Solwise Ltd.
Advanced Reference Guide for
Solwise SAR110

ADSL Router

Please Note: Incorrect usage of CLI commands
can seriously damage the firmware settings
and configuration of your router to the extent
where you might be unable to reset/restore to
an operable state. We reserve the right to
charge for any faulty router returned for repair
which has user corrupted firmware or settings.
April 11, 2003

Summary of Contents for Solwise SAR110

  • Page 1: Adsl Router

    Solwise Advanced Reference Guide for Solwise SAR110 ADSL Router Please Note: Incorrect usage of CLI commands can seriously damage the firmware settings and configuration of your router to the extent where you might be unable to reset/restore to an operable state. We reserve the right to charge for any faulty router returned for repair which has user corrupted firmware or settings.
  • Page 2 - 2 - Notification is hereby given that Solwise Ltd. reserves the right to modify, change, update or revise this document from time to time as required without the prior obligation to notify any person, company or organization. Further, Solwise makes no warranty or representation, either express or implied, with respect to merchantability, or fitness of its products for a particular purpose.
  • Page 3: Table Of Contents

    - 3 - Table of Contents Introduction............9 Quick Start............11 CLI Introduction..........12 Unit Configuration..........13 Default Configuration..........13 4.1.1 System Sizing Parameters ......17 Modifying the Unit’s MAC Address and Serial Number..............19 Modifying the Unit Configuration via Script Files..................19 4.3.1 Notes on Using Script File Configuration ............20 Managing Configuration Changes......20...
  • Page 4 Configuring DNS Relay........73 Overview of DNS Relay ...........73 Configuration Details ..........73 Configuring DHCP Server and DHCP Relay ..............74 10.1 Default DHCP Configuration on the SAR110 Reference Unit..........74 10.2 Configuring Unit as DHCP Server......74 10.2.1 Creating DHCP Pools ......75 10.2.2 Excluding Addresses from a Pool ..77...
  • Page 5 L2 Wall..............92 12.3.1 Overview .............92 12.3.2 Configuration Files ........93 12.3.3 AutoDetect Algorithm .......93 12.3.4 Assumptions ..........94 12.3.5 Sample Configuration Files ......94 Layer 3 Security ..........96 13.1 NAT .................96 13.1.1 Default NAT Configuration on the SAR110 Unit.............97 13.1.2 Configuring NAT Direction ......98...
  • Page 6 - 6 - 13.1.3 The napt rule ..........98 13.1.4 The rdr Rule ..........100 13.1.5 The basic and filter Rules ......102 13.1.6 The bimap Rule ........103 13.1.7 The pass Rule .........103 13.1.8 Configuring ALGs........103 13.1.9 Enabling NAT ..........106 13.2 Firewall ..............106 13.2.1 Attack protection ........106...
  • Page 7 - 7 - 16.2.1 Starting Auto-configuration through Default ............142 16.2.2 Starting auto-configuration at run time 16.2.3 Viewing auto-configured VCs ....144 16.2.4 Best effort configuration ......145 16.2.5 VCC change and Cold Start Trap ..146 16.2.6 Configuration Conflicts ......146 16.2.7 Configuration mismatch Traps .....146...
  • Page 8 - 8 - 18.5 Requesting Status and Statistical Information..............161 18.6 Viewing complete system configuration....163 18.7 Managing User Accounts ........164 18.7.1 Creating User Accounts ......164 18.7.2 Deleting User Accounts ......165 18.8 Changing the Login Password ......165 18.9 Modifying System Parameters ......166 18.10 Configuring Host Name and Domain Name on the Modem ............166...
  • Page 9: Introduction

    Introduction, provides basic information on this document. Chapter 2 shows how to set up, configure, and operate the SAR110. Chapter 3 gives a brief overview of the main features of the Command Line Interface (CLI). Chapter 4 defines and describes the reference unit’s default configuration, and explains how you can alter the current configuration using flat files.
  • Page 10 - 10 - to your advantage, and provides a tutorial on shell programming. A glossary of terms used in this document is also provided.
  • Page 11: Quick Start

    - 11 - 2 Quick Start See Setup documentation supplied with your router...
  • Page 12: Cli Introduction

    - 12 - 3 CLI Introduction See full SAR110 CLI manual.
  • Page 13: Unit Configuration

    - 13 - 4 Unit Configuration This chapter describes the default configuration programmed into the flash memory, as well as how to modify the configuration after boot-up. Default Configuration The unit’s default configuration is established by the factory defaults file named TEFacs.txt. You customize the default configuration by modifying this file, then creating and loading a new flash image (a description of this process and sample factory defaults files are provided in the Image Handling User Manual).
  • Page 14 - 14 - IP Filter — enabled, with various rules configured for high, medium, and low security. Listed below are the CLI commands in the factory defaults file that configure the unit as a router. create user name DSL passwd DSL root modify system logthresh 1 size maxvc 8 max1483vc 8 maxppe 8 modify nbsize maxipsess 192...
  • Page 15 - 15 - create ipf rule entry ruleid 40 ifname private dir out srcaddr self act accept storestate enable seclevel high medium low create ipf rule entry ruleid 50 ifname private dir out inifname dmz transprot eq udp destport eq num 53 act accept storestate enable seclevel high medium low create ipf rule entry ruleid 60 ifname private...
  • Page 16 - 16 - create ipf rule entry ruleid 170 ifname dmz dir out inifname public transprot eq tcp destport eq num 23 act deny seclevel high medium low create ipf rule entry ruleid 180 ifname dmz dir out inifname public transprot eq icmp act deny seclevel high medium create ipf rule entry ruleid 190 ifname public dir out transprot eq tcp destport eq num 23 act...
  • Page 17: System Sizing Parameters

    - 17 - num 53 act accept storestate enable seclevel medium low create ipf rule entry ruleid 330 ifname public dir in destaddr self transprot eq tcp destport eq num 53 act accept storestate enable seclevel medium low create ipf rule entry ruleid 340 ifname public dir in act deny isipopt yes seclevel high create ipf rule entry ruleid 350 ifname public dir in act deny isfrag yes seclevel high...
  • Page 18 - 18 - The size command This command sets upper limits on certain system properties. Its parameters are: maxvc and max1483vc – Maximum number of VCs (both: default 2) maxppe – Maximum number of PPPoE sessions (default maxmac – Maximum number of MAC addresses that are learned by the bridge forwarding table (default 256) maxpfrawrule –...
  • Page 19: Modifying The Unit's Mac Address And Serial Number

    - 19 - To modify the HTTP server port to 8000, enter: $ modify nbsize httpport 10000 The modify nbsize command does not take effect until the next system reboot occurs. To initiate a system reboot, enter the following pair of commands: $ commit $ reboot last Modifying the Unit’s MAC Address and Serial Number...
  • Page 20: Notes On Using Script File Configuration

    - 20 - Please refer to section in this document for details on CLI Scripting and Script Programming. The autoupdate flag indicates whether configuration files will be executed immediately or only upon issue of an apply command. For more details on the autoupdate flag and the commands related to its use, see the CLI Reference Manual.
  • Page 21: Using Ftp/Tftp To Upgrade And Retrieve The Flash Image

    - 21 - Using FTP/TFTP to Upgrade and Retrieve the Flash Image You can use FTP/TFTP to upload/download code to/from a unit’s flash memory, assuming that a functioning image is already loaded on the unit. Uploads and downloads can be performed from a computer connected to the device through an IP-enabled interface, such as its LAN interface.
  • Page 22: Data Configuration Upgrade

    - 22 - TFTP -i 192.168.1.1 get TECfg.bin If you later change the unit’s configuration and find that the device is not working properly, you can upload this file to restore a known-good configuration. Data configuration Upgrade 4.5.1 Data configuration upgrade using TEpatch.bin will be required if you have committed certain CLI commands in a previous release, and want the same commands to work in an upgraded release.
  • Page 23 - 23 - You can also access this mode as a shortcut if you want to boot a board solely to perform an image upgrade via TFTP. To force a unit into this mode, begin booting the board and monitor the boot messages on your PC.
  • Page 24: Interfaces And Operating Mode

    - 24 - 5 Interfaces and Operating Mode This chapter briefly discusses the unit’s interfaces, and explains how to create and configure the interfaces needed for the bridge and router operating modes, as well as how to select each mode. Interfaces –...
  • Page 25 - 25 - When creating the Ethernet port, you may need to consider the following: IP address and subnet – To connect the unit to an existing LAN whose subnet differs from the Ethernet port’s default subnet (192.168.1.1, mask 255.255.255.0), assign the Ethernet port an IP address in the same subnet as your LAN.
  • Page 26 - 26 - Set any LAN host’s IP address to 192.168.1.3, mask 255.255.255.0. Using this host, Telnet to 192.168.1.1 and log in to the system. Enter the modify ethernet intf command (described above) to change the IP address and/or mask of the eth-0 interface. Enter commit to save the changes.
  • Page 27: Configuring Virtual Ethernet Interfaces

    - 27 - To see the IP address obtained from a DHCP server (plus the IP addresses for all configured IP-enabled interfaces), enter: $ get ip address Deleting an Ethernet Interface To delete an Ethernet interface, enter: $ delete ethernet intf ifname eth-0 Configuring Virtual Ethernet Interfaces Virtual Ethernet interfaces give the impression of multiple subnets on a single physical subnet, by dividing your LAN hosts into groups,...
  • Page 28: Configuring Permanent Virtual Circuits

    - 28 - Commands related to creating the ATM port are briefly described below. For a complete listing of these commands, including parameters and default values, refer to the CLI Reference Manual. Creating the ATM port To create the ATM port atm-0, enter: $ create atm port ifname atm-0 To display information on the ATM port, enter: $ get atm port...
  • Page 29: Aal5 Data Encapsulation Method

    - 29 - A UBR traffic descriptor usually exists as part of the default configuration. So a UBR VC can be created right away. For any other type of VC - GFR, NRTVBR, RTVBR, or CBR, you must also create a traffic descriptor of the same category if you have not yet done so.
  • Page 30: Atm Service Categories: Ubr, Cbr, Gfr, Nrtvbr And Rtvbr

    - 30 - LLC-muxed VC The allowed interfaces are: EoA 1 PPPoE PPPoA IPoA EoA + PPPoE EoA + PPPoE + PPPoA EoA + PPPoE + IPoA PPPoA + IPoA EoA + IPoA EoA + bridge port over EoA EoA + bridge port over EoA + PPPoE EoA + PPPoE + PPPoA + bridge port over EoA 2 EoA + bridge port over EoA + PPPoE + IPoA 3 EoA + PPPoA + IPoA...
  • Page 31 - 31 - time applications like voice and video. Constant Bit Rate (CBR) - ATM guarantees bandwidth up to a Peak Cell Rate (PCR). You specify a VC’s service category when you create the VC, using a traffic descriptor. Traffic descriptors are explained in detail in section .
  • Page 32 - 32 - Creating a GFR traffic descriptor To create traffic descriptor 1, for GFR VCs with MCR=50 and PCR=150: $ create atm trfdesc trfindx 1 GFR CLP_NOTAG_MCR mcr 50 pcr 150 The CLP_NOTAG_MCR flag indicates that if PCR is exceeded, the VC will drop extra cells without tagging the Cell Loss Priority (CLP) bit.
  • Page 33: Configuring Switched Virtual Circuits (Svcs)

    - 33 - To create traffic descriptor 3, for RTVBR VCs with PCR=150, SCR=75 and MBS=15: $ create atm trfdesc trfindx 3 RTVBR NOCLP_SCR pcr 150 scr 75 mbs 15 The NOCLP_SCR flag indicates that the traffic parameters are valid for the aggregate flow and that an SCR is required.
  • Page 34 - 34 - STATUS ALARM : SAAL UP Otherwise, the SAAL status is DOWN. SAAL may come up later when the signaling channel gets established with the remote host. The following trap is generated when SAAL goes down: STATUS ALARM : SAAL DOWN You can check the SAAL status at any time, using the command: get atm uni ifname aal5-0 With UNI configured, you can now initiate the creation of an SVC by giving the following...
  • Page 35 - 35 - To check at any time whether an SVC is established, check its VPI and VCI values by issuing the "get atm svccfg" command. If it is not established, the printed value is shown as "-"...
  • Page 36: Configuring Ppp Interfaces

    - 36 - SVC deletion fails if an upper layer, such as PPPoE, is bound over the VC. To verify SVC deletion, use the get atm svccfg command. It should not show an entry corresponding to the specified interface name. Deleting UNI To delete a configured UNI signaling channel, enter: delete atm uni ifname aal5-0...
  • Page 37: Creating A Login Name And Password For A Ppp Interface

    - 37 - To use the self IP address as the gateway address, enter: $ create ppp intf ifname ppp-0 start lowif aal5-0 PPOE droute true usedns true usegw local In this case, the PPP stack will always ignore the peer IP address obtained through IPCP negotiation from the other side, and will always use its own IP address as the gateway address in the default route.
  • Page 38: Pppoe Interfaces

    - 38 - PPPoE Interfaces 5.7.2 Use the following commands to create PPPoE interfaces. For a complete listing of these commands, including parameters and default values, refer to the CLI Reference Manual. Creating a PPPoE interface with a fixed IP address To configure a PPPoE interface with a fixed IP address, enter: $ create ppp intf ifname ppp-0 lowif aal5-0 ip 202.1.1.1 ppoe sname internet...
  • Page 39: Pppoa Interfaces

    - 39 - To create a mapping between the service called internet and AC ac-i: $ create ppe pconf srvname internet acname ac-i Changing the AC selection policy To configure the unit to use service-to-AC-name mapping, enter: $ modify ppe cfg serv-to-ac When a subsequent connection is made for a specific service, the unit will only accept responses from the AC specified in the mapping.
  • Page 40: Checking The Ip Address Of A Ppp Interface

    - 40 - To retrieve additional configuration information from the ISP’s DHCP server, use the usedhcp parameter. To do so, set the usedhcp parameter to true (this parameter is normally set to false). Checking the IP Address of a PPP Interface 5.7.4 Whenever you create a PPP interface, its IP address is negotiated using the IPCP protocol, even if you specify the IP address.
  • Page 41 - 41 - different subnet than the IP addresses assigned to the modem’s LAN interfaces, such as eth-0 and usb-0. The IP Unnumbered feature provides an alternative configuration that enables the PPP interface to be created with an IP address that is the same as that assigned to the modem’s Ethernet interface, eth-0.
  • Page 42 - 42 - Only point-to-point interfaces can be IP Unnumbered. This feature is not relevant for EoA or IPoA interfaces. The interface from which the PPP interface borrows the IP address must be the modem’s Ethernet interface, eth-0; it cannot be usb-0 or any other LAN interface.
  • Page 43: Configuring The Operating Mode

    - 43 - create nat rule entry ruleid 1 napt lcladdrfrom 192.168.1.2 lcladdrto 192.168.1.254 modify nat global enable Configuring the Operating Mode The reference unit is preconfigured to boot up as a router. Once the unit is running, however, you can use CLI commands to interactively reconfigure the unit to run in either operating mode (router or bridge) or to configure special features of routing mode, such as simultaneous bridging and bridged IP.
  • Page 44 - 44 - To list all interfaces on which bridge ports have been created, enter: $ get bridge port intf Enabling bridging To enable bridging, enter: $ modify bridge mode enable To disable bridging, enter: $ modify bridge mode disable To see whether bridge mode is enabled or disabled, enter: $ get bridge mode 5.8.1.1...
  • Page 45 - 45 - To see the current value of the aging parameter, enter: $ get bridge info 5.8.1.2 Static Bridge Entries Because of the aging parameter, every entry is eventually deleted from the bridge forwarding table (and later relearned), except for static entries.
  • Page 46: Wan To Wan Bridging

    - 46 - By default, STP is enabled on all bridge ports. It is recommended that STP be enabled whenever three or more bridges are interconnected and at least one physical loop (multiple paths between two bridges) exists. Modifying STP on all ports To configure STP parameters applicable to all ports, use the command: $ modify stp global Modifying STP on a specific port...
  • Page 47 - 47 - create one or more WAN interfaces (PPPoE, PPPoA, EoA, or IPoA); and configure one of the WAN interfaces as the default route. Making the LAN interface the default gateway You can configure the IP properties on each LAN host to reflect the LAN interface IP address as their default gateway.
  • Page 48 - 48 - Refer to section Creating the Ethernet interface Refer to section Configuring bridge ports To enable bridging on the eth-0, usb-0, and the eoa-0 interfaces, enter: $ create bridge port intf ifname eth-0 $ create bridge port intf ifname usb-0 $ create bridge port intf ifname eoa-0 To list all interfaces on which bridge ports have been created, enter: $ get bridge port intf...
  • Page 49: Bridge Router Autosense (Bras)

    - 49 - Refer to section Creating the Ethernet interface Refer to section Configuring bridge ports To enable bridging on the eth-0, usb-0, and the eoa-0 interfaces, enter: $ create bridge port intf ifname eth-0 $ create bridge port intf ifname usb-0 $ create bridge port intf ifname eoa-0 To list all interfaces on which bridge ports have been created, enter: $ get bridge port intf...
  • Page 50: Zero Installation Pppoe Bridge (Zipb) Mode

    - 50 - 5.8.4.1 Configuration details When the unit boots, configured PPPs will try to come up as usual. If PPPoE traffic is detected from the LAN end, then the PPPoE client on the modem will get disabled. The PPPoE packet received from the LAN will get forwarded to the WAN side, because of the preconfigured bridge ports.
  • Page 51 - 51 - 5.8.5.2 ZIPB mode - operation details LAN PCs get their global addresses through the DHCP server functionality. If a PPP IP address is available to the unit, the LAN PC gets this address on a DHCP request. Initially, when PPP is not yet up, the IP address allocated to the LAN PC comes from the Ethernet pool, and PPP is triggered to come up.
  • Page 52 - 52 - LAN machines can access the modem in ZIPB mode, as they would, in non-ZIPB mode, using the Ethernet IP address. Instead of trying to access an IP address, the LAN side PC user should use the DNS relay capability of the modem.
  • Page 53 - 53 - You need to create and enable a DHCP server pool with poolId 0 and an Ethernet subnet with small lease time. For example, you can use the following syntax. create dhcp server pool poolid 0 start-ip 192.168.1.2 end-ip 192.168.1.5 mask 255.255.0.0 lease 60 mlease 120 Enable dhcp server, by entering, dhcp server cfg enable...
  • Page 54: Viewing And Modifying Dsl Information

    - 54 - 6 Viewing and Modifying DSL Information The CLI enables you to configure various parameters that control how data is transmitted on the DSL line. You can also view statistics relating to the DSL line performance. Modifying the DSL Configuration You may need to modify various DSL parameters to ensure proper operation of the reference design with your test equipment, or to prepare your customer units for operation in the particular...
  • Page 55: Viewing Dsl Parameters And Statistics

    - 55 - To view current DSL configuration information, enter: $ get dsl config Viewing DSL Parameters and Statistics You can use the following commands to view a variety of non-modifiable DSL parameters and performance statistics. For a complete list of all parameter values for all the following commands, see the CLI Reference Manual.
  • Page 56 - 56 - The output displays loss-of-signal defects (LOS), severely errored frame defects (SEF), no-cell delineation errors, and loss-of-cell delineation errors for the data stream. Resetting DSL statistics The DSL counters and failure statistics accumulate starting from the last reboot. You can use the following commands to reset these statistics to zero without rebooting: $ reset dsl stats flrs $ reset dsl stats cntrs...
  • Page 57: Configuring Ip And Routing Management

    - 57 - 7 Configuring IP and Routing Management This chapter shows you how to configure routes on the modem and on the LAN hosts. Before you begin this chapter, configure the WAN and LAN interfaces as described above. Configuring Routing on LAN Hosts In routing mode, because the unit acts as the gateway for the LAN hosts, the LAN hosts should be configured to use the LAN IP address as their default gateway.
  • Page 58: Routing Mode

    - 58 - Be sure to verify that your modem can reach the gateway. This can be done beforehand using the ping command, e.g., ping 10.2.1.1. A dynamic route is one created automatically by the modem, either when you create an IP-enabled interface, or by learning through RIP.
  • Page 59: Rip

    - 59 - To see the current state, type the command: $ get ip cfg Routing Information Protocol (RIP) is a dynamic routing protocol typically used inside the organization to exchange routes between various routers within the organization. The modem’s RIP is an implementation of RIPv2 with compatibility with RIPv1 and can be configured to run as either RIPv1, RIPv2, or RIPv2-with-RIPv1 compatibility mode.
  • Page 60: Igmp

    - 60 - sends out RIP updates to other routers on this interface. If no authentication is required, the auth parameter is set to none. In case of RIPv1, auth must be set to none. The metric is a kind of path cost associated with the interface. The higher the metric, the costlier it is to use that interface to get to a particular destination.
  • Page 61 - 61 - Creating IGMP interfaces is useful only when the unit is configured in routing or ZIPB mode. When the unit is configured for routing and bridging simultaneously, then all multicast packets will go through routing path —and not through the bridging path — if the IGMP interface is created as described in this section.
  • Page 62 - 62 - For any IGMPv2 router interface, if you set the last member query interval as 0 seconds, then as soon as an IGMP “leave group” message is received from any LAN side host, the group will be detached from that router interface.
  • Page 63 - 63 - Deleting IGMP interfaces To delete an IGMP host interface on eth-0, enter: delete igmp intf ifname eth-0 To delete an IGMP host interface on ppp-0, enter: delete igmp intf ifname ppp-0...
  • Page 64: Virtual Private Network

    - 64 - 8 Virtual Private Network An internet-based virtual private network (VPN) uses the open, distributed infrastructure of the Internet to transmit data between corporate sites. This chapter explains how the modem uses the Layer 2 Tunneling Protocol (L2TP) to provide the benefits of a VPN. Overview Why VPNs? Businesses today are faced with supporting a broader variety of...
  • Page 65: L2Tp

    - 65 - These connections or tunnels are set up between the remote client and the corporate network it is trying to access. The client initiates the creation of the tunnel in order to exchange traffic with the corporate network. To do so, the client uses special client software, which uses L2TP, to communicate with the gateway protecting the LAN.
  • Page 66 - 66 - link PPP-2 is first used to connect to the ISP. IPoA, EoA are interfaces that could also be used for this link. The link PPP-1, that connects the modem to the corporate server, uses L2TP. Client-Corporate Office Connection using L2TP L2TP Tunnel A tunnel exists between an LAC-LNS pair.
  • Page 67: Configuration Details

    - 67 - manner as a modem dial-up, except that the call is placed through the Internet (IP network) instead of the PSTN (telephone network). If the tunnel server is on the corporate LAN, all branch office LANs can connect to the centrally located server in order to talk to each other.
  • Page 68 - 68 - To get L2TP global information such as protocol Version and Vendor name, enter: get l2tp global info Creating L2TP tunnel To create an L2TP tunnel, enter: create l2tp tunnel config ifname l2t-0 localip 178.10.10.10 remoteip 178.10.11.10 start authtype simple secret passwd hellointerval 300 idletimeout num 100 crws 5 maxretx 10 maxretxtimeout 10 payloadseq...
  • Page 69 - 69 - To get information on one L2TP tunnel, or, all tunnels, enter: get l2tp tunnel config ifname l2t-0 Modifying L2TP tunnel configuration To modify L2TP tunnel configuration, enter: modify l2tp tunnel config ifname interface-name localip local-ip-address localhostname local-host-name remoteip remote-ip-address remotehostname remote-host-name start|stop...
  • Page 70 - 70 - Starting and Stopping Tunnels A Tunnel is created with two options START and STOP. When the tunnel is created using the start option, creation and establishment of tunnel happens simultaneously. If you create a tunnel using the stop option, you can decide to start the tunnel later. To stop an L2TP tunnel, issue the Stop Tunnel command.
  • Page 71 - 71 - sessions over those tunnels are also torn down. Whenever the link is restored, L2TP starts the process of establishment of all the tunnels, which are configured with that IP address. The process of establishment of all the sessions for those tunnels also begins once the tunnel is established.
  • Page 72: L2Tp Traps

    - 72 - L2TP Traps L2TP sends traps for: Tunnel establishment - This trap is generated when the tunnel establishment with the peer is successful. Tunnel down - This trap is generated when the tunnel goes down due to a stop tunnel command from the user, or due to a stop tunnel message from the peer.
  • Page 73: Configuring Dns Relay

    PCs on a LAN can set the IP address of the unit as the DNS server. The SAR110 unit will thus act as a DNS relay server and forward the requests received from the PCs on the LAN to the actual DNS servers, whose addresses have been learned from PPP.
  • Page 74: Configuring Dhcp Server And Dhcp Relay

    10.1 Default DHCP Configuration on the SAR110 Reference Unit By default, the SAR110 reference unit is configured as a DHCP server, with two pools of IP addresses. The following commands are included in the default configuration file to set this configuration: $ create dhcp server pool start-ip 192.168.1.2 end-ip 192.168.1.13...
  • Page 75: Creating Dhcp Pools

    - 75 - Creating DHCP Pools 10.2.1 A DHCP pool is a range of IP addresses made available on a server for distribution to LAN hosts. Creating a Basic DHCP Pool To create a basic DHCP pool, enter: $ create dhcp server pool start-ip 192.168.1.2 end-ip 192.168.1.13 mask 255.255.255.0 This command configures a pool of 12 IP addresses, from 192.168.1.2 to 192.168.1.13.
  • Page 76 - 76 - Assigning a Pool ID You can configure multiple pools for assignment to different subnets on the LAN. Each pool is distinguished by a pool id. If the pool id is not specified in the create command, the pool is assigned the first available pool id.
  • Page 77: Excluding Addresses From A Pool

    - 77 - means that the trap will be generated only if you have specifically set the low threshold to a non-zero value. To specify the low threshold value, type: $ create dhcp server pool poolid 2 start-ip 192.168.1.2 end-ip 192.168.1.13 mask 255.255.255.0 lthres 3 Enabling and Disabling Pools By default, when you create a new pool it is enabled for use.
  • Page 78: Modifying And Deleting Pools

    - 78 - Modifying and Deleting Pools 10.2.3 You can modify the lease and other configurable parameters using the modify command or by giving the relevant parameters directly in the create command. Modifying Pools To modify a DHCP pool, use the command: modify dhcp server pool poolid 0 [parameter value] For example, to modify the DNS server assigned to DHCP clients, use: $ modify dhcp server pool poolid 0 dns 192.168.1.11...
  • Page 79: Enabling The Dhcp Server

    - 79 - To create an entry in the static hosts table that associates the MAC address 00:80:48:CB:B8:83 with the fixed IP address 192.168.1.2, type the command: $ create dhcp server host ip 192.168.1.2 mask 255.255.255.0 hwaddr 00:80:48:CB:B8:83 dlease 4294967295 mlease 4294967295 The lease periods carry the same meaning as for a pool.
  • Page 80: DHCP-DNS Relay Interaction

    - 80 - To see the current state of the server, type the command: $ get dhcp server cfg DHCP-DNS Relay Interaction 10.2.6 The DHCP server indicates the DNS Server addresses to DHCP clients in the following manner. If the primary/secondary DNS addresses are provided as part of the pool configuration (using the DNS and SDNS parameters in the create/modify dhcp server pool commands), then these are indicated to the client.
  • Page 81: Specifying The Dhcp Server Ip Address

    - 81 - To receive responses from the ISP, the unit’s WAN interface must also be enabled for DHCP relay. The WAN interface could be a PPP, EoA, or an IPoA interface. Specifying the DHCP Relay Interfaces To specify that the unit will receive DHCP requests on the LAN (eth-0) interface and the WAN (ppp-0) interface, enter these commands: $ create dhcp relay intf ifname eth-0 $ create dhcp relay intf ifname ppp-0...
  • Page 82: Using A Dhcp Server On The Lan

    - 82 - 10.4 Using a DHCP Server on the LAN If the unit is connected to a LAN that uses one of its own hosts as the DHCP server, the unit’s LAN interface must be configured as a DHCP client so that it also gets its LAN-side IP address from the server.
  • Page 83: Forcerenew

    - 83 - instructions on setting the threshold value, please refer to the create dhcp server pool command. 10.6 ForceRenew ForceRenew is supported by the DHCP server configured at the modem, according to RFC 3203. If DHCP client(s) also support ForceRenew, it is possible to increase the lease time defined in the pool.
  • Page 84: Simple Network Time Protocol

    - 84 - 11 Simple Network Time Protocol 11.1 Overview The SAR110 software implements Simple Network Time Protocol (SNTP), Version 4, RFC 2030, to enable it to periodically synchronize its clock with a reference clock on the Internet. The firewall feature of the modem requires synchronized wall clock time.
  • Page 85 - 85 - Polling Interval and Packet Time-out The SNTP Polling Interval, or the time after which an SNTP request is sent, can be between 64 seconds and 1024 seconds, both inclusive. The polling interval adjusts automatically, depending on the clock drift. The maximum number of retries, in case of no response from the server, is 2.
  • Page 86: Configuration Details

    - 86 - 11.3 Configuration details Enabling or Disabling SNTP service To modify the SNTP configuration, enter: modify sntp cfg [enable | disable] Configuring SNTP server address To configure the SNTP server address, enter: create sntp servaddr <ip-address> | dname <domain-name> To delete the SNTP server address you have configured, enter: delete sntp servaddr <...
  • Page 87 - 87 - the number of SNTP Requests sent to the SNTP server the number of valid SNTP responses received from the SNTP server the number of invalid SNTP responses received from the SNTP server the number of lost responses against the SNTP request the time at which the local clock was last set or corrected.
  • Page 88: Layer 2 Security

    The SAR110 unit’s raw filtering feature allows it to examine each packet traveling in either direction (incoming or outgoing) and to filter out packets based on rules and subrules that you define. Because the raw filter scans packets at the layer 2 level (e.g., Ethernet), it can...
  • Page 89: Using Raw Filtering Rules And Subrules

    - 89 - A rule is said to match the packet only if all of its subrules match the packet. This is true whether a rule has one or many subrules. If a subrule is found that does not match the packet, that rule is skipped. If none of the rules matches the packet, the default action is taken for that packet.
  • Page 90 - 90 - To delete a rule, enter: $ delete pfraw rule entry ruleid 1 In order to delete a rule, you must first delete all of its subrules. (For information on deleting a subrule, refer to the following section.) 12.1.1.2 Commands for subrules The basic commands used to create, modify and delete raw filter subrules are described below.
  • Page 91: Raw Filtering Global Configuration

    - 91 - incoming packets on a particular interface, such as eth-0, enter: $ get pfraw rule info ifname eth-0 dir in To see the configuration of rules applicable to outgoing packets on a particular interface, such as eth-0, enter: $ get pfraw rule info ifname eth-0 dir out Example...
  • Page 92: L2 Wall

    $ modify pfraw block protocol ppe enable 12.3 L2 Wall The SAR110 software supports the L2 Wall security feature, which allows a LAN host to prevent accesses to it when the user is not using the Internet.
  • Page 93: Configuration Files

    - 93 - The timer counts down an interval called the activation time, which is set by the user and can vary from 1 minute up to 1 day. During this interval, traffic can pass in both directions. 12.3.2 Configuration Files L2 Wall filtering is controlled by three configuration files that are merged into the software image when you create it using the...
  • Page 94: Assumptions

    12.3.4 Assumptions L2 Wall assumes the following to be true: The SAR110 unit is operating in bridging mode. 12.3.5 Sample Configuration Files Below is an example of a factory defaults file that configures the L2 Wall feature in automatic mode, sets the timer to 5 minutes, and establishes rules for enabling transparent traffic.
  • Page 95 - 95 - Below is an example l2wall_on.cfg file that globally denies all traffic, and then enables the raw filter rules in TEFacs.txt that allow specific types of transparent traffic. modify pfraw global deny modify pfraw rule entry ruleid 1 enable modify pfraw rule entry ruleid 2 enable modify pfraw rule entry ruleid 3 enable modify pfraw rule entry ruleid 4 enable...
  • Page 96: Layer 3 Security

    - 96 - 13 Layer 3 Security Layer 3 filtering at the IP layer enables easier configuration, as it allows working with various fields in the IP header. Also, as more information about the traffic flow is available at this layer, it allows you to provide increased protection.
  • Page 97: Default Nat Configuration On The Sar110 Unit

    Star Craft 13.1.1 Default NAT Configuration on the SAR110 Unit By default, NAT is enabled on the SAR110 reference unit, with an napt rule that translates all LAN side addresses to the public IP address assigned to the PPP-0 interface.
  • Page 98: Configuring Nat Direction

    - 98 - The first line creates a rule of type napt (Network Address Port Translation) and assigns it a rule ID of 1. The second line enables the NAT service. For more information about the default configuration, see Chapter . 13.1.2 Configuring NAT Direction NAT distinguishes between inside interfaces and outside interfaces.
  • Page 99 - 99 - Creating an napt Rule with a Rule ID To create an napt rule, type the command: $ create nat rule entry napt ruleid 1 Although the command takes quite a few parameters, the default values suffice in most cases. Note that the rule is assigned a rule ID.
  • Page 100: The Rdr Rule

    - 100 - 255.255.255.255 indicates that the rule will be matched for all packets going out on the interface. Suppose you have two subnets on the LAN: 192.168.1 and 172.25, and you want NAT to work for only one of them - 192.168.1 (if for example, the other subnet never needs to access the Internet).
  • Page 101 - 101 - Creating an RDR Rule $ create nat rule entry ruleid 2 rdr destportfrom 80 destportto 80 lcladdrfrom 192.168.1.3 lcladdrto 192.168.1.3 This command indicates that in all connection requests from the WAN side for the port number 80, which is the well known port number for a web server, the destination address should be substituted by 192.168.1.3.
  • Page 102: The Basic And Filter Rules

    - 102 - To specify an interface and a fixed IP address, type the command: $ create nat rule entry ruleid 2 rdr ifname ppp-0 destaddrfrom 202.1.1.1 destaddrto 202.1.1.1 destportfrom 80 destportto 80 lcladdrfrom 192.168.1.3 lcladdrto 192.168.1.3 lclport 8080 This will translate the request only if it contains the destination address 202.1.1.1.
  • Page 103: The Bimap Rule

    - 103 - 13.1.6 The bimap Rule Suppose you want to provide a one-to-one mapping between one of the public IP addresses and one of the LAN hosts. All accesses to the public IP address should be forwarded to the particular LAN host, and all accesses from the host should appear to go out from that public IP address only.
  • Page 104 - 104 - To be able to access external ftp servers from the LAN, type the command: $ create alg port portno 21 algtype ftp This enables the FTP ALG on all connections having the port number 21. The port number would, in most cases, be the well-known port number of the application.
  • Page 105 VPN server on the Internet. For example, a telecommuter accessing the corporate Network through VPN from home. Note: When SAR110 is in bridging or ZIPB mode, no extra configuration is required for any kind of IPSec traffic to pass through (as NAT is not running on SAR110).
  • Page 106: Enabling Nat

    - 106 - transport mode, or with UDP encapsulated. This traffic cannot pass through because the AH header also authenticates the IP address in the IP header, so intermediate NAT routers cannot translate the IP address. Encapsulating Security Payload (ESP) in transport mode with TCP packets.
  • Page 107 - 107 - Usage of malicious IP addresses - These attacks exploit the use of source IP addresses that are illegal on a given interface. Some examples of illegal packets are packets sent with the source IP address set to: an internal address on a public interface; a loopback address on any interface; a network broadcast address on any interface; an IP broadcast address on any interface...
  • Page 108 - 108 - 13.2.1.2 Denial of service (DOS) protection Flooding the modem with a large number of packets, so that all its resources are used up, causes denial of service to genuine connections. DOS protection works by enforcing limits on various types of IP sessions that can pass through the modem. They are: half-open TCP connections; ICMP sessions; number of connections from a single host.
  • Page 109 - 109 - The same holds for Medium and Low levels. When the security level is set to None, no IP filter rules are active, implying zero protection. The default configuration provided with the modem contains IP filter rules to cater to typical user requirements. The private side of the network is the most secure.
  • Page 110: Firewall Features

    - 110 - to DMZ to Self to to DMZ Self Private Public Self Private Public Public Private HTTP telnet SMTP POP 3 ICMP Chargen Discard Echo Matrix for defining Low level Security Rules Service Private Private Private Public Public Public to DMZ to DMZ to...
  • Page 111: Configuration Details

    - 111 - lookups for the new session begin afresh. The session time outs depend on particular protocols and, in case of TCP, on the state of the TCP connection as well. 13.2.2.1 Logging The modem keeps track of TCP connections flowing from or through it.
  • Page 112 - 112 - name (FQDN) of his mail server. This mail server can be on the LAN or can be provided by the ISP. You need to check the IP Filter rules to ensure that the connectivity to the configured SMTP server exists. Use the modify smtp servaddr command to configure the IP address of the SMTP server.
  • Page 113: Ip Filtering And Ip Sessions

    This section provides details about the SAR110 unit’s IP filtering capability and how to configure the rules for IP filtering. The SAR110 unit's IP filtering feature allows it to examine each packet traveling in either direction (incoming or outgoing) on an interface and to filter out packets based on rules that you define.
  • Page 114 - 114 - To allow you to retain full control over the order of rule evaluation, do not number rules/subrules consecutively, e.g., 1, 2, 3, etc., but in increments, e.g., 10, 20, 30, etc. This will allow you to insert more rules between the existing ones at a later time.
  • Page 115: Using Ip Filtering Rules

    - 115 - The first response packet that comes from the server to the client will enable the unit to determine the remaining two rules for the session - one for the incoming direction on ppp-0 and one for the outgoing direction on eth-0.
  • Page 116 - 116 - $ create ipf rule entry ruleid 10 ifname ppp-0 dir out inifname eth-0 transprot eq icmp act deny enable Various options for matching allow you to look for addresses equal to a value, not equal to a value, within a given range of values, outside a given range of values and so on.
  • Page 117: Configuring Time-Of-Day Based Rules

    - 117 - 13.3.1.1 IP filter rule configuration for enhanced security Predefined IP Filter rules enable you to set the levels of security as High, Medium, Low or None, for the modem. IP Filter rules are configurable such that they are enabled or disabled depending upon time of the day.
  • Page 118 - 118 - create ipf rule entry ruleid 20 transprot eq icmp deny todfrom "9:30:00" todto "18:30:00" todstatus enable The above rule will be active between 9:30 AM and 6:30 PM. Since it blocks all ICMP packets, it means that ICMP packets will be blocked between the given time values. If the todstatus had instead been disable, then the rule would be inactive between the given times and active during the rest of the day, hence ICMP packets would be allowed between the given times and denied during the rest of the day.
  • Page 119 - 119 - {"UTC", +0000, "Universal (Coordinated)"}, {"WET", +0000, "Western European"}, {"CET", +100, "Central European"}, {"FWT", +100, "French Winter"}, {"MET", +100, "Middle European"}, {"MEWT", +100, "Middle European Winter"}, {"SWT", +100, "Swedish Winter"}, {"BST", +100, "British Summer"}, {"EET", +200, "Eastern Europe, Russia Zone 1"}, {"FST", +200, "French Summer"}, {"MEST",...
  • Page 120: Ip Sessions - Advanced Configuration Issues

    - 120 - {"NZDT", +1300, "New Zealand Daylight"} 13.3.3 IP Sessions – Advanced Configuration Issues For an IP session, the unit looks up its rules for each of the two interfaces, and for each direction on that interface, only once. The matched rules are then applicable for as long as the session is alive.
  • Page 121 LAN client doing a telnet to a WAN host. 13.3.3.1 Stateful Filtering The SAR110 unit's Stateful filtering feature allows you to permit packet flow in one direction only if a session has been initiated from the other direction.
  • Page 122: Ip Filtering Global Configuration

    - 122 - On the ethernet interface, rule id 10 and rule id 20 are the rules used. If a telnet is originated from a PC to the modem, then, ruleID 10 will be used in IN direction. When the response to PC is sent from the modem, ruleid 20 is used.
  • Page 123 - 123 - indicate it to be active. The current status of the rule is shown as the “Rule Oper Status” in the get ipf rule entry command. When the modem boots up, the time is set to the last committed time.
  • Page 124: Usage Control

    - 124 - 14 Usage Control 14.1 Overview The Usage Control feature of the unit provides a user authentication mechanism for allowing LAN to WAN access, only after a login/password have been provided by the LAN user. The mechanism gets activated when a new LAN user tries to connect to the WAN.
  • Page 125: User Authentication Process

    - 125 - 14.2 User Authentication process When the Usage Control feature is enabled, the unit interrupts WAN-side access by displaying some HTTP pages that force a user to create a new user id or authenticate himself before he is allowed to access the WAN side.
  • Page 126 - 126 - Data User Diagnostics Page Data User Login Page To begin authentication process, the data user uses the Login Name and Password fields of the Data User Login Page. Login Name Input Field The data user uses this field to provide an existing data user name for authentication purposes, or, create a new data user, subject to the maximum number of data users allowed in the system.
  • Page 127 - 127 - This checkbox is displayed ONLY when the usage control feature for PPP interface is enabled. Choosing the common login option is allowed only when the PPP security entry is not created. The checkbox is not displayed at all, if the WAN interface used is not a PPP interface.
  • Page 128 - 128 - Data User Maximum Connections Exceeded Page the Data User Connection-in-Use Page appears only after a data user has provided correct input of an existing data user login and password, active from some other machine. Data User Connection-in-Use Page Data User Connection-in-Use Page Release Other User Check Box This checkbox is checked by the data user when he wants to bump...
  • Page 129 - 129 - data user. The data user will automatically be redirected to the original IP address that he had typed in, to access the WAN side. Cancel Button Clicking on this button cancels the changes made in the page by the user, and refreshes the page.
  • Page 130: Configuration Using Cli

    - 130 - Modify PPP Security Information Option If this option is checked, the data user can modify his PPP security information. Submit Button On clicking this button, appropriate action will take place. On successful completion of the action, a success page is displayed, and on failure, an operation failure page is displayed with the option to go back to the Data User Session Management Page.
  • Page 131 - 131 - To delete all data users, enter: $ reset datauserslist It is mandatory to reboot your system after the reset datauserslist command.
  • Page 132: Application Security - Surfing Profile

    - 132 - 15 Application Security – Surfing Profile 15.1 Surfing Profile The surfing profile feature of the modem controls the HTTP traffic passing through it. With this feature, the modem restricts users on private interfaces either by allowing access only to given URLs or by allowing access to everything except a list of URLs.
  • Page 133: Surfing Profile - Modes Of Operation

    - 133 - Example Sample format of a file: <Start of file> register/allow/deny url ["string"] url ["string"] <End of file > It is mandatory to specify the string only in case of registration. The other two file types contain only the URL and not the string. In case the file type is registration enforcement, and any one of the URLs is visited, and the corresponding string matches that in the response packet, the user will be allowed unrestricted access from next time...
  • Page 134 - 134 - If the file format is as mentioned above, the end-user will not be allowed to browse any site other than the sites mentioned in the list. If any one of the URLs is visited and the string is matched in the message body of the response packet, HTTP traffic will be allowed unconditionally, next time onwards.
  • Page 135: Surfing Profile - Feature Details

    - 135 - File format: deny url1 url2 url3 …… url n <File End> 15.4 Surfing profile – feature details Surfing profile operates only on the HTTP traffic going over the compile-time configured TCP port. The TCP connection for HTTP is established and terminated as usual.
  • Page 136: Auto-Configuration

    Two auto-configuration features are described in this chapter: SAR110 AutoDetect feature, which enables the unit to dynamically configure its ATM virtual circuit (VC) at startup by attempting a connection using the first available VPI/VCI pair.
  • Page 137: Configuring The Modem To Work With Autodetect

    - 137 - connection are saved and used in the initial connection attempt if the modem is later rebooted or the WAN interface is restarted. 16.1.2 Configuring the Modem to Work with AutoDetect AutoDetect requires that the WAN and LAN interfaces be specially configured.
  • Page 138: Autodetect Configuration Options

    - 138 - AutoDetect Commands in TEFacs.txt—Bridge Mode Run the createfi utility to create the new image with the autocfg.txt file in the TEFilesys\adet directory. Load the new image into flash using the Loadfi utility, the Web-based interface, or an FTP/TFTP client.
  • Page 139 - 139 - Specifying the PPPoE/PPPoA detection method The following commands specify the criteria AutoDetect uses to determine whether to bring up a PPPoA interface or a PPPoE interface. modify autodetect cfg pppdetect padilcp modify autodetect cfg pppdetect fullblown When the parameter padilcp is specified, AutoDetect begins by sending PADI packets over the first available VC.
  • Page 140: Considerations

    - 140 - if no valid response is received after attempting connections using all available VCs, AutoDetect repeats the process, but this time checking for PPPoA. The process will repeat until a valid response is received. If AutoDetect is configured to obtain the possible VCs from autocfg.txt, then the process will repeat indefinitely, even if all VCs have been tried without success using all combinations of settings (PPPoE/LLC Mux, PPPoE/VC Mux, PPPoA/LLC Mux, PPPoA/VC Mux).
  • Page 141: Auto-Configuration Using Ilmi (Tr-037)

    - 141 - 16.2 Auto-configuration Using ILMI (TR-037) The auto-configuration procedure helps minimize end-user involvement in the setup and configuration of the unit. As defined in DSL Forum's TR-037, auto-configuration allows the unit to obtain information needed to configure ATM VCs for one or more network services, by communicating with the DSLAM, using the Integrated Local Management Interface (ILMI) protocol.
  • Page 142: Starting Auto-Configuration Through Default

    - 142 - $ modify ilmi intf ifname atm-0 enable As with the create command, disabling or enabling takes effect only after you save the changes using commit and reboot last. Starting ILMI auto-configuration The command to start ILMI auto-configuration is as follows: trigger ilmi This command is only used when you want to start auto-configuration through default, and is not required to be given at...
  • Page 143 - 143 - modify bridge mode enable create ilmi intf ifname atm-0 enable trigger ilmi The sizing parameters described in this document, must preferably be set to support the maximum number of VCs allowed. This means that the size command should contain the maxvc and max1483vc parameters set to the maximum.
  • Page 144: Starting Auto-Configuration At Run Time

    - 144 - 16.2.2 Starting auto-configuration at run time As mentioned in the previous section, the sizing parameters must preferably be set to support the maximum number of VCs allowed. Default PPP security login and password should be set. Bridging mode should be enabled and a bridge port should be created over eth-0 interface, if bridging is to be supported.
  • Page 145: Best Effort Configuration

    - 145 - interfaces that are created over the VC: PPPoA - PPPoA interface is created over this VC. Bridging - Only a non-IP enabled EoA interface is created over this VC. A bridge port is also created over this EoA interface.
  • Page 146: Vcc Change And Cold Start Trap

    - 146 - 16.2.5 VCC change and Cold Start Trap The network can change the unit configuration by sending a VCC Change trap. On receiving the trap, the auto-configuration procedure retrieves the configuration information for the VC from the network and re-configures itself. Only the VC for which the trap is received is affected.
  • Page 147: Recommended Parameters Required From Network

    - 147 - same sub-script. For example, if you create a VC through CLI or HTTP, with interface name aal5-1, and you want to create PPP over it, then the interface name of PPP should be ppp-1. 16.2.9 Recommended parameters required from network The following parameters, specified in TR-037, should be supported at the network side.
  • Page 148: Other Device Access Mechanisms

    System (NMS) and the network devices managed by it. This information is used to configure and manage the network devices. The SAR110 software provides SNMP access to the following Management Information Base (MIB): RFC 1213: Management Information Base for Network Management of TCP/IP-Based Internet: MIB-II.
  • Page 149: Snmp Traps

    - 149 - To run an SNMP Manager on 192.168.1.3 and access the modem’s SNMP Agent, enter: $ create snmp host community public ip 192.168.1.3 Since the public community was created for read-only access, this will allow you to read the modem’s MIB without allowing you to modify it.
  • Page 150: Web-Based Interface

    You can easily modify the functionality and look and feel of the web pages to create a customized interface for distribution with your own SAR110-based products. For detailed instructions on using the Web-based interface, refer to the SAR110 User Guide or to the embedded online help. 17.2.1 Accessing the Web-based Interface...
  • Page 151: Accessing The Quick Configuration Page

    - 151 - System View Page 17.2.2 Accessing the Quick Configuration Page The interface also includes a Quick Configuration page. This helps you access the settings that you may need to configure when you install your own product. You can also access all Quick Configuration settings under their respective tabs.
  • Page 152: User Instructions

    - 152 - 17.2.3 User Instructions You can access all tasks by clicking the tabs that display horizontally at the top of the page. A menu of related tasks displays at the top of each tab. Click these to display the specific tasks. All changes are effective when submitted.
  • Page 153: L2 Agent Module

    - 153 - 17.3 L2 Agent Module The L2Agent (L2AG) module is defined to provide access to the modem’s management information base through Ethernet. It provides a proprietary framework for exchange of messages between the L2-Manager and the GenAg module on the modem. This facilitates the L2-Manager to read the existing configuration information from the modem, and to set/modify the configuration on the modem.
  • Page 154 - 154 - from the Ethernet module, a message/event is sent to the L2AG task. This message is forwarded to GenAg and L2AG waits for a response from GenAg. After receiving the response from GenAg, L2AG creates the Ethernet packet to be sent to the L2-Manager, and hands it over to the EMac (functional interface) for transmitting the message over the Ethernet interface.
  • Page 155: System Maintenance

    - 155 - 18 System Maintenance This chapter describes information useful for general administration and maintenance of the SAR110-based unit. 18.1 Diagnostics 18.1.1 Checking IP Connectivity To check if a particular machine (router, PC, etc.) on the Internet is reachable (online),...
  • Page 156: Atm Traffic Diagnostics

    - 156 - Testing Ethernet connection to ATM that verifies if both the Ethernet and ATM interfaces are up. Testing Telco Connectivity This category has two diagnostics: Testing ATM OAM segment ping that verifies if the next node is reachable. Testing ATM OAM e2e ping that verifies if the other end is reachable.
  • Page 157: Oam F5 Cc

    - 157 - 18.3.1 OAM F5 CC ATM operation administration and maintenance (OAM) F5 continuity check (CC) cells enable network administrators to continuously monitor the continuity of VCC connections and detect misconfigurations in the ATM layer. Such misconfigurations can cause misdelivery of a cell stream to a third party or can cause unintended merging of cells from multiple sources.
  • Page 158 - 158 - Activation/Deactivation Continuity Check Activation/Deactivation For activation or deactivation of CC functionality in a standard manner The product supports end-to-end F5 CC procedure and F4 loopback response. The CC procedure can be activated simultaneously on all VCCs configured in the system. The CC procedure may be activated when a VCC is in AIS/RDI state.
  • Page 159: Oam Loopback

    The Loopback Location ID is a 16-byte identifier that uniquely identifies the SAR110 unit. It is configured by the oamsrc parameter in the command create atm port. If the ISP provides you with a loopback location ID, use it when you are creating the ATM port on...
  • Page 160: Traps

    Traps are informational or alarm messages that indicate specific events in the SAR110 unit. A trap appears as a line of output on your CLI session’s console. For instance, the unit displays the following trap when it boots up: Thu Jan 01 00:00:13 2001 : STATUS ALARM : System Up Refer to the CLI Reference Manual for a detailed list of traps.
  • Page 161: Requesting Status And Statistical Information

    - 161 - 18.5 Requesting Status and Statistical Information Certain get commands allow you to request status information and statistics for features such as DHCP and NAT, as well as for the unit’s interfaces. These get commands and the information they display are summarized in Table .
  • Page 162 - 162 - Current 15-minute interval, current day, and get dsl stats curr previous day performance counters for DSL 15-minute interval based current day get dsl stats hist performance counters for DSL DSL error counters get dsl stats cntrs Statistics for all Ethernet interfaces get ethernet stats Statistics for ICMP get icmp stats...
  • Page 163: Viewing Complete System Configuration

    - 163 - Global statistics for PPPoE get ppe stats global Statistics for each PPPoE session get ppe stats session IP status for all PPP interfaces get ppp ipstatus Link status for all PPP interfaces get ppp lstatus Statistics for RIP get rip stats Global statistics for SNMP get snmp stats...
  • Page 164: Managing User Accounts

    - 164 - 18.7 Managing User Accounts If you are a superuser (i.e., have root-level privileges), you can create and delete users. Determining Your Privilege Level To find out if you have root-level or user-level privileges, enter the following root-level command: $ get user If CLI displays Insufficient privileges for the command, you only have user-level or intermediate-level privileges.
  • Page 165: Deleting User Accounts

    - 165 - Creating a Superuser with Root-Level Privileges To create a superuser with root-level privileges, enter: $ create user name username passwd password root 18.7.2 Deleting User Accounts If you are a superuser, you can delete any account provided that there remains at least one superuser account.
  • Page 166: Modifying System Parameters

    IP address of the modem. For example, if you configure the host name as SAR110, the DNS resolution for hostname will return the IP address of SAR110 to the machine sending the DNS query.
  • Page 167 The screens given below will help to explain the Note above. The first screen shows Solwise configured as the domain name on a LAN machine. The second screen, that brings up the modify system screen on the modem, should have SOLWISE in the Domain name field.
  • Page 169: Debugging Using Memory Location

    - 169 - 18.11 Debugging using Memory Location To debug at the system level, you may need to view and modify the contents of a memory location. To debug by viewing the contents of a memory location, enter: $ rdm [VREG | NREG | NONE] addr addr [len len] [format <hex | dec>] Using this command, you can specify the base address.
  • Page 170 - 170 - To require serial port authentication, enter: $ modify nbsize serialauth enable To disable serial port authentication, enter: $ modify nbsize serialauth disable The modify nbsize command does not take effect until the next system reboot; i.e., you must also enter commit to save the information, and then reboot to reboot the system, in order to see the desired effect (enabled or disabled).
  • Page 171: Shell Tutorial

    - 171 - 19 Shell Tutorial This appendix helps you understand how to use shell scripts to your advantage, and provides a tutorial on shell programming. 19.1 Shell Tutorial - Overview Introduction To execute a number of CLI commands in one go, you use the .cfg files that are provided.
  • Page 172: Shell Programming Tutorial

    - 172 - if $1 eq 3 <commands to create l2tp tunnel> goto end if $1 eq 4 <commands to create l2tp session> goto end end: 19.2 Shell Programming Tutorial This tutorial will help you understand the basics of shell script programming.
  • Page 173: A First Script

    - 173 - Code segments and shell scripts are displayed as italics. Output snapshots are displayed in gray background and italics text. Command-line entries will be preceded by the dollar sign ($). 19.2.1 A First Script First.sh The first shell script you will create here creates an atm port. Create a file (first.sh) as follows: # This is a comment ! create atm port ifname atm-0...
  • Page 174: Variables

    - 174 - 19.2.2 Variables Every programming language in existence has the concept of variables - a symbolic name for a chunk of memory. We can read this symbolic name, can assign values to it and manipulate its contents. Our shell is no exception, and this section discusses such variables.
  • Page 175: If-Else Construct

    - 175 - All Shell keywords such as IF, ELSE, EQ, =, should be white space separated. Please refer to the Keywords section in this document. No arithmetic operations are supported on variables in the present software release. Variables in the shell do not have to be declared, as we do in languages such as C programming.
  • Page 176 - 176 - get atm port ifname atm-0 else # atm port creation fails…may be "size" command not executed. size Precondition $ autoupdate false Transfer the file if_else.sh to the unit. You can ftp the file from the host OR use the "dncd" command at the CLI prompt. Execution $ apply fname if_else.sh Assumptions...
  • Page 177: Goto

    - 177 - 19.2.4 Goto Sometimes you may need to jump to some sequence of code. Like any other programming language, we need a Goto instruction to perform this task. Goto-s are implemented in Shell using GOTO and LABEL constructs. GOTO takes the control to the statement that starts with the <label-name>...
  • Page 178 - 178 - GotoLabel.sh # This is a comment ! a = create atm port ifname atm-0 if $a eq 0 # atm port creation succeeds. goto control1 else # atm port creation fails…may be "size" command not executed. goto control2 control1: get atm port ifname atm-0 goto control3...
  • Page 179: Readout And Search

    - 179 - Assumptions "size" command is already executed Creation of atm port interface succeeds. Output Caution A Label-name should be immediately followed by a colon. Any text on the line bearing <label-name> till '\n' (carriage return) is ignored. For example, Control2: get alg type.
  • Page 180 - 180 - > variable-name The syntax for Search is: <variable-name> = search $<variable-name1> '<regular-expression>' <variable-name> = findval $<variable-name1> Readout.sh # this is a shell file to verify the readout functionality. a = get system > b if $a eq 0 c = search $b 'Name[ ]*:[ ]*[a-zA-Z]' d = findval if d eq iad...
  • Page 181 - 181 - string " Name : iad". The value stored in 'c' is searched using findval to get the string 'iad'. In this case, 'd' gets the value "iad". Precondition $ autoupdate false Transfer the file readout.sh to the unit. You can ftp the file from the host OR use the "dncd"...
  • Page 182: Return

    - 182 - Caution Any text after the initial variable-name, in a readout statement is ignored. A readout string of length more than 1024 will be truncated appropriately. In the above example, > b has to be on a separate line.
  • Page 183 - 183 - end: In case of failure of modify system name "iad1.38", $0 (which stores the result status of the previous command) is set to 0. This takes the control to the label "end". The value of '$a', which is 1/0, depending upon the success/failure of the command get system, is returned.
  • Page 184 - 184 -...
  • Page 185: Keywords

    - 185 - Caution The maximum length of the return string can be 50. A return value of length more than 50 will be truncated. Keywords 19.2.7 Following keywords hold special meaning as part of shell scripts: IF: This keyword is used in IF-ELSE construct ELSE: This keyword is used in IF-ELSE construct FI: This keyword is used in IF-ELSE construct SEARCH: This keyword is used to search a regular...
  • Page 186: Glossary

    A feature of routing mode in which the unit performs routing functions locally but communicates with the ISP via a bridged connection. This allows the user to keep an existing (and less expensive) bridge-only connection while gaining the benefits of full router functionality on the local network, such as DHCP, NAT, raw filtering, etc.
  • Page 187 - 187 - DHCP server Dynamic Host Configuration Protocol server. A LAN host that is responsible for assigning IP addresses to the computers on a LAN. See also DHCP. Domain Name System. The DNS maps domain names to IP addresses. DNS information is distributed hierarchically throughout the Internet among computers called DNS servers.
  • Page 188 - 188 - ICMP Internet Control Message Protocol. An IP protocol used to transmit messages to report errors and other IP data-related information. The ping program uses ICMP packets. See also ping. ILMI Integrated Local Management Interface. A protocol used for autoconfiguration. image Code that has been converted from binary format into the final image that is ready to be loaded into the serial data flash memory.
  • Page 189: Simultaneous Bridging And Routing

    IP address and current network conditions. A device that performs routing is called a router. Simultaneous bridging and routing A feature of routing mode in which the software routes IP packets, while simultaneously bridging packets for any other layer 3 protocol.
  • Page 190 - 190 - SNMP Simple Network Management Protocol. The TCP/IP protocol used to manage TCP/IP, Ethernet, or OSI networks. Spanning Tree Protocol. A protocol used to prevent loops among interconnected bridges. It ensures that there is only one path between any two computers in the network. subnet A portion of a network.
  • Page 191 - 191 - Weighted Fair Queuing. This algorithm is used to ensure fair and efficient allocation of bandwidth. This algorithm allocates higher bandwidth in proportion to the weights of the VCs—the higher the weight, the higher is the bandwidth allocated. This is applicable to both GFR and UBR service categories.
