads batch files of configurationCommands into the router Copies a file from the source to the destination Copy tftp@128.1.210.66kernelnw kernel.f2k CopyExamples Copy srcfile dstfile Delete filename Admin R/W, System R/WDelete Refer to examples for typical responses Dir DirDir Execute filename Execute Format disk Following is an example of the format disk commandFormat disk System R/W, Debug R/W Msfs fix MsfsMsfs Commits the changes made to the file system to Flash memory Following is an example rename commandRename Sync Range of public IP addresses on a system-wide ba Adds an address to the BootP server listLists the supported keywords Remaps a range of local-LAN IP addresses to a Changes the Dial Backup stability period Disables the Dial Backup option in the routerEnables the Dial Backup option in the router Changes the Dial Backup retry period Lists the system settings for the target router Lists the default modem settingsRemoves an address from the BootP server list Manages the system Http port access Manages Syslog port access Enables and disables the secure mode functionManages Snmp port access Manages SSH port access System ? System addbootpserverSystem addbootpserver ipaddr System ? IP address of the server System addbootpserver System addhostmapping Local Ethernet LAN System addhttpfilterSecurity R/W System addhttpfilter first ip addr last ip addr lan System addiproutingtable Response Example System addserverSystem addiproutingtable 192.168.1.5 192.168.1.12 Rosa Discards the incoming server request Action One of the following command actionsRlogin port Selects the host with this IP address as server System addsnmpfilter first ip addr last ip addr lan System addsnmpfilter System addsyslogfilter firstipaddr last ipaddr lan System addsyslogfilter IP address to be added to the Syslog server address list System addsyslogserverSystem R/W System addsyslogserver ipaddr System addtelnetfilter first ip addr last ip addr lan System addtelnetfilter Incorporates all the available UDP ports in the new range System addudprelayWarded First port in the UDP port range to be created Chap is performed System authenSystem authen none pap chap Cally Address System backup addSystem backup add ipaddr gw dns group IP address to be added to the list IP address to be deleted from the list System backup deleteFollowing command deletes the gateway address from group Following command deletes all addresses from group System backup delete all all System backup disableFollowing command clears all addresses from the list System backup disable System backup enable System backup enable Optional, number of a group System backup pingintervalSystem backup pinginterval seconds group Number of seconds in the ping interval for the group System backup pingsamples 0 System backup pingsamplesSystem backup pingsamples samples group System backup pingsamples Following command changes the retry period to System backup retrySystem backup retry minutes Following command changes the retry period to 60 minutes Following command changes the stability period to 5 minutes System backup stabilitySystem backup successrate System backup stability minutes System backup successrate 0 System blocknetbiosdefaultSystem backup successrate percentage group System backup successrate System community snmp community name System blocknetbiosdefault yes noSets the default to block all NetBIOS and NetBUI requests System community System delbootpserver ipaddr all System default modemSystem delbootpserver System defaultmodem System delhostmapping Removes all addresses from the BootP server listSystem delbootpserver System delbootpserver all First IP address of the range System delhttpfilterSystem deliproutingtable System delhttpfilter first ip addr last ip addr lan System deliproutingtable 192.168.1.5 192.168.1.6 Rosa Following command deletes the virtual routing table RosaDeletes an entry created by the system addserver command System delserver Action One of the following command actions System delsnmpfilter first ip addr last ip addr lan System delsnmpfilterFirst IP address of the client range System delsyslogserver ipaddr System delsyslogfilterSystem delsyslogserver System delsyslogfilter firstipaddr last ipaddr lan System deltelnetfilter first ipaddr last ipaddr lan System deltelnetfilter Last port in the UDP port range to be deleted System deludprelaySystem history Deletes all existing UDP ports System history Following is a typical response Cess System httpport default disabled portThis command sets the Http port to the default value System httpport System list System listSystem list Following is an example of a typical response Ture System logSystem log start stop status Initiates monitoring activity Enter one of the following options Following command changes the string for the init settingFollowing command selects pulse dialing System modem First ipaddra First IP address of the range to be moved System moveiproutingtable Message a,b System msg Configured on10/21/98System msg System msg message Name a,b System nameSystem name name Router name System onewandialup on off System onewandialupTions System passwd System riptimerPassworda,bAuthentication password of the target router Timer value for RIP information exchange Security R System securemode set enable disableSystem securemode list System securemode set System securemode set cli value Disable Disables secure modeTypical response indicating the curent mode is displayed System securemode set cli System securemode set lan trusted untrusted Mode is enabledSystem securemode set lan System securemode set wan System securitytimer minutes System securitytimerSystem securemode set wan trusted untrusted Policy will be applied System selnat addpolicySpecifies the destination IP address to which the policy Will be applied Number of the policy to be deleted System selnat delpolicySystem selnat list System selnat delpolicy policy number System snmpport System snmpport default disabled port This command disables the existing Snmp port This command sets the Snmp port to the default valueThis command remaps the Snmp port to port System supporttrace System sshport System supporttrace Debug R/WSystem supporttrace === Processes === TID Name FL P Bottom Current Size 1IDLE DSP ATZ QA-LABPC === Interfaces === NW PRM Efficient Networks === END of Tech Support Data System syslogport System syslogport default disabled port System telnetport default disabled port This command sets the Syslog port to the default valueThis command disables the existing Syslog port This command remaps the syslog port to port This command disables the existing telnet port Disables the existing Telnet portMote access This command sets the Telnet port to the default value System wan2wanforwarding on System wan2wanforwardingLink Deletes a logical interface from an Ethernet port That the router can provide service to multiple IPAdds a logical interface onto an Ethernet port so Subnets Enables and disables Ethernet Firewall Filtering Removes a route from the default routing tableDisables IP routing across the Ethernet LAN Enables IP routing across the Ethernet LAN Sets the IPX network number for the Ethernet LAN Connection Disables IPX routing across the Ethernet LANEnables IPX routing across the Ethernet LAN Clears the password in a Vrrp attribute record for Vrid Eth ? Eth ? Eth add port#logical# Eth addEth add Logical interface number to be deleted Eth deleteEth delete port#logical# Ethernet interface from which logical port will be deleted Typical usage Eth ip addhostmapping IP network mask Eth ip addrEth ip addr ipaddr ipnetmask interface Ethernet LAN IP address Ethernet interface through which the packet is sent Eth ip addrouteEth ip addroute ipaddr ipnetmask gateway hops interface IP address of the IP gateway Eth ip addserver Eth ip bindroute Ethernet LAN IP address Eth ip defgateway ipaddr interface Eth ip defgateway Eth ip delhostmapping Eth ip delroute 10.1.3.0 255.255.255.0 Eth ip delrouteEth ip addroute ipaddr ipnetmask interface Eth ip delroute 10.9.2.0 Eth ip delserver Hypettext Transfer Protocol Http port Protocolid a Numerical protocol IDMP port Eth ip directbcast Eth ip disableEnables the forwarding of packets broadcast to a subnet Disables the forwarding of packets broadcast to a subnet Eth ip disable Eth ip enableEth ip enable Eth ip filter insert Eth ip filter command type action parameters interfaceEth ip filter Eth ip filter append Eth ip filter delete type action parameters interface Eth ip filter deleteEth ip filter flush Eth ip filter clear Eth ip filter list Eth ip filter checkEth ip filter watch Protocol TCP UDP Icmp Dp Icmp type first dest portlast dest port Eth ip filter flush input To be performed Disables the firewall filtering featureEth ip firewall Eth ip firewall on off list Ping -I 192.168.1.2 Eth ip mgmtEth ip mgmt ipaddr ipnetmask interface Eth ip options Eth ip mgmt 10.0.0.1 255.255.255.0 Save RebootEth ip options option on off interface OptionMust be one of the following Eth ip ripmulticastEth ip ripmulticast ipaddr Eth ip translate off Eth ip translateEth ip translate on off interface Eth ip translate on Eth ip unbindroute ipaddr tablename interface Eth ip unbindroute Eth ip vrid vrid interface Eth ip vrid Eth ip vrid 7 Eth ipx disableEth ipx addr Eth ipx addr ipxnet port# Eth ipx enable port# Eth ipx enableThis command requires a reboot Eth ipx disable port# Eth list interface Eth ipx enable typeEth ipx frame Eth list Eth list Global BRIDGING/ROUTING Settings Eth restart Eth mtuEth mtu size interface Eth start interface Eth startEth restart interface Interfacea,b Logical Ethernet interface Interfacea,b Logical Ethernet interface Eth stop Eth vrrp add 2 Eth vrrp addEth vrrp add vrid port# Eth vrrp add Eth vrrp clear password vrid port# Eth vrrp clear passwordEth clear password Eth vrrp delete vrid port# Eth vrrp deleteEth vrrp delete Eth vrrp set multicast Eth vrrp listEth vrrp list port# Eth vrrp set multicast ipaddr Eth vrrp set optionEth vrrp multicast Do not preempt a router with lower priority Eth vrrp set passwordTribute record was created by the command eth vrrp add Preempt immediately Eth vrrp set password AbCdEfGh Eth vrrp set password password vrid port#Password Attribute record was created by the command eth vrrp add Eth vrrp set priority priority vrid port# Eth vrrp set priority Eth vrrp set priority 255 Eth vrrp set timeintervalEth vrrp set priority 50 7 Eth vrrp set timeinterval 2 Eth vrrp set timeinterval seconds vrid port#Time interval value in seconds Virtual router ID of the Vrrp attribute record Removes the source routing option. Default value Eth ip remsrcrouteopt enable disableAdds the source routing option Remote Commands Remote bindipvirtualroute Remote disbridge Remote setcompression Remote setppppretrytimer Remotenamea Name of the tunnel. b Remote ?Remote add Adds a remote router entry into the remote router database MAC address Remote addbridgeRemote addbridge * macaddr remotename All MAC addresses Remote addhostmapping Remote addiproute Examples Network/station Remote addipxrouteRemote addIpxRoute ipxne# metric ticks remotename IPX network number Ers Name of serviceRemote addipxsap IPX node address Remote addserver Telnet SmtpSntp T120 Address of a router on the remote LAN Enter a gateway only if you are configuring a MER interfaceRemote bindipvirtualroute Route Remote del Remote blocknetbiosEnables NetBIOS filtering Disables NetBIOS filtering ITU E164 encoding Remote delatmsnapRemote delbridge ATM forum encoding Deletes encryption files associated with a remote router Remote delencryptionRemote delencryption remotename Remote deliproute Remote delhostmappingRemote deliproute ipaddr remotename Remote delIpxRoute ipxnet remotename Remote delipxroute Remote delipxsap Remote delipxSap servicename remotename Remote deloursysname remotename Remote delourpasswdRemote deloursysname Remote delourpasswd remotename Remote delserver Remote delphone Action One of the following command actions Remote disauthen remotename Remote disableRemote disable remotename Remote disauthen Remote disbridge remotename Remote disbridge Remote enaAuthen remotename Remote enableRemote enable remotename Remote enaauthen Remote enabridge Remote enablebridge remotename Remote ipfilter insert Remote ipfilter command type action parameters remotenameRemote ipfilter Remote ipfilter append Remote ipfilter check Remote ipfilter deleteRemote ipfilter flush Remote ipfilter clear Remote ipfilter watch For example, the commandManagement Protocol error message Remote ipfilter list Protocol TCP UDP Icmp Tcp syn ack noflag rst Remote ipfilter list input internet Remote listRemote list remotename Remote ipfilter flush receive internet Are listed If entered with no parameters, all remote router entries Mote routers entries are listed If entered with no parameters, bridge settings for all reTypical response when entered with no remotename parameter Remote listbridge Private Yes Remote listiproutesRemote listiproutes remotename Dest Remote listipxsaps remotename Remote listipxroutesRemote listipxsaps Remote listipxroutes remotename Rem listphones hq Remote listphonesRemote listphones remotename Rem listipxsaps hq Remote setatmnsap Remote restartRemote restart remotename Remote setauthen protocol remotename Remote setauthenRemote setatmnasp atmf e164 partial full nsap remotename Nsap Remote setBOD in out both remotename Remote setbod Remote setBrOptions option on off remotename Default is onAny traffic, including PPPoE traffic. The default is off Remote setbroptions Occurs, the maximum number of links is allocated Default is 0, in which case, whenever data transmissionRemote setbwthresh Remote setBWthresh threshold remotename They both share a common compression protocol Disables compression negotiation. The default is offRemote setcompression Remote setencryption Remote setEncryption DESE1KEYDESE2KEY filename remoteName Remote setipoptions option on off remotename Remote setipoptions Remote setipslaveppp yes no remotename Slave mode setting. The default is noRemote setipslaveppp Use periodic echo Remote setiptranslate on off remotename Enables or disables NATRemote setiptranslate Remote setipxaddr Remote setIpxOptions ripsap on off remotename Remote setipxoptions Remote setMaxLine 1 2 remotename Default isRemote setmaxline Remote setmgmtipaddr IP address Remote setmgmtipaddr ipaddr mask remotenameIP sub-network mask Remote setminline minlines remotename Is allocated for the connection only when needed.Remote setMinLine 0 PPPoEuser Remote settimer 600 PPPoEuser Remote setminline Remote setmtu size remotename Remote setmtuRemote setmtu 1400 HQ Remote router Remote setourpasswd password remotenameRemote setourpasswd Remote setoursysname Remote setphone Remote setpasswd password remotenameAuthentication password of the remote router Remote setpasswd Remote setphone async 1 5552000&5554000 backup Remote setspeed 115200 async 2 backupRemote setPhone async isdn 1 2 phone# remotename Use IPX RIP/SAP protocols Desired setting for the optionRemote setpppoptions Remote setpppoptions option on off remotename Remote setpppretrytimer timervalue remotename Remote setppppretrytimerValue to Frame Relay Remote setpreferRemote setprefer async fr hsd remotename Bers and bit rates in the remote profile Remote setPrefer async backup Remote list backup Remote setprotocol Virtual path Remote setpvcRemote setpvc vpi number*vci number remotename Virtual Path ID number that identifies the link formed by IP network mask of the remote router Remote setrmtipaddrRemote setrmtipaddr ipaddr mask remotename IP address of the remote router Primary phone number Use the default speedRemote setspeed Bit rate to be used for the phone number Remote setsrcipaddr ipaddr mask remotename Remote setsrcipaddrTarget IP address of the WAN connection to the remote rout Remote settimer seconds remotename Remote settimerNumber of seconds in the timeout period Remote start remotename Remote start Remote stats remotename Remote statsTotal connect time +011148 Total bytes out 15896 Remote stop remotename Remote stop Remote unbindIPVirtualRoute 10.1.2.0 Francisco HQ Remote unbindipvirtualrouteRemote unbindipvirtualroute ipaddr tablename remotename IP virtual routing table to which the route is removed This page intentionally left blank WAN Interface Commands Adsl ? Adsl Commands Adsl speed Adsl restartAdsl speed Adsl restart Adsl speed Adsl statsAdsl stats clear Statistical information displayed Atm ? ATM CommandsAtm ? Atm pcr cells/second Following command requests the current speedTypical response when entered with no parameter Atm pcr Atm save Saves the ATM configuration settingsAtm save Atm speed Atm speed Remote setatmtrafficUpstream speed requested in kilobits/second Remote setATMTraffic scr mbs remoteName Remote setATMtraffic 47 1 HQ Sustained Cell Rate cells per secondRemote setATMTraffic 0 0 HQ Remote setATMtraffic 47 31 HQ Dmt ? DMT CommandsDmt ? Dmt link Dmt mode ansi notrellisansi uawg Dmt modeAnsi notrellisansi Selects the DMT mode used Dual-Ethernet Router ETH Commands Eth br disable Eth br enableEth br disable Eth br enable Eth br options option on off port# Eth br optionsEthernet port number Eth br options pppoeonly on Eth br options stp off Frame ? Frame CommandsFrame ? Frame lmi Selects bridging modeSelects bridging mode, default value Frame cmpplay Frame stats Frame statsDisplays frame relay statistics Frame stats Displays the voice Dlci for voice routers Frame voiceFrame voice Gti ? GTI CommandsGti speed Gti speed Gti statsGti speed Gti stats GTI Adsl Version information is displayed Gti versionGti version Hdsl ? Hdsl CommandsHdsl ? Hdsl save Saves the HDSL-related changes across restarts and rebootsHdsl save Hdsl speed Hdsl terminal Sets the terminal operation mode to CPESets the terminal operation mode to CO Command example displaying current mode Typical response Idsl CommandsIdsl list Idsl list Idsl set speed 64 128 Idsl saveIdsl set speed Idsl save Link speed of 128 Kbps Idsl set switchRemote setdlci Link speed of 64 Kbps PPP protocol with no encapsulation Remote setprotocolFrame Relay number identifying the data-link connection Remote setProtocol ppp fr mer remotename Sdsl ? Sdsl CommandsSdsl ? CPE end. a Disables pre-activationSdsl preact Sdsl preact on off Sdsl speed speed noauto Sdsl saveSdsl speed Sdsl save See examples above This command example requests a line speed of 1152 Kb/sSdsl speed Sdsl terminal Sdsl terminalSdsl terminal cpe co Terminal operation is displayed Shdsl Commands Lists the supported Shdsl keywords Enables the selected annexShdsl ? Shdsl annex Shdsl list Lists the current configuration of the G.shdsl interfaceShdsl list Shdsl list Noise margin in decibels Selects adaptive or fixed rate modeShdsl margin Shdsl ratemode Current ratemode is displayed Selects adaptive modeSelects fixed mode Shdsl restart Shdsl speed Shdsl saveShdsl save Selects auto-speed detection This command usage requests a line speed of 1096 Kb/sShdsl speed speed auto Speed in Kbps Shdsl stats clear Shdsl statsShdsl stats clear Shdsl stats Shdsl terminal Shdsl terminal Shdsl ver Shdsl verDisplays the G.shdsl version level of the modem firmware Shdsl ver This page intentionally left blank Lists the supported Dhcp keywords Allows a BootP request to be processed for a parDenies processing of a BootP request for a partic Specifies the boot file name kernel and the sub Clears the values from a pool of addresses Specifies the Tftp server boot serverDisables a subnetwork or a client lease Enables a subnetwork or a client lease To define a client lease Dhcp ?Dhcp add To define a subnetwork Dhcp add 128 1 4 ipAddress Command usage defining a subnetworkCommand usage defining a client lease Dhcp add Dhcp addrelay Command usage defining, then listing a Dhcp relay serverDhcp addrelay Dhcp addrelay ipaddr IP address of the client lease Dhcp bootp allowDhcp bootp disallow IP address of the subnetwork lease Dhcp bootp file net ipaddr name Dhcp bootp fileName of the file to boot from IP address of the Tftp server Dhcp bootp tftpserverDhcp bootp tftpserver net ipaddr tftpserver ipaddr Dhcp clear addresses Dhcp clear all records Word records cannot be abbreviated in the commandDhcp clear all records Dhcp clear expire User defined code c Dhcp clear valueoptionIpaddra IP address of the subnetwork lease Dhcp clear valueoption net ipaddr code Dhcp del Example command to delete the defined subnetworkExample command usage deleting a client lease Example command deleting the user-defined option with code Dhcp delrelay ipaddr all Dhcp disableDhcp disable all net ipaddr Dhcp delrelay IIP address of the subnetwork lease Dhcp enableDisables all subnets Enables all subnets Dhcp list net ipaddr Following example command lists global informationDhcp list Lists global, subnetwork, and client lease information Gateway Following example command lists information for client Character string Dhcp list definedoptionsDhcp list definedoptions code string Predefined or user-defined number or keyword Efficient Networks Dhcp list lease Dhcp list leaseDhcp list definedoptions ga Dhcp set expire Default lease duration is displayedDhcp set expire ipaddr hours default infinite Dhcp set addresses Dhcp set lease Dhcp set mask net mask Example command sets client lease time to the default valueExample command sets lease time to infinite for this subnet Dhcp set mask Dhcp set otherserver net continue stop Dhcp set otherserver Code specifying the option to be set Dhcp set valueoptionLease Subnetwork lease This page intentionally left blank Lists the supported L2TP keywords Configures the router to forward all incoming callsDisplay of the current configuration settings for tun Nels, except for the authentication password/se Defines the type of L2TP support for the tunnel Creates a Chap secretCreates local router’s host name Creates the host name of the remote tunnel Tunnelnamea Name of the tunnel. b Example command adding the tunnel named PacingAtWorkL2tp ? L2tp add L2tp call PacingAtWork L2tp callL2tp close L2tp call tunnelname L2tp del Tunnel to an LNS L2tp forwardForward all incoming calls through the tunnel to an LNS No incoming calls are allowed to be forwarded through L2tp list L2tp listL2tp list tunnelname Tunnelname a Name of the tunnel. b L2tp set address ipaddr tunnelname L2tp set addressIP address of the remote LAC or LNS L2tp set chapsecret Enables authenticationDisables authentication L2tp set authen L2tp set dialout yes no tunnelname Chap secret used to authenticate the creation of the tunnelL2tp set dialout L2tp set hiddenavp Source IP address used for this tunnel Allows the router hide AVPs. Default valueDisables hidden AVPs L2tp set ouraddress Name of the tunnel L2tp set ourpasswordL2tp set oursysname Lenged by another router Tunnelnamea,b Name of the tunnel L2tp set ourtunnelnameL2tp set remotename Name of the local router L2tp set type L2tp set wanif remote tunnelname L2tp set wanifLishing the L2TP tunnel L2tp set window Remote setl2tpclient tunnelnameremotename Remote setl2tpclientName of the remote entry Remote setLNS tunnelname remotename Remote setlns Lists the supported Bridge Filtering keywords Filter br ? Allows forwarding of the packets Filter br addByte offset within a packet Hexadecimal number up to 6 bytes Filter br del pos data allow deny Filter br delFilter br del 12 8035 deny Filter br list Filter br listLists the bridging filters in the filtering database Filter br list Filter br use This page intentionally left blank Remote setpppoeservice Pppoe close ifsnumber Pppoe closeIfsnumber Session to be closed.a Pppoe list Pppoe listLists information about the currently active PPPoE sessions Pppoe list This page intentionally left blank IKE/IPSEC Commands Defines a protocol filtering parameter value for Defines a peer filtering parameter value for the pol IcyDefines the pfs filtering parameter value for Policy Defines a proposal filtering parameter value for Sets the local ID for the IKE peer connection Message authentication doneDisables a defined IPSec security association SA Entry Lists the defined IKE peers Clears all IPSec definitions Enables a defined IPSec security association en TrySpecifies the identifier Spid for the IPSec tunnel Ike ipsec ? Displays help message Commit bit is not set. Default valueIke commit Ike flush Policynamea New name for an IPsec policy.b Ike ipsec policies addIke ipsec policies delete Ike ipsec policies add policyname Policynamea Name of an existing IPsec policy.b Ike ipsec policies disableIke ipsec policies disable policyname Name of an existing IPsec policy. b Ike ipsec policies enable policyname Ike ipsec policies enableIke ipsec policies enable mypolicy Ike ipsec policies list Ike ipsec policies list IKE IPSec policies mypolicy enabledIke ipsec policies list Name of the IPsec policy to which the destination parameter Ike ipsec policies set destIke ipsec policies set destport IP address allowed to be the destination of the data Portnumber Telnet Http Snmp Tftp Policynamea Ike ipsec policies set interface interface all policyname Ike ipsec policies set interface Ike ipsec policies set interface all mypolicy Ike ipsec policies set modeIke ipsec policies set mode tunnel transport policyname Ike ipsec policies set interface backup corporate Ike ipsec policies set peer peerpame policyname Name of the IPsec policy to which the encapsulation modeIke ipsec policies set peer Parameter value is added. a Ike ipsec policies set pfs 2 mypolicy Ike ipsec policies set pfsIke ipsec policies set pfs 1 2 none policyname Negotiation Ike ipsec policies set proposal proposalname policyname Ike ipsec policies set proposalIke ipsec policies set proposal myproposal mypolicy Ue is added. b Ike ipsec policies set protocol Is added. c Ike ipsec policies set sourceIke ipsec policies set source ipaddress ipmask policyname IP address allowed to be the source of the data Ike ipsec policies set sourceport Ike ipsec policies set translate on off policyname Ike ipsec policies set translate Ike ipsec proposals add proposalname Ike ipsec proposals add Ike ipsec proposals add myproposal Ike ipsec proposals deleteIke ipsec proposals delete proposalname Name of an existing IPsec proposal. b Ike ipsec proposals list Ike ipsec proposals listIke ipsec proposals list Secure Hash Algorithm-1 Use AH encapsulation and authenticate using hash algorithmIke ipsec proposals set ahauth Ike ipsec proposals set ahauth md5 sha1 none proposalname Ike ipsec proposals set espauth Use ESP encapsulation and authenticate using hash algorithmNo ESP encapsulation and no ESP message authentication. If Auth command Abled in the router Ike ipsec proposals set espencUse ESP encapsulation and 56-bit encryption Use ESP encapsulation and 168-bit encryption if 3DES is en Ike ipsec proposals set ipcomp none lzs proposalname Compress using the LZS algorithmIke ipsec proposals set ipcomp Ike ipsec proposals set lifedata Ike ipsec proposals set lifetime seconds proposalname Ike ipsec proposals set lifetimeIke ipsec proposals set lifedata kbytes proposalname Means unlimited Peernamea New name for an IKE peer.b Ike peers addUnlimited Ike peers add peername Peernamea Name of the IKE peer to delete.b Ike peers deleteIke peers list Ike peers delete peername Ike peers set address ipaddress peername Ike peers set addressIke peers list IKE Peers Ike peers set localid aggressivemodeid peername Ike peers set localidIke peers set address 0.0.0.0 myaggressivepeer Ike peers set localidtype ipaddr domainname email peername Ike peers set localidtypeExample Response Name of the IKE peer whose local ID is specified. c Ike peers set localidtype domainname myaggressivepeer Name of the IKE peer whose mode is specified. b Ike peers set modeSelect main mode both ends constant Selects aggressive mode one end can change Name of the IKE peer whose peer ID is specified. c Ike peers set peeridIke peers set peeridtype Ike peers set peerid aggressivemodeid peername Ike peers set peeridtype domainname myaggressivepeer Ike peers set secretIke peers set peeridtype ipaddr domainname email peername Ike peers set secret secret peername Proposalnamea New name for an IKE proposal.b Ike proposals addIke proposals delete Ike proposals add ProposalName Ike proposals delete myikeproposal Ike proposals listProposalnamea Name of the IKE proposal to delete.b Ike proposals list Use DH group Ike proposals set dhgroupIke proposals set dhgroup none 1 2 proposalname No DH group is used Use DES 56-bit encryption Use 3DES 168-bit encryption if 3DES encryption is enabledIke proposals set encryption Ike proposals set lifetime Ike proposals set lifetime 86400 myikeproposal Ike proposals set messageauthMaximum number of seconds before renegotiation Ike proposals set messageauth none md5 sha1 proposalName Ike proposals set sessionauth Sanamea Name for the new IPSec SA.b IPSec CommandsIpsec add Ipsec add saname Ipsec delete Ipsec disableDisables a defined IPSec security association entry Sanamea Name of the IPSec SA to be disabled.b Ipsec disable showrx Ipsec enableIpsec enable saname Sanamea Name of the IPSec SA to be enabled.b Ipsec list saname Ipsec flushIpsec list Ipsec flush Ipsec list Ipsec set authkey Ipsec set authenticationIpsec set authentication md5 sha1 saname Specifies the authentication key for the IPSec SA Ipsec set direction inbound outbound saname Hexadecimal authentication keyIpsec set direction Defines the direction of the IPSec SA Specifies the encryption key for the IPSec SA Ipsec set compressionIpsec set enckey Ipsec set compression none lzs saname Ipsec set encryption Ipaddressa IP address of the IP gateway Ipsec set gatewayIpsec set ident Defines the IP address of the IP gateway of the IPSec SA Name of the IPSec SA. b Ipsec set modeIpsec set mode tunnel transport saname Spid for the IPSec tunnel Use Both ESP encryption and authentication Ipsec set serviceIpsec set service esp ah both saname AH authentication Clears the L2 control channel statistics Lists the top-level voice or dsp commandsKeywords and a brief description of their function Displays the current voice rate and encoding type Dsp voice ? Dsp ? / voice ? Sets encoding method to alaw Typical response when entered with no parametersDsp ecode Selects the voice encoding method for all voice ports Optional, Length of jitter buffer in milliseconds Dsp jitterDsp jitter milliseconds Is displayed Dsp provision Dsp save Voice port to configureDsp save Dsp vr Voice l2stats Voice l2clearVoice l2stats Voice profile profile Voice profile Example response confirming the configuration changeVoice profile Voice l2stats An idle state Voice refreshcasVoice refreshcas active always Mode This page intentionally left blank Words Lists the supported radius commands and keyDeletes a configured radius server entry Attempting the next radius server, if configured Rad deleteserver integer Rad ?Rad deleteserver Rad ? Rad list secret Rad list secretRad list secret Rad list server Rad list serverRad list server Radius set server Rad set retries Number of seconds between retry attempts Radius set timeoutAuthentication secret for the specified radius server Radius set secret Disables an existing user account Adds an access privilege to for the specified userConfigures the managements class with read-only Deletes an access path from the specified user ac User ? Displays the contents of the user account data BaseLists the characteristics of the pre-defined user Templates Admin R Adds user access through the console serial port User add accessAdds user access through a LAN connection Adds user access through the WAN connection User add class User add user User add user username password template enable disable Removes user access through the WAN connection User delete accessUser delete access lan wan console username Removes user access through a LAN connection Must be one of the following Enabled for read-onlyUser delete class User delete class mgtclass read write username User delete user username1 username2 usernameN User delete class admin write Admin1User delete class voice read Admin1 User delete user User disable VoiceAdmin User disableUser disable username User delete user Admin1 staff001 User list User enableUser enable username User enable Admin1 User list Displays the pre-defined user template information User list lookupUser list template User list lookup Efficient Networks User set lookup Newpassworda New password for the user account User set passwordChanges the password of an existing user account User setpassword username newpassword This page intentionally left blank Ture database Lists the supported key commandsValidates and adds a key to the key-enabled fea Deletes a feature key from the key-enabled feature Updates the expiration date of an expired feature Key Disables a key-enabled featureRevokes a key-enabled feature key Unrevokes a revoked feature key Key add Example response when adding a key for L2TPKey add keystring Key delete Key delete featurenameFeaturenamea Name of the feature to be deleted.b Example response when deleting the key for Radius Key disable l2tp Key disableKey disable featurename Featurename Name of the feature to be disabled.a Key list Key enableKey enable featurename Featurenamea Name of the feature to be enabled.b Typical response with the -lparameter is shown below Installed Key unrevoke Key revoke featureFeaturenamea Name of the feature key to be revoked Key revoke Key unrevoke keystring Key updateKey update keystring Keystringa Key string for the feature This page intentionally left blank Sets an authentication password for an Snmp Disables Snmp access from the specified interEnables Snmp access from the specified inter Enables or disables transmission of unsolicited Snmp addsnmpfilter Snmp ?Snmp ? IP address of the trap manager Snmp addtrapdestSnmp addsnmpfilter first ip addr last ip addr lan Snmp addstrapdest ip addr Following example sets the Snmp community name to iads Snmp communitySnmp community snmp community name Snmp community name Snmp delsnmpfilter first ip addr last ip addr lan Snmp delsnmpfilter Snmp deltrapdest ip addr Snmp disablesnmpifSnmp disablesnmpif wanlan Snmp deltrapdest Wan lan Interface from which Snmp access will be enabled Snmp enablesnmpifWan lan Interface from which Snmp access will be disabled Snmp enablesnmpif wanlan Snmp list Snmp settrapenableSnmp settrapenable on off Snmp list Example response when a password parameter is entered Enables trap event message transmissionCurrent password Snmp Manager authentication password Snmp snmpport Snmp snmpport default disabled port Due to firewall rules that when exceeded, will log Displays the current stateful firewall settingsConfigured rules Enables or disables the stateful firewall function Sets the threshold value for the number of UDP Firewall ?Sets the threshold value for the number of Icmp Sets the threshold value for the number of SYN Packet must have the specified protocol Packets must match the assigned application characteristicsFirewall allow Firewall allow protocol application parameters Examples Firewall -a netmeeting -sa 192.168.1.23 -d out Firewall allow -a FTP -sa 192.168.1.34 -d out Firewall clearcounter 13 allow Firewall clearcounterIndicates the specified rule is in the allow rules list Indicates the specified rule is in the deny rules list Firewall delete Firewall clearcounter allFirewall clearcounter all Will delete all rules from the allow rules list Example command deletes rule 3 from the deny rules listFirewall delete all Firewall delete all allow deny Firewall deny protocol application parameters Firewall denyFirewall delete all allow Both Optional parameter will display only allow rules list Command entered with no parametersFirewall list Firewall list allow deny Following identifies the firewall rule to be modified Command entered with the optional allow parameterFirewall modify Firewall modify allow deny number parameter Modifies the specified source ip mask Specifies the protocol a packet must haveModifies the firewall rule type Modifies the source IP address or specified address range Firewall setdroppktthreshold Enables the firewall as currently configuredDisables the firewall Firewall set Firewall setdroppkthreshold Firewall seticmpfloodthresholdFirewall seticmpfloodthreshold number Threshold value in packets per seconds Firewall setsynfloodthreshold number Firewall setsynfloodthreshold Firewall viewdroppkts number Firewall setudpfloodthresholdFirewall viewdroppkts Firewall setudpfloodthreshold number Firewall viewdroppkts Typical response using the optional number parameter Firewall watch on off Firewall watchNo messages are printed to the console or Syslog server This page intentionally left blank Sets the idle timeout period for SSH connections List the supported SSH sub-commandsDisplays the current SSH configuration with the ex Configured SSH port Generates the Private-Public key-pair for the local server Ssh ?Ssh keygen Ssh ? Ssh load publickey tftp@server-addrpriv-key-file Ssh listSsh load privatekey Ssh list Ssh load privatekey tftp@192.168.13.174mykey Ssh load publickeySsh load publickey TFTP@server-addrpub-key-file Key file to load DES 56-bit encryption Multiple types are allowed on the command lineSsh set encryption Sets the types of encryption the SSH connections will use Ssh set keepalive enable disable Ssh set idletimeoutSsh set idletimeout seconds Idle timeout period in seconds Ssh set mac md5 sha1 Ssh set keepalive enableSsh set mac Keepalive messages are sent Ssh set status Enables and disables SSH server connectionsSsh set status enable disable Ssh set rekey Allows SSH connections Ssh set status enable This page intentionally left blank Scription of their functions List the supported QoS commands and a brief deEnables and disables marking of the differentiated Services field Defines a proposal filtering parameter value for Policy Saves the current QoS configuration and QoS pol IciesQos ? Qos append Specifies the QoS policy to be deleted Specifies that all disabled QoS policies will be deletedQos del Policy namea Specifies the QoS policy name to be added QOS will mark Diffserv field in IP header Qos disableExample command that deletes all disabled QoS policies Qos diffserv Specifies the QoS policy to be enabled Qos enablePolicy namea Specifies the QoS policy to be disabled Qos enable policy name Qos list policy name Qos insertQos list Qos del policy name insert before this policy LOW Qos list mypolicy3 Specifies the QoS policy to be moved Qos moveQos movetoend Qos move policy name move to before this policy Qos off Qos off Qos on Saves the current QoS feature and policy configurationsQos on Qos save Qos set Specifies the priority, with normal the default valueQos set parameter policy name Specifies the outgoing code point Specifies the incoming code point Qos setweight highmeduimnormallow weight Qos setweightQueue This page intentionally left blank Configures port traffic mirroring Lists the supported Switch sub-commandsSpecifies the aging time of the switch Disables the specified Ethernet port Switch agetime seconds Switch ?Switch agetime Switch ? help Switch block Switch blockSwitch block port Ethernet port to be disabled Switch mirror on off capture port map port unmap port Switch mirrorSwitch mirror capture 6 switch mirror map Switch mirror map Switch mirror capture Switch statusDisplays the current port states for the Ethernet switch Switch status Switch status Switch unblockSwitch unblock port Ethernet port to be enabled