Paradyne 6301, 6302, 6341, 6342, 6351, 6371 Security

3. Configuring the DSL Router

6300-A2-GB20-10 November 2003 3-11

Security

The router offers security via the following:

Filtering. A filter consists of a set of rules applied to a specific in terface to

indicate whether a packet received or sent on that interface is forward ed or

discarded. Filters are applied to traffic in either the inbound (from the Ethernet

port) or outbound (from the DSL port) direction on that interface:

— IP Protocol Type: TCP, UDP, or ICMP

— ICMP Message Type, Code

— TCP/UDP Ports

— Source/Destination IP Address

— Ethernet Type

Always enabled:

— Land Bug Prevention

— Smurf Attack Prevention

NOTE:

All Hotwire DSL Router filters are configured on the Hotwire DSL card. Some

routing parameters that affect filtering, such as enabling bridging or routing,

can only be configured on the DSL router.

IP Protocol Type Filtering

By default, IP Protocol Type (IP) filtering is disabled on the Hotwire DSL card for

the DSL router. If enabled, filtering provides security advantages on LANs by

restricting traffic on the network and hosts based on the source and /or destination

IP addresses.

There is one filter per direction, with a maximum of 33 rules per filter. For IP filters,

all filter access rules with a source host IP address are applied fir st, with all rules

with a destination host IP address applied next. The remaining filters are applied in

the order in which they were configured.

For additional information about IP filtering, refer to the Hotwire MVL, ReachDSL,

RADSL, IDSL, and SDSL Cards, Models 8310, 8312/8314, 8510/8373/8374,

8303/8304, and 8343/8344, User’s Guide.

Contents

Main Page Contents About This Guide 1 Introduction to Hotwire DSL Routers 2 Accessing the DSL Router 3 Configuring the DSL Router 4 DSL Router Configuration Examples 5 Monitoring the DSL Router 6 Diagnostics and Troubleshooting A Command Line Interface iv B Configuration Defaults and Command Line Shortcuts C Traps and MIBs D DSL Router Terminal Emulation Page Page About This Guide Document Purpose and Intended Audience viii New Features for this Release Document Summary Section Description x Product-Related Documents Document Number Document Title Document Conventions | Page Introduction to Hotwire DSL Routers What is a Hotwire DSL Router? DSL Technologies Supported 1-2 Typical DSL Router System Hotwire DSL Router Features 1-4 Service Subscriber Accessing the DSL Router Access Control to the DSL Router Levels of Access 2-2 Local Console Access Changing Access Session Levels Setting Up the New Users Login 2-4 Telnet Access Determining the Current Access Level Determining the Available Commands 2-6 Using the List Command Changing the System Identity Exiting from the System Manually Logging Out 2-8 Automatically Logging Out Configuring the DSL Router DSL Router Configuration Overview The DSL Routers Interfaces 3-2 Interface Identifiers Service Domain IP Address Assignments Numbered DSL or Ethernet Interface Unnumbered DSL Interface 3-4 IP Routing IP Options Processing Network Considerations Address Resolution Protocol (ARP) 3-6 Proxy ARP Network Address Translation (NAT) Basic NAT Network Address Port Translation (NAPT/PAT) 3-8 Simultaneous Basic NAT and NAPT Applications Supported by NAT Dynamic Host Configuration Protocol (DHCP) Server 3-10 DHCP Relay Agent Security IP Protocol Type Filtering 3-12 Ethernet Type Filtering Land Bug/Smurf Attack Prevention Routed vs. Bridged PDUs 3-14 PPPoE Client Support Page 3-16 DSL Router Configuration Examples Configuration Examples 4-2 Basic Bridging Configuration Example Basic Routing Configuration Example 4-4 Basic NAT Configuration Example Page 4-6 NAPT Configuration Example Page 4-8 Simultaneous Basic NAT and NAPT Configuration Example Page 4-10 Unnumbered DSL Interface with Proxy ARP Configuration Example DHCP Relay with Proxy ARP Configuration Example 4-12 DHCP Server with Basic NAT Configuration Example PPPoE Client with NAPT and DHCP Server Configuration Example 4-14 Downstream Router Configuration Example IP Passthrough Configuration Example Page Monitoring the DSL Router Monitoring the Router 5-2 LED Status Interface Status Performance Statistics Clearing Statistics 5-4 Reasons for Discarded Data Page 5-6 Page 5-8 Diagnostics and Troubleshooting Diagnostics and Troubleshooting Overview Device Restart Alarms Inquiry 6-2 System Log syslog ip ip-addr {mgt | srvc } Table 6-1. SYSLOG Commands (2 of 2) syslog port [port-number] syslog level level show log [number] SYSLOG Events SYSLOG Message Display Ping 6-6 Ping Test Results TraceRoute 6-8 TraceRoute Test Results A Command Line Interface Command Line Interface Capability A-2 Navigating the Routers CLI Command Recall Syntax Conventions Convention Translation [ ] { } | CLI Commands A-4 Configuration Commands save RFC 1483 Encapsulation Command Ethernet Frame Format Command A-6 Interface and Service Domain IP Address Commands IP Routing Commands A-8 Bridge Commands ip route create upstream eth1[:ifn] next-hop-ip ip route delete upstream eth1[:ifn] ip route purge Table A-5. IP Routing Commands (2 of 2) ARP Commands A-10 Proxy ARP Command NAT Commands Table A-9. NAT Commands (1 of 4) nat basic {enable | disable} nat napt {enable | disable} nat basic address ip-addr [ip-mask] nat basic purge A-12 Table A-9. NAT Commands (2 of 4) nat napt purge nat timeout [time] nat napt map {udp | tcp} server-ip port nat basic map public-ip private-ip nat basic map lower-public-ip lower-private-ip upper-private-ip Table A-9. NAT Commands (3 of 4) nat basic delete private-ip nat basic delete lower-private-ip upper-private-ip nat napt delete {udp | tcp} port A-14 DHCP Server Commands dhcp server leasetime min-lease-time max-lease-time Table A-10. DHCP Server Commands (2 of 2) dhcp server router ip-address dhcp server name domain name dhcp server nameserver ip-address [ip-address2] DHCP Relay Agent Commands IP Packet Processing Commands Table A-12. IP Packet Processing Commands IP multicast {enable | disable} IP routing {enable | disable} packet processing {enable | disable} A-18 PPPoE Client Commands ppp ip {eth1 | dsl1 | passthrough} [mask] [no-dns] Table A-13. PPPoE Client Commands (2 of 3) ppp authentication {chap | pap | both | none} A-20 Table A-13. PPPoE Client Commands (3 of 3) ppp username [username] ppp password [password ] Telnet Commands telnet login {enable | disable} telnet name create {admin | operator} login-id password telnet name delete {admin | operator} login-id A-22 Table A-14. Telnet Commands (2 of 2) telnet timeout [time] telnet keep-alive {enable | disable} telnet keep-alive timeout [time] Traps Command Clearing Statistics Command A-24 Show Commands Table A-17. Show Commands (1 of 10) show alarms show arp show arp timeout show bridge Table A-17. Show Commands (2 of 10) show config show console A-26 Table A-17. Show Commands (3 of 10) show dhcp relay show dhcp server show interface {eth1 | dsl1} Table A-17. Show Commands (4 of 10) Status information displayed for show interface dsl1: show ip route [ip-address] A-28 Table A-17. Show Commands (5 of 10) show log [number] show nat basic show nat napt show pppoe Table A-17. Show Commands (6 of 10) show spanning-tree A-30 Table A-17. Show Commands (7 of 10) show statistics [eth1 | dsl1 | ip | bridge| pppoe | tftp] show statistics eth1 show statistics [eth1 | dsl1 | ip | bridge| pppoe | tftp] Table A-17. Show Commands (8 of 10) show statistics dsl1 show statistics ip show statistics bridge A-32 Table A-17. Show Commands (9 of 10) show statistics [eth1 | dsl1 | ip | bridge | pppoe | tftp] show statistics pppoe show statistics tftp show system Table A-17. Show Commands (10 of 10) show telnet show traps Page B Configuration Defaults and Command Line Shortcuts Configuration Default Settings B-2 Table B-1. Default Configuration Settings (2 of 3) Command Line Shortcuts Text in bold is the minimum input for each command line entry. Table B-1. Default Configuration Settings (3 of 3) Table B-2. Command Line Shortcuts (1 of 4) B-4 Table B-2. Command Line Shortcuts (2 of 4) Table B-2. Command Line Shortcuts (3 of 4) B-6 Table B-2. Command Line Shortcuts (4 of 4) C Traps and MIBs SNMP Overview Traps Overview C-2 DSL Router Traps MIBs Overview Standard MIBs MIB II (RFC 1213) C-4 System Group Interfaces Group (RFC 1573) C-6 Table C-3. Interfaces Group Objects (2 of 3) Extension to Interfaces Table (RFC 1573) Table C-3. Interfaces Group Objects (3 of 3) Table C-4. Extension to Interfaces Table C-8 IP Group (RFC 1213) IP CIDR Route Group (RFC 2096) C-10 Transmission Group SNMP Group Ethernet-Like MIB (RFC 2665) Paradyne Enterprise MIBs C-12 Device Control MIB Device Diagnostics MIB C-14 Table C-8. Application Test Group Objects (2 of 3) Table C-8. Application Test Group Objects (3 of 3) C-16 Health and Status MIB Table C-9. Device Status Group Objects Table Possible abort codes are: Configuration MIB The supported groups used with the DSL Configuration MIB, pdn_Config.mib, are: Table C-10. Device Configuration Copy Group Objects Table C-18 Interface Configuration MIB ARP MIB NAT MIB DHCP MIB C-20 DSL Endpoint MIB SYSLOG MIB Interface Configuration MIB D DSL Router Terminal Emulation DSL Router Terminal Emulation Accessing the List Command Output D-2 Terminal Emulation Programs E Firmware Upgrade Overview Firmware Upgrade Commands E-2 Firmware Upgrade Procedures Page Page Index Symbols Numerics A B D E F G H L M N O P R S T U V