Nortel BCM50a Configuration Manual

Integrated router
BCM50a Integrated Router Configuration — Advanced
BCM50a
BCM50a Integrated Router
Document Number: N0115791
Document Version: 1.0
Date: September 2006

Summary of Contents for Nortel BCM50a

  • Page 2 Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
  • Page 3: Table Of Contents

    Getting to know your BCM50a Integrated Router ....29 Introducing the BCM50a Integrated Router ....... . . 29 Features .
  • Page 4 IPSec VPN capability ......... . . 32 Nortel Contivity Client Termination ....... . . 32 Certificates .
  • Page 5 Nailed-Up Connection ..........70 BCM50a Integrated Router Configuration — Advanced...
  • Page 6 6 Contents Remote Node setup ........... 70 Remote Node profile .
  • Page 7 System Status ............146 BCM50a Integrated Router Configuration — Advanced...
  • Page 8 8 Contents System information and console port speed ....... 148 System Information .
  • Page 9 Verifying settings ..........204 Appendix B BCM50a Integrated Router Configuration — Advanced...
  • Page 10 How PPPoE works ........... 226 BCM50a Integrated Router as a PPPoE client ......226 Appendix E Hardware specifications .
  • Page 11 Enhanced DHCP option commands introduction ......282 Specifying the Nortel BCM50 IP address ......282 Nortel BCM50 DHCP server options .
  • Page 12 Log commands ............305 Configuring what you want the BCM50a Integrated Router to log ... 306 Displaying logs .
  • Page 13 Menu 14.1 – Edit Dial-in User ........88 BCM50a Integrated Router Configuration — Advanced...
  • Page 14 14 Figures Figure 30 Menu 4 – Applying NAT for Internet Access ..... . . 90 Figure 31 Menu 11.3 – Applying NAT to the Remote Node ....91 Figure 32 Menu 15 –...
  • Page 15 Windows 95/98/Me: TCP/IP properties: IP address ....195 Figure 99 Windows 95/98/Me: TCP/IP Properties: DNS configuration ..196 BCM50a Integrated Router Configuration — Advanced...
  • Page 16 Figure 132 Single-PC per router hardware configuration ..... 226 Figure 133 BCM50a Integrated Router as a PPPoE Client ....227 Figure 134 Ethernet cable pin assignments .
  • Page 17 Figure 137 Example VPN responder IPSec log ......299 BCM50a Integrated Router Configuration — Advanced...
  • Page 19 SNMP Traps ..........139 Table 29 Menu 23.2 System Security: RADIUS Server ..... 143 BCM50a Integrated Router Configuration — Advanced...
  • Page 20 20 Tables Table 30 Menu 24.1 System Maintenance: Status ......147 Table 31 Menu 24.2.1 System Maintenance: Information ....150 Table 32 System Maintenance Menu Syslog Parameters .
  • Page 21 Log categories and available settings ......306 Table 81 Brute force password guessing protection commands ....309 BCM50a Integrated Router Configuration — Advanced...
  • Page 23: Preface

    Preface Before you begin This guide is designed to assist you with advanced configuration of your BCM50a Integrated Router for its various applications. Note: This guide explains how to use the System Management Terminal (SMT) or the command interpreter interface to configure your BCM50a Integrated Router.
  • Page 24: Related Publications

    For more information about using the BCM50a Integrated Router, refer to the following publications: • BCM50a Integrated Router Configuration - Basics (N0115790) The basic manual covers how to use the WebGUI to configure your BCM50a Integrated Router. • WebGUI Online Help Embedded WebGUI help for descriptions of individual screens and...
  • Page 25: USA And Canada Authorized Distributors

    Telephone: *European Free phone 00800 800 89009 European Alternative: United Kingdom +44 (0)870-907-9009 Africa +27-11-808-4000 Israel 800-945-9779 Calls are not free from all countries in Europe, Middle East, or Africa. Fax: 44-191-555-7980 E-mail: emeahelp@nortel.com BCM50a Integrated Router Configuration — Advanced...
  • Page 26: CALA (Caribbean & Latin America)

    APAC (Asia Pacific) Service Business Centre & Pre-Sales Help Desk: +61-2-8870-5511 (Sydney) Technical Support - GNTS Telephone: +612 8870 8800 Fax: +612 8870 5569 E-mail: asia_support@nortel.com Australia 1-800-NORTEL (1-800-667-835) 010-6510-7770 China India 011-5154-2210 Indonesia 0018-036-1004 Japan 0120-332-533 Malaysia 1800-805-380 New Zealand...
  • Page 27 Preface Thailand 001-800-611-3007 Service Business Centre & +61-2-8870-5511 Pre-Sales Help Desk BCM50a Integrated Router Configuration — Advanced...
  • Page 29: Getting To Know Your BCM50a Integrated Router

    This chapter introduces the main features and applications of the BCM50a Integrated Router. Introducing the BCM50a Integrated Router The BCM50a Integrated Router is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN). Your BCM50a Integrated Router integrates high-speed 10/100 Megabits per second (Mb/s) autonegotiating LAN interfaces and a high-speed Asymmetrical Digital Subscriber Line Plus (ADSL2+) port into a single package.
  • Page 30: Physical Features

    30 Chapter 1 Getting to know your BCM50a Integrated Router Table 1 Feature specifications Feature Specification Number of SUA (Single User Account) servers Number of address mapping rules Number of configurable VPN rules (gateway policies) Number of configurable IPSec VPN IP policies (network policies)
  • Page 31: Networking Compatibility

    A combination of switch and router makes your BCM50a Integrated Router a cost-effective and viable network solution. You can connect up to four computers or phones to the BCM50a Integrated Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN.
  • Page 32: Autonegotiating 10/100 Mb/s Ethernet LAN

    The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable. Time and date Using the BCM50a Integrated Router, you can get the current time and date from an external server when you turn on your BCM50a Integrated Router. You can also set the time manually.
  • Page 33: Certificates

    Certificates The BCM50a Integrated Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
  • Page 34: Content Filtering

    Content filtering The BCM50a Integrated Router can block web features such as ActiveX controls, Java applets, and cookies, as well as disable web proxies. The BCM50a Integrated Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled.
  • Page 35: IP Multicast

    Chapter 1 Getting to know your BCM50a Integrated Router 35 IP Multicast The BCM50a Integrated Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The BCM50a Integrated Router supports versions 1 and 2.
  • Page 36: Traffic Redirect

    36 Chapter 1 Getting to know your BCM50a Integrated Router Traffic Redirect Traffic Redirect forwards WAN traffic to a backup gateway when the BCM50a Integrated Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
  • Page 37: Upgrade BCM50a Integrated Router Firmware

    ADSL. The BCM50a Integrated Router also provides IP address sharing and a firewall protected local network with traffic management. The BCM50a Integrated Router VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need (and expense) of leased lines between sites.
  • Page 38: Figure 1 Secure Internet Access And VPN Application

    38 Chapter 1 Getting to know your BCM50a Integrated Router Figure 1 Secure Internet Access and VPN Application BCM50a Integrated Router Caution: Electro-static Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD. Avoid touching the connectors on the router, particularly when it is in use.
  • Page 39: Chapter 2 Introducing The SMT

    SMT, and how to configure SMT menus. Initial screen When you turn on your BCM50a Integrated Router, it performs several internal tests as well as line initialization. After the tests, the BCM50a Integrated Router asks you to press...
  • Page 40: Navigating The SMT Interface

    If you see a blank screen, press [ENTER] to bring up the logon screen again. Navigating the SMT interface The SMT is an interface that you use to configure your BCM50a Integrated Router. Table 2 lists several operations you must be familiar with before attempting to modify the configuration.
  • Page 41: Main Menu

    Type 99 at the main menu prompt and press [ENTER]. [ENTER] to exit the SMT interface. Main menu After you enter the password, the SMT displays the BCM50a Integrated Router Main Menu, as shown in Figure 4. Not all models have all the features shown.
  • Page 42: Figure 4 Main Menu

    42 Chapter 2 Introducing the SMT Figure 4 Main menu BCM50a Integrated Router Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2. WAN Setup 22. SNMP Configuration 3. LAN Setup 23. System Security 4. Internet Access Setup 24.
  • Page 43: Changing The System Password

    Use this menu to exit (necessary for remote configuration). Changing the system password To change the BCM50a Integrated Router administrator password: From the main menu, enter 23 to display Menu 23 – System Security. Enter 1 to display Menu 23.1 – System Security – Change Password.
  • Page 44: SMT Menus At A Glance

    44 Chapter 2 Introducing the SMT SMT menus at a glance Figure 6 SMT overview N0115791...
  • Page 45: SMT Menu 1 - General Setup

    IP Address= N/A Third System DNS Server= From ISP IP Address= N/A Edit Dynamic DNS= No Route IP= Yes Bridge= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. BCM50a Integrated Router Configuration — Advanced...
  • Page 46: Table 4 General Setup Menu Fields

    Field: System name. Description: Choose a descriptive name for identification purposes. Nortel recommends you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted. Example: BCM50a Integrated Router.
  • Page 47 Router's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the BCM50a Integrated Router has a fixed WAN IP address, From ISP changes to None after you save your changes. If...
  • Page 48: Configuring Dynamic DNS

    DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the BCM50a Integrated Router as a local IP address and the IP address of the DNS server as a remote IP address.
  • Page 49: Figure 8 Menu 1.1 - Configure Dynamic DNS

    Enter your host names in the fields provided. You can specify up to two host names separated by a comma in each field. Example: me.dyndns.org. EMAIL: Enter your e-mail address. Example: mail@mailserver. User: Enter your username. Password: Enter the password assigned to you.
  • Page 50 BCM50a Integrated Router’s WAN IP address. DDNS does not work with a private IP address. When both fields are set to No, the BCM50a Integrated Router must have a public WAN IP address in order for DDNS to work.
  • Page 51 The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.
  • Page 53: WAN Setup

    This chapter describes how to configure the WAN using Menu 2. Introduction to WAN setup This chapter explains how to configure the settings for your WAN port. WAN setup From the main menu, enter 2 to open Menu 2.
  • Page 54: Figure 9 Menu 2 - WAN Setup

    Field Description Example Route Selection: WAN Metric The BCM50a Integrated Router uses the connection with the lowest metric value first. Traffic Redirect Metric The default WAN connection is 1 as your broadband connection through the WAN port must always be Dial Backup your preferred method of accessing the WAN.
  • Page 55: Traffic Redirect Setup

    Select Yes and press [ENTER] to configure Menu 2.2 — Traffic Redirect Setup. Dial-Backup: Dial backup does not apply to all BCM50a Integrated Router models. Active Use this field to turn the dial-backup feature on (Yes) or off (No).
  • Page 56: Figure 10 Menu 2.2 - Traffic Redirect Setup

    Internet connection of the BCM50a Integrated Router terminates. Metric This field sets the priority for this route among the routes the BCM50a Integrated Router uses. The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.
  • Page 57: LAN Setup

    LAN setup This chapter describes how to configure the LAN using Menu 3: LAN Setup. Introduction to LAN setup This section describes how to configure the BCM50a Integrated Router for LAN connections. Accessing the LAN menus From the main menu, enter 3 to open Menu 3 – LAN setup Figure 11 Menu 3 –...
  • Page 58: TCP/IP And DHCP Ethernet Setup Menu

    58 Chapter 4 LAN setup Figure 12 Menu 3.1 – LAN Port Filter Setup Menu 3.1 – LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: TCP/IP and DHCP ethernet setup menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.
  • Page 59: Figure 14 Menu 3.2 - TCP/IP And DHCP Ethernet Setup

    Description Example DHCP This field enables and disables the DHCP server. Server If set to Server, your BCM50a Integrated Router will act as a DHCP server. If set to None, the DHCP server will be disabled. Configuration: Client IP Pool This field specifies the first of the contiguous 192.168.1.2...
  • Page 60 Address field below displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the BCM50a Integrated Router has a fixed WAN IP address, From ISP changes to None after you save your changes. If you chose From ISP...
  • Page 61: IP Alias Setup

    TCP/IP parameters for the LAN port. Table 9 LAN TCP/IP setup menu fields. TCP/IP Setup: IP Address: Enter the IP address of your BCM50a Integrated Router in dotted decimal notation. Example: 192.168.1.1 (default). IP Subnet Mask: Your BCM50a Integrated Router automatically calculates the subnet mask based on the IP address that you assign. Example: 255.255.255.0.
  • Page 62: Figure 15 Menu 3.2.1 - IP Alias Setup

    IP Alias: Choose Yes to configure the LAN network for the BCM50a Integrated Router. IP Address: Enter the IP address of your BCM50a Integrated Router in dotted decimal notation. Example: 192.168.1.1. IP Subnet Mask: Your BCM50a Integrated Router automatically calculates the subnet mask based on the IP address that you assign. Example: 255.255.255.0.
  • Page 63 Filters incoming traffic between this node and the BCM50a Integrated Router. Outgoing Protocol Filters: Enter the filter sets you wish to apply to the outgoing traffic between this node and the BCM50a Integrated Router.
  • Page 65: Internet Access

    Chapter 5 Internet access This chapter shows you how to configure your BCM50a Integrated Router for Internet access. Internet access configuration Using Menu 4 you can enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in Menu 11.
  • Page 66: Figure 16 Menu 4 - Internet Access Setup

    66 Chapter 5 Internet access Figure 16 Menu 4 – Internet Access Setup Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= ENET ENCAP Multiplexing= LLC-based VPI #= 8 VCI #= 35 My Login= N/A My Password= N/A ENET ENCAP Gateway= N/A IP Address Assignment= Dynamic IP Address= N/A Network Address Translation= SUA Only...
  • Page 67: Basic Setup Complete

    You have successfully connected, installed, and set up your BCM50a Integrated Router to operate on your network, as well as access the Internet. If all your settings are correct, your BCM50a Integrated Router can connect automatically to the Internet. If the connection fails, note the error message that you receive on the screen and take the appropriate troubleshooting steps.
  • Page 69: Chapter 6 Remote Node Setup

    If you encounter a case where the peer disconnects right after a successful authentication, please make sure that you specify the correct authentication protocol when connecting to such an implementation.
  • Page 70: Nailed-Up Connection

    The first is that idle timeout is disabled. The second is that the BCM50a Integrated Router will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
  • Page 71: Encapsulation And Multiplexing Scenarios

    Scenario 1. One VC, Multiple Protocols PPPoA (RFC-2364) encapsulation with VC-based multiplexing is the best combination because no extra protocol identifying headers are needed. The PPP protocol already contains this information. • Scenario 2. One VC, One Protocol (IP) BCM50a Integrated Router Configuration — Advanced...
  • Page 72: Figure 18 Menu 11.1 - Remote Node Profile

    Selecting RFC-1483 encapsulation with VC-based multiplexing requires the least amount of overhead (0 octets). However, if there is a potential need for multiple protocol support in the future, it may be safer to select PPPoA encapsulation instead of RFC-1483, so you do not need to reconfigure either computer later.
  • Page 73 Type the login name assigned by your ISP when the BCM50a Integrated Router calls this remote node. My Password Type the password assigned by your ISP when the BCM50a Integrated Router calls this remote node. Authen This field sets the authentication protocol used for outgoing calls.
  • Page 74: Edit IP/Bridge

    Idle Timeout (sec): Type the number of seconds (0-9999) that can elapse when the BCM50a Integrated Router is idle (there is no traffic going to the remote node), before the BCM50a Integrated Router automatically disconnects the remote node. 0 means that the session will not time out.
  • Page 75: Figure 19 Menu 11.3 - Remote Node Network Layer Options

    ISP node (also the one you configure in menu 4), all other nodes are set to Static. Rem IP Addr: This is the IP address you entered in the previous menu. Rem Subnet Mask: Type the subnet mask assigned to the remote node.
  • Page 76 IP network numbers for the WAN and LAN links and each end to have a unique address within the WAN network number. In that case, type the IP address assigned to the WAN port of your BCM50a Integrated Router. NOTE: Refers to local BCM50a Integrated Router address, not the remote router address.
  • Page 77: Remote Node Filter

    Use menu 11.1.4 to specify the filter sets to apply to the incoming and outgoing traffic between this remote node and the BCM50a Integrated Router to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
  • Page 78: Figure 20 Menu 11.1.4 - Remote Node Filter (Ethernet Encapsulation)

    78 Chapter 6 Remote Node setup Figure 20 Menu 11.1.4 – Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 21 Menu 11.1.4 –...
  • Page 79: Editing ATM Layer Options

    Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. LLC-based Multiplexing or PPP Encapsulation For LLC-based multiplexing or PPP encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header. BCM50a Integrated Router Configuration — Advanced...
  • Page 80: Advance Setup Options

    80 Chapter 6 Remote Node setup Figure 23 Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation Menu 11.6 - Remote Node ATM Layer Options VPI/VCI (LLC-Multiplexing or PPP-Encapsulation) VPI #= 8 VCI #= 35 ATM QoS Type= UBR ENTER here to CONFIRM or ESC to CANCEL: In this case, only one set of VPI and VCI numbers need be specified for all protocols.
  • Page 81: Figure 25 Menu 11.8 - Advance Setup Options

    PPPoE client software on their computers to connect to the ISP. After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
  • Page 83: IP Static Route Setup

    Chapter 7 IP Static Route Setup This chapter shows you how to configure static routes with your BCM50a Integrated Router. IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown in Figure 26 to configure IP static routes in menu 12.
  • Page 84: Figure 26 Menu 12 - IP Static Route Setup

    84 Chapter 7 IP Static Route Setup Figure 26 Menu 12 – IP Static Route Setup Menu 12 - IP Static Route Setup 1. Reserved 2. ________ 3. ________ 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ 9. ________ 10.
  • Page 85: Figure 27 Menu 12.1 - Edit IP Static Route

    Enter the IP address of the gateway. The gateway is an immediate Address neighbor of your BCM50a Integrated Router that forwards the packet to the destination. On the LAN, the gateway must be a router on the same segment as your BCM50a Integrated Router; over the WAN, the gateway must be the IP address of one of the remote nodes.
  • Page 86 Description Private This parameter determines if the BCM50a Integrated Router includes the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node is propagated to other hosts through RIP broadcasts.
  • Page 87: Chapter 8 Dial-In User Setup

    By storing user profiles locally, your BCM50a Integrated Router can authenticate users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your BCM50a Integrated Router. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup.
  • Page 88: Figure 29 Menu 14.1 - Edit Dial-In User

    88 Chapter 8 Dial-in User Setup Figure 29 Menu 14.1 – Edit Dial-in User Menu 14.1 - Edit Dial-in User User Name= test Active= Yes Password= ******** Press ENTER to Confirm or ESC to Cancel: Leave name field blank to delete profile Table 16 describes the fields in Figure...
  • Page 89: Network Address Translation (NAT)

    Chapter 9 Network Address Translation (NAT) This chapter discusses how to configure NAT on the BCM50a Integrated Router. Using NAT Note: You must create a firewall rule in addition to setting up SUA/ NAT, to allow traffic from the WAN to be forwarded through the BCM50a Integrated Router.
  • Page 90: Figure 30 Menu 4 - Applying NAT For Internet Access

    90 Chapter 9 Network Address Translation (NAT) Figure 30 Menu 4 – Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= ENET ENCAP Multiplexing= LLC-based VPI #= 8 VCI #= 35 My Login= N/A My Password= N/A ENET ENCAP Gateway= N/A IP Address Assignment= Dynamic...
  • Page 91: Figure 31 Menu 11.3 - Applying NAT To The Remote Node

    “Address Mapping Sets” on Translation page 92 for further discussion). Choose Full Feature if you have multiple public WAN IP addresses for your BCM50a Integrated Router. When you select Full Feature you must configure at least one address mapping set! NAT is disabled when you select this option.
  • Page 92: NAT Setup

    NAT setup Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA.
  • Page 93: SUA Address Mapping Set

    Enter Menu Selection Number: SUA Address Mapping Set Enter 255 to display the screen shown in Figure 34 (see “SUA (Single User Account) Versus NAT” on page 89). The fields in this menu cannot be changed.
  • Page 94: Figure 34 Menu 15.1.255 - SUA Address Mapping Rules

    94 Chapter 9 Network Address Translation (NAT) Figure 34 Menu 15.1.255 – SUA Address Mapping Rules Menu 15.1.255 - Address Mapping Rules Set Name= SUA Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------...
  • Page 95: User-Defined Address Mapping Sets

    Name field means that this is a required field and you must enter a name for the set. Note: The entire set is deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen.
  • Page 96: Ordering Your Rules

    Figure Ordering your rules Ordering your rules is important because the BCM50a Integrated Router applies the rules in the order that you specify. When a rule matches the current packet, the BCM50a Integrated Router takes the corresponding action and the remaining rules are ignored.
  • Page 97: Table 19 Fields In Menu 15.1.1

    36, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs. Note: An IP End address must be numerically greater than its corresponding IP Start address.
  • Page 98: Figure 36 Menu 15.1.1.1: Editing Or Configuring An Individual Rule In A Set

    98 Chapter 9 Network Address Translation (NAT) Figure 36 Menu 15.1.1.1: Editing or configuring an individual rule in a set Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= = N/A Global IP: Start= = N/A Press ENTER to Confirm or ESC to Cancel: Table 20 describes the fields in Figure...
  • Page 99: Configuring A Server Behind NAT

    [ESC] to cancel. Configuring a server behind NAT Note: If you do not assign a Default Server IP address, the BCM50a Integrated Router discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 100: Figure 37 Menu 15.2 - NAT Server Sets

    100 Chapter 9 Network Address Translation (NAT) Figure 37 Menu 15.2 – NAT Server Sets Menu 15.2 - NAT Server Setup Default Server: 0.0.0.0 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
  • Page 101: Figure 38 15.2.1 - NAT Server Configuration

    Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field.
  • Page 102: Figure 39 Menu 15.2 - NAT Server Setup

    102 Chapter 9 Network Address Translation (NAT) Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. Press [ENTER] at the “Press ENTER to confirm …”...
  • Page 103: General NAT Examples

    Internet access only In the Internet access example shown in Figure 41, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 104: Figure 41 NAT Example 1

    104 Chapter 9 Network Address Translation (NAT) Figure 41 NAT Example 1 BCM50a Integrated Router Figure 42 Menu 4: Internet access & NAT example Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= ENET ENCAP Multiplexing= LLC-based VPI #= 8...
  • Page 105: Example 2: Internet Access With An Inside Server

    In this case, you do exactly as shown in Figure 43 (use the convenient pre-configured SUA Only set), and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in Figure BCM50a Integrated Router Configuration — Advanced...
  • Page 106: Example 3: Multiple Public IP Addresses With Inside Servers

    106 Chapter 9 Network Address Translation (NAT) Figure 44 Menu 15.2: Specifying an inside server Menu 15.2 - NAT Server Setup Default Server: 192.168.1.10 Rule Act. Start Port End Port IP Address ------------------------------------------------------ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
  • Page 107: Figure 45 NAT Example 3

    Start IP as 10.132.50.1 (our first IGA) (see Figure 47). Repeat the previous step for rules 2 to 4 as outlined above. When finished, menu 15.1.1 looks as shown in Figure
  • Page 108: Figure 46 Example 3: Menu 11.3

    108 Chapter 9 Network Address Translation (NAT) Figure 46 Example 3: Menu 11.3 Menu 11.3 - Remote Node Network Layer Options IP Options: Bridge Options: IP Address Assignment = Dynamic Ethernet Addr Timeout(min)= N/A Rem IP Addr = 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set= 1...
  • Page 109: Figure 47 Example 3: Menu 15.1.1.1

    Chapter 9 Network Address Translation (NAT) 109 Figure 47 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 = N/A Global IP: Start= 10.132.50.1 = N/A Press ENTER to Confirm or ESC to Cancel: BCM50a Integrated Router Configuration — Advanced...
  • Page 110: Figure 48 Example 3: Final Menu 15.1.1

    110 Chapter 9 Network Address Translation (NAT) Figure 48 Example 3: Final Menu 15.1.1 Menu 15.1.1 - Address Mapping Rules Set Name= Example3 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ 1.
  • Page 111: Configuring Trigger Port Forwarding

    Configuring Trigger Port forwarding Note: Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown in Figure
  • Page 112: Figure 50 Menu 15.3 - Trigger Port Setup

    Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The BCM50a Integrated Router forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
  • Page 113 Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the BCM50a Integrated Router to record the IP address of the LAN computer that sent the traffic to a server on the WAN. Start Port...
  • Page 115: Introducing The Firewall

    [SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the WebGUI to configure firewall rules. BCM50a Integrated Router Configuration — Advanced...
  • Page 116: Figure 52 Menu 21.2 - Firewall Setup

    116 Chapter 10 Introducing the firewall Figure 52 Menu 21.2 – Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User’s Guide for details about the firewall default policies.
  • Page 117: Chapter 11 Filter Configuration

    This chapter shows you how to create and apply filters. Introduction to filters Your BCM50a Integrated Router uses filters to decide whether to allow passage of a data packet, make a call, or both. There are two types of filter applications: data filtering and call filtering.
  • Page 118: Filter Structure

    NetBIOS, into a single set and give it a descriptive name. With the BCM50a Integrated Router, you can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.
  • Page 119: Figure 54 Filter Rule Process

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. BCM50a Integrated Router Configuration — Advanced...
  • Page 120: Configuring A Filter Set

    120 Chapter 11 Filter configuration Configuring a Filter Set The BCM50a Integrated Router includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. Enter 21 in the main menu to open menu 21.
  • Page 121: Figure 56 Menu 21.1- Filter Set Configuration

    21.1.1 - Filter Rules Summary. The screen shown in Figure 57 shows the summary of the existing rules in the filter set. Table 23 and Table 24 contain a brief description of the abbreviations used in the previous menus.
  • Page 122: Table 23 Abbreviations Used In The Filter Rules Summary Menu

    122 Chapter 11 Filter configuration Table 23 Abbreviations used in the Filter Rules Summary Menu Field Description The filter rule number: 1 to 6. Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP. Filter Rules These parameters are displayed here.
  • Page 123: Configuring A Filter Rule

    When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the BCM50a Integrated Router warns you and prevents you from saving.
  • Page 124: Figure 57 Menu 21.1.1.1 - Tcp/Ip Filter Rule

    124 Chapter 11 Filter configuration Figure 57 Menu 21.1.1.1 – TCP/IP Filter Rule Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 IP Source Route= No Destination: IP Addr= IP Mask= Port #= Port # Comp= None Source: IP Addr=...
  • Page 125 Action Matched - Only packets that match the rule Action Not parameters are logged. Matched Action Not Matched - Only packets that do not Both match the rule parameters are logged. Both – All packets are logged. BCM50a Integrated Router Configuration — Advanced...
  • Page 126 126 Chapter 11 Filter configuration Table 25 TCP/IP Filter Rule Menu fields Field Description Options Action Matched Press [SPACE BAR] and then [ENTER] to select the Check Next action for a matching packet. Rule Forward Drop Action Not Matched Press [SPACE BAR] and then [ENTER] to select the action Check Next for a packet not matching the rule.
  • Page 127: Figure 58 Executing An Ip Filter

    [Figure 58: Executing an IP filter. Flowchart not reproduced.]
  • Page 128: Configuring A Generic Filter Rule

    For IP packets, it is generally easier to use the IP rules directly. For generic rules, the BCM50a Integrated Router treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
  • Page 129: Figure 59 Menu 21.1.1.1 - Generic Filter Rule

    Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8. Mask Enter the mask (in Hexadecimal notation) to apply to the data portion before comparison. BCM50a Integrated Router Configuration — Advanced...
  • Page 130: Example Filter

    This data is now displayed on Menu 21.1.1 - Filter Rules Summary. Example Filter The example shown in Figure 60 is set to block outside users from accessing the BCM50a Integrated Router via Telnet. See the included disk for more filter rule examples.
  • Page 131: Figure 60 Telnet Filter Example

    Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in Figure...
  • Page 132: Figure 61 Example Filter: Menu 21.1.3.1

    132 Chapter 11 Filter configuration Figure 61 Example Filter: Menu 21.1.3.1 Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0...
  • Page 133: Filter Types And Nat

    LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section. When NAT (Network Address Translation) is enabled, the inside IP address and port number BCM50a Integrated Router Configuration — Advanced...
  • Page 134: Firewall Versus Filters

    They are applied at the point when the BCM50a Integrated Router is receiving and sending the packets; for example, the interface. The interface can be...
  • Page 135: Applying Lan Filters

    You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, for example, 3, 4, 6, 11. Input filter sets filter incoming traffic to the BCM50a Integrated Router and output filter sets filter outgoing traffic from the BCM50a Integrated Router.
  • Page 136: Figure 65 Filtering Remote Node Traffic

    136 Chapter 11 Filter configuration Figure 65 Filtering Remote Node Traffic Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: N0115791...
  • Page 137: Chapter 12 Snmp Configuration

    SNMP Configuration To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The community for Get, Set and Trap fields is SNMP terminology for password. BCM50a Integrated Router Configuration — Advanced...
  • Page 138: Figure 66 Menu 22 - Snmp Configuration

    Set requests from the management by default) station. Trusted Host If you enter a trusted host, your BCM50a Integrated 0.0.0.0 Router will only respond to SNMP messages from this address. A blank (default) field means your BCM50a Integrated Router will respond to all SNMP messages it receives, regardless of source.
  • Page 139: Snmp Traps

    SNMP Traps The BCM50a Integrated Router sends traps to the SNMP manager when any one of the following events occurs: Table 28 SNMP Traps Trap # Trap Name Description coldStart (defined in A trap is sent after booting (power on).
  • Page 141: Chapter 13 System Security

    Chapter 13 System security This chapter describes how to configure the system security on the BCM50a Integrated Router. System security You can configure the system password, an external RADIUS server and 802.1x in this menu. System password Figure 67 Menu 23 – System security Menu 23 - System Security 1.
  • Page 142: Configuring External Radius Server

    142 Chapter 13 System security Configuring external RADIUS server Enter 23 in the main menu to display Menu 23 – System security. Figure 68 Menu 23 – System Security Menu 23 - System Security 1. Change Password 2. RADIUS Server 4.
  • Page 143: Table 29 Menu 23.2 System Security: Radius Server

    BCM50a Integrated Router. The key is not sent over the network. This key must be the same on the external authentication server and BCM50a Integrated Router. Accounting Server Active Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external accounting server.
  • Page 145: System Information And Diagnosis

    This chapter covers SMT menus 24.1 to 24.4. Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your BCM50a Integrated Router. These tools include updates on system status, port status and log and trace capabilities.
  • Page 146: System Status

    System Status is a tool that can be used to monitor your BCM50a Integrated Router. Specifically, it gives you information on your system firmware version, number of packets sent, and number of packets received.
  • Page 147: Figure 71 Menu 24.1 - System Maintenance - Status

    The number of received packets from this remote node. Errors The number of error packets on this connection. Tx B/s This shows the transmission rate in bytes per second. Rx B/s This shows the receiving rate in bytes per second. BCM50a Integrated Router Configuration — Advanced...
  • Page 148: System Information And Console Port Speed

    148 Chapter 14 System information and diagnosis Table 30 Menu 24.1 System Maintenance: Status (continued) Field Description Up Time This is the time this channel has been connected to the current remote node. My WAN IP This is the IP address of the ISP remote node. (from ISP) Ethernet This shows statistics for the LAN.
  • Page 149: System Information

    2. Console Port Speed Please enter selection: System Information System Information gives you information about your system, as shown in Figure 73. More specifically, it gives you information on your routing protocol, Ethernet address and IP address. BCM50a Integrated Router Configuration — Advanced...
  • Page 150: Figure 73 Menu 24.2.1 - System Maintenance - Information

    Refers to the Ethernet MAC (Media Access Control) of your BCM50a Integrated Router. IP Address This is the IP address of the BCM50a Integrated Router in dotted decimal notation. IP Mask This shows the subnet mask of the BCM50a Integrated Router.
  • Page 151: Console Port Speed

    Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Log and trace The BCM50a Integrated Router has a syslog facility for message logging, and a trace function for viewing call-triggering packets. BCM50a Integrated Router Configuration — Advanced...
  • Page 152: Syslog Logging

    Press ENTER to Confirm or ESC to Cancel Syslog logging The BCM50a Integrated Router uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Syslog Logging, as...
  • Page 153: Cdr

    After you finish configuring this screen, press [ENTER] to confirm or [ESC] to cancel. Your BCM50a Integrated Router sends five types of syslog messages. Some examples of these syslog messages with their message formats are shown next: CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );...
  • Page 154: Packet Triggered

    154 Chapter 14 System information and diagnosis Packet triggered Packet triggered Message Format SdcmdSyslogSend( SYSLOG_PKTTRI, SYSLOG_NOTICE, String ); String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG) Data: We will send forty-eight Hex characters to the server Jul 19 11:28:39 192.168.102.2 RAS: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c0200010061626364656 66768696a6b6c6d6e6f7071727374...
  • Page 155: Ppp Log

    Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP/ PAP / IPCP / IPXCP Jul 19 11:42:44 192.168.102.2 RAS: ppp:LCP Closing Jul 19 11:42:49 192.168.102.2 RAS: ppp:IPCP Closing Jul 19 11:42:54 192.168.102.2 RAS: ppp:CCP Closing BCM50a Integrated Router Configuration — Advanced...
  • Page 156: Firewall Log

    156 Chapter 14 System information and diagnosis Firewall log Firewall Log Message Format SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf); buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action] Src: Source Address spo: Source port (empty means no source port information) Dst: Destination Address dpo: Destination port (empty means no destination port information) prot: Protocol (“TCP”,”UDP”,”ICMP”, ”IGMP”, ”GRE”, ”ESP”)
  • Page 157 0020: 60 02 20 00 E0 6A 00 00-02 04 02 00 Press any key to continue... With the diagnostic facility, you can test the different aspects of your BCM50a Integrated Router to determine if it is working properly. In Menu 24.4, you can...
  • Page 158: Wan Dhcp

    WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in WAN & LAN DHCP. LAN DHCP is discussed in BCM50a Integrated Router Configuration - Basics (N0115790). The BCM50a Integrated Router can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.3 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet) or...
  • Page 159: Figure 79 Wan & Lan Dhcp

    Chapter 14 System information and diagnosis 159 Figure 79 WAN & LAN DHCP BCM50a Integrated Router Table 33 describes the diagnostic tests available in menu 24.4 for your BCM50a Integrated Router and associated connections. Table 33 System Maintenance menu diagnostic Field...
  • Page 161: Firmware And Configuration File Maintenance

    The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup and TCP/IP Setup. It comes with a rom filename extension. Once you have customized the BCM50a Integrated Router settings, they can be saved back to your computer under a filename of your choosing.
  • Page 162: Backup Configuration

    BCM50a Integrated Router and the external filename refers to the filename not on the BCM50a Integrated Router, that is, on your computer, local network or FTP site and so the name (but not the extension) can vary. After uploading new firmware, see the F/W version field in Menu 24.2.1 –...
  • Page 163: Backup Configuration

    Press ENTER to Exit: Using the FTP command from the command line Launch the FTP client on your computer. Enter open, followed by a space and the IP address of your BCM50a Integrated Router. Press [ENTER] when prompted for a username.
  • Page 164: Example Of Ftp Commands From The Command Line

    164 Chapter 15 Firmware and configuration file maintenance Example of FTP commands from the command line Figure 81 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 config.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 165: Backup Configuration Using Tftp

    Telnet service. • The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the BCM50a Integrated Router disconnects the Telnet session immediately. Backup configuration using TFTP The BCM50a Integrated Router supports the uploading and downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
  • Page 166: Tftp Command Example

    Enter the IP address of the BCM50a Integrated Router. 192.168.1.1 is the BCM50a Integrated Router’s default IP address when shipped. Send/Fetch Use Send to upload the file to the BCM50a Integrated Router and Fetch to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or...
  • Page 167: Restore Configuration

    FTP is the preferred method for restoring your current computer configuration to your BCM50a Integrated Router since FTP is faster. Note that you must wait for the system to automatically restart after the file transfer is complete.
  • Page 168: Figure 82 Telnet Into Menu 24.6

    Press ENTER to Exit: Launch the FTP client on your computer. Enter open, followed by a space and the IP address of your BCM50a Integrated Router. Press [ENTER] when prompted for a username. Enter your password as requested (the default is “PlsChgMe!”).
  • Page 169: Restore Using Ftp Session Example

    FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you use Telnet to access the BCM50a Integrated Router, the screens for uploading firmware and the configuration file using FTP appear.
  • Page 170: Configuration File Upload

    170 Chapter 15 Firmware and configuration file maintenance Figure 84 Telnet Into Menu 24.7.1 Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 171: Ftp File Upload Command From The Dos Prompt Example

    FTP file upload command from the DOS prompt example Launch the FTP client on your computer. Enter “open”, followed by a space and the IP address of your BCM50a Integrated Router. Press [ENTER] when prompted for a username.
  • Page 172: Ftp Session Example Of Firmware File Upload

    Use Telnet from your computer to connect to the BCM50a Integrated Router and log on. Because TFTP does not have any security checks, the BCM50a Integrated Router records the IP address of the Telnet client and accepts TFTP requests only from this address.
  • Page 173: Tftp Upload Command Example

    BCM50a Integrated Router and the computer. The file name for the firmware is ras. Note that the telnet connection must be active and the BCM50a Integrated Router must be in CI mode before and during the TFTP transfer. For details about TFTP commands (see “TFTP upload command example”...
  • Page 175: System Maintenance Menus 8 To 10

    Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet connection, although some commands are only available with a serial connection. See the included disk or www.nortel.com for more detailed information about CI commands. Enter 8 from Menu 24 - System Maintenance.
  • Page 176: Command Syntax

    176 Chapter 16 System Maintenance menus 8 to 10 Figure 87 Command mode in Menu 24 Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6.
  • Page 177: Command Usage

    With the budget management function, you can set a limit on the total outgoing call time of the BCM50a Integrated Router within certain times. When the total outgoing call time exceeds the limit, the current call is dropped and any future outgoing calls are blocked.
  • Page 178: Budget Management

    178 Chapter 16 System Maintenance menus 8 to 10 Figure 88 Call Control Menu 24.9 - System Maintenance - Call Control 1.Budget Management 2.Call History Enter Menu Selection Number: Budget management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the Budget Management menu (Figure...
  • Page 179: Figure 89 Budget Management

    11.1.) The elapsed time is the 1-hour time period has time used up within this period. lapsed. Enter “0” to update the screen or press [ESC] to return to the previous screen. BCM50a Integrated Router Configuration — Advanced...
  • Page 180: Call History

    180 Chapter 16 System Maintenance menus 8 to 10 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control. Figure 90 Call History Menu 24.9.2 - Call History Phone Number...
  • Page 181: Time And Date Setting

    Enter Menu Selection Number: Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your BCM50a Integrated Router, as shown in Figure...
  • Page 182: Figure 92 Menu 24.10 System Maintenance: Time And Date Setting

    182 Chapter 16 System Maintenance menus 8 to 10 Figure 92 Menu 24.10 System Maintenance: Time and Date Setting Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= a.ntp.alphazed.net Current Time: 01 : 07 : 41 New Time (hh:mm:ss): Current Date: 2000 - 01 - 01...
  • Page 183 02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). After you fill in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel” to save your configuration, or press [ESC] to cancel.
  • Page 184: Resetting The Time

    The BCM50a Integrated Router resets the time in three instances: • After you make changes to and leave menu 24.10 • After the BCM50a Integrated Router starts up, if a time server is configured in menu 24.10 • After starting the BCM50a Integrated Router, in 24-hour intervals...
  • Page 185: Chapter 17 Remote Management

    Remote Management With remote management, you can determine which services and protocols can access which BCM50a Integrated Router interface (if any) from which computers. You can manage your BCM50a Integrated Router from a remote location via: • Internet (WAN only) •...
  • Page 186: Figure 93 Menu 24.11 - Remote Management Control

    [ENTER] to choose from: LAN only, WAN only, ALL or Disable. Secure Client IP The default 0.0.0.0 allows any client to use this service to remotely manage the BCM50a Integrated Router. Enter an IP address to restrict access to a client with a matching IP address. N0115791...
  • Page 187: Remote Management Limitations

    You disable that service in menu 24.11. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the BCM50a Integrated Router disconnects the session immediately. There is already another remote management session of the same type (web, FTP or Telnet) running.
  • Page 189: Chapter 18 Call Scheduling

    Introduction Using the call scheduling feature, the BCM50a Integrated Router can manage a remote node and dictate when a remote node is called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record).
  • Page 190: Figure 95 Menu 26.1 - Schedule Set Setup

    For example, if sets 1, 2, 3, and 4 are applied in the remote node then set 1 takes precedence over sets 2, 3, and 4 as the BCM50a Integrated Router, by default, applies the lowest numbered set first. Set 2 takes precedence over sets 3 and 4, and so on.
  • Page 191: Table 41 Menu 26.1 Schedule Set Setup

    Chapter 18 Call scheduling 191 If a connection is already established, your BCM50a Integrated Router does not drop it. After the connection is dropped manually or it times out, then that remote node cannot be triggered until the end of the Duration.
  • Page 192: Figure 96 Applying Schedule Sets To A Remote Node (Pppoe)

    192 Chapter 18 Call scheduling After you configure your schedule sets, you must apply them to the desired remote nodes. Enter 11 from the Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available, as shown in Figure...
  • Page 193: Setting Up Your Computer Ip Address

    If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the BCM50a Integrated Router LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window BCM50a Integrated Router Configuration —...
  • Page 194: Installing Components

    Figure 97 Windows 95/98/Me: network: configuration Installing components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
  • Page 195: Configuring

    IP Address and Subnet Mask fields. Figure 98 Windows 95/98/Me: TCP/IP properties: IP address Click the DNS Configuration tab. — If you do not know your DNS information, select Disable DNS. BCM50a Integrated Router Configuration — Advanced...
  • Page 196: Verifying Settings

    Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your BCM50a Integrated Router and restart your computer when prompted. Verifying Settings Click Start and then Run.
  • Page 197: Windows 2000/Nt/Xp

    For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. Figure 100 Windows XP: Start menu For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 101 Windows XP: Control Panel BCM50a Integrated Router Configuration — Advanced...
  • Page 198: Figure 102 Windows Xp: Control Panel: Network Connections: Properties

    198 Appendix A Setting up your computer IP address Right-click Local Area Connection and then click Properties. Figure 102 Windows XP: Control Panel: Network Connections: Properties Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. Figure 103 Windows XP: Local Area Connection Properties N0115791...
  • Page 199: Figure 104 Windows Xp: Advanced Tcp/Ip Settings

    Subnet mask, and then click Add. — Repeat the above two steps for each IP address you want to add. — Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways. BCM50a Integrated Router Configuration — Advanced...
  • Page 200: Figure 105 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    200 Appendix A Setting up your computer IP address — In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
  • Page 201: Verifying Settings

    Appendix A Setting up your computer IP address 201 10 Turn on your BCM50a Integrated Router and restart your computer (if prompted). Verifying Settings Click Start, All Programs, Accessories and then Command Prompt. In the Command Prompt window, type ipconfig and press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
  • Page 202: Verifying Settings

    — Type your IP address in the IP Address box. — Type your subnet mask in the Subnet mask box. — Type the IP address of your BCM50a Integrated Router in the Router address box. Close the TCP/IP Control Panel.
  • Page 203: Macintosh Os X

    — Select Automatic from the Location list. — Select Built-in Ethernet from the Show list. — Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. Figure 109 Macintosh OS X: Network BCM50a Integrated Router Configuration — Advanced...
  • Page 204: Verifying Settings

    — Type your IP address in the IP Address box. — Type your subnet mask in the Subnet mask box. — Type the IP address of your BCM50a Integrated Router in the Router address box. Click Apply Now and close the window.
  • Page 205: Triangle Route

    Triangle Route The Ideal Setup When the firewall is on, your BCM50a Integrated Router acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the BCM50a Integrated Router to protect your LAN against attacks.
  • Page 206: The Triangle Route Solutions

    The reply from the WAN goes directly to the computer on the LAN without going through the BCM50a Integrated Router. As a result, the BCM50a Integrated Router resets the connection, as the connection is not acknowledged. Figure 111 Triangle Route Problem...
  • Page 207: Figure 112 Ip Alias

    The BCM50a Integrated Router reroutes the packet to Gateway B, which is in Subnet 2. The reply from WAN goes to the BCM50a Integrated Router. The BCM50a Integrated Router sends the response to the computer in Subnet...
  • Page 209: Importing Certificates

    This appendix shows examples for importing certificates. Import BCM50a Integrated Router certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the BCM50a Integrated Router server certificate by importing it into your operating system as a trusted certification authority.
  • Page 210: Importing The Bcm50A Integrated Router Certificate Into Internet Explorer

    210 Appendix C Importing certificates Importing the BCM50a Integrated Router Certificate into Internet Explorer For Internet Explorer to trust a self-signed certificate from the BCM50a Integrated Router, simply import the self-signed certificate into your operating system as a trusted certification authority.
  • Page 211: Figure 115 Certificate General Information Before Import

    Appendix C Importing certificates 211 Click Install Certificate to open the Install Certificate wizard. Figure 115 Certificate General Information before Import BCM50a Integrated Router Configuration — Advanced...
  • Page 212: Figure 116 Certificate Import Wizard 1

    212 Appendix C Importing certificates Click Next to begin the Install Certificate wizard. Figure 116 Certificate Import Wizard 1 N0115791...
  • Page 213: Figure 117 Certificate Import Wizard 2

    Appendix C Importing certificates 213 Select where you want to store the certificate and click Next. Figure 117 Certificate Import Wizard 2 BCM50a Integrated Router Configuration — Advanced...
  • Page 214: Figure 118 Certificate Import Wizard 3

    214 Appendix C Importing certificates Click Finish to complete the Import Certificate wizard. Figure 118 Certificate Import Wizard 3 Click Yes to add the BCM50a Integrated Router certificate to the root store. Figure 119 Root Certificate Store N0115791...
  • Page 215: Enrolling And Importing Ssl Client Certificates

    The SSL client needs a certificate if Authenticate Client Certificates is selected on the BCM50a Integrated Router. You must have imported at least one trusted CA to the BCM50a Integrated Router in order for the Authenticate Client Certificates to be active (see “Certificates”...
  • Page 216: Figure 121 BCM50a Integrated Router Trusted CA Screen

    Figure 121 BCM50a Integrated Router Trusted CA screen The CA sends you a package containing the CA’s trusted certificates, your personal certificates and a password to install the personal certificates.
  • Page 217: Figure 122 CA Certificate Example

    You need a password in advance. The CA can issue the password or you can specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to Figure 123
  • Page 218: Figure 123 Personal Certificate Import Wizard 1

    Click Next to begin the wizard. Figure 123 Personal certificate import wizard 1
  • Page 219: Figure 124 Personal Certificate Import Wizard 2

    The file name and path of the certificate you double-clicked automatically appears in the File name text box. Click Browse if you wish to import a different certificate. Figure 124 Personal certificate import wizard 2
  • Page 220: Figure 125 Personal Certificate Import Wizard 3

    Enter the password given to you by the CA. Figure 125 Personal certificate import wizard 3
  • Page 221: Figure 126 Personal Certificate Import Wizard 4

    Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 126 Personal certificate import wizard 4
  • Page 222: Figure 127 Personal Certificate Import Wizard 5

    Click Finish to complete the wizard and begin the import process. Figure 127 Personal certificate import wizard 5 Figure 128 shows the screen that appears when the certificate is correctly installed on your computer. Figure 128 Personal certificate import wizard 6
  • Page 223: Using a Certificate When Accessing the BCM50a Integrated Router Example

    Use the following procedure to access the BCM50a Integrated Router via HTTPS. Enter https://<BCM50a Integrated Router IP Address>/ in your browser’s web address field. Figure 129 Access the BCM50a Integrated Router via HTTPS...
  • Page 224: Figure 131 BCM50a Integrated Router Secure Login Screen

    The BCM50a Integrated Router login screen appears. Figure 131 BCM50a Integrated Router secure login screen
  • Page 225: PPPoE

    It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services.
    Traditional dial-up scenario
    Figure 132 depicts a typical hardware configuration in which the PCs use traditional dial-up networking.
  • Page 226: How PPPoE Works

    However, the PPP negotiation is between the PC and the ISP.
    BCM50a Integrated Router as a PPPoE client
    When using the BCM50a Integrated Router as a PPPoE client, the PCs on the LAN see only the Ethernet and are not aware of the PPPoE. This relieves the administrator from having to manage the PPPoE clients on the individual PCs.
  • Page 227: Figure 133 BCM50a Integrated Router as a PPPoE Client

    Figure 133 BCM50a Integrated Router as a PPPoE Client
  • Page 229: Hardware Specifications

    IRD + OTD + IRD + IRD + IRD - OTD - IRD - IRD - OTD + IRD + OTD + 3 OTD + OTD - IRD - OTD - 6 OTD -
  • Page 231: IP Subnetting

    ID. • Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting. (There is also a class “E” address, which is reserved for future use.)
  • Page 232: Table 44 Allowed IP Address Range By Class

    Table 43 Classes of IP addresses
    IP Address: Octet 1, Octet 2, Octet 3, Octet 4
    Class A: Network number, Host ID, Host ID, Host ID
    Class B: Network number, Network number, Host ID, Host ID
    Class C: Network number, Network number...
  • Page 233: Subnet Masks

    This is usually specified by writing a / followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128.
  • Page 234: Example: Two Subnets

    Table 46 shows all possible subnet masks for a class C address using both notations. Table 46 Alternative Subnet Mask Notation Subnet mask IP address Subnet mask 1 Bits Last octet bit value 255.255.255.0 0000 0000 255.255.255.128 1000 0000 255.255.255.192...
  • Page 235: Table 47 Subnet 1

    IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2^7 – 2 or 126 hosts for each subnet.
  • Page 236: Example: Four Subnets

    192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126.
  • Page 237: Example: Eight Subnets

    Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). Table 53 shows class C IP address last-octet values for each subnet. Table 53 Eight subnets Subnet Subnet Address First Address Last Address Broadcast Address
  • Page 238: Subnetting With Class A And Class B Networks

    Table 53 Eight subnets Subnet Subnet Address First Address Last Address Broadcast Address Table 54 is a summary for class C subnet planning. Table 54 Class C subnet planning No. Borrowed Host Bits Subnet Mask No....
  • Page 239 255.255.252.0 (/22) 1 022 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 512 255.255.255.192 (/26) 1 024 255.255.255.224 (/27) 2 048 255.255.255.240 (/28) 4 096 255.255.255.248 (/29) 8 192 255.255.255.252 (/30) 16 384 255.255.255.254 (/31) 32 768
  • Page 241: Command Interpreter

    The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or www.nortel.com for more detailed information on these commands.
  • Page 242: Sys Commands

    [year month date] date. Sets or displays the system time. time [hour [min [sec]]] Sets how often the BCM50a Integrated Router gets the date and time from the time server. period [day] Gets the date and time from the time sync server.
  • Page 243 2:alert/3:both] Records web access forward logs. urlforward [0:none/1:log] Clears the log. clear Displays all logs or specifies a category of logs. display [access|attack|error|ike|ipsec|javablocked|mten|packetfilter|pki|tcpreset|tls|upnp|urlblocked|urlforward] errlog Clears the error log. clear
  • Page 244 Table 56 Sys commands Command Description Displays the error log. disp Turns the error log online display on or off. online Loads the log settings buffer. Use this command before you configure the log settings. load...
  • Page 245 Turns TOS debug message on or off. debug Displays all hosts session counts. listPerHost Sets the session per host limit. sessPerHost timeout Displays all TOS (Temporarily Open Session) timeout information. display Sets the ICMP session idle timeout value. icmp
  • Page 246 Table 56 Sys commands Command Description Sets the IGMP session idle timeout value. igmp Sets the SYN TCP session idle timeout value. tcpsyn Sets the TCP session idle timeout value. Sets the TCP FIN session idle timeout value. tcpfin...
  • Page 247 Displays the specified text file. view <filename> wdog Turns the watchdog firmware protection feature on or off. switch [on|off] Sets (0-34 463) or displays the current watchdog count (in 1.6 sec units). [value]
  • Page 248 Saves UPnP information. load reserve [0:deny/1:permit] Saves UPnP information. save Turns Nortel’s proprietary DHCP enhancement feature on or off. m50Enable [yes|no] Displays the system socket’s ID #, socket type, control block address (PCB), IP address and port number of peer...
  • Page 249: Exit Command

    Ethernet commands. Each of these commands must be preceded by ether. For example, type ether config to display information on the LAN configuration. Table 58 Ether Commands Command Description Displays LAN configuration information. config driver
  • Page 250: IP Commands

    Table 58 Ether Commands Command Description Displays the Ethernet driver counters. disp <name> Shows the LAN status. status <ch_name> Displays the Ethernet device type. version edit Loads Ethernet (1:LAN) data from the System Parameters Table. load <1:LAN>...
  • Page 251 Shows the LAN DNS server settings. display Enables or disables the HTTP debug flag. httpd debug [on|off] This command currently does not work. icmp Displays the ICMP statistics counter. status Sets the ICMP router discovery flag. discovery <iface> [on|off]
  • Page 252 Table 59 IP commands Command Description Configures a network interface. ifconfig [iface] [ipaddr] [broadcast <addr> |mtu <value>|dynamic] Pings a remote host. ping <hostid> route Displays the routing table. status [if] Adds a route. <dest_addr|default>[/<bits>] <gateway>...
  • Page 253 Table 59 IP commands Command Description Sets the BCM50a Integrated Router to use the RIP information it receives. <iface> in [mode] Sets the BCM50a Integrated Router to broadcast its routing table. <iface> out [mode] Shows the dial-in user RIP direction....
  • Page 254 Table 59 IP commands Command Description Sets the content filtering customize action flags. actionFlags [act(1-7)] [enable/disable] Sets the content filtering customize log flags. logFlags [type(1-3)][enable/disable] Adds a trusted Web site, forbidden Web site or keyword blocking string. add [string]...
  • Page 255 [on|off] iface Sets IGMP group timeout for the specified interface. <iface> grouptm <timeout> Sets IGMP query interval for the specified interface. <iface> interval <interval> Adds an interface to a group. <iface> join <group>
  • Page 256 Table 59 IP commands Command Description Removes an interface from a group. <iface> leave <group> Sends an IGMP query on the specified interface. <iface> query Sets the IGMP response time. <iface> rsptime [time] Turns on IGMP on the specified interface. <iface>...
  • Page 257: IPSec Commands

    Sets the autotimer for updating IPSec rules that use a domain name as the secure gateway IP address. The interval is in minutes (30 default) and 0 means it never updates. update_peer <0~255>
  • Page 258 Description Adjusts autotimer to check if any inbound IPsec traffic has passed during the specified period. If not, the BCM50a Integrated Router disconnects the tunnel. chk_input <0~255> Displays runtime phase 1 and phase 2 SA information. show_runtime When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to the peer’s...
  • Page 259 Sets the phase 2 encryption key length (with AES encryption). p2EncryKeyLen <0:128 | 1:192 | 2:256> Sets the phase 2 authentication algorithm. p2AuthAlgo <0:MD5 | 1:SHA1> Sets the phase 2 SA lifetime. p2SaLifeTime <seconds>
  • Page 260 Specifies whether the rule is for a branch office or Contivity Client VPN connection. connType <0:Branch Office | 1:Contivity Client> Sets the BCM50a Integrated Router to authOptions <0:Username either send just the username and Password | password to the remote Contivity IPSec 1:Group ID &...
  • Page 261 Sets the remote ending IP address or subnet mask. rmAddrEndMask <IP> Sets the remote starting port number. rmPortStart <port> Sets the remote ending port number. rmPortEnd <port> Turns branch tunnel NAT address mapping on or off. btNatActive <Yes | No>
  • Page 262 Table 60 IPSec commands Command Description Sets the type of NAT address mapping. btNatType <0:single | 1:range | 2:all> Sets the branch tunnel NAT starting IP address. btNatAddrStart <IP address> Sets the branch tunnel NAT ending IP btNatArEnd <IP address>...
  • Page 263 AH_SHA1 | AH_MD5> <on | off> Enables or disables the specified Diffie-Hellman encryption level. <DES_DH1 | 3DES_DH2 | 128AES_DH5> <on | off> Enables or disables the Use Static Address option. static <on | off>
  • Page 264 Table 60 IPSec commands Command Description Selects an IP pool. The index starts at 1, and an inactive IP pool cannot be selected. ipPool <index> Before you configure an IP pool for client termination, you must load the specified IP pool. ipPool load <index>...
  • Page 265 <on | off> alpha-numeric password. Sets the maximum password age after which the login password expires, valid value: 0~180 days, and 0 means no expiration. age <days> Sets the minimum password length. minLen
  • Page 266: WAN Commands

    The following chart lists and describes the wan commands. Each of these commands must be preceded by wan when you use them. Table 61 WAN Commands Command Description Displays ADSL ber. adsl bert Displays the ADSL cell counter....
  • Page 267 Save Sets the waiting time before checking the hunting table result. timer Sends VC hunt pattern again. Send Displays hwsar packets incoming/outgoing hwsar information. driver Oam loopback function. Oamloopback [VPI] [VCI] [F5] [endToEnd] [funcType]
  • Page 268: Sys Firewall Commands

    Table 62 lists and describes the system firewall commands. Each of these commands must be preceded by sys firewall. For example, type sys firewall active yes to turn on the firewall. Table 62 Sys firewall commands Command Description...
  • Page 269: Bandwidth Management Commands

    # bandwidth xxx <name xxx> xxx b/s in LAN. The name is for your information. Sets the class priority. The range is between 0 (the lowest) to 7 (the highest). <priority x>
  • Page 270 Table 63 Bandwidth management commands Command Description The class can borrow bandwidth from its parent class when borrowing is turned on, and vice versa. <borrow on|off> Deletes the class # and its filter and all its children classes and their filters in LAN. del #...
  • Page 271 Displays the LAN classes. class Displays the WAN classes. Displays the LAN filter settings. filter Displays the WAN filter settings. Displays the statistics of the LAN classes. statistics Displays the statistics of the LAN classes.
  • Page 272: Certificates Commands

    Table 63 Bandwidth management commands Command Description Displays the bandwidth usage monitor <#> of the specified LAN class (or all of the LAN classes if you do not specify one). The first time you use the command turns it on;...
  • Page 273 (required). The format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2 048. The default is 1 024 bits.
  • Page 274 For my certificate importation to be successful, a certification request corresponding to the imported certificate must already exist on BCM50a Integrated Router. After the importation, the certification request is automatically deleted. If a descriptive name is not...
  • Page 275 Renames the specified trusted CA certificate. <old name> specifies the name of the certificate to be renamed. <new name> specifies the new name the certificate is saved as. rename <old name> <new name>
  • Page 276 Table 64 Certificates commands Command Description Specifies whether or not the specified CA issues CRL. <name> specifies the name of the CA certificate. [on|off] specifies whether or not the CA issues CRL. If [on|off] is not specified, the current crl_issuer status of the CA is used. crl_issuer <name> [on|off]...
  • Page 277 [login:pswd] <addr[:port]> specifies the server address (required) and port (optional). The format is "server-address[:port]". The default port is 389. [login:pswd] specifies the logon name and password, if required. The format is "[login:password]".
  • Page 279: NetBIOS Filter Commands

    • Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN.
    • Allow or disallow the sending of NetBIOS packets through VPN connections.
    • Allow or disallow NetBIOS packets to initiate calls.
  • Page 280: Display NetBIOS Filter Settings

    Figure 135 NetBIOS Display Filter Settings Command Example
    ============== NetBIOS Filter Status ===============
    Between LAN and WAN: Block
    IPSec Packets: Forward
    Trigger Dial: Disabled
    Syntax: sys filter netbios disp
    This command gives a read-only list of the current NetBIOS filter modes. The filter types and their default settings are as follows: Table 65 NetBIOS filter default settings Name...
  • Page 281: Example Commands

    This command forwards LAN to WAN and WAN to LAN NetBIOS packets.
    Command: sys filter netbios config 3 on
    This command blocks IPSec NetBIOS packets.
    Command: sys filter netbios config 4 off
    This command stops NetBIOS commands from initiating calls.
  • Page 282: Enhanced DHCP Option Commands

    For example, you would type “2” to assign the second IP address of the DHCP server pool to the Nortel BCM50. Use this command to specify the IP address that the BCM50a Integrated Router is to assign to the BCM50.
  • Page 283: Nortel BCM50 DHCP Server Options

    The following example sets the BCM50a Integrated Router to assign an IP address of 11.12.13.10 to the Nortel BCM50.
    ip dhcp <interface> server m50ipreserve ip 11.12.13.10
    Nortel BCM50 DHCP server options
    Use these commands to add site-specific options to the DHCP server’s offer messages that it sends to the BCM50.
  • Page 284: BCM50 IP Sets Override Setting

    You can type the full IP addresses or just the last parts. If you type part of an IP address, the BCM50a Integrated Router combines it with the IP address assigned to the BCM50 customer LAN interface to form a range of IP addresses that are on the same subnet as the BCM50 customer LAN interface.
  • Page 285: Nortel i2004 IP Phone Options

    Use “0” to not have the Nortel BCM50 assign VoIP server and VLAN settings to Nortel’s IP Telephone 2004. Use this command to set the Nortel BCM50 DHCP to assign VoIP server and VLAN settings to Nortel’s IP Telephone 2004. You must also configure the VoIP server and VLAN settings assignment, see the “Nortel i2004 IP phone options...
  • Page 286: VLAN ID Assignment

    VoIP telephones. ip dhcp enif0 server voipserver 1 11.12.13.7 7001 3 This next command sets the BCM50a Integrated Router to assign the second VoIP server’s IP address (11.12.13.8), port number (7002) and retry count (2) to Nortel’s i2004 VoIP telephones.
  • Page 287: Nortel WLAN Handsets 2210 & 2211 Phone Options

    This command sets DHCP option 191. The following example sets the BCM50a Integrated Router to assign a VLAN ID of five to VoIP telephones.
    ip dhcp enif0 server vlanid 5
    Nortel WLAN handsets 2210 & 2211 phone options
    Nortel's WLAN Handsets 2210 &...
  • Page 288: WLAN IP Telephony Manager IP Address Assignment

    Handsets 2210 & 2211. This command sets DHCP option 151. The following example sets the BCM50a Integrated Router to assign a WLAN Telephony Manager 2245 IP address of 11.12.13.16 to WLAN Handsets 2210 & 2211. ip dhcp <interface> server wlantelmanager 11.12.13.16...
  • Page 289: Log Descriptions

    WEB Login Successfully: Someone has logged on to the router's WebGUI interface.
    WEB Login Fail: Someone has failed to log on to the router's WebGUI interface.
    TELNET Login Successfully: Someone has logged on to the router via Telnet.
  • Page 290: Table 68 UPnP Logs

    UPnP pass through Firewall: UPnP packets can pass through the firewall.
    Table 69 Content filtering logs Category Log Message Description
    URLFOR IP/Domain Name: The BCM50a Integrated Router allows access to this IP address or domain name and forwards traffic to the IP address or domain name....
  • Page 291: Table 70 Attack Logs

    icmp echo ICMP (type:%d, code:%d): The firewall detected an ICMP echo attack.
    syn flood TCP: The firewall detected a TCP syn flood attack.
    ports scan TCP: The firewall detected a TCP port scan attack.
  • Page 292 NetBIOS TCP ip spoofing - no routing entry TCP: The firewall detected a TCP IP spoofing attack while the BCM50a Integrated Router did not have a default route. The firewall detected a UDP IP spoofing attack while the ip spoofing - no routing BCM50a Integrated Router did not have a default route....
  • Page 293: Table 71 Access Logs

    Description
    Firewall default policy: TCP (set:%d): TCP access matched the default policy of the listed ACL set and the BCM50a Integrated Router blocked or forwarded it according to the ACL set’s configuration.
    UDP access matched the default policy of the listed ACL...
  • Page 294 Firewall rule match: OSPF (set:%d, rule:%d): BCM50a Integrated Router blocked or forwarded it according to the rule’s configuration. Firewall rule match: (set:%d, rule:%d): Access matched the listed firewall rule and the BCM50a Integrated Router blocked or forwarded it according to the rule’s configuration....
  • Page 295 Out of order TCP handshake packet blocked: The router blocked a TCP handshake packet that came out of the proper order. The BCM50a Integrated Router generates this log after it Drop unsupported/ drops an ICMP packet due to one of the following two out-of-order ICMP reasons: 1....
  • Page 296: Table 72 ACL Setting Notes

    WAN to LAN WAN to the LAN.
    LAN to LAN/BCM50a Integrated Router: ACL set 7 for packets traveling from the LAN to the LAN or the BCM50a Integrated Router.
    ACL set 8 for packets traveling from the WAN to WAN/BCM50a...
  • Page 297: VPN/IPSec Logs

    To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. Figure 136 shows a typical log from the initiator of a VPN connection.
  • Page 298: Figure 136 Example VPN Initiator IPSec Log

    Figure 136 Example VPN initiator IPSec log
    Index: Date/Time: Log:
    ------------------------------------------------------------
    01 Jan 08:02:22 Send Main Mode request to <192.168.100.101>
    01 Jan 08:02:22 Send:<SA>
    01 Jan 08:02:22 Recv:<SA>
    01 Jan 08:02:24 Send:<KE><NONCE>
    01 Jan 08:02:24 Recv:<KE><NONCE>...
  • Page 299: VPN Responder IPSec Log

    Note: Double exclamation marks (!!) denote an error or warning message. Table 75 shows sample log messages during IKE key exchange. Note: A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-shared key.
  • Page 300: Table 75 Sample IKE Key Exchange Logs

    Send <Symbol> Mode request to <IP>: The BCM50a Integrated Router has started negotiation with the peer.
    Recv <Symbol> Mode request from <IP>: The BCM50a Integrated Router has received an IKE negotiation request from the peer....
  • Page 301 Table 75 Sample IKE key exchange logs Log Message Description !! Active connection allowed exceeded: The BCM50a Integrated Router limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded....
  • Page 302: Table 76 Sample IPSec Logs During Packet Transmission

    Table 76 Sample IPSec logs during packet transmission LOG MESSAGE DESCRIPTION
    !! WAN IP changed to <IP>: If the BCM50a Integrated Router’s WAN IP changes, all configured “My IP Addr” are changed to “0.0.0.0”. If this field is configured as 0.0.0.0, the BCM50a Integrated Router uses the...
  • Page 303: Table 78 PKI Logs

    Rcvd CRL <size>: <issuer name>: The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
  • Page 304: Table 79 Certificate Path Verification Failure Reason Codes

    Table 78 PKI logs Log Message Description
    Rcvd ARL <size>: <issuer name>: The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.
    The router received a corrupted certification authority Failed to decode the certificate from the LDAP server whose address and port are...
  • Page 305: Log Commands

    Path was not verified. Maximum path length reached.
    Log commands
    Go to the command interpreter interface (see Appendix G, “Command Interpreter” on page 241 for information on how to access and use the commands).
  • Page 306: Configuring What You Want the BCM50a Integrated Router to Log

    Router (you must do this in order to record logs). Displaying logs Use the sys logs display command to show all of the logs in the BCM50a Integrated Router’s log. Use the sys logs category display command to show the log settings for all of the log categories.
  • Page 307: Log Command Example

    Use the sys logs display [log category] command to show the logs in an individual BCM50a Integrated Router log category. Use the sys logs clear command to erase all of the BCM50a Integrated Router’s logs.
    Log command example
    This example shows how to set the BCM50a Integrated Router to record the access logs and alerts and then view the results....
  • Page 309: Brute Force Password Guessing Protection

    N (a number from 1 to 60) minutes after the third time an incorrect password is entered.
    Example
    sys pwderrtm 5
    This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
  • Page 311: Index

    Call Scheduling 34, 189 Diagnostic 157 Maximum Number of Schedule Sets 189 DoS (Denial of Service) 33 PPPoE 192 Dynamic DNS Support 34 Precedence 190 Precedence Example 190 Call-Triggering Packet 156 Central Network Management 35 EMAIL 49
  • Page 312 E-mail Address 49 Enable Wildcard 50 Hidden Menus 40 Encapsulation 66, 71 Hop Count 76 encapsulation 31 Host 49 Entering Information 41 Host IDs 232 Ethernet Encapsulation 78 HTTPS 33 F/W Version 162 Idle Timeout 70 Features 29 IGMP support 77 Filename Conventions 161 Incoming Protocol Filters 63...
  • Page 313 Ordering Rules 96 Remote Management Limitations 187 Network Address Translation 67 Remote Node 69, 148 Network Address Translation (NAT) 35, 89 Remote Node Setup 70 Remote Node Filter 77 Remote Node Index Number 147 Offline 50
  • Page 314 Required fields 41 Reset Button 32 TCP/IP 58, 61, 123, 124, 126, 129, 133 Resetting the Time 184 Setup 61 Restore Configuration 167 TCP/IP and DHCP Setup 58 RFC-1483 72 TCP/IP filter rule 123 RFC-2364 71 technical publications 24 RIP 61, 63, 76 text conventions 23 Direction 63...
  • Page 315 WAN DHCP 158, 159 WAN Setup 53, 54 WebGUI 116 www.dyndns.org 50
