Cisco RV260 series Administration Manual

RV260x Administration Guide
First Published: 2018-10-23
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Summary of Contents for Cisco RV260 series

  • Page 1 RV260x Administration Guide First Published: 2018-10-23 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com trademarks.
  • Page 3: Table Of Contents

    CONTENTS CHAPTER 1 Getting Started RV260X Product Features Getting Started Launch Setup Wizard User Interface CHAPTER 2 Status and Statistics System Summary TCP/IP Services Port Traffic WAN QoS Statistics...
  • Page 4 Contents Diagnostic Certificate Import Certificate Generate CSR/Certificate Show Built-in 3rd Party CA Certificates Configuration Management Copy/Save Configuration CHAPTER 4 System Configuration Initial Router Setup System Time Email Server Remote Syslog Servers Email User Accounts Remote Authentication Service User Groups IP Address Groups...
  • Page 5 Contents Mobile Network Mobile Network Setup Bandwidth Cap Setting Dynamic DNS Hardware DMZ IPv6 Transition IPv6 in IPv4 Tunnel (6in4) IPv6 Rapid Deployment (6rd) CHAPTER 6 Port Settings PoE Settings (RV260P) VLAN Settings Option82 Settings Static DHCP 802.1X Configuration Router Advertisement...
  • Page 6 CHAPTER 11 Security Content Filtering Web Filtering Cisco Small Business Web Filtering Service Supplemental End User License Agreement CHAPTER 12 Traffic Classes WAN Queuing WAN Policing...
  • Page 7 Contents Switch Classification Switch Queuing CHAPTER 13 Where To Go Where To Go From Here...
  • Page 9: Getting Started

    User Interface, on page 7 RV260X Product Features Thank you for purchasing the Cisco RV260 VPN Series routers. The Cisco RV260 VPN routers are high-performance models that combine business-class features with performance, security, reliability and overall value at a great price point. These models are perfect for the small business, small enterprise, branch, or small home office network.
  • Page 10 Getting Started RV260X Product Features • FindIT Network Management Support Product Specifications Description Specification Ethernet WAN 1 RJ45 SFP Gigabit Combination Port Ethernet LAN 8 RJ45 Gigabit Ethernet RV260P has 4 PoE ports with a 60w power budget Console Port 1 RJ45 Switch Power On/Off...
  • Page 11 Getting Started RV260X Product Features Description Specification Network Protocols • Dynamic Host Configuration Protocol (DHCP) server • Point-to-Point Protocol over Ethernet (PPPoE) • Point-to-Point Tunneling Protocol (PPTP) • Layer 2 Tunneling Protocol (L2TP) • DNS proxy • DHCP relay agent •...
  • Page 12 FindIT Support for Monitoring and Management Event Logging Local, Syslog, email alerts Network Diagnostics Ping, Traceroute, DNS Lookup Upgradeability Firmware upgradeable via browser UI, imported/exported file, USB, Cisco FindIT System Time NTP, Daylight Savings, Manual Entry Environmental...
  • Page 13: Getting Started

    Getting Started Getting Started Description Specification Power RV260: 12VDC/2A RV260P: 54VDC/1.67A RV260W: 12VDC/2.5A Operating Temperature 0° to 40°C (32° to 104°F) Storage Temperature -20° to 70°C (-4° to 158°F) Operating Humidity 10% to 85% noncondensing Storage Humidity 5% to 90% noncondensing Certifications Safety: •...
  • Page 14: Launch Setup Wizard

    Continue to the website. Step 4 When the sign-in page appears, enter the default username cisco and the default password cisco (lowercase). Step 5 Click Login. The Getting Started page appears. You can use the various links available on this page and follow the on-screen instructions to quickly configure your network device.
  • Page 15: User Interface

    Getting Started User Interface To open this page, select Launch Setup Wizard in the navigation pane and follow the on-screen instructions to proceed. Refer to your ISP for the information required to set up your Internet connection. Launch Setup Wizard Initial Router Setup Link to the Initial Router Setup.
  • Page 16 Getting Started User Interface Table 1: Header Toolbar Options Icon Description Toggle button – Located on the top left of the header – This toggle button helps to expand or collapse the navigation pane. Language Selection – This drop-down list allows you to select the language for the user interface.
  • Page 17 Getting Started User Interface Export – Click to export the configurations. Import – Click to import the configurations. Popup Windows Some links and buttons launch popup windows that display more information or related configuration pages. If the web browser displays a warning message about the popup window, allow the blocked content.
  • Page 19: Status And Statistics

    CHAPTER Status and Statistics This section describes the device's status and statistics and contains the following topics: • System Summary, on page 11 • TCP/IP Services, on page 13 • Port Traffic, on page 14 •...
  • Page 20 Status and Statistics System Summary Firmware Information • Firmware Version – The firmware version number installed on the router. • Firmware MD5 Checksum – A value used for file validation. • Locale – Defined localization support. • Language Version – Language version. •...
  • Page 21: Tcp/Ip Services

    Status and Statistics TCP/IP Services Wireless Status This section displays the status of the Wireless. • Radio 1 (2.4G), Radio 2 (5G), and Enabled – Bands displaying the MAC address, mode, channel, and operation bandwidth and their details. VPN Status This section displays the status of the VPN tunnels.
  • Page 22: Port Traffic

    Status and Statistics Port Traffic Port Listen Status This section displays the status of which ports are open to receiving data (listening). • Protocol – Type of protocol used for communication. • Listen IP Address – The listening IP address displays the interface it is listening on. •...
  • Page 23: Wan Qos Statistics

    Status and Statistics WAN QoS Statistics • Number of Associated Clients – The number of associated clients on wireless. • RX Packets – Number of RX packets. • RX Bytes – Number of RX bytes. • TX Packets – Number of TX packets. •...
  • Page 24: Switch Qos Statistics

    Status and Statistics Switch QoS Statistics • Packets Dropped – Number of outbound packets dropped. Inbound QoS Statistics • Queue – Number of inbound queues. • Traffic Class – Name of traffic class assigned to queue. • Packets Passed – Number of traffic class inbound packets that have passed. •...
  • Page 25: Routing Table

    Status and Statistics Routing Table • SSID – The primary name assigned to a wireless network. IPv6 • Hostname – Name of the connected device. • IPv6 Address – The IPv6 address of the connected device. • MAC Address – MAC address of the connected device. •...
  • Page 26: Mobile Network

    Status and Statistics Mobile Network • Type – Connection status (Static or Dynamic). • Action – Action status of the DHCP bindings. Mobile Network Mobile networks enable routers and their subnets to maintain transparent IP connectivity via the mobile router. To view the router's mobile network, click Status and Statistics >...
  • Page 27 Status and Statistics VPN Status In the Connection Table, you can add, edit, delete, or refresh a tunnel. You can also click on Column Display Selection to select the column headers displayed in the Connection Table. GRE Tunnel Status The Connection Table displays the following: •...
  • Page 28: View Logs

    Status and Statistics View Logs • Connect Time – Amount of time connected. • Action – Action status. PPTP Tunnel Status Point-to-Point Tunneling Protocol can encrypt data with 128-bit encryption. It is used to ensure that messages sent from one VPN node to another are secure. •...
  • Page 29: Captive Portal Status

    Status and Statistics Captive Portal Status • Clear Logs – Click to clear logs. • Export Logs to PC – Click to export logs to PC. • Export Logs to USB – Click to export logs on to a USB storage device. Captive Portal Status The captive portal feature requires wireless users to accept the terms and conditions prior to joining a public internet access network.
  • Page 31: Administration

    • Current Dongle Driver Version – Current version of the USB dongle driver. • Last Update – Date of the last update. • Latest Version Available on Cisco.com – Latest version available on Cisco.com. • Last Checked – Last date checked.
  • Page 32: Manual Upgrade

    Step 3 In the Upgrade From section, select an option (Cisco.com, PC, or USB). a) If you select Cisco.com, click Upgrade to upgrade the firmware or Download to USB to save the firmware image file. b) If you select PC or USB, click Browse to locate the firmware file on your PC and click Upgrade.
  • Page 33: Firmware Auto Fallback Mechanism

    Administration Firmware Auto Fallback Mechanism • The behavior only happens when the router is in factory default and attached with a USB flash drive before it is powered on. • The router will search the USB flash drive for a config file whose name has one or more of the following: PID, MAC address, and Serial Number.
  • Page 34: Diagnostic

    Administration Diagnostic Step 2 In the Active Image after reboot section, select an option (Active Image x.x.xx.xx ) from the drop-down list. Step 3 Select from the following reboot options. • Reboot the device. • Return to factory default settings after reboot. •...
  • Page 35: Import Certificate

    Administration Import Certificate Import Certificate To import a certificate, follow these steps: Step 1 Click Import Certificate. Step 2 Select the type of certificate to import from the drop-down list: • CA Certificate • Local Device Certificate • PKCS#12 Encoded File. Step 3 Enter a certificate name.
  • Page 36: Show Built-In 3Rd Party Ca Certificates

    Administration Show Built-in 3rd Party CA Certificates Common Name Enter a common name. Email Address Enter the email address. Key Encryption Length Select the Key Encryption Length from the drop-down menu. It should be 512, 1024 or 2048. Valid Duration Enter the number of days (Range 1-10950, Default: 360).
  • Page 37 Administration Copy/Save Configuration To copy the Running Configuration file, follow these steps: Step 1 In the Copy/Save Configuration section, select the Source from the drop-down list. Step 2 In Destination section, select the destination that the configuration file will be copied to from the drop-down list. Step 3 Click Apply.
  • Page 39: System Configuration

    CHAPTER System Configuration This section describes the device's system configuration and contains the following topics: • Initial Router Setup, on page 31 • System, on page 33 • Time, on page 33 • Log, on page 34 •...
  • Page 40 System Configuration Initial Router Setup Static IP Address A static IP address is a number (in the form of a dotted quad) that is assigned to a computer by an Internet service provider (ISP) to be its permanent address on the Internet.
  • Page 41: System

    System Configuration System Step 15 In the Enable Security – Set Router Password section, enter, and confirm the router password. You can check the Disable Password Strength Enforcement to disable the strength enforcement. Step 16 Click Next, and in the Network Name field, enter a name for the network. Step 17 Click Next, and in the Enable Security –...
  • Page 42: Log

    System Configuration Step 2 Set Time Zone – Select your time zone relative to Coordinated Universal Time (UTC). Step 3 Set Date and Time – Select Auto or Manual. a) For Manual – Enter the date and time. Step 4 In the NTP Server section –...
  • Page 43: Email Server

    System Configuration Email Server System Logs involving the system. Firewall Logs involving the firewall rules, attacks, and content filtering. Network Logs involving the network. Logs involving the VPN. OpenVPN OpenVPN-related logs including instances like VPN tunnel establishment failure, VPN gateway failure, and so on. Logs involving web filtering.
  • Page 44: Email

    System Configuration Email Step 1 In the Syslog Servers section, check Enable to enable the syslog server. Step 2 In the Syslog Server 1 field, enter the IP address of a syslog server to which the log messages are sent. Step 3 In the Syslog Server 2 field, enter the IP address of a syslog server to which the log messages are sent.
  • Page 45 System Configuration User Accounts To configure the Web Login Session Timeout, select System Configuration > User Accounts and set the following in the Web Login Session Timeout section: Administrator Inactivity Timeout Set the minutes for the inactivity timeout. (Range: 0-1440, 0 means never times out.) Guest Inactivity Timeout Set the minutes for guest inactivity timeout.
  • Page 46: Remote Authentication Service

    Remote Authentication Service is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. RADIUS security servers are identified on the basis of their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers.
  • Page 47 System Configuration User Groups To create user groups, follow these steps: Step 1 Select System Configuration > User Groups. Step 2 Under the User Groups, click Add to create a new user group. Step 3 In the Group Name field, enter a name for the group. Step 4 Under the Local User Membership List, click Add and check the box and select desired user group to add the new user Step 5...
  • Page 48: Ip Address Groups

    System Configuration IP Address Groups IP Address Groups In order to configure and manage the application control policies and web filtering, you must set up the IP address groups. To configure the IP address groups, follow these steps: Step 1 Click System Configuration>...
  • Page 49: Discovery-Bonjour

    Note For discovery of Cisco Small Business products, Cisco provides a utility that works through a simple toolbar on the web browser called FindIT. The FindIT Discovery Utility discovers Cisco devices in the network and displays basic information, such as serial numbers and IP addresses. For more information and to download the FindIT Discovery Utility, visit www.cisco.com/go/findit.
  • Page 50: Automatic Updates

    System Configuration Automatic Updates Step 1 Select System Configuration > LLDP. Step 2 In the LLDP section, check Enable. (It is enabled by default). Step 3 In the LLDP Port Setting Table, check Enable LLDP to enable LLDP on an interface. Step 4 Click Apply.
  • Page 51: Schedules

    System Configuration Schedules Schedules The network devices should be protected against intentional attacks and viruses that could compromise confidentiality or result in data corruption or denial of service. Schedules can be created to apply firewall or port forwarding rules on specific days or times of day. To configure the schedule, follow these steps.
  • Page 52: Plug And Play Connect Service

    Step 1 In your web browser, navigate to https://software.cisco.com. Step 2 Click the Log In button at the top right of the screen. Log in with a cisco.com ID associated with your Cisco Smart Account. Step 3 Select the Plug and Play Connect link under the Network Plug and Play heading. The main page for the Plug and Play Connect service is displayed.
  • Page 53: Registering Devices

    Certain products purchased directly from Cisco may be associated with your Cisco Smart Account at the time of purchase, and these will automatically be added to Plug and Play Connect. However, the majority of Cisco's 100 to 500 series Plug and Play-enabled products will need to be registered manually. To register the devices...
  • Page 55: Wan

    CHAPTER A wide area network (WAN) is a collection of geographically distributed telecommunications or computer networks. The term distinguishes a broader telecommunication structure from a local area network (LAN). A wide area network may be privately owned or rented and allows a business to effectively carry out its daily functions regardless of location.
  • Page 56 WAN Settings Default Gateway Enter the IP address of the default gateway. Default Gateway is needed on this interface to participate in the load balance and failover (Multi-WAN). Enter the IP address of the primary and or secondary Static DNS in the fields. Static DNS 1 &...
  • Page 57 WAN Settings MPPE Encryption Check to enable MPPE encryption. If the IPv4 uses L2TP to connect, configure the following: IP Assignment For DHCP, select this option to enable DHCP to provide an IP address. For Static IP, select this option and provide an IP address, netmask, and the IP address of the default gateway.
  • Page 58: Multi-Wan

    Multi-WAN Step 7 Click Apply. Multi-WAN WAN failover provides efficient utilization of multiple WAN interfaces. Based on the configuration, this feature can be used to distribute traffic among the interfaces. The Multi-WAN feature provides the outbound WAN traffic over multiple WAN interfaces (WAN & USB) based on a numeric weight assignment. It also monitors each WAN connection using repeated ping tests and automatically routes outbound traffic to another WAN interface if connectivity is lost.
  • Page 59: Mobile Network Setup

    Mobile Network Setup Step 6 Click Apply. Mobile Network Setup To configure the Mobile Network Setup, follow these steps: Step 1 In the Configuration Mode, select Auto to connect to the network automatically. Step 2 Enter the SIM PIN – the PIN code associated with your SIM card. Step 3 Or, select Manual to connect to the network manually and configure the following: •...
  • Page 60: Dynamic Dns

    Dynamic DNS • Check Send an email to administrator if 3G/4G usage has reached percentage of monthly bandwidth cap. Select the percentage of data for monthly bandwidth cap from the drop-down list. When the cap is reached, an email alert is sent to the administrator. Step 2 Click Apply.
  • Page 61: Ipv6 Transition

    IPv6 Transition Step 3 Select Subnet to identify a subnetwork for DMZ services and enter the DMZ IP Address and Subnet Mask. Step 4 Select Range to reserve a group of IP addresses on the same subnetwork for DMZ services and enter the IP address range. Step 5 Click Apply.
  • Page 62 IPv6 Rapid Deployment (6rd) Step 3 Or, select Manual and set the following 6rd parameters. a) Enter the IPv4 Address of Relay. b) Enter the IPv4 Common Prefix Length. c) Enter the IPv6 Prefix/Length. The IPv6 network (subnetwork) is identified by the prefix. All hosts in the network have the identical initial bits for their IPv6 address.
  • Page 63: Lan

    CHAPTER A local area network (LAN) is a computer network that spans a relatively small area, such as an office building, a school, or a home. LANs are characterized by their topology, protocols, and media.
  • Page 64: Poe Settings (Rv260P)

    PoE Settings (RV260P) Flow Control Check to enable symmetric flow control. Flow control is used to send and respect pause frames to and from the LAN PC connected to the device. Select the port setting mode from the drop-down list. Mode Jumbo frames are Ethernet frames with more than 1500 bytes of payload, which is the Jumbo Frames...
  • Page 65: Vlan Settings

    VLAN Settings Step 4 Simple Network Management Protocol (SNMP) Traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message. To enable SNMP Traps, check Enable. Step 5 In the Power Trap Threshold, enter the threshold in %. (Range 1 to 99, Default 95). To configure the PoE Table, follow these steps: The PoE Properties table displays the operational status and power levels used in the PoE.
  • Page 66 VLAN Settings To create new VLANs, follow these steps: Step 1 Select LAN > VLAN Settings. Step 2 Click Add to create a new VLAN. Step 3 Enter the VLAN ID (Range is 1-4093) and a name. Step 4 Check Enabled to enable both the Inter-VLAN routing and Device Management. Step 5 Enter the following information for IPv4 or IPv6.
  • Page 67: Option82 Settings

    Option82 Settings Preview Preview the IPv6 address. Interface Select the appropriate interface identifier. Identifier DHCP Type • Disabled – Disables the DHCP IPv6 server on VLAN. • Server • Lease Time – Enter a time value of 5 to 43,200 minutes. Default is 1440 minutes (equal to 24 hours).
  • Page 68: Static Dhcp

    Static DHCP Step 1 Select LAN > Option82 Settings. Step 2 Click Add and configure the following: Step 3 Enter the following information to configure the Option 82 Circuit: Enter description for option 82 client. Description Enhances the validation security to determine about the information which is provided Circuit ID in the Option 82 Circuit ID.
  • Page 69: 802.1X Configuration

    802.1X Configuration Step 5 Check Enabled. Step 6 Click Apply to add the devices to the Static IP list. Step 7 Click Import or Export to use these details. 802.1X Configuration The IEEE 802.1X port-based authentication prevents unauthorized devices (clients) from gaining access to the network.
  • Page 70 Router Advertisement Advertisement Mode Select the advertisement mode from the drop-down list. • Unsolicited Multicast – Sends Router Advertisement messages to all interfaces in the multicast group. Enter the Advertisement Interval. This option is the default setting. • Unicast – Send Router Advertisement messages only to well-known IPv6 addresses. Advertisement Interval Enter the time interval between 10 and 1800 (Default is 30 seconds) at which the router advertisement messages are sent.
  • Page 71: Wireless

    CHAPTER Wireless A Wireless Local Area Network (WLAN) is a wireless distribution method that implements a flexible data communication system using high-frequency radio waves and often includes an access point to the Internet. This is achieved by augmenting, rather than replacing, a wired LAN within a building or campus. Since WLANs use radio frequency to transmit and receive data, they don't require wired connections.
  • Page 72 Wireless Basic Settings Actively applied to Radio Select 2.4G or 5G band to connect only to a network matching both network settings and band selection. The SSID is created on the radio selected. Select Both to configure the SSID on both the radios and connect this profile to an available network with matching network settings.
  • Page 73: Concurrent Dual Band Selection

    Wireless Concurrent Dual Band Selection Wireless Isolation with SSID Check Enable to enable wireless isolation within the SSID. When wireless isolation is configured, wireless clients will not be able to see or communicate with each other when connected to the same SSID. To prioritize and queue the traffic according to the Access Category (AC), check Enable to enable the Wireless Multimedia Extensions (WME).
  • Page 74: Configuring 5 Ghz Radio

    Wireless Configuring 5 GHz Radio Option Description B Only Select this option if you have only Wireless-B devices in your network. G Only Select this option if you have only Wireless-G devices in your network. N Only Select this option if you have only Wireless-N devices in your network.
  • Page 75: Advanced Settings

    Wireless Advanced Settings Step 3 Select the network band mode from the Wireless Network Mode drop-down list. Option Description A Only Select this option if you have only Wireless-A devices in your network. N/AC-Mixed Select this option if you have Wireless-N and Wireless-AC devices in your network.
  • Page 76: Wps

    Wireless WMM No Acknowledgment Check Enable to achieve efficient throughput. This may result in higher error rates in a noisy Radio Frequency (RF) environment. Data Rate For Data Rate, click Set to Default , to reset the default basic and transmission rates. Basic Rate Select the basic rate settings–...
  • Page 77: Captive Portal

    Wireless Captive Portal supported by WPS: WPS push button, WPS PIN number through your client’s device, and Device PIN number generated on the WPS configuration page. To configure WPS: Step 1 Click Wireless > WPS. The Wi-Fi Protected Setup page appears. Step 2 Select the SSID (for which the WPS is to be configured) from the WPS drop-down list.
  • Page 78: Lobby Ambassador

    Wireless Lobby Ambassador Step 4 On the Portal Page Customization section, configure the following: Select a font color, from the drop-down list, for the text you want to display on the page. Font Color Background Picture Click Browse and select an image to be displayed as the background of the portal page. Company Name Specify the company name to be displayed.
  • Page 79 Wireless Lobby Ambassador Step 5 In the Password field, enter a password or click Auto Generate to automatically generate a password. Step 6 In the Expires In section, select the Days, Hours, and Minutes, from the drop-down list. Step 7 Check one of the following radio buttons, Delete guest account when it expires or Suspend guest account when it expires, to delete or suspend the lobby ambassador account.
  • Page 81: Routing

    CHAPTER Routing Routing is the process of selecting the best paths in a network. Dynamic routing is a networking technique that provides optimal data routing. Dynamic routing enables routers to select paths according to real-time logical network layout changes.
  • Page 82: Rip

    Routing Prefix Enter the IPv6 prefix. Length Enter the number of prefix bits of the IP address. Next Hop Enter the IP address of the router of the last resort. Hop Count Enter the hop count number (Max 255). Interface Choose the interface to use for this static route from the drop-down list.
  • Page 83: Igmp Proxy

    Routing IGMP Proxy RIPng (IPv6) Routing Information Protocol next generation (RIPng) uses User Datagram Packets (UDP) to send routing information. This is based on RIP version 2 but used for IPv6 routing. • Check Enable to enable RIP IPv6 routing. •...
  • Page 85: Firewall

    CHAPTER Firewall A firewall is a function designed to prevent unauthorized access by analyzing the incoming and outgoing network traffic. The firewall examines traffic and filters the transmissions that do not meet the specified security criteria. The firewall decides the type of packets that should be allowed or denied into or out of a network.
  • Page 86 Firewall Basic Settings RESTCONF Port Enter the RESTCONF port number. Default is 443. NETCONF The NETCONF protocol defines a simple mechanism through which a network device can be managed, configuration data information can be retrieved, and new configuration data can be uploaded and manipulated. Check Enable and LAN and/ or WAN to enable NETCONF.
  • Page 87: Access Rules

    Firewall Access Rules Access Rules Rules can be configured for filtering the packets based on particular parameters like IP address or ports. To configure the access rules, follow these steps: Step 1 Select Firewall > Access Rules. Step 2 In the IPv4 or IPv6 Access Rules Table, click Add or select the row and click Edit and enter the following: Rule Status Check Enable to enable the specific access rule.
  • Page 88: Network Address Translation

    Firewall Network Address Translation Step 6 To add a service, click Add under the Service table. To edit a service, select the row and click Edit. The fields open for modification. Step 7 You can have many services in the list: •...
  • Page 89: Port Forwarding

    Firewall Port Forwarding Range Length Enter the number of IP addresses in the range. The range length must not exceed the number of valid IP addresses. To map Note a single address, enter 1. Select the name of the service, from the drop-down list, to apply for the Static NAT. Services Interfaces Select the name of the interface from the drop-down list.
  • Page 90: Port Triggering

    Firewall Port Triggering • Application Name – Name of the service or application. • Protocol – Required protocol. Refer to the documentation for the service that you are hosting. • Port Start/ICMP Type/IP Protocol – Range of port numbers reserved for this service. •...
  • Page 91: Policy Nat

    Firewall Policy NAT Policy NAT Policy NAT allows you to identify the real address for the address translation by specifying the source and destination address in an extended access list. You can specify the source and destination ports. The Policy NAT allows you to create flexible NAT rules for advanced users.
  • Page 92 Firewall Policy NAT Use Cases Case 1: The source address for the HTTP traffic is translated by another public address, for traffic that is initiated from the same LAN host. Topology: PC1 –– LAN[RV260W]WAN –– (Internet) –– PC2 • PC1: 192.168.1.111 •...
  • Page 93 Firewall Policy NAT Use Cases Note Disable the global NAT on WAN1. Address Object: Configure the VLAN2_subnet to 192.168.2.0/24. Result: The VLAN traffic from VLAN2 subnet is translated to WAN IP. The other traffic from VLAN2 goes to routing mode out of WAN (source address will not be translated). Case 4 You configure the VLAN1 with subnet A and VLAN2 with subnet B.
  • Page 94: Session Timeout

    Firewall Session Timeout Result The PC2 address is 172.16.1.110, and can access PC1 by http://172.16.1.1. Change the PC address to another address out of the range 172.16.1.100-110, if it cannot access the internal server. Case 7 Only allows particular Internet hosts to access the LAN server by 1:1 like rule. Topology PC1/PC10 ––...
  • Page 95: Dmz Host

    Firewall DMZ Host DMZ Host DMZ is a subnetwork that is open to the public but behind the firewall. With DMZ, the packets, which are coming into the WAN port, can be redirected to a specific IP address in the LAN. DMZ Host allows one host on the LAN to be exposed to the Internet to use services such as Internet gaming, video conferencing, web, or email servers.
  • Page 97: Vpn

    CHAPTER A Virtual Private Network (VPN) is used to establish an encrypted connection over a less secure network. VPN ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it. A tunnel is established as a private network that can send data securely by using industry-standard encryption and authentication techniques to secure the data sent.
  • Page 98 VPN is useful when connecting from Laptop/PC from home to a corporate network through VPN server. The VPN allows a remote host to act as if they were located on the same local network. The RV260 series router supports 20 tunnels by default. The VPN Setup Wizard guides the user when configuring a secure connection for a site-to-site IPSec tunnel.
  • Page 99: Ipsec Vpn

    IPSec VPN Authentication The authentication method determines how the Encapsulating Security Payload Protocol (ESP) header packets are validated. The MD5 is a one-way hashing algorithm that produces a 128-bit digest. The SHA1 is a one-way hashing algorithm that produces a 160-bit digest.
  • Page 100: Ipsec Profiles

    IPSec Profiles communications mechanism for data and IP information that is transmitted between networks. A VPN can also be used over an existing network, such as the Internet, to facilitate the secure transfer of sensitive data across public networks. VPNs can also provide flexible solutions, such as securing communications between remote telecommuters and the organizations, regardless of where the telecommuters are located.
  • Page 101 IPSec Profiles Encryption Select an encryption option (3DES, AES-128, AES-192, or AES-256) from the drop-down list. This method determines the algorithm used to encrypt or decrypt ESP/ISAKMP packets. Authentication Select an authentication (MD5, SHA1, or SHA2-256). SA Lifetime (Sec) Amount of time a VPN tunnel (IPSec SA) is active in this phase. The default value for Phase 2 is 3600 seconds.
  • Page 102: Site-To-Site

    Site-to-Site Site-to-Site In a site-to-site VPN, the local router at one location connects to a remote router through a VPN tunnel. Client devices can access network resources as if they were all at the same site. This model can be used for multiple users at a remote location.
  • Page 103 Site-to-Site VPN Connection Step 1 On the Basic Settings tab, provide the following information: Enable: Click Enable to enable the configuration. Connection Name: Enter a connection name for the VPN tunnel. This description is for reference purposes; it does not have to match the name used at the other end of the tunnel. IPSec Profile Default –...
  • Page 104 Site-to-Site VPN Connection IP Address Enter the IP address of the device that can use this tunnel. Subnet Mask Enter the subnet mask. Aggressive Mode Check the box to enable aggressive mode. Step 2 On the Advanced Settings tab, provide the following: Compress (Support IP A protocol that reduces the size of IP datagrams.
  • Page 105: Client To Site

    Client to Site Split DNS Check Split DNS to enable. Splits the DNS server and other DNS requests to another DNS server, based on specified domain names. When the router receives an address resolution request, it inspects the domain name. If the domain name matches a domain name in the Split DNS settings, it passes the request to the specified DNS server.
  • Page 106 Client to Site IKE Authentication Method Authentication method to be used in IKE negotiations in IKE-based tunnels. • Pre-shared Key: IKE peers authenticate each other by computing and sending a keyed hash of data that includes the Pre-shared Key. If the receiving peer is able to create the same hash independently using its Pre-shared key, it knows that both peers must share the same secret, thus authenticating the other peer.
  • Page 107: Openvpn

    OpenVPN Aggressive Mode Check Aggressive Mode to enable. Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IP security (IPsec) peer and to initiate an Internet Key Exchange (IKE) aggressive mode negotiation with the tunnel. Compress (Support IP If the responder rejects this proposal, then the router does not implement compression.
  • Page 108: Pptp Server

    (Point-to-Point Tunneling Protocol) VPN tunnels can be enabled for users who are running PPTP client software on the RV260 series routers. In the Wizard, the user selects the option to create a connection to the workplace by using a VPN connection. The user must know the WAN IP address of the device. For more information, refer to the documentation or help files for your operating system.
  • Page 109: Gre Tunnel

    GRE Tunnel Microsoft Point-to-Point (MPPE) Encryption: The MPPE encrypts data in PPP-based dial-up connections or PPTP VPN connections. 128-bit key MPPE encryption schemes are supported. Select the MPPE encryption (None or 128 bits) from the drop-down list. Step 2 Click Apply. GRE Tunnel Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses an IP as the transport protocol and carries many different passenger protocols.
  • Page 110: Resource Allocation

    Resource Allocation • PPTP Passthrough – Point-to-Point Tunneling Protocol (PPTP) allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. • L2TP Passthrough - Layer 2 Tunneling Protocol is the method used to enable Point-to-Point sessions by using the Internet at Layer 2.
  • Page 111: Security

    Security This section describes the device's security features and contains the following topics: • Content Filtering, on page 103 • Web Filtering, on page 104 Content Filtering The Content Filtering enables you to restrict access to certain unwanted websites. It can block access to websites based on the domain names and keywords.
  • Page 112: Web Filtering

    Security Web Filtering Web Filtering Web filtering is a feature that allows you to manage access to inappropriate websites. It can screen a client’s web access requests to determine whether to allow or deny that website. To enable and configure the web filtering, follow these steps: Step 1 Click Security >...
  • Page 113: Cisco Small Business Web Filtering Service Supplemental End User License Agreement

    This Supplemental End User License Agreement (“SEULA”) contains additional terms and conditions that grant the right to use the Cisco Small Business Web Filtering Service and its associated software (collectively, the “Service”) under the End User License Agreement (“EULA”) between you and Cisco (collectively, the “Terms”).
  • Page 114 (b) End User access to the Service shall terminate. 3.2 Cisco may at any time terminate these Terms for convenience, for any reason, or for no reason at all, by providing End User with thirty (30) days prior notice of termination via posting an end of sale notice at: http://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/eos-eol-notice-listing.html.
  • Page 115 Cisco’s obligations, subject to these Terms, to provide the Service. All financial obligations associated with End User’s business are the sole responsibility of End User. 7.2 Third Party Services. Cisco reserves the right to subcontract the provision of all or part of the Service to a third party.
  • Page 116 Cisco Small Business Web Filtering Service Supplemental End User License Agreement 7.3 Force Majeure. Cisco shall not be liable for any delay or failure in performance whatsoever resulting from acts beyond its reasonable control. Such acts shall include, but not be limited to delays attributed to delays of common carriers, acts of God, earthquakes, labor disputes, shortages of supplies, actions of governmental entities, riots, war, acts or threatened acts of terrorism, fire, epidemics and similar occurrences.
  • Page 117: C H A P T E

    Quality of service (QoS) is used to optimize network traffic management in order to improve the user's experience. QoS is a defined measure of performance in a communication network. It prioritizes one type of transmission over another.
  • Page 118: Wan Queuing

    WAN Queuing Service Name Name of the service to apply the traffic classification. Enter the name of the service. Receive Interface The interface that receives traffic to apply the classification records. Select one of the interfaces from the drop-down list. •...
  • Page 119: Wan Policing

    WAN Policing Rate Control Packets are served with their maximum allowed bandwidth from each queue. However, when congestion occurs, the minimum rate configured for each queue is applied to the network traffic. The sum of minimum rates of all queues should not exceed 100% and maximum rate for each queue should not exceed 100%.
  • Page 120: Wan Bandwidth Management

    WAN Bandwidth Management Step 7 Click Apply. WAN Bandwidth Management The WAN interfaces can be configured with the maximum bandwidth provided by the ISP. When the value (transfer rate in KBP/S) is configured, the traffic entering the interface is shaped at the defined rate. To configure the WAN Bandwidth Management, follow these steps: Step 1 Click QoS >...
  • Page 121: Switch Queuing

    Switch Queuing DSCP-based For IPv6 traffic, the DSCP matches the traffic class value in the IPv6 header and places it in different queues. The traffic class value is 4 times the DSCP value. For example, if the user configures the DSCP as 10 mapping to Queue 1, then the IPv6 flows with traffic class value 40 are put into Queue 1.
  • Page 123: C H A P T E

    Cisco Firmware Downloads: https://www.cisco.com/c/en/us/support/index.html Select a link to download the firmware for your Cisco product. No login is required. Cisco Open Source If you wish to receive a copy of the source code to which you are entitled under...
  • Page 124 Where To Go Where To Go From Here RV260x Administration Guide...
