FireBrick FB6602 User Manual

FB6000 series versatile network appliance
Summary of Contents for FireBrick FB6602

  • Page 1: User Manual

    FireBrick FB6602 User Manual FB6000 Versatile Network Appliance...
  • Page 3 FireBrick FB6602 User Manual This User Manual documents Software version V1.46.100 Copyright © 2012-2017 FireBrick Ltd.
  • Page 4: Table Of Contents

    1.1. The FB6000 (p. 1); 1.1.1. Where do I start? (p. 1); 1.1.2. What can it do? (p. 1); 1.1.2.1. FB6602 Mobile GTPv1 GGSN/L2TP gateway (p. 2); 1.1.3. Ethernet port capabilities (p. 2); 1.1.4. Product variants in the FB6000 series (p. 2); 1.2. ...
  • Page 5 4.1.4.2. Logged in IP address (p. 22); 4.1.4.3. Restrict by profile (p. 22); 4.1.5. Password change (p. 22); 4.1.6. One Time Password (OTP) (p. 22); 4.2. General System settings (p. 23); 4.2.1. System name (hostname) (p. 23); 4.2.2. ...
  • Page 6 7.2. Routing targets (p. 41); 7.2.1. Subnet routes (p. 41); 7.2.2. Routing to an IP address (gateway route) (p. 41); 7.2.3. Special targets (p. 42); 7.3. Dynamic route creation / deletion (p. 42); 7.4. Routing tables (p. 42); 7.5. ...
  • Page 7 13.2. Packet Dumping (p. 60); 13.2.1. Dump parameters (p. 60); 13.2.2. Security settings required (p. 61); 13.2.3. IP address matching (p. 61); 13.2.4. Packet types (p. 61); 13.2.5. Snaplen specification (p. 62); 13.2.6. Using the web interface (p. 62); 13.2.7. ...
  • Page 8 A. CIDR and CIDR Notation (p. 79); B. MAC Addresses usage (p. 81); B.1. Multiple MAC addresses? (p. 81); B.2. How the FireBrick allocates MAC addresses (p. 82); B.2.1. Interface (p. 82); B.2.2. Subnet (p. 82); B.2.3. PPPoE (p. 82); B.2.4. ...
  • Page 9 F.3. L2TP information (p. 102); G. Command line reference (p. 103); G.1. General commands (p. 103); G.1.1. Trace off (p. 103); G.1.2. Trace on (p. 103); G.1.3. Uptime (p. 103); G.1.4. General status (p. 103); G.1.5. Memory usage (p. 103); G.1.6. ...
  • Page 10 H.3.2. Additional text (p. 112); H.3.3. Other colours and spacing (p. 112); H.4. Overnight archiving (p. 113); H.4.1. Full URL format (p. 113); H.4.2. Load handling (p. 114); H.5. Graph scores (p. 114); H.6. Creating graphs, and graph names (p. 114); I. ...
  • Page 11 J.2.42. cqm: Constant Quality Monitoring settings (p. 144); J.2.43. l2tp: L2TP settings (p. 146); J.2.44. l2tp-incoming: L2TP settings for incoming L2TP connections (p. 146); J.2.45. l2tp-relay: Relay and local authentication rules for L2TP (p. 148); J.2.46. profile: Control profile (p. 148); J.2.47. ...
  • Page 12 List of Figures: 2.1. Initial web page in factory reset state (p. 7); 2.2. Initial "Users" page (p. 7); 2.3. Setting up a new user (p. 8); 2.4. Configuration being stored (p. 8); 3.1. Main menu (p. 11); 3.2. Icons for layout controls (p. 12); 3.3. ...
  • Page 13 List of Tables: 2.1. IP addresses for computer (p. 6); 2.2. IP addresses to access the FireBrick (p. 6); 2.3. IP addresses to access the FireBrick (p. 6); 3.1. Special character sequences (p. 17); 4.1. User login levels (p. 21); 4.2. ...
  • Page 14 J.4. system: Elements (p. 120); J.5. link: Attributes (p. 120); J.6. user: Attributes (p. 120); J.7. eap: Attributes (p. 121); J.8. log: Attributes (p. 121); J.9. log: Elements (p. 121); J.10. log-syslog: Attributes (p. 121); J.11. log-email: Attributes (p. 122); J.12. ...
  • Page 15 J.60. l2tp-relay: Attributes (p. 148); J.61. profile: Attributes (p. 148); J.62. profile: Elements (p. 149); J.63. profile-date: Attributes (p. 150); J.64. profile-time: Attributes (p. 150); J.65. profile-ping: Attributes (p. 150); J.66. shaper: Attributes (p. 150); J.67. shaper: Elements (p. 151); J.68. ...
  • Page 16: Preface

    IPv6-capable networking software, written from scratch in-house by the FireBrick team. Custom designed hardware, manufactured in the UK, hosts the new software, and ensures FireBrick are able to maximise performance from the hardware, and maintain exceptional levels of quality and reliability.
  • Page 17: Introduction

    The remainder of this chapter provides an overview of the FB6000's capabilities, and covers your product support options. The latest version of the QuickStart guide for the FB6000 can be obtained from the FireBrick website at: http://www.firebrick.co.uk/pdfs/quickstart-6000.pdf 1.1.2. What can it do? The FB6000 series of products is a family of high speed ISP/telco grade routers and firewalls providing a range of specific functions.
  • Page 18: FB6602 Mobile GTPv1 GGSN/L2TP Gateway

    • Gigabit performance The FB6000 series are provided in a number of variants. This manual is for the FB6602. This variant includes: • Layer 2 Tunnelling Protocol (L2TP) to terminate PPP connections (e.g. broadband lines) • Border Gateway Protocol, to allow routes to be announced and accepted from peering BGP routers.
  • Page 19: Intended Audience

    1.2.4. Document style At FireBrick, we appreciate that different people learn in different ways - some like to dive in, hands-on, working with examples and tweaking them until they work the way they want, referring to documentation as required.
  • Page 20: Comments And Feedback

    FireBrick are building a library of Application Note documents that you can refer to - each Application Note describes how to use and configure a FireBrick in specific scenarios, such as using the device in a multi-tenant Serviced Office environment, or using the FireBrick to bond multiple WAN connections together.
  • Page 21: Training Courses

    1.3.5. Training Courses FireBrick provide training courses for the FB2x00 series products, and also training courses on general IP networking that are useful if you are new to networking with IP. To obtain information about upcoming courses, please contact e-mail...
  • Page 22: Getting Started

    • Method 3 - use an existing DHCP server to configure the FireBrick. If your LAN already has a DHCP server, you can connect port 4 of your FireBrick to your LAN, and it will get an address. Port 4 is configured, by default, not to give out any addresses and as such it should not interfere with your existing network.
  • Page 23: Add A New User

    2.2.1. Add a new user You now need to add a new user with a password in order to gain full access to the FireBrick's user interface. Click on the "Users" icon, then click on the "Add" link to add a user. The "Users" page is shown below, with the "Add"...
  • Page 24: Setting Up A New User

    Figure 2.3. Setting up a new user You may also want to increase the login-session idle time-out from the default of 5 minutes, especially if you are unfamiliar with the user-interface. To do that, tick the checkbox next to timeout, and enter an appropriate value as minutes, colon, and seconds, e.g.
  • Page 25: Configuration

    Chapter 3. Configuration 3.1. The Object Hierarchy The FB6000 has, at its core, a configuration based on a hierarchy of objects, with each object having one or more attributes. An object has a type, which determines its role in the operation of the FB6000. The values of the attributes determine how that object affects operation.
  • Page 26: Formal Definition Of The Object Model

    XML. If the User Interface does not generate valid XML - i.e. when saving changes to the configuration the FireBrick reports XML errors, then this may be a bug - please check this via the appropriate support channel(s).
  • Page 27: User Interface Layout

    The User Interface has the following general layout :- • a 'banner' area at the top of the page, containing the FireBrick logo, model number and system name • a main-menu, with sub-menus that access various parts of the user interface ; the main-menu can be shown vertically or horizontally - sub-menu appearance depends on this display style : if the main-menu is vertical, sub-menus are shown by 'expanding' the menu vertically ;...
  • Page 28: Config Pages And The Object Hierarchy

    FB6000 will automatically be recalled next time you use the same computer/browser to connect to that FB6000. It is also possible to configure an external CSS to use with the FireBrick web control pages which allows a great deal of control over the overall layout and appearance. This can be useful for dealers or IT support companies to set up FireBricks in a style and branding of their choice.
  • Page 29: Object Settings

    Erase. Simply going back "Up" or moving to another part of the config will leave this newly created empty object and that could have undesirable effects on the operation of your FireBrick if saved. 3.4.2.2. Object settings The details of an object are displayed as a matrix of boxes (giving the appearance of a wall of bricks), one for each attribute associated with that object type.
  • Page 30: Editing An "Interface" Object

    Figure 3.5. Editing an "Interface" object By default, more advanced or less frequently used attributes are hidden - if this applies to the object being edited, you will see the text shown in Figure 3.6. The hidden attributes can be displayed by clicking on the link "Show all".
  • Page 31: Navigating Around The User Interface

    FB6000. All changes are initially held in-memory (in the web browser itself), and are committed back to the FireBrick only when you press the Save button.
  • Page 32: Backing Up / Restoring The Configuration

    You should be careful that you don't inadvertently add incompletely setup objects this way, as they may affect operation of the FireBrick, possibly with a detrimental effect. If you have added an object, perhaps for the purposes of looking at what attributes can be set on it, remember to delete the object before you navigate away -- the "Erase"...
  • Page 33: The Root Element -

    'read-only', and so is 'safe' in as much as you can't accidentally change the configuration. 3.5.4. Example XML configuration An example of a simple, but complete XML configuration is shown below, with annotations pointing out the main elements <?xml version="1.0" encoding="UTF-8"?> <config xmlns="http://firebrick.ltd.uk/xml/fb2700/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://firebrick.ltd.uk/xml/fb2700/ timestamp="2011-10-14T12:24:07Z" patch="8882">...
  • Page 34 </system> <user name="peter" full-name="Peter Smith" password="FB105#4D42454D26F8BF5480F07DFA1E41AE47410154F6" timeout="PT3H20M" config="full" level="DEBUG"/> <log name="default"/> <log name="fb-support"> <email to="crashlog@firebrick.ltd.uk" comment="Crash logs emailed to FireBrick Support"/> </log> <services> <ntp timeserver="pool.ntp.org"/> <telnet log="default"/> <http /> <dns domain="watchfront.co.uk" resolvers="81.187.42.42 81.187.96.96"/> </services> <port name="WAN" ports="1"/> <port name="LAN"...
  • Page 35: Downloading/Uploading The Configuration

    3.6. Downloading/Uploading the configuration The XML file may be retrieved from the FireBrick, or uploaded to the FireBrick using HTTP transfers done via tools such as curl. Using these methods, configuration of the FB6000 can be integrated with existing administrative systems.
  • Page 36: System Administration

    Chapter 4. System Administration 4.1. User Management You will have created your first user as part of the initial setup of your FB6000, as detailed in either the QuickStart Guide or in Chapter 2 in this manual. To create, edit or delete users, browse to the config pages by clicking the "Edit" item in the sub-menu under the "Config"...
  • Page 37: Configuration Access Level

    Table 4.1. User login levels: NOBODY - No access to any menu items, but can access control switches for which the user has access. GUEST - Guest user, access to some menu items. USER - Normal unprivileged user. ADMIN - System administrator. DEBUG - System debugging user...
  • Page 38: Logged In IP Address

    This can be useful for firewall rules where you may have to log in to the FireBrick, even as a NOBODY level user, just to get your IP address in an access list to allow further access to a network from that IP.
  • Page 39: General System Settings

    If OTP is configured you can leave the password blank (which is not normally allowed) and hence use the authenticator code as the entire password, though this is not recommended for security reasons as it also means the TOTP seed is recoverable from the config. Note Technical details to allow you to create configs with password and OTP seed hashes are described in Appendix I.
  • Page 40: Software Upgrades

    As a matter of policy, FireBrick software upgrades are always free to download for all FireBrick customers. To complement the responsive UK-based development process, the FB6000 is capable of downloading and installing new software directly from Firebrick's servers, providing the unit has Internet access.
  • Page 41: Identifying Current Software Version

    a replacement attribute should be used instead. A release where such a change has been made, and existing configurations will need modifying, is termed a Breakpoint software release. Breakpoint releases are special as they are able to automatically update an existing configuration - used with the previous software release - so that it is compatible with the new release, and functionality is retained wherever possible.
  • Page 42: Controlling Automatic Software Updates

    This method is entirely manual, in the sense that the brick itself does not download new software from the FireBrick servers, and responsibility for loading breakpoint releases as required lies with the user. In order to do this, you will first need to download the required software image file (which has the file extension .img) from the FB6000 software downloads website [http://www.firebrick.co.uk/software.php?
  • Page 43: Boot Process

    4.4. Boot Process The FB6000 contains internal Flash memory storage that holds two types of software :- • main application software (generally referred to as the app) • a bootloader - runs immediately on power-up, initialises system, and then loads the app It is possible for only one of these types of software, or neither of them, to be present in the Flash, but when shipped from the factory the unit will contain a bootloader and the latest factory-release application software.
  • Page 44: Event Logging

    5.1. Overview Many events in the operation of the FireBrick create a log entry. These are a one-line string of text saying what happened. This could be normal events such as someone logging in to the web interface, or unusual events such as a wrong password used, or DHCP not being able to find any free addresses to allocate.
  • Page 45: Logging To The Console

    5.1.1.2. Logging to the Console The console is the command line environment described in Chapter 17. You can cause log entries to be displayed as soon as possible on the console (assuming an active console session) by setting console="true" on the log target.
  • Page 46: Email

    XML is shown below, from which you can see that in many cases, you only need to specify the to attribute (the comment attribute is an optional, general comment field) :- <log name="fb-support" comment="Log target for sending logs to FireBrick support team"> <email to="crashlog@firebrick.ltd.uk" comment="Crash logs emailed to FireBrick Support team"/>...
  • Page 47: E-Mail Process Logging

    5.5. Performance The FireBrick can log a lot of information, and adding logs can cause things to slow down a little. The controls in the config allow you to say what you log in some detail. However, logging to flash will always slow things down a lot and should only be used where absolutely necessary.
  • Page 48: Viewing Logs In The CLI Environment

    All log targets can be viewed via the web User Interface, regardless of whether they specify any external logging (or logging to Flash memory). 5.6.2. Viewing logs in the CLI environment The command line allows logs to be viewed, and you can select which log target, or all targets. The logging continues on screen until you press a key such as RETURN.
  • Page 49: Interfaces And Subnets

    Chapter 6. Interfaces and Subnets This chapter covers the setup of Ethernet interfaces and the definition of subnets that are present on those interfaces. For information about other types of 'interfaces', refer to the following chapters :- • Point-to-Point Protocol over Ethernet (PPPoE) - Chapter 10 •...
  • Page 50: Defining An Interface

    6.2. Defining an interface To create or edit interfaces, select the Interface category in the top-level icons - under the section headed "Ethernet interface (port-group/vlan) and subnets", you will see the list of existing interface top-level objects (if any), and an "Add" link. The primary attributes that define an interface are the name of the physical port group it uses, an optional VLAN ID, and an optional name.
  • Page 51: Source Filtering

    the FB6000 can initially be accessed on, regardless of whether the FB6000 has been able to obtain an address from an existing DHCP server on the network. Once you have added new subnets to suit your requirements, and tested that they work as expected, these temporary definitions should be removed. To create a new subnet, click on the Add link to take you to a new subnet object definition.
  • Page 52: Fixed/Static DHCP Allocations

    Not all devices cope with this so it is recommended that an explicit range is used, e.g. 192.168.1.100-199. You do not, however, have to be careful of either the FireBrick's own addresses or subnet broadcast addresses as they are automatically excluded. When using the default (0.0.0.0/0) range network addresses are also omitted, as are any other addresses not within a subnet...
  • Page 53: Restricted Allocations

    similar). See the show dhcp and clear dhcp CLI commands in Appendix G for details on how to clear the allocation. Chapter 17 covers the CLI in general. You can also lock an existing dynamic allocation to prevent it being re-used for a different MAC address even if it has expired.
  • Page 54: Special DHCP Options

    The top level dhcp-relay configuration allows you to configure the FireBrick to be the remote server for a DHCP/BOOTP Relay Agent. The relay attribute allows specific pools to be set up for specific relays. The table and allow attributes allow you to limit the use of the DHCP Remote server to requests from specific sources - note that renewal requests come from the allocated IP, or NAT IP if behind NAT, and not necessarily from the relay IP.
  • Page 55: Setting Duplex Mode

    The FB6000 configuration contains a number of port settings which are not possible and will not save, e.g. 10M and 100M modes. These are included for compatibility with FB2500 and FB2700 products. The FB6000 only operates at gigabit port speeds. 6.3.1.
  • Page 56: Routing

    Chapter 7. Routing 7.1. Routing logic The routing logic in the FB6000 operates primarily using a conventional routing system of most specific prefix, which is commonly found in many IP stacks in general purpose computers and routers. Conventional routing determines where to send a packet based only on the packet's destination IP address, and is applied on a 'per packet' basis - i.e.
  • Page 57: Routing Targets

    7.2. Routing targets A route can specify various targets for the packet :- Table 7.1. Example route targets: an Ethernet interface (locally-attached subnet) - requires ARP or ND to find the device on the LAN to which the traffic is to be sent; a specific IP address (a "gateway") - the packet is forwarded to another router (gateway);...
  • Page 58: Special Targets

    7.2.3. Special targets It is possible to define two special targets :- • 'black-hole' : packets routed to a black-hole are silently dropped. 'Silent' refers to the lack of any ICMP response back to the sender. • 'nowhere' (also called Dead End) : packets routed to 'nowhere' are also dropped but the FB6000 generates ICMP error responses back to the sender.
  • Page 59 However, where the two (or more) routes are the same type of interface, and there are shapers applied to those routes, then a decision is made on a per packet basis as to which interface to use. The shapers are used to decide which link is least far ahead.
  • Page 60: Profiles

    Chapter 8. Profiles Profiles allow you to enable/disable various aspects of the FB6000's configuration (and thus functionality) based on things such as time-of-day or presence/absence of Ping responses from a specified device. 8.1. Overview A profile is a two-state control entity - it is either Active or Inactive ("On" or "Off", like a switch). Once a profile is defined, it can be referenced in various configuration objects where the profile state will control the behaviour of that object.
  • Page 61: Tests

    • recover : the duration that the overall test must have been passing for before the profile state changes to Active The timeout and recover parameters do not apply to manually set profiles (see Section 8.2.4) and those based on time-of-day (see Section 8.2.2.2). 8.2.2.
  • Page 62: Manual Override

    attribute to true, the overall result is inverted (Pass changed to Fail and vice-versa) first before applying the mapping. 8.2.4. Manual override You can manually override all tests, and force the profile state using the set attribute - a value of true forces the state to Active, and false forces it to Inactive.
  • Page 63: Traffic Shaping

    Chapter 9. Traffic Shaping The FB6000 includes traffic shaping functionality that allows you to control the speed of specific traffic flows through the FB6000. The FB6000 also provides graphing functionality, allowing specific traffic flows to be plotted on a graph image (PNG format) that the FB6000 generates. Within the FB6000, traffic shaping and graphing are closely associated, and this is reflected in how you configure traffic shaping - in order to be able to perform traffic shaping, you must first graph the traffic flow.
  • Page 64: Shapers

    9.1.2. Shapers Once you have graphed a (possibly bi-directional) traffic flow, you can then also define speed restrictions on those flows. These can be simple "Tx" and "Rx" speed limits or more complex settings allowing maximum average speeds over time. You define the speed controls associated with the graphed traffic flow(s) by creating a shaper top-level object.
  • Page 65: Multiple Shapers

    9.2. Multiple shapers A packet that passes through the FB6000 can pass through multiple shapers, for example • The ingress interface can have a defined shaper • If the packet is carried via an L2TP tunnel of any sort, there can be an aggregate shaper for the tunnel (e.g. the broadband carrier).
  • Page 66: PPPoE

    VLANs (see Appendix C if you are not familiar with VLANs) so that each router can be logically connected to a different interface on the FireBrick. It is also a good idea to have a switch that supports jumbo frames where the endpoint supports them (FTTC, FTTP, and via suitable modems BT 21CN and TalkTalk).
  • Page 67: Defining PPPoE Links

    A significant benefit of the Vigor V-120 is that it works with no configuration on BT 20CN and 21CN lines as well as Be/O2 PPPoA lines and TalkTalk lines - you just plug it in to the line and the FB6000 and it just works.
  • Page 68: Service And AC-Name

    Testing has been done which confirms setting mtu="1500" works correctly on BT FTTC and FTTP lines, as well as BT 21CN and TalkTalk lines via a suitable bridging modem (Dlink 320B). Note Testing using a Zyxel P660R in bridge mode confirms that BT 21CN ADSL lines will negotiate 1500 byte MTU, but it seems the Zyxel will not bridge more than 1496 bytes of PPP payload.
  • Page 69: Tunnels

    Chapter 11. Tunnels The FB6000 supports the following tunnelling protocols :- • L2TP L2TP client functionality enables tunnelled connections to be made to an L2TP server...
  • Page 70: System Services

    Chapter 12. System Services A system service provides general functionality, and runs as a separate concurrent process alongside normal traffic handling. Table 12.1 lists the services that the FB6000 can provide :- Table 12.1. List of system services Service Function SNMP server provides clients with access to management information using the Simple Network Management Protocol...
  • Page 71: HTTP Server Configuration

    Table 12.2. List of system services: table - If specified, then the service only accepts requests/connections on the specified routing table. If not specified then the service works on any routing table. Where the service is also a client then this specifies the routing table to use (default 0). allow - If specified then this is a list of ranges of IP addresses and ip group names from which connections are allowed.
  • Page 72: Telnet Server Configuration

    DNS typically means converting a name, like www.firebrick.co.uk to one or more IP addresses, but it can also be used for reverse DNS finding the name of an IP address. DNS service is normally provided by your ISP.
  • Page 73: Auto DHCP DNS

    LAN. This is done by telling the FireBrick the domain for your local network. Any name that is within that domain which matches a client name of a DHCP allocation that the FireBrick has made will return the IP address assigned by DHCP. This is applied in reverse for reverse DNS mapping an IP address back to a name.
  • Page 74: RADIUS Client Settings

    However, it is quite possible for a server to go away when there are no current RADIUS requests, or even come back when not being used for current requests. To allow for this the FireBrick sends status-server requests to the server periodically, and records the responses in the 64 bit response queue. This means a blacklisted server will be recorded as usable again once it starts answering such requests.
  • Page 75: Network Diagnostic Tools

    Chapter 13. Network Diagnostic Tools Various network diagnostic tools are provided by the FB6000, accessible through either the web user interface or the CLI :- • Packet dump : low level diagnostics for detailed examination of network traffic passing through the FB6000 •...
  • Page 76: Packet Dumping

    This address is not on a local Ethernet subnet and so not allowed access. 13.2. Packet Dumping The FireBrick includes the ability to capture packet dumps for diagnostic purposes. This might typically be used where the behaviour of the FB6000 is not as expected, and can help identify whether other devices are correctly implementing network protocols - if they are, then you should be able to determine whether the FB6000 is responding appropriately.
  • Page 77: Security Settings Required

    IP address (2-off) - Up to two IPs can be specified to filter packets. self (Include my IP) - By default any traffic to or from the IP which is connecting to the web interface to access pcap is excluded. This option allows such traffic.
  • Page 78: Snaplen Specification

    Linebreaks are shown in the example for clarity only - they must not be entered on the command-line In this example we have used username name and password pass to log-in to a FireBrick on address 1.2.3.4 - obviously you would change the IP address (or host name) and credentials to something suitable for your FB6000.
  • Page 79: VRRP

    Note You can disable the use of the special MAC if you wish, and use a normal FireBrick MAC. However, this can lead to problems in some cases.
  • Page 80: Configuring VRRP

    14.2. Configuring VRRP VRRP operates within a layer 2 broadcast domain, so VRRP configuration on the FB6000 comes under the scope of an interface definition. As such, to set-up your FB6000 to participate in a Virtual Router group, you need to create a vrrp object, as a child object of the interface that is in the layer 2 domain where the VRRP operates.
  • Page 81: VRRP Version 3

    Note that the FB6000 has non-standard support for some specific packets sent to the VRRP virtual addresses. This includes answering pings (configurable) and handling DNS traffic. Other VRRP devices may not operate in the same way and so may not work in the same way if they take over from the FireBrick.
  • Page 82: BGP

    Chapter 15. BGP 15.1. What is BGP? BGP (Border Gateway Protocol) is the protocol used between ISPs to advise peers of routes that are available. Each ISP tells its peers the routes it can see, being the routes it knows itself and those that it has been advised by other peers.
  • Page 83: Simple Example Setup

    • RFC1997 Community tagging, with in-built support of well-known communities • RFC2385 TCP MD5 protection • RFC2796 Route reflector peers • RFC3392 Capabilities negotiation • RFC3065 Confederation peers • RFC5082 TTL Security • Multiple independent routing tables allowing independent BGP operations •...
  • Page 84: Route Filtering

    reflector - For IBGP links that are a route-reflector. Route reflector rules apply. Peers only with same AS. allow-own-as defaults to true. confederate - For EBGP that is part of a confederation. Confederation rules apply. Peers only with different AS. Must be EBGP, and sets default of no-fib and not add-own-as. Routes from this peer are marked as IXP routes which affects filtering on route announcements.
  • Page 85: Well Known Community Tags

    15.2.7. Announcing black hole routes The FireBrick allows black hole routes to be defined using the blackhole object. Routing for such addresses is simply dropped with no ICMP error. Such routes can be marked for BGP announcement just like any other routes.
  • Page 86: Announcing Dead End Routes

    Any route installed as network is announced with this community. Note, this is not set automatically on a nowhere route, allowing a route to be announced to get to this FireBrick to be propagated via IBGP. The effect of this is that your network can include one (or more) source of top level network routes which, within your network, are installed as dead ends at each point.
  • Page 87: Route Feasibility Testing

    15.2.15. TTL security The FireBrick supports RFC5082 standard TTL security. Simply setting ttl-security="1" on the peer settings causes all of the BGP control packets to have a TTL of 255 and expects all received packets to be TTL 255 as well.
  • Page 88: Internet Service Providers

    Chapter 16. Internet Service Providers The FireBrick can be used by Internet Service Providers (ISPs) to provide Internet connectivity by acting as a gateway between a carrier network (e.g. Broadband or mobile carrier) and the Internet. This chapter covers the ISP use of a FireBrick including L2TP, GGSN, and PPPoE.
  • Page 89: Broadband

    16.2. Incoming L2TP connections To allow a connection to the FireBrick you have to decide on a hostname. This is not a DNS hostname and is more like a login or username. It can be anything you like. You can pre-agree with your carrier the hostname they will use and the IP address of your LNS.
  • Page 90: The Importance Of Cqm Graphs

    L2TP connection. This can also be set in the RADIUS response. This limits the speed of traffic to the line. This is usually done so that the LNS is in control of the speed of the line as the FireBrick will drop larger packets before smaller packets, which helps VoIP and many other protocols work well even on a full link.
  • Page 91: Accounting

    16.7. PPPoE In addition to working as a conventional LNS, the FireBrick can also be configured to operate as a PPPoE endpoint as a BRAS. The PPPoE connections appear as if they had arrived via L2TP, so can have local IP termination or relay via L2TP to another LNS.
  • Page 92: Interlink Subnet

    LNS. The connection details include the target (IP address), which will be one of the FireBrick's addresses, and a pre-agreed hostname which identifies the tunnel level connection, along with a secret to authenticate the connection. Obviously these details have to match what the FireBrick is expecting in its L2TP configuration.
  • Page 93: L2Tp Endpoints

    Internet Service Providers Session steering also allows specific configurations to be based on username, circuit and so on, allowing different responses for different carriers and end users to be customised if necessary. It is also possible to send a copy of the session steering RADIUS to your own RADIUS server for logging. 16.9.4.
  • Page 94: Command Line Interface

    Chapter 17. Command Line Interface The FB6000 provides a traditional command-line interface (CLI) environment that can be used to check status information, and control some aspects of the unit's operation. The CLI is accessed via the 'telnet' protocol - the FB6000 implements a telnet server, which you can connect to using any common telnet client program.
  • Page 95: Cidr And Cidr Notation

    Appendix A. CIDR and CIDR Notation Classless Inter-Domain Routing (CIDR) is a strategy for IP address assignment originally specified in 1993 that had the aims of "conserving the address space and limiting the growth rate of global routing state". The current specification for CIDR is in RFC4632 [http://tools.ietf.org/html/rfc4632].
  • Page 96

    CIDR and CIDR Notation routing table entry - 10.1.2.0/24 and 10.1.3.0/24 - routing table entries for these subnets would appear in a downstream router. Note that in either a network/subnet or routing destination specification, the address will be the starting address of the IP address range being expressed, such that there will be M least significant bits of the address set to zero, where M = 32 - prefix_length Combined interface IP address and subnet definitions...
  • Page 97: Mac Addresses Usage

    In principle the FireBrick could have a single MAC address for all operations. However, practical experience has led to the use of multiple MAC addresses on the FireBrick. A unique block of addresses is assigned to each FireBrick, with the size of the block dependent on the model.
  • Page 98: How The Firebrick Allocates Mac Addresses

    ISP links as above where ports are locked to only accept one MAC. The way the FireBrick manages MAC addresses is designed to be a bit sticky so that a config change will not usually cause a MAC address assigned to a subnet or interface to change.
  • Page 99: Running Out Of Macs

    MAC Addresses usage B.2.5. Running out of MACs The allocations are recorded in persistent data, so if an object is removed from the config and later put back it should get the same MAC address. If however there are not enough MAC addresses when loading a config, then previous assignments are re-used.
  • Page 100: Using With A Dhcp Server

    MAC Addresses usage
    • the first address in the range has zero for the remaining digits (00)
    • the last address in the range has F for the remaining digits (FF)
    Therefore this range spans 00:03:97:14:7C:00 to 00:03:97:14:7C:FF inclusive (256 addresses). B.4.
  • Page 101: Vlans : A Primer

    Appendix C. VLANs : A primer An Ethernet (Layer 2) broadcast domain consists of a group of Ethernet devices that are interconnected, typically via switches, such that an Ethernet broadcast packet (which specifies a reserved broadcast address as the destination Ethernet address of the packet) sent by one of the devices is always received by all the other devices in the group.
  • Page 102: Supported L2Tp Attribute/Value Pairs

    Framing Capabilities (3): Incoming: Ignored. Outgoing: Value 3.
    Bearer Capabilities (4): Incoming: Ignored. Outgoing: Not sent.
    Tie Breaker (5): Incoming: Ignored as FireBrick only accepts connections for inbound calls. Outgoing: Not sent.
    Firmware Revision (6): Incoming: Ignored. Outgoing: FireBrick s/w version string.
    Host Name (7): Incoming: Used to select which incoming L2TP request configuration applies. Outgoing: As per config/RADIUS.
  • Page 103: Start-Control-Connection-Connected

    Supported L2TP Attribute/Value Pairs
    Challenge (11): Incoming: Accepted if a configured secret is defined, a response is sent in the SCCCN. Outgoing: Not sent at present.
    Challenge Response (13): Incoming: Not expected at present. Outgoing: Sent if SCCRQ contained a challenge and we have a secret defined.
    D.3.
  • Page 104: Incoming-Call-Reply

    Supported L2TP Attribute/Value Pairs
    Calling Number (22): Incoming: Accepted, used in RADIUS and passed on if relaying. Outgoing: Passed on incoming value.
    Sub-Address (23): Incoming: Ignored. Outgoing: Not sent.
    Physical Channel ID (25): Incoming: Ignored. Outgoing: Not sent.
    D.7. Incoming-Call-Reply Table D.7. ICRP (No. / Incoming / Outgoing)
    Message Type (0): Incoming: Value 11. Outgoing: Value 11...
  • Page 105: Outgoing-Call-Reply

    Supported L2TP Attribute/Value Pairs
    Message Type (0): Incoming: Value 7. Outgoing: Value 7. Not supported, ignored.
    D.10. Outgoing-Call-Reply Table D.10. OCRP (No. / Incoming / Outgoing)
    Message Type (0): Incoming: Value 8. Outgoing: Value 8. Not supported, ignored.
    D.11. Outgoing-Call-Connected Table D.11. OCCN (No. / Incoming / Outgoing)
    Message Type (0): Incoming: Value 9. Outgoing: Value 9...
  • Page 106: Notes

    IPv4 (0021) or IPv6 (0057) code. The first byte which would normally be the LCP type is 0x4X (IPv4) or 0x6X (IPv6). The FireBrick assumes any such LCP codes are IPv4/IPv6 when received, and using a RADIUS response can send IP packets using LCP. This is specifically to bypass any carrier IP specific shaping...
  • Page 107: Supported Radius Attribute/Value Pairs For L2Tp Operation

    (31): Calling number as received on L2TP
    Acct-Session-Id (44): Unique ID for session as used on all following accounting records
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): NAS IPv4 address if using IPv4
    NAS-IPv6-Address (95): NAS IPv6 address if using IPv6...
  • Page 108: Authentication Response

    Supported RADIUS Attribute/Value Pairs for L2TP operation often more useful. If the remote IP is used the NAS-Port is set to the far end L2TP session ID rather than the local end session ID. The NAS-Identifier remains the name of the FB6000. This option is separately available for accounting messages.
  • Page 109: Prefix Delegation

    The client can send a Router Solicitation to which the FireBrick will reply advising to use DHCPv6 for addressing. Once a Router Solicitation is sent, periodic Router Advertisements will then be sent on the connection by the FireBrick.
  • Page 110: Rejected Authentication

    (41): Seconds since session started
    Acct-Event-Timestamp (55): Session start time (unix timestamp)
    Acct-Session-Id (44): Unique ID for session
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): NAS IPv4 address if using IPv4
    NAS-IPv6-Address (95): NAS IPv6 address if using IPv6...
  • Page 111: Accounting Interim

    Chargeable-User-Identity (89): Graph name that applies, sanitised to comply with CQM graph name rules.
    Connect-Info (77): Text Tx speed/Rx speed in use
    NAS-Identifier (32): Configured hostname of FireBrick
    NAS-IP-Address (4): NAS IPv4 address if using IPv4
    NAS-IPv6-Address (95): NAS IPv6 address if using IPv6...
  • Page 112: Accounting Stop

    Supported RADIUS Attribute/Value Pairs for L2TP operation
    Tunnel-Client-Endpoint (66): Present for relayed L2TP, text IPv4 or IPv6 address of our address on the outbound tunnel
    Tunnel-Server-Endpoint (67): Present for relayed L2TP, text IPv4 or IPv6 address of the far end address of the outbound tunnel
    Tunnel-Assignment-...
  • Page 113: Filter Id

    Supported RADIUS Attribute/Value Pairs for L2TP operation
    Chargeable-User-Identity (89): This is used as CQM graph name.
    Framed-Route (22): May appear more than once. Text format is IPv4-Address/Bits 0.0.0.0 metric. The target IP is ignored but must be valid IPv4 syntax. The metric is used as localpref in routing.
  • Page 114: Notes

    X: Pad packets to 74 bytes if length field appears to be less - needed to work around bug in BT 20CN BRAS for IPv6 in IP over LCP mode
    C: Send all IPv4 and IPv6 using the LCP type code (only works if FireBrick doing PPP at far end)
    O: Mark session as low-priority (see shaper and damping)
  • Page 115: Lcp Echo And Cqm Graphs

    RADIUS reply sets the LCP rate/timeout and provides tunnel relay, then the incoming side of the relayed connection will use LCP echoes from the FireBrick in the middle of the connection and not pass these through - this means on the o/g connection the FireBrick answers LCP echoes from the relayed LNS.
  • Page 116: Routing Table

    E.9.5. Routing table The FireBrick operates independent routing cores allowing a totally independent routing table to be used for L2TP wrapper traffic and payload traffic. It is also possible to set the payload table in use on a per session basis...
  • Page 117: Firebrick Specific Snmp Objects

    Appendix F. FireBrick specific SNMP objects This appendix details the SNMP objects that are specific to the FireBrick. F.1. Monitoring information General monitoring information. Table F.1. iso.3.6.1.4.1.24693.1 ...OID Type Meaning Integer (mV) Voltage: "A" power supply. Should be around 12V. May show a few volts when no...
  • Page 118: L2Tp Information

    FireBrick specific SNMP objects
    IP.4 Integer Received IPv4 prefixes
    IP.5 Integer Seconds since last state change
    IP.6 Integer Received IPv6 prefixes
    F.3. L2TP information Information about specific L2TP peers. Note The OID contains the IP. This is coded as either 4.a.b.c.d for IPv4 address a.b.c.d, or 6 followed by 32 entries each 0 to 15 for each hex character in the IPv6 address.
  • Page 119: Command Line Reference

    Shows how long since the FB6000 restarted. G.1.4. General status
    show status
    Shows general status information, including uptime, who owns the FireBrick, etc. This is the same as the Status on the web control pages. G.1.5. Memory usage
    show memory
    Shows memory usage summary.
  • Page 120: Logout

    Command line reference G.1.8. Logout
    logout
    quit
    exit
    You can also use Ctrl-D to exit, or close the connection (if using telnet) G.1.9. See XML configuration
    show run
    show configuration
    Dumps the full XML configuration to the screen G.1.10. Load XML configuration
    import configuration
    You then send the XML configuration, ending with a blank line.
  • Page 121: Networking Commands

    Command line reference Shows current DNS resolver list and status. G.2. Networking commands G.2.1. Subnets
    show subnets
    show subnet <integer>
    You can list all current subnets, or details of a specific subnet. This shows the same information as the web status pages for subnets.
  • Page 122: See Dhcp Allocations

    Command line reference G.2.6. See DHCP allocations
    show dhcp [<IP4Addr>] [table=<routetable>]
    Shows DHCP allocations, with option to show details for specific allocation. G.2.7. Clear DHCP allocations
    clear dhcp [ip=<IP4Range>] [table=<routetable>]
    Allows you to remove one or more DHCP allocations. G.2.8. Lock DHCP allocations
    lock dhcp ip=<IP4Addr>...
  • Page 123: Check Access To Services

    This can be useful to test fallback scenarios by simulating a fatal error. Note that panic crash logs are emailed to the FireBrick support by default, so please use a meaningful string. e.g.
    panic "testing fallback" confirm=yes
    G.7.2.
  • Page 124: Screen Width

    This allows a reverse telnet connection to be made. A TCP connection is made to the IP address (and port) where a user can login. This can be useful where a firewall policy prevents incoming access, to allow someone outside (e.g. the FireBrick support team) to gain access. G.7.5. Show command sessions
    show command sessions
    The FB6000 can have multiple telnet connections at the same time.
  • Page 125: Flash Log

    Command line reference G.7.10. Flash log
    show flash log [<unsignedInt>]
    The logging system can log to flash for a permanent record. This is done automatically for some system events and when booting. You can specify the number of bytes of recent log to show.
  • Page 126: Constant Quality Monitoring - Technical Details

    Appendix H. Constant Quality Monitoring - technical details The FireBrick provides constant quality monitoring. The main purpose of this is to provide a graphical representation of the performance of an interface or traffic shaper - typically used for broadband lines on L2TP.
  • Page 127: Dated Information

    Constant Quality Monitoring - technical details H.2.2. Dated information Without any date the data returned is the latest. This includes the last 24 to 25 hours. You can display data for a specific date. This only makes sense for today, and during the first couple of hours of the day you can get yesterday in full.
  • Page 128: Additional Text

    Constant Quality Monitoring - technical details
    Defines colour for rejected echoes
    Defines colour for failed (no response) echoes
    Defines colour for off-line
    H.3.2. Additional text Additional text is shown on the graph based on the values in the configuration if not specified. There are 4 lines on the top left in small text and two heading lines top right in large text.
  • Page 129: Overnight Archiving

    Constant Quality Monitoring - technical details Defines colour for writing (text) Mouseover title text in svg (depending on browser, this may only work if you embed the svg in a page rather than as img tag) No mouseover title text in svg H.4.
  • Page 130: Load Handling

    Constant Quality Monitoring - technical details H.4.2. Load handling The graphs and csv files are generated on the fly, and only one is generated at a time. Connection requests are queued. As part of the normal web management system, the trusted IPs queue is always processed first so constant access from untrusted sources will not stop access from trusted sources.
  • Page 131: Hashed Passwords

    It is still important to keep the configuration hashes safe, as someone could use the hashes to try millions of passwords off-line before trying to log in to a FireBrick. For this reason it is also important to use good passwords that cannot be guessed, and are not simply made from normal dictionary words.
  • Page 132: One Time Password Seed Hashing

    OTP sequence to be generated, not simply checked (as is the case with a password hash). The issue with encrypting the OTP seed is that the FireBrick has to be able to decrypt it so as to check the OTP sequence used.
  • Page 133

    Hashed passwords
    • N bytes: The OTP seed XOR with the hash made from the password with salt appended. If seed is longer than hash then only initial hash length bytes are XOR'd.
    • S bytes: Seed bytes, should be random.
    •...
  • Page 134: Configuration Objects

    Appendix J. Configuration Objects This appendix defines the object definitions used in the FireBrick FB6602 GGSN configuration. Copyright © 2008-16 FireBrick Ltd. J.1. Top level J.1.1. config: Top level config The top level config element contains all of the FireBrick configuration data.
  • Page 135: Objects

    Configuration Objects
    services (services): Optional. General system services
    shaper (shaper): Optional, unlimited. Named traffic shapers
    system (system): Optional. System settings
    user (user): Optional, unlimited. Admin users
    J.2. Objects J.2.1. system: System settings The system settings are the top level attributes of the system which apply globally. Table J.3.
  • Page 136: Link: Web Links

    Configuration Objects
    sw-update-profile (NMTOKEN): Profile name for when to load new s/w
    table ((unsignedByte 0-99) routetable): Routing table number for system functions (s/w updates, etc)
    Table J.4. system: Elements
    link (link): Optional, unlimited. Home page links
    J.2.2.
  • Page 137: Eap: User Access Controlled By Eap

    Configuration Objects J.2.4. eap: User access controlled by EAP Identities, passwords and access methods for access controlled with EAP Table J.7. eap: Attributes Attribute Type Default Description comment string Comment full-name string Full name methods Set of eap-method Not optional Allowed methods name string...
  • Page 138: Log-Email: Email Logger Settings

    Configuration Objects
    comment (string): Comment
    facility (syslog-facility, default: LOCAL0): Facility setting
    port (unsignedShort): Server port
    profile (NMTOKEN): Profile name
    server (IPNameAddr, Not optional): Syslog server
    severity (syslog-severity, default: NOTICE): Severity setting
    source (string): Source of data, used in automated config management
    source-ip (IPAddr): Use specific source IP
    system-logs...
  • Page 139: Snmp-Service: Snmp Service Settings

    Configuration Objects Table J.12. services: Elements
    dns-service: Optional. DNS service settings
    http (http-service): Optional. HTTP server settings
    ntp-service: Optional. Client settings (server not implemented yet)
    radius (radius-service): Optional. RADIUS server/proxy settings
    snmp (snmp-service): Optional. SNMP server settings
    telnet (telnet-service): Optional...
  • Page 140: Telnet-Service: Telnet Service Settings

    NMTOKEN Not logging Log debug log-error NMTOKEN Log as event Log errors ntpserver List of IPNameAddr ntp.firebrick.ltd.uk List of time servers (IP or hostname) from which time may be set by ntp poll duration 1:00:00 NTP poll rate profile NMTOKEN...
  • Page 141: Http-Service: Http Service Settings

    Configuration Objects J.2.12. http-service: HTTP service settings Web management pages Table J.16. http-service: Attributes
    access-control-allow-origin (string): Additional header for cross site javascript
    allow (List of IPNameRange, default: Allow from anywhere): List of IP ranges from which service can be accessed...
  • Page 142: Dns-Host: Fixed Local Dns Host Settings

    Configuration Objects log-error NMTOKEN Log as event Log errors profile NMTOKEN Profile name resolvers List of IPAddr Recursive DNS resolvers to use resolvers-table (unsignedByte 0-99) as table / 0 Routing table for specified resolvers routetable source string Source of data, used in automated config management table (unsignedByte 0-99)
  • Page 143: Radius-Service: Radius Service Definition

    Configuration Objects
    restrict-to (List of IPNameRange): List of IP ranges to which this is served
    source (string): Source of data, used in automated config management
    table ((unsignedByte 0-99) routetable): Routing table applicable
    (unsignedInt): Time to live
    J.2.16. radius-service: RADIUS service definition RADIUS server and proxy definitions Table J.21.
  • Page 144: Radius-Service-Match: Matching Rules For Radius Service

    Configuration Objects
    secret (Secret): Shared secret for RADIUS requests (needed for replies)
    source (string): Source of data, used in automated config management
    tagged (boolean): Tag all attributes that can be
    target-hostname (string): Hostname for L2TP connection
    target-ip (List of IPNameAddr, default: -): Target IP(s) or hostname for primary L2TP connection
    target-secret...
  • Page 145: Radius-Server: Radius Server Settings

    Configuration Objects List Match target IP address of RADIUS IPNameRange request name string Name nas-ip List Match NAS-IP address in RADIUS request IPNameRange nsn-conditional boolean Only send NSN settings if username is not same as calling station id nsn-tunnel-override- unsignedByte Additional response for GGSN usage username nsn-tunnel-user-...
  • Page 146: Ethernet: Physical Port Controls

    Configuration Objects name string Name port unsignedShort From services/radius UDP port settings profile NMTOKEN Profile name queue unsignedInt Concurrent requests over all of these servers (per type) scale-timeout unsignedByte Timeout scaling factor secret Secret Not optional Shared secret for RADIUS requests source string Source of data, used in automated config...
  • Page 147: Portdef: Port Grouping And Naming

    Configuration Objects collector-ip IPAddr Not optional IP address of collector collector-port unsignedShort 6343 sFlow, UDP port which collector listens on 4739 for IPFIX comment string Comment (unsignedShort 1500 576-2000) mtu name string Name profile NMTOKEN Profile name protocol sampling-protocol sflow Protocol used to export sampling data sample-flush duration...
  • Page 148: Subnet: Subnet Settings

    Optional, unlimited IP subnet on the interface vrrp vrrp Optional, unlimited VRRP settings J.2.23. subnet: Subnet settings Subnet settings define the IP address(es) of the FireBrick, and also allow default routes to be set. Table J.30. subnet: Attributes Attribute Type Default...
  • Page 149: Vrrp: Vrrp Settings

    Test link state using ARP/ND for this IP unsignedByte TTL for originating traffic via subnet J.2.24. vrrp: VRRP settings VRRP settings provide virtual router redundancy for the FireBrick. Profile inactive does not disable vrrp but forces vrrp low priority. Table J.31. vrrp: Attributes Attribute...
  • Page 150: Dhcps: Dhcp Server Settings

    Configuration Objects NMTOKEN Not logging Log events log-error NMTOKEN log as event Log errors low-priority unsignedByte Lower priority applicable until routing established name NMTOKEN Name preempt boolean true Whether pre-empt allowed priority unsignedByte Normal priority profile NMTOKEN Profile name source string Source of data, used in automated config management...
  • Page 151: Dhcp-Attr-Hex: Dhcp Server Attributes (Hex)

    Configuration Objects source string Source of data, used in automated config management syslog List of IP4Addr Syslog server time List of IP4Addr Our IP Time server Table J.33. dhcps: Elements Element Type Instances Description send dhcp-attr-hex Optional, unlimited Additional attributes to send (hex) send-ip dhcp-attr-ip Optional, unlimited Additional attributes to send (IP)
  • Page 152: Dhcp-Attr-Ip: Dhcp Server Attributes (Ip)

    Configuration Objects Table J.36. dhcp-attr-number: Attributes Attribute Type Default Description comment string Comment force boolean Send even if not requested unsignedByte Not optional Attribute type code/tag name string Name value unsignedInt Not optional Value vendor boolean Add as vendor specific option (under option 43) J.2.29.
  • Page 153: Ppp-Route: Ppp Routes

    Configuration Objects lcp-rate unsignedByte LCP interval (seconds) lcp-timeout unsignedByte LCP timeout (seconds) local IP4Addr Local IPv4 address localpref unsignedInt 4294967295 Localpref for route (highest wins) NMTOKEN Not logging Log events log-debug NMTOKEN Not logging Log debug log-error NMTOKEN Not logging Log as events mode pppoe-mode...
  • Page 154: Ggsn: Gtp Ggsn Settings

    Configuration Objects localpref unsignedInt 4294967295 Localpref of network (highest wins) name string Name profile NMTOKEN Profile name source string Source of data, used in automated config management J.2.32. ggsn: GTP GGSN settings GTP GGSN settings Table J.41. ggsn: Attributes Attribute Type Default Description...
  • Page 155: Network: Locally Originated Networks

    Configuration Objects List of IPPrefix Not optional One or more network prefixes localpref unsignedInt 4294967295 Localpref of network (highest wins) name string Name profile NMTOKEN Profile name source string Source of data, used in automated config management speed unsignedInt Egress rate limit (b/s) table (unsignedByte 0-99) Routing table number...
  • Page 156: Loopback: Locally Originated Networks

    Configuration Objects no-fib boolean Route not in forwarding, only for EBGP profile NMTOKEN Profile name source string Source of data, used in automated config management table (unsignedByte 0-99) Routing table number routetable List of Community - List of community tags J.2.36.
  • Page 157: Bgprule: Individual Mapping/Filtering Rule

    Configuration Objects J.2.38. bgprule: Individual mapping/filtering rule An individual rule for BGP mapping/filtering Table J.48. bgprule: Attributes Attribute Type Default Description comment string Comment community Community Community that must be present to match detag List of Community - List of community tags to remove drop boolean Do not import/export this prefix...
  • Page 158: Bgppeer: Bgp Peer Definitions

    Configuration Objects peer bgppeer Optional, up to 500 List of peers/neighbours J.2.40. bgppeer: BGP peer definitions The peer definition specifies the attributes of an individual peer. Multiple IP addresses can be specified, typically for IPv4 and IPv6 addresses for the same peer, but this can be used for a group of similar peers. Table J.51.
  • Page 159: Bgpmap: Mapping And Filtering Rules Of Bgp Prefixes

    Configuration Objects
    max-prefix (unsignedInt): Limit prefixes (IPv4+IPv6)
    (Secret): MD5 signing secret
    name (string): Name
    next-hop-self (boolean, default: false): Force us as next hop outbound
    no-fib (boolean): Don't include received routes in packet forwarding
    (unsignedByte): Pad (prefix stuff) our AS on export by this many
    profile (NMTOKEN)...
  • Page 160: Cqm: Constant Quality Monitoring Settings

    Configuration Objects detag List of Community - List of community tags to remove drop boolean Do not import/export this prefix localpref unsignedInt Set localpref (highest wins) unsignedInt Set MED prefix List of IPFilter Drop all that are not in this prefix list source string Source of data, used in automated config...
  • Page 161: Text

    Configuration Objects label-max string Label for maximum latency label-min string Label for minimum latency label-off string Label for off line seconds label-period string Period Label for period label-poll string Polls Label for polls label-rej string %Reject Label for rejected seconds label-rx string Label for Rx traffic level...
  • Page 162: L2Tp: L2Tp Settings

    Configuration Objects text2 string Text line 2 text3 string Text line 3 text4 string Text line 4 timeformat string %Y-%m-%d Time format %M:%S unsignedByte Pixels space at top of graph Colour #080 Colour for Tx traffic level J.2.43. l2tp: L2TP settings L2TP settings for incoming L2TP connections Table J.56.
  • Page 163: J.59. L2Tp-Incoming: Elements

    Configuration Objects lcp-data-len unsignedByte LCP data field length lcp-mru-fix boolean false Restart LCP if RAS negotiated MRU is too high lcp-rate unsignedByte LCP interval (seconds) lcp-timeout unsignedByte LCP timeout (seconds) local-hostname string System name Hostname quoted on reply NMTOKEN Not logging Log events log-debug NMTOKEN...
  • Page 164: L2Tp-Relay: Relay And Local Authentication Rules For L2Tp

    Configuration Objects match l2tp-relay Optional, unlimited Rules for relaying connections and local authentication J.2.45. l2tp-relay: Relay and local authentication rules for L2TP Rules for relaying L2TP or local authentication Table J.60. l2tp-relay: Attributes Attribute Type Default Description called-station-id List of string One or more patterns to match called- station-id calling-station-id...
  • Page 165: Profile-Date: Test Passes If Within Any Of The Time Ranges Specified

    Configuration Objects comment string Comment control-switch-users List of NMTOKEN Any users Restrict users that have access to control switch expect boolean true Defines state considered 'Good' and shown green on status page initial boolean true Defines state at system startup if not using set, or initial state of a new control switch interval duration...
  • Page 166: Profile-Time: Test Passes If Within Any Of The Date/Time Ranges Specified

    Configuration Objects Table J.63. profile-date: Attributes Attribute Type Default Description comment string Comment source string Source of data, used in automated config management start dateTime Start (YYYY-MM-DDTHH:MM:SS) stop dateTime End (YYYY-MM-DDTHH:MM:SS) J.2.48. profile-time: Test passes if within any of the date/time ranges specified Time range test in profiles Table J.64.
  • Page 167: Shaper-Override: Traffic Shaper Override Based On Profile

    Configuration Objects comment string Comment name (token) graphname Not optional Graph name unsignedInt Rx rate limit/target (b/s) rx-max unsignedInt Rx rate limit max rx-min unsignedInt Rx rate limit min rx-min-burst duration Rx minimum allowed burst time rx-step unsignedInt Rx rate reduction per hour share boolean If shaper is shared with other devices...
  • Page 168: Ip-Group: Ip Group

    Configuration Objects J.2.52. ip-group: IP Group Named IP group Table J.69. ip-group: Attributes Attribute Type Default Description comment string Comment List of IPRange One or more IP ranges or IP/len name string Not optional Name source string Source of data, used in automated config management users List of NMTOKEN -...
  • Page 169: Config-Access: Type Of Access User Has To Config

    Configuration Objects
    beta: Load beta test releases
    alpha: Load test releases
    J.3.2. config-access: Type of access user has to config Table J.73. config-access: Type of access user has to config
    none: No access unless explicitly listed
    view: View only access (no passwords)
    read: Read only access (with passwords)
    full...
  • Page 170: Syslog-Facility: Syslog Facility

    Configuration Objects Table J.77. syslog-severity: Syslog severity
    EMERG: System is unstable
    ALERT: Action must be taken immediately
    CRIT: Critical conditions
    Error conditions
    WARNING: Warning conditions
    NOTICE: Normal but significant events
    INFO: Informational
    DEBUG: Debug level messages
    NO-LOGGING: No logging
    J.3.7.
  • Page 171: Month: Month Name (3 Letter)

    Configuration Objects J.3.8. month: Month name (3 letter) Table J.79. month: Month name (3 letter) Value Description January February March April June July August September October November December J.3.9. day: Day name (3 letter) Table J.80. day: Day name (3 letter) Value Description Sunday...
  • Page 172: Radiustype: Type Of Radius Server

    Configuration Objects user Hashed on username before @ realm Hashed on username after @ prefix Hashed on username initial letters and numbers only J.3.11. radiustype: Type of RADIUS server Table J.82. radiustype: Type of RADIUS server Value Description authentication Authentication server accounting Accounting server control...
  • Page 173: Linkflow: Physical Port Flow Control Setting

    Configuration Objects
    auto: Duplex determined by autonegotiation
    J.3.16. LinkFlow: Physical port flow control setting Table J.87. LinkFlow: Physical port flow control setting
    none: No flow control
    symmetric: Can support two-way flow control
    send-pauses: Can send pauses but does not support pause reception
    Can receive pauses and may send pauses if required
    J.3.17.
  • Page 174: Linkpower: Phy Power Saving Options

    Configuration Objects J.3.20. LinkPower: PHY power saving options Table J.91. LinkPower: PHY power saving options Value Description none No power saving full Full power saving J.3.21. LinkFault: Link fault type to send Table J.92. LinkFault: Link fault type to send Value Description false...
  • Page 175: Dhcpv6Control: Control For Ra And Dhcpv6 Bits

      true    Announce as default (medium) priority
    J.3.25. dhcpv6control: Control for RA and DHCPv6 bits
    Table J.96. dhcpv6control: Control for RA and DHCPv6 bits
      Value   Description
      false   Don't set bit or answer on DHCPv6
      true    Set bit but do not answer on DHCPv6
      dhcpv6  Set bit and do answer on DHCPv6
    J.3.26.
  • Page 176: Ggsn-Calling: Calling Number Options For Ggsn

      client     Normal PPPoE client connects to access controller
      bras-l2tp  PPPoE server mode linked to L2TP operation
    J.3.30. ggsn-calling: Calling number options for GGSN
    Table J.101. ggsn-calling: Calling number options for GGSN
      Value   Description
      imsi    IMSI
      msisdn  MSISDN (or IMSI)
      imei    IMEI (or IMSI or MSISDN)
    J.3.31.
  • Page 177: Radius-Nas: Nas Ip To Report

      reflector    IBGP allowing own AS and working in route reflector mode
      confederate  EBGP confederate
                   Internet exchange point peer on route server, soft routes EBGP only
    J.3.34. radius-nas: NAS IP to report
    Table J.105. radius-nas: NAS IP to report
      Value  Description
      false...
  • Page 178

      IPNameAddr   IP address or name
      IP4Addr      IPv4 address
      IP6Addr      IPv6 address
      IPPrefix     IP address / bitlen
      IPRange      IP address / bitlen or range
      IPNameRange  IP address / bitlen or range or name
      IP4Range     IPv4 address / bitlen or range
      IP4Prefix    IPv4 address / bitlen
      IPSubnet...
  • Page 179

      unsignedIntList  List of integers (unsignedInt)
      communitylist    List of BGP communities (Community)
      filterlist       List of IP Prefix filters (IPFilter)
      iprangelist      List of IPranges (IPRange)
      userlist         List of user names (username)
      prefix4list      List of IPv4 Prefixes (IP4Prefix)
      portlist         List of protocol port ranges (PortRange)
      protolist        List of IP protocols (unsignedByte)
      routetableset...
  • Page 180: Index

    Index
    defining, 34
    Ethernet, 33
      relationship with physical ports, 33
    Internet Service Providers
      overview, 72
    overview, 66
    Boot process, 27
    LEDs
    Breadcrumbs, 12
    Power LED - status indications, 27
    Log targets, 28
    Logging (see Event logging)
    Configuration
      backing up and restoring, 16
      categories (user interface), 12
    Navigation buttons
    methods, 10...
  • Page 181

    System name (see Hostname)
    System services
      checking access to, 59
      configuring, 54
      definition of, 54
      list of, 54
    Telnet service
      configuration, 55
    Time-out
      login sessions, 21
    Traffic shaping
      overview, 47
    User Interface
      customising layout, 11
      general layout, 11
      navigation, 15
      overview, 10
    Users
      creating / configuring, 20...
