Nortel. Trademarks Nortel, Nortel (Logo), the Globemark, and This is the way, This is Nortel (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
BCM50a Integrated Router Configuration — Advanced...

How PPPoE works
BCM50a Integrated Router as a PPPoE client
Appendix E Hardware specifications
Enhanced DHCP option commands introduction
Specifying the Nortel BCM50 IP address
Nortel BCM50 DHCP server options
Log commands
Configuring what you want the BCM50a Integrated Router to log
Displaying logs
Menu 14.1 – Edit Dial-in User

Figures
Figure 30 Menu 4 – Applying NAT for Internet Access
Figure 31 Menu 11.3 – Applying NAT to the Remote Node
Figure 32 Menu 15 –...
Windows 95/98/Me: TCP/IP properties: IP address
Figure 99 Windows 95/98/Me: TCP/IP Properties: DNS configuration
Figure 132 Single-PC per router hardware configuration
Figure 133 BCM50a Integrated Router as a PPPoE Client
Figure 134 Ethernet cable pin assignments
SNMP Traps
Table 29 Menu 23.2 System Security: RADIUS Server

Tables
Table 30 Menu 24.1 System Maintenance: Status
Table 31 Menu 24.2.1 System Maintenance: Information
Table 32 System Maintenance Menu Syslog Parameters
Log categories and available settings
Table 81 Brute force password guessing protection commands
Preface

Before you begin

This guide is designed to assist you with advanced configuration of your BCM50a Integrated Router for its various applications.

Note: This guide explains how to use the System Management Terminal (SMT) or the command interpreter interface to configure your BCM50a Integrated Router.

For more information about using the BCM50a Integrated Router, refer to the following publications:
• BCM50a Integrated Router Configuration - Basics (N0115790): The basic manual covers how to use the WebGUI to configure your BCM50a Integrated Router.
• WebGUI Online Help: Embedded WebGUI help for descriptions of individual screens and...
Telephone:
*European Free phone: 00800 800 89009
European Alternative: United Kingdom +44 (0)870-907-9009
Africa: +27-11-808-4000
Israel: 800-945-9779
Calls are not free from all countries in Europe, Middle East, or Africa.
Fax: 44-191-555-7980
E-mail: emeahelp@nortel.com

APAC (Asia Pacific)
Service Business Centre & Pre-Sales Help Desk: +61-2-8870-5511 (Sydney)
Technical Support - GNTS
Telephone: +612 8870 8800
Fax: +612 8870 5569
E-mail: asia_support@nortel.com
Australia: 1-800-NORTEL (1-800-667-835)
China: 010-6510-7770
India: 011-5154-2210
Indonesia: 0018-036-1004
Japan: 0120-332-533
Malaysia: 1800-805-380
New Zealand...
Thailand: 001-800-611-3007
Service Business Centre & Pre-Sales Help Desk: +61-2-8870-5511
Chapter 1 Getting to know your BCM50a Integrated Router

This chapter introduces the main features and applications of the BCM50a Integrated Router.

Introducing the BCM50a Integrated Router

The BCM50a Integrated Router is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN). Your BCM50a Integrated Router integrates high-speed 10/100 Megabits per second (Mb/s) autonegotiating LAN interfaces and a high-speed Asymmetrical Digital Subscriber Line Plus (ADSL2+) port into a single package.

Table 1 Feature specifications
Feature / Specification
Number of SUA (Single User Account) servers
Number of address mapping rules
Number of configurable VPN rules (gateway policies)
Number of configurable IPSec VPN IP policies (network policies)
A combination of switch and router makes your BCM50a Integrated Router a cost-effective and viable network solution. You can connect up to four computers or phones to the BCM50a Integrated Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN.
The LAN interfaces automatically adjust to either a crossover or straight through Ethernet cable.

Time and date

Using the BCM50a Integrated Router, you can get the current time and date from an external server when you turn on your BCM50a Integrated Router. You can also set the time manually.

Certificates

The BCM50a Integrated Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.

Content filtering

The BCM50a Integrated Router can block web features such as ActiveX controls, Java applets, and cookies, as well as disable web proxies. The BCM50a Integrated Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled.

IP Multicast

The BCM50a Integrated Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The BCM50a Integrated Router supports versions 1 and 2.

Traffic Redirect

Traffic Redirect forwards WAN traffic to a backup gateway when the BCM50a Integrated Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
ADSL. The BCM50a Integrated Router also provides IP address sharing and a firewall protected local network with traffic management. The BCM50a Integrated Router VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need (and expense) of leased lines between sites.
Figure 1 Secure Internet Access and VPN Application

Caution: Electro-static Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD. Avoid touching the connectors on the router, particularly when it is in use.

Chapter 2 Introducing the SMT

SMT, and how to configure SMT menus.

Initial screen

When you turn on your BCM50a Integrated Router, it performs several internal tests as well as line initialization. After the tests, the BCM50a Integrated Router asks you to press...

If you see a blank screen, press [ENTER] to bring up the logon screen again.

Navigating the SMT interface

The SMT is an interface that you use to configure your BCM50a Integrated Router. Table 2 lists several operations you must be familiar with before attempting to modify the configuration.

Type 99 at the main menu prompt and press [ENTER] to exit the SMT interface.

Main menu

After you enter the password, the SMT displays the BCM50a Integrated Router Main Menu, as shown in Figure 4. Not all models have all the features shown.

Figure 4 Main menu

BCM50a Integrated Router Main Menu
Getting Started              Advanced Management
1. General Setup             21. Filter and Firewall Setup
2. WAN Setup                 22. SNMP Configuration
3. LAN Setup                 23. System Security
4. Internet Access Setup     24.

Use this menu to exit (necessary for remote configuration).

Changing the system password

To change the BCM50a Integrated Router administrator password:
From the main menu, enter 23 to display Menu 23 – System Security.
Enter 1 to display Menu 23.1 – System Security – Change Password.

IP Address= N/A
Third System DNS Server= From ISP
IP Address= N/A
Edit Dynamic DNS= No
Route IP= Yes
Bridge= No
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.

System name: Choose a descriptive name for identification purposes. Nortel recommends you enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted. Example: BCM50a Integrated Router
Router's WAN IP address). The IP Address field below displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the BCM50a Integrated Router has a fixed WAN IP address, From ISP changes to None after you save your changes. If...
DNS queries to the private DNS server. One of the rule’s IP policies must include the LAN IP address of the BCM50a Integrated Router as a local IP address and the IP address of the DNS server as a remote IP address.
Enter your host names in the fields provided. You can specify up to two host names separated by a comma in each field. Example: me.dyndns.org
EMAIL: Enter your e-mail address. Example: mail@mailserver
User: Enter your username.
Password: Enter the password assigned to you.
BCM50a Integrated Router’s WAN IP address. DDNS does not work with a private IP address. When both fields are set to No, the BCM50a Integrated Router must have a public WAN IP address in order for DDNS to work.
Chapter 2 SMT menu 1 - general setup

The IP address updates when you reconfigure menu 1 or perform DHCP client renewal.

N0115791...
This chapter describes how to configure the WAN using Menu 2.

Introduction to WAN setup

This chapter explains how to configure the settings for your WAN port.

WAN setup

From the main menu, enter 2 to open Menu 2.

Route Selection (fields: WAN Metric, Traffic Redirect Metric, Dial Backup): The BCM50a Integrated Router uses the connection with the lowest metric value first. The default WAN connection is 1 as your broadband connection through the WAN port must always be your preferred method of accessing the WAN.
Select Yes and press [ENTER] to configure Menu 2.2 — Traffic Redirect Setup.
Dial-Backup: Dial backup does not apply to all BCM50a Integrated Router models.
Active: Use this field to turn the dial-backup feature on (Yes) or off (No).
Internet connection of the BCM50a Integrated Router terminates.
Metric: This field sets the priority for this route among the routes the BCM50a Integrated Router uses. The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks.

Chapter 4 LAN setup

This chapter describes how to configure the LAN using Menu 3: LAN Setup.

Introduction to LAN setup

This section describes how to configure the BCM50a Integrated Router for LAN connections.

Accessing the LAN menus

From the main menu, enter 3 to open Menu 3 – LAN setup

Figure 11 Menu 3 –...

Figure 12 Menu 3.1 – LAN Port Filter Setup

Menu 3.1 – LAN Port Filter Setup
Input Filter Sets:
  protocol filters=
  device filters=
Output Filter Sets:
  protocol filters=
  device filters=
Press ENTER to Confirm or ESC to Cancel:

TCP/IP and DHCP ethernet setup menu

From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP (RFC 1155) and DHCP Ethernet setup.

DHCP: This field enables and disables the DHCP server. If set to Server, your BCM50a Integrated Router will act as a DHCP server. If set to None, the DHCP server will be disabled. Example: Server
Configuration:
Client IP Pool This field specifies the first of the contiguous 192.168.1.2...
Address field below displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP, but the BCM50a Integrated Router has a fixed WAN IP address, From ISP changes to None after you save your changes. If you chose From ISP...
TCP/IP parameters for the LAN port.

Table 9 LAN TCP/IP setup menu fields
TCP/IP Setup:
IP Address: Enter the IP address of your BCM50a Integrated Router in dotted decimal notation. Example: 192.168.1.1 (default)
IP Subnet Mask: Your BCM50a Integrated Router automatically calculates the subnet mask based on the IP address that you assign. Example: 255.255.255.0

IP Alias: Choose Yes to configure the LAN network for the BCM50a Integrated Router.
IP Address: Enter the IP address of your BCM50a Integrated Router in dotted decimal notation. Example: 192.168.1.1
IP Subnet Mask: Your BCM50a Integrated Router automatically calculates the subnet mask based on the IP address that you assign. Example: 255.255.255.0

Filters incoming traffic between this node and the BCM50a Integrated Router.
Outgoing Protocol Filters: Enter the filter sets you wish to apply to the outgoing traffic between this node and the BCM50a Integrated Router.

Chapter 5 Internet access

This chapter shows you how to configure your BCM50a Integrated Router for Internet access.

Internet access configuration

Using Menu 4 you can enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in Menu 11.
You have successfully connected, installed, and set up your BCM50a Integrated Router to operate on your network, as well as access the Internet. If all your settings are correct, your BCM50a Integrated Router can connect automatically to the Internet. If the connection fails, note the error message that you receive on the screen and take the appropriate troubleshooting steps.
If you encounter a case where the peer disconnects right after a successful authentication, please make sure that you specify the correct authentication protocol when connecting to such an implementation.
The first is that idle timeout is disabled. The second is that the BCM50a Integrated Router will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
Chapter 6 Remote Node setup

• Scenario 1. One VC, Multiple Protocols
PPPoA (RFC-2364) encapsulation with VC-based multiplexing is the best combination because no extra protocol identifying headers are needed. The PPP protocol already contains this information.
• Scenario 2. One VC, One Protocol (IP)
Selecting RFC-1483 encapsulation with VC-based multiplexing requires the least amount of overhead (0 octets). However, if there is a potential need for multiple protocol support in the future, it may be safer to select PPPoA encapsulation instead of RFC-1483, so you do not need to reconfigure either computer later.

Type the login name assigned by your ISP when the BCM50a Integrated Router calls this remote node.
My Password: Type the password assigned by your ISP when the BCM50a Integrated Router calls this remote node.
Authen: This field sets the authentication protocol used for outgoing calls.
Idle Timeout (sec): Type the number of seconds (0-9999) that can elapse when the BCM50a Integrated Router is idle (there is no traffic going to the remote node), before the BCM50a Integrated Router automatically disconnects the remote node. 0 means that the session will not timeout.
ISP node (also the one you configure in menu 4), all other nodes are set to Static.
Rem IP Addr: This is the IP address you entered in the previous menu.
Rem Subnet Mask: Type the subnet mask assigned to the remote node.
IP network numbers for the WAN and LAN links and each end to have a unique address within the WAN network number. In that case, type the IP address assigned to the WAN port of your BCM50a Integrated Router. NOTE: Refers to local BCM50a Integrated Router address, not the remote router address.
Use menu 11.1.4 to specify the filter sets to apply to the incoming and outgoing traffic between this remote node and the BCM50a Integrated Router to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.

LLC-based Multiplexing or PPP Encapsulation

For LLC-based multiplexing or PPP encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header.

Figure 23 Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation

Menu 11.6 - Remote Node ATM Layer Options
VPI/VCI (LLC-Multiplexing or PPP-Encapsulation)
VPI #= 8
VCI #= 35
ATM QoS Type= UBR
ENTER here to CONFIRM or ESC to CANCEL:

In this case, only one set of VPI and VCI numbers need be specified for all protocols.

PPPoE client software on their computers to connect to the ISP. After you complete this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.

Chapter 7 IP Static Route Setup

This chapter shows you how to configure static routes with your BCM50a Integrated Router.

IP Static Route Setup

Enter 12 from the main menu. Select one of the IP static routes as shown in Figure 26 to configure IP static routes in menu 12.

Enter the IP address of the gateway. The gateway is an immediate neighbor of your BCM50a Integrated Router that forwards the packet to the destination. On the LAN, the gateway must be a router on the same segment as your BCM50a Integrated Router; over the WAN, the gateway must be the IP address of one of the remote nodes.
Private: This parameter determines if the BCM50a Integrated Router includes the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node is propagated to other hosts through RIP broadcasts.
By storing user profiles locally, your BCM50a Integrated Router can authenticate users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your BCM50a Integrated Router. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup.
Chapter 8 Dial-in User Setup

Figure 29 Menu 14.1 – Edit Dial-in User

Menu 14.1 - Edit Dial-in User
User Name= test
Active= Yes
Password= ********
Press ENTER to Confirm or ESC to Cancel:
Leave name field blank to delete profile

Table 16 describes the fields in Figure...

Chapter 9 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the BCM50a Integrated Router.

Using NAT

Note: You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the BCM50a Integrated Router.
“Address Mapping Sets” on Translation page 92 for further discussion). Choose Full Feature if you have multiple public WAN IP addresses for your BCM50a Integrated Router. When you select Full Feature you must configure at least one address mapping set! NAT is disabled when you select this option.
NAT setup

Use the address mapping sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT address mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA.

Enter Menu Selection Number:

SUA Address Mapping Set

Enter 255 to display the screen shown in Figure 34 (see “SUA (Single User Account) Versus NAT” on page 89). The fields in this menu cannot be changed.

Figure 34 Menu 15.1.255 – SUA Address Mapping Rules

Menu 15.1.255 - Address Mapping Rules
Set Name= SUA
Local Start IP   Local End IP     Global Start IP  Global End IP    Type
---------------  ---------------  ---------------  ---------------  ------...

Name field means that this is a required field and you must enter a name for the set.

Note: The entire set is deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen.

Ordering your rules

Ordering your rules is important because the BCM50a Integrated Router applies the rules in the order that you specify. When a rule matches the current packet, the BCM50a Integrated Router takes the corresponding action and the remaining rules are ignored.

36, Menu 15.1.1.1 - Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs.

Note: An IP End address must be numerically greater than its corresponding IP Start address.

Figure 36 Menu 15.1.1.1: Editing or configuring an individual rule in a set

Menu 15.1.1.1 Address Mapping Rule
Type= One-to-One
Local IP:
  Start=
  End = N/A
Global IP:
  Start=
  End = N/A
Press ENTER to Confirm or ESC to Cancel:

Table 20 describes the fields in Figure...

[ESC] to cancel.

Configuring a server behind NAT

Note: If you do not assign a Default Server IP address, the BCM50a Integrated Router discards all packets received for ports that are not specified here or in the remote management setup.

Enter a port number in the Start Port field. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field.
Enter the inside IP address of the server in the IP Address field. In the following figure, you have a computer acting as an FTP, Telnet and SMTP server (ports 21, 23 and 25) at 192.168.1.33. Press [ENTER] at the “Press ENTER to confirm …”...

Internet access only

In the Internet access example shown in Figure 41, you only need one rule where all your ILAs (Inside Local addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.

In this case, you do exactly as shown in Figure 43 (use the convenient pre-configured SUA Only set), and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in Figure

Figure 44 Menu 15.2: Specifying an inside server

Menu 15.2 - NAT Server Setup
Default Server: 192.168.1.10
Rule  Act.  Start Port  End Port  IP Address
------------------------------------------------------
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...

Start IP as 10.132.50.1 (our first IGA) (see Figure 47). Repeat the previous step for rules 2 to 4 as outlined above. When finished, menu 15.1.1 looks as shown in Figure

Figure 46 Example 3: Menu 11.3

Menu 11.3 - Remote Node Network Layer Options
IP Options:                        Bridge Options:
IP Address Assignment = Dynamic    Ethernet Addr Timeout(min)= N/A
Rem IP Addr = 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
NAT= Full Feature
Address Mapping Set= 1...

Figure 48 Example 3: Final Menu 15.1.1

Menu 15.1.1 - Address Mapping Rules
Set Name= Example3
Local Start IP   Local End IP     Global Start IP  Global End IP    Type
---------------  ---------------  ---------------  ---------------  ------
1.

Configuring Trigger Port forwarding

Note: Only one LAN computer can use a trigger port (range) at a time.

Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown in Figure
Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The BCM50a Integrated Router forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
Trigger: The trigger port is a port (or a range of ports) that causes (or triggers) the BCM50a Integrated Router to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
Start Port...

Chapter 10 Introducing the firewall

[SPACE BAR] and then [ENTER] to select Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Use the WebGUI to configure firewall rules.

Figure 52 Menu 21.2 – Firewall Setup

Menu 21.2 - Firewall Setup
The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User’s Guide for details about the firewall default policies.

Chapter 11 Filter configuration

This chapter shows you how to create and apply filters.

Introduction to filters

Your BCM50a Integrated Router uses filters to decide whether to allow passage of a data packet, make a call, or both. There are two types of filter applications: data filtering and call filtering.

NetBIOS, into a single set and give it a descriptive name. With the BCM50a Integrated Router, you can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.

You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.

Configuring a Filter Set

The BCM50a Integrated Router includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.

Enter 21 in the main menu to open menu 21.

21.1.1 - Filter Rules Summary. The screen shown in Figure 57 shows the summary of the existing rules in the filter set. Table 23 and Table 24 contain a brief description of the abbreviations used in the previous menus.

Table 23 Abbreviations used in the Filter Rules Summary Menu
Field / Description
The filter rule number: 1 to 6.
Active: “Y” means the rule is active. “N” means the rule is inactive.
Type: The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
Filter Rules: These parameters are displayed here.
When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the BCM50a Integrated Router warns you and prevents you from saving.
Figure 57 Menu 21.1.1.1 – TCP/IP Filter Rule

Menu 21.1.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0
IP Source Route= No
Destination: IP Addr=
             IP Mask=
             Port #=
             Port # Comp= None
Source: IP Addr=...

Action Matched - Only packets that match the rule parameters are logged.
Action Not Matched - Only packets that do not match the rule parameters are logged.
Both – All packets are logged.

Table 25 TCP/IP Filter Rule Menu fields
Action Matched: Press [SPACE BAR] and then [ENTER] to select the action for a matching packet. Options: Check Next Rule, Forward, Drop
Action Not Matched: Press [SPACE BAR] and then [ENTER] to select the action for a packet not matching the rule. Options: Check Next

[Flowchart: IP Protocol, Check Src & Dest Port, More?, Action Matched / Action Not Matched (Check Next Rule, Forward, Drop), Drop Packet, Check Next Rule, Accept Packet]
For IP packets, it is generally easier to use the IP rules directly. For generic rules, the BCM50a Integrated Router treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8.
Mask: Enter the mask (in Hexadecimal notation) to apply to the data portion before comparison.

This data is now displayed on Menu 21.1.1 - Filter Rules Summary.

Example Filter

The example shown in Figure 60 is set to block outside users from accessing the BCM50a Integrated Router via Telnet. See the included disk for more filter rule examples.

Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in Figure

Figure 61 Example Filter: Menu 21.1.3.1

Menu 21.1.3.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 23
             Port # Comp= Equal
Source: IP Addr= 0.0.0.0...
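The Telnet filter of Figure 61 and the generic-rule fields described earlier (Offset, Length, Mask, Value) are modelled below as an added Python example; it is not code from Nortel or from this manual. Assumptions: all class and function names are hypothetical, the Figure 61 actions (Drop when matched, Forward otherwise) are inferred from the stated purpose because the figure is cut off, inactive rules are skipped, a set in which no rule decides forwards the packet, and offset 0 is the first byte of the IPv4 header.

```python
import struct
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CHECK_NEXT = "Check Next Rule"
    FORWARD = "Forward"
    DROP = "Drop"


@dataclass
class GenericRule:
    """Generic rule: compare Length bytes at Offset, after Mask, with Value."""
    offset: int
    length: int          # the manual gives the range 0 to 8
    mask: bytes
    value: bytes
    matched: Action
    not_matched: Action
    active: bool = True

    def __post_init__(self):
        if not 0 <= self.length <= 8:
            raise ValueError("Length must be 0 to 8 bytes")
        if len(self.mask) != self.length or len(self.value) != self.length:
            raise ValueError("Mask and Value must be Length bytes long")

    def matches(self, pkt: bytes) -> bool:
        window = pkt[self.offset:self.offset + self.length]
        if len(window) < self.length:      # packet too short to compare
            return False
        return bytes(b & m for b, m in zip(window, self.mask)) == self.value


@dataclass
class TcpIpRule:
    """TCP/IP rule reduced to the fields that Figure 61 sets."""
    ip_protocol: int
    dst_port: int        # Port # Comp = Equal
    matched: Action
    not_matched: Action
    active: bool = True

    def matches(self, pkt: bytes) -> bool:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return False
        header_len = (pkt[0] & 0x0F) * 4   # this model follows the IHL field
        if pkt[9] != self.ip_protocol or len(pkt) < header_len + 4:
            return False
        return struct.unpack_from("!H", pkt, header_len + 2)[0] == self.dst_port


def evaluate(filter_set, pkt, default=Action.FORWARD):
    """Apply the rules in order; the first Forward or Drop decides."""
    if len(filter_set) > 6:
        raise ValueError("a filter set holds at most six rules")
    for rule in filter_set:
        if not rule.active:                # assumption: inactive rules are skipped
            continue
        action = rule.matched if rule.matches(pkt) else rule.not_matched
        if action is not Action.CHECK_NEXT:
            return action
    return default                         # assumption: undecided packets pass


def ipv4_packet(protocol, dst_port, options=b""):
    """Constructed IPv4 packet: header, then 20 bytes that start with the ports."""
    ihl = 5 + len(options) // 4
    header = (bytes([0x40 | ihl, 0]) + struct.pack("!H", ihl * 4 + 20) + bytes(4)
              + bytes([64, protocol]) + bytes(2)
              + bytes([203, 0, 113, 7]) + bytes([192, 168, 1, 1]) + options)
    return header + struct.pack("!HH", 40000, dst_port) + bytes(16)


# Figure 61 as a TCP/IP rule (actions assumed, see the lead-in).
TELNET_IP_SET = [TcpIpRule(6, 23, Action.DROP, Action.FORWARD)]

# The same intent written as two generic rules with fixed offsets.
TELNET_GENERIC_SET = [
    GenericRule(9, 1, b"\xff", b"\x06", Action.CHECK_NEXT, Action.FORWARD),
    GenericRule(22, 2, b"\xff\xff", b"\x00\x17", Action.DROP, Action.FORWARD),
]

if __name__ == "__main__":
    samples = {                            # constructed sample packets
        "TCP/23": ipv4_packet(6, 23),
        "TCP/80": ipv4_packet(6, 80),
        "UDP/23": ipv4_packet(17, 23),
        "TCP/23 + IP options": ipv4_packet(6, 23, options=bytes(4)),
    }
    for name, pkt in samples.items():
        print(f"{name:22} ip-rule={evaluate(TELNET_IP_SET, pkt).value:8} "
              f"generic={evaluate(TELNET_GENERIC_SET, pkt).value}")
```

The last sample shows why the manual says IP rules are easier for IP packets: in this model the TCP/IP rule locates the port from the header length, while the fixed offset of 22 only lines up with the destination port when the IPv4 header carries no options.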
LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section. When NAT (Network Address Translation) is enabled, the inside IP address and port number

They are applied at the point when the BCM50a Integrated Router is receiving and sending the packets; for example, the interface. The interface can be...

You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, for example, 3, 4, 6, 11. Input filter sets filter incoming traffic to the BCM50a Integrated Router and output filter sets filter outgoing traffic from the BCM50a Integrated Router.

Chapter 12 SNMP Configuration

To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The community for Get, Set and Trap fields is SNMP terminology for password.

Set requests from the management by default) station.
Trusted Host: If you enter a trusted host, your BCM50a Integrated Router will only respond to SNMP messages from this address. A blank (default) field means your BCM50a Integrated Router will respond to all SNMP messages it receives, regardless of source. Example: 0.0.0.0

SNMP Traps

The BCM50a Integrated Router sends traps to the SNMP manager when any one of the following events occurs:

Table 28 SNMP Traps
Trap # / Trap Name / Description
Trap Name: coldStart (defined in
Description: A trap is sent after booting (power on).
Chapter 13 System security This chapter describes how to configure the system security on the BCM50a Integrated Router. System security You can configure the system password, an external RADIUS server and 802.1x in this menu. System password Figure 67 Menu 23 – System security Menu 23 - System Security 1.
142 Chapter 13 System security Configuring external RADIUS server Enter 23 in the main menu to display Menu 23 – System security. Figure 68 Menu 23 – System Security Menu 23 - System Security 1. Change Password 2. RADIUS Server 4.
BCM50a Integrated Router. The key is not sent over the network. This key must be the same on the external authentication server and BCM50a Integrated Router. Accounting Server Active Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external accounting server.
144 Chapter 13 System security N0115791...
This chapter covers SMT menus 24.1 to 24.4. Introduction to System Status This chapter covers the diagnostic tools that help you to maintain your BCM50a Integrated Router. These tools include updates on system status, port status and log and trace capabilities.
System Status is a tool that can be used to monitor your BCM50a Integrated Router. Specifically, it gives you information on your system firmware version, number of packets sent, and number of packets received.
The number of received packets from this remote node. Errors The number of error packets on this connection. Tx B/s This shows the transmission rate in bytes per second. Rx B/s This shows the receiving rate in bytes per second.
Table 30 Menu 24.1 System Maintenance: Status (continued) Field Description Up Time This is the time this channel has been connected to the current remote node. My WAN IP (from ISP) This is the IP address of the ISP remote node. Ethernet This shows statistics for the LAN.
2. Console Port Speed Please enter selection: System Information System Information gives you information about your system, as shown in Figure 73. More specifically, it gives you information on your routing protocol, Ethernet address and IP address.
Refers to the Ethernet MAC (Media Access Control) of your BCM50a Integrated Router. IP Address This is the IP address of the BCM50a Integrated Router in dotted decimal notation. IP Mask This shows the subnet mask of the BCM50a Integrated Router.
Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Log and trace The BCM50a Integrated Router has a syslog facility for message logging, and a trace function for viewing call-triggering packets.
Press ENTER to Confirm or ESC to Cancel Syslog logging The BCM50a Integrated Router uses the syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Syslog Logging, as...
After you finish configuring this screen, press [ENTER] to confirm or [ESC] to cancel. Your BCM50a Integrated Router sends five types of syslog messages. Some examples of these syslog messages with their message formats are shown next: CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );...
Firewall log
Firewall Log Message Format
SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]
Src: Source Address
spo: Source port (empty means no source port information)
Dst: Destination Address
dpo: Destination port (empty means no destination port information)
prot: Protocol ("TCP", "UDP", "ICMP", "IGMP", "GRE", "ESP")
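On the syslog server side, the firewall message format above can be parsed into fields for review or alerting. The following is an added example, not code from the Nortel guide: the syslog prefix, the rule and action values, and the unquoted protocol names in the sample lines are constructed assumptions, and rule and action are treated as opaque strings because the guide's description of them is not shown here.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Protocol names listed in the guide's firewall log format.
PROTOCOLS = {"TCP", "UDP", "ICMP", "IGMP", "GRE", "ESP"}

# IP[Src=a.b.c.d : spo=n Dst=a.b.c.d : dpo=n | prot | rule | action]
# spo/dpo may be empty, which the guide defines as "no port information".
LINE_RE = re.compile(
    r"IP\[\s*Src=(?P<src>[^\s:]+)\s*:\s*spo=(?P<spo>\d*)\s+"
    r"Dst=(?P<dst>[^\s:]+)\s*:\s*dpo=(?P<dpo>\d*)\s*"
    r"\|\s*(?P<prot>[^|\]]+?)\s*"
    r"\|\s*(?P<rule>[^|\]]*?)\s*"
    r"\|\s*(?P<action>[^|\]]*?)\s*\]"
)


@dataclass(frozen=True)
class FirewallEvent:
    src: ipaddress.IPv4Address
    spo: Optional[int]   # None when the log field is empty
    dst: ipaddress.IPv4Address
    dpo: Optional[int]   # None when the log field is empty
    prot: str
    rule: str            # opaque: contents are not described on this page
    action: str          # opaque: contents are not described on this page


def _port(text: str) -> Optional[int]:
    """Convert a port field; empty means 'no port information'."""
    if text == "":
        return None
    value = int(text)
    if value > 65535:
        raise ValueError("port out of range")
    return value


def parse_firewall_log(line: str) -> Optional[FirewallEvent]:
    """Return a FirewallEvent, or None if the line is not a valid record."""
    m = LINE_RE.search(line)  # search: tolerate a syslog prefix before IP[
    if m is None:
        return None
    try:
        src = ipaddress.IPv4Address(m["src"])
        dst = ipaddress.IPv4Address(m["dst"])
        spo = _port(m["spo"])
        dpo = _port(m["dpo"])
    except ValueError:
        return None  # malformed address or port: reject instead of guessing
    prot = m["prot"].upper()
    if prot not in PROTOCOLS:
        return None
    return FirewallEvent(src, spo, dst, dpo, prot, m["rule"], m["action"])


def tally_by_source(lines: Iterable[str], action: str) -> Tuple[Counter, int]:
    """Count events per source address for one action value.

    Returns (counts, rejected), where rejected is the number of lines that
    did not parse, so that malformed input is visible rather than dropped.
    """
    counts: Counter = Counter()
    rejected = 0
    for line in lines:
        event = parse_firewall_log(line)
        if event is None:
            rejected += 1
        elif event.action.lower() == action.lower():
            counts[str(event.src)] += 1
    return counts, rejected


# Constructed sample lines (documentation addresses, made-up rule/action).
SAMPLE = [
    "Jan  1 01:07:41 192.168.1.1 IP[Src=192.168.1.33 : spo=1025 "
    "Dst=203.0.113.10 : dpo=80 | TCP | rule-1 | forward]",
    "Jan  1 01:07:42 192.168.1.1 IP[Src=198.51.100.7 : spo= "
    "Dst=192.168.1.1 : dpo= | ICMP | rule-2 | block]",
    "Jan  1 01:07:43 192.168.1.1 IP[Src=198.51.100.7 : spo=4444 "
    "Dst=192.168.1.1 : dpo=23 | TCP | rule-2 | block]",
    "Jan  1 01:07:44 192.168.1.1 IP[Src=198.51.100.7 : spo=99999 "
    "Dst=192.168.1.1 : dpo=23 | TCP | rule-2 | block]",   # port out of range
    "Jan  1 01:07:45 192.168.1.1 IP[Src=10.0.0.5 : spo=53 "
    "Dst=192.168.1.1 : dpo=53 | FOO | rule-3 | block]",   # unknown protocol
]

if __name__ == "__main__":
    counts, rejected = tally_by_source(SAMPLE, "block")
    print(dict(counts), "rejected:", rejected)
```
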
0020: 60 02 20 00 E0 6A 00 00-02 04 02 00 Press any key to continue... With the diagnostic facility, you can test the different aspects of your BCM50a Integrated Router to determine if it is working properly. In Menu 24.4, you can...
WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in WAN & LAN DHCP. LAN DHCP is discussed in BCM50a Integrated Router Configuration - Basics (N0115790). The BCM50a Integrated Router can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.3 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet) or...
Chapter 14 System information and diagnosis 159 Figure 79 WAN & LAN DHCP BCM50a Integrated Router Table 33 describes the diagnostic tests available in menu 24.4 for your BCM50a Integrated Router and associated connections. Table 33 System Maintenance menu diagnostic Field...
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup and TCP/IP Setup. It comes with a rom filename extension. Once you have customized the BCM50a Integrated Router settings, they can be saved back to your computer under a filename of your choosing.
BCM50a Integrated Router and the external filename refers to the filename not on the BCM50a Integrated Router, that is, on your computer, local network or FTP site and so the name (but not the extension) can vary. After uploading new firmware, see the F/W version field in Menu 24.2.1 –...
Press ENTER to Exit: Using the FTP command from the command line Launch the FTP client on your computer. Enter open, followed by a space and the IP address of your BCM50a Integrated Router. Press [ENTER] when prompted for a username.
164 Chapter 15 Firmware and configuration file maintenance Example of FTP commands from the command line Figure 81 FTP Session Example 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 config.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
Telnet service. • The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the BCM50a Integrated Router disconnects the Telnet session immediately. Backup configuration using TFTP The BCM50a Integrated Router supports the uploading and downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
Enter the IP address of the BCM50a Integrated Router. 192.168.1.1 is the BCM50a Integrated Router’s default IP address when shipped. Send/Fetch Use Send to upload the file to the BCM50a Integrated Router and Fetch to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or...
FTP is the preferred method for restoring your current computer configuration to your BCM50a Integrated Router since FTP is faster. Note that you must wait for the system to automatically restart after the file transfer is complete.
Press ENTER to Exit: Launch the FTP client on your computer. Enter open, followed by a space and the IP address of your BCM50a Integrated Router. Press [ENTER] when prompted for a username. Enter your password as requested (the default is “PlsChgMe!”).
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you use Telnet to access the BCM50a Integrated Router, the screens for uploading firmware and the configuration file using FTP appear.
170 Chapter 15 Firmware and configuration file maintenance Figure 84 Telnet Into Menu 24.7.1 Upload System Firmware Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
FTP file upload command from the DOS prompt example Launch the FTP client on your computer. Enter “open”, followed by a space and the IP address of your BCM50a Integrated Router. Press [ENTER] when prompted for a username.
Use Telnet from your computer to connect to the BCM50a Integrated Router and log on. Because TFTP does not have any security checks, the BCM50a Integrated Router records the IP address of the Telnet client and accepts TFTP requests only from this address.
BCM50a Integrated Router and the computer. The file name for the firmware is ras. Note that the telnet connection must be active and the BCM50a Integrated Router must be in CI mode before and during the TFTP transfer. For details about TFTP commands (see “TFTP upload command example”...
Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet connection, although some commands are only available with a serial connection. See the included disk or www.nortel.com for more detailed information about CI commands. Enter 8 from Menu 24 - System Maintenance.
176 Chapter 16 System Maintenance menus 8 to 10 Figure 87 Command mode in Menu 24 Menu 24 - System Maintenance 1. System Status 2. System Information and Console Port Speed 3. Log and Trace 4. Diagnostic 5. Backup Configuration 6.
With the budget management function, you can set a limit on the total outgoing call time of the BCM50a Integrated Router within certain times. When the total outgoing call time exceeds the limit, the current call is dropped and any future outgoing calls are blocked.
178 Chapter 16 System Maintenance menus 8 to 10 Figure 88 Call Control Menu 24.9 - System Maintenance - Call Control 1.Budget Management 2.Call History Enter Menu Selection Number: Budget management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the Budget Management menu (Figure...
11.1.) The elapsed time is the 1-hour time period has time used up within this period. lapsed. Enter “0” to update the screen or press [ESC] to return to the previous screen. BCM50a Integrated Router Configuration — Advanced...
180 Chapter 16 System Maintenance menus 8 to 10 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control. Figure 90 Call History Menu 24.9.2 - Call History Phone Number...
Enter Menu Selection Number: Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your BCM50a Integrated Router, as shown in Figure BCM50a Integrated Router Configuration — Advanced...
182 Chapter 16 System Maintenance menus 8 to 10 Figure 92 Menu 24.10 System Maintenance: Time and Date Setting Menu 24.10 - System Maintenance - Time and Date Setting Time Protocol= NTP (RFC-1305) Time Server Address= a.ntp.alphazed.net Current Time: 01 : 07 : 41 New Time (hh:mm:ss): Current Date: 2000 - 01 - 01...
02 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). After you fill in this menu, press [ENTER] at the message “Press ENTER to Confirm or ESC to Cancel” to save your configuration, or press [ESC] to cancel.
The BCM50a Integrated Router resets the time in three instances:
• After you make changes to and leave menu 24.10
• After the BCM50a Integrated Router starts up, if a time server is configured in menu 24.10
• After starting the BCM50a Integrated Router, in 24-hour intervals...
Remote Management With remote management, you can determine which services and protocols can access which BCM50a Integrated Router interface (if any) from which computers. You can manage your BCM50a Integrated Router from a remote location via: • Internet (WAN only) •...
[ENTER] to choose from: LAN only, WAN only, ALL or Disable. Secure Client IP The default 0.0.0.0 allows any client to use this service to remotely manage the BCM50a Integrated Router. Enter an IP address to restrict access to a client with a matching IP address.
You disable that service in menu 24.11. The IP address in the Secured Client IP field (menu 24.11) does not match the client IP address. If it does not match, the BCM50a Integrated Router disconnects the session immediately. There is already another remote management session of the same type (web, FTP or Telnet) running.
Introduction Using the call scheduling feature, the BCM50a Integrated Router can manage a remote node and dictate when a remote node is called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record).
For example, if sets 1, 2, 3, and 4 are applied in the remote node then set 1 takes precedence over sets 2, 3, and 4 as the BCM50a Integrated Router, by default, applies the lowest numbered set first. Set 2 takes precedence over sets 3 and 4, and so on.
Chapter 18 Call scheduling 191 If a connection is already established, your BCM50a Integrated Router does not drop it. After the connection is dropped manually or it times out, then that remote node cannot be triggered until the end of the Duration.
192 Chapter 18 Call scheduling After you configure your schedule sets, you must apply them to the desired remote nodes. Enter 11 from the Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available, as shown in Figure...
If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the BCM50a Integrated Router LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window BCM50a Integrated Router Configuration —...
Figure 97 Windows 95/98/Me: network: configuration Installing components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
IP Address and Subnet Mask fields. Figure 98 Windows 95/98/Me: TCP/IP properties: IP address Click the DNS Configuration tab. — If you do not know your DNS information, select Disable DNS. BCM50a Integrated Router Configuration — Advanced...
Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your BCM50a Integrated Router and restart your computer when prompted. Verifying Settings Click Start and then Run.
For Windows XP, click Start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. Figure 100 Windows XP: Start menu For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Figure 101 Windows XP: Control Panel BCM50a Integrated Router Configuration — Advanced...
198 Appendix A Setting up your computer IP address Right-click Local Area Connection and then click Properties. Figure 102 Windows XP: Control Panel: Network Connections: Properties Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. Figure 103 Windows XP: Local Area Connection Properties N0115791...
Subnet mask, and then click Add. — Repeat the above two steps for each IP address you want to add. — Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways. BCM50a Integrated Router Configuration — Advanced...
200 Appendix A Setting up your computer IP address — In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
Appendix A Setting up your computer IP address 201 10 Turn on your BCM50a Integrated Router and restart your computer (if prompted). Verifying Settings Click Start, All Programs, Accessories and then Command Prompt. In the Command Prompt window, type ipconfig and press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
— Type your IP address in the IP Address box. — Type your subnet mask in the Subnet mask box. — Type the IP address of your BCM50a Integrated Router in the Router address box. Close the TCP/IP Control Panel.
— Select Automatic from the Location list. — Select Built-in Ethernet from the Show list. — Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. Figure 109 Macintosh OS X: Network BCM50a Integrated Router Configuration — Advanced...
— Type your IP address in the IP Address box. — Type your subnet mask in the Subnet mask box. — Type the IP address of your BCM50a Integrated Router in the Router address box. Click Apply Now and close the window.
Triangle Route The Ideal Setup When the firewall is on, your BCM50a Integrated Router acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the BCM50a Integrated Router to protect your LAN against attacks.
The reply from the WAN goes directly to the computer on the LAN without going through the BCM50a Integrated Router. As a result, the BCM50a Integrated Router resets the connection, as the connection is not acknowledged. Figure 111 Triangle Route Problem...
The BCM50a Integrated Router reroutes the packet to Gateway B, which is in Subnet 2. The reply from WAN goes to the BCM50a Integrated Router. The BCM50a Integrated Router sends the response to the computer in Subnet...
This appendix shows examples for importing certificates. Import BCM50a Integrated Router certificates into Netscape Navigator In Netscape Navigator, you can permanently trust the BCM50a Integrated Router server certificate by importing it into your operating system as a trusted certification authority.
210 Appendix C Importing certificates Importing the BCM50a Integrated Router Certificate into Internet Explorer For Internet Explorer to trust a self-signed certificate from the BCM50a Integrated Router, simply import the self-signed certificate into your operating system as a trusted certification authority.
Appendix C Importing certificates 211 Click Install Certificate to open the Install Certificate wizard. Figure 115 Certificate General Information before Import BCM50a Integrated Router Configuration — Advanced...
Appendix C Importing certificates 213 Select where you want to store the certificate and click Next. Figure 117 Certificate Import Wizard 2 BCM50a Integrated Router Configuration — Advanced...
214 Appendix C Importing certificates Click Finish to complete the Import Certificate wizard. Figure 118 Certificate Import Wizard 3 Click Yes to add the BCM50a Integrated Router certificate to the root store. Figure 119 Root Certificate Store N0115791...
The SSL client needs a certificate if Authenticate Client Certificates is selected on the BCM50a Integrated Router. You must have imported at least one trusted CA to the BCM50a Integrated Router in order for the Authenticate Client Certificates to be active (see “Certificates”...
216 Appendix C Importing certificates Figure 121 BCM50a Integrated Router Trusted CA screen The CA sends you a package containing the CA’s trusted certificates, your personal certificates and a password to install the personal certificates. N0115791...
You need a password in advance. The CA can issue the password or you can specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to Figure 123 BCM50a Integrated Router Configuration — Advanced...
The file name and path of the certificate you double-clicked automatically appears in the File name text box. Click Browse if you wish to import a different certificate. Figure 124 Personal certificate import wizard 2 BCM50a Integrated Router Configuration — Advanced...
Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 126 Personal certificate import wizard 4 BCM50a Integrated Router Configuration — Advanced...
222 Appendix C Importing certificates Click Finish to complete the wizard and begin the import process. Figure 127 Personal certificate import wizard 5 Figure 128 shows the screen that appears when the certificate is correctly installed on your computer. Figure 128 Personal certificate import wizard 6 N0115791...
Appendix C Importing certificates 223 Using a certificate when accessing the BCM50a Integrated Router example Use the following procedure to access the BCM50a Integrated Router via HTTPS. Enter https://BCM50a Integrated Router IP Address/ in your browser’s web address field. Figure 129 Access the BCM50a Integrated Router via HTTPS...
It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional dial-up scenario Figure 132 depicts a typical hardware configuration in which the PCs use traditional dial-up networking. BCM50a Integrated Router Configuration — Advanced...
However, the PPP negotiation is between the PC and the ISP. BCM50a Integrated Router as a PPPoE client When using the BCM50a Integrated Router as a PPPoE client, the PCs on the LAN see only the Ethernet and are not aware of the PPPoE. This relieves the administrator of having to manage the PPPoE clients on the individual PCs.
ID. • Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting. (There is also a class “E” address, which is reserved for future use.) BCM50a Integrated Router Configuration — Advanced...
232 Appendix F IP subnetting Table 43 Classes of IP addresses IP Address: Octet 1 Octet 2 Octet 3 Octet 4 Class A Network number Host ID Host ID Host ID Class B Network number Network number Host ID Host ID Class C Network number Network number...
This is usually specified by writing a / followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128. BCM50a Integrated Router Configuration — Advanced...
234 Appendix F IP subnetting Table 46 shows all possible subnet masks for a class C address using both notations. Table 46 Alternative Subnet Mask Notation Subnet mask IP address Subnet mask 1 Bits Last octet bit value 255.255.255.0 0000 0000 255.255.255.128 1000 0000 255.255.255.192...
IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2^7 – 2 or 126 hosts for each subnet.
236 Appendix F IP subnetting 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126.
Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). Table 53 shows class C IP address last-octet values for each subnet. Table 53 Eight subnets Subnet Subnet Address First Address Last Address Broadcast Address BCM50a Integrated Router Configuration — Advanced...
238 Appendix F IP subnetting Table 53 Eight subnets Subnet Subnet Address First Address Last Address Broadcast Address Table 54 is a summary for class C subnet planning. Table 54 Class C subnet planning No. Borrowed Host Bits Subnet Mask No.
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or www.nortel.com for more detailed information on these commands.
[year month date] date. Sets or displays the system time. time [hour [min [sec]]] Sets how often the BCM50a Integrated period [day] Router gets the date and time from the time server. Gets the date and time from the time sync server.
2:alert/3:both] Records web access forward logs. urlforward [0:none/1:log] Clears the log. clear Displays all logs or specifies a category display [access|attack|error|ike|i of logs. psec|javablocked|mten|pack etfilter|pki| tcpreset|tls|upnp|urlblock ed|urlforward] errlog Clears the error log. clear BCM50a Integrated Router Configuration — Advanced...
244 Appendix G Command Interpreter Table 56 Sys commands Command Description Displays the error log. disp Turns the error log online display on or online off. Loads the log settings buffer. Use this load command before you configure the log settings.
debug: Turns TOS debug message on or off.
listPerHost: Displays all hosts session counts.
sessPerHost: Sets the session per host limit.
timeout display: Displays all TOS (Temporarily Open Session) timeout information.
timeout icmp: Sets the ICMP session idle timeout value.
246 Appendix G Command Interpreter Table 56 Sys commands Command Description Sets the IGMP session idle timeout igmp value. Sets the SYN TCP session idle timeout tcpsyn value. Sets the TCP session idle timeout value. Sets the TCP FIN session idle timeout tcpfin value.
Displays the specified text file. view <filename> wdog Turns the watchdog firmware switch [on|off] protection feature on or off. Sets (0-34 463) or displays the current [value] watchdog count (in 1.6 sec units). BCM50a Integrated Router Configuration — Advanced...
Saves UPnP information. load reserve [0:deny/1:permit] Saves UPnP information. save Turns Nortel’s proprietary DHCP m50Enable [yes|no] enhancement feature on or off. Displays the system socket’s ID #, socket type, control block address (PCB), IP address and port number of peer...
Ethernet commands. Each of these commands must be preceded by . For example, type to display ether ether config information on the LAN configuration. Table 58 Ether Commands Command Description Displays LAN configuration information. config driver BCM50a Integrated Router Configuration — Advanced...
250 Appendix G Command Interpreter Table 58 Ether Commands Command Description Displays the Ethernet driver counters. disp <name> Shows the LAN status. status <ch_name> Displays the Ethernet device type. version edit Loads Ethernet (1:LAN) data from the System load <1:LAN> Parameters Table.
Shows the LAN DNS server settings. display Enables or disables the HTTP debug flag. httpd debug [on|off] This command currently does not work. icmp Displays the ICMP statistics counter. status Sets the ICMP router discovery flag. discovery <iface> [on|off] BCM50a Integrated Router Configuration — Advanced...
252 Appendix G Command Interpreter Table 59 IP commands Command Description Configures a network interface. ifconfig [iface] [ipaddr] [broadcast <addr> |mtu <value>|dynamic] Pings a remote host. ping <hostid> route Displays the routing table. status [if] Adds a route. <dest_addr|defaul t>[/<bits>] <gateway>...
Appendix G Command Interpreter 253 Table 59 IP commands Command Description Sets the BCM50a Integrated Router to use <iface> in [mode] the RIP information it receives. Sets the BCM50a Integrated Router to <iface> out broadcast its routing table. [mode] Shows the dial-in user RIP direction.
254 Appendix G Command Interpreter Table 59 IP commands Command Description Sets the content filtering customize action actionFlags flags. [act(1-7)] [enable/disable] Sets the content filtering customize log flags. logFlags [type(1-3)][enabl e/disable] Adds a trusted Web site, forbidden Web site add [string] or keyword blocking string.
[on|off] iface Sets IGMP group timeout for the specified <iface> grouptm interface. <timeout> Sets IGMP query interval for the specified <iface> interval interface. <interval> Adds an interface to a group. <iface> join <group> BCM50a Integrated Router Configuration — Advanced...
256 Appendix G Command Interpreter Table 59 IP commands Command Description Removes an interface from a group. <iface> leave <group> Sends an IGMP query on the specified <iface> query interface. Sets the IGMP response time. <iface> rsptime [time] Turns on IGMP on the specified interface. <iface>...
update_peer <0~255>: Sets the autotimer for updating IPSec rules that use a domain name as the secure gateway IP address. The interval is in minutes (30 default) and 0 means it never updates.
Description Adjusts autotimer to check if any inbound chk_input <0~255> IPsec traffic has passed during the specified period. If not, the BCM50a Integrated Router disconnects the tunnel. Displays runtime phase 1 and phase 2 show_runtime SA information. When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to the peer’s...
Specifies whether the rule is for a branch connType <0:Branch office or Contivity Client VPN connection. Office | 1:Contivity Client> Sets the BCM50a Integrated Router to authOptions <0:Username either send just the username and Password | password to the remote Contivity IPSec 1:Group ID &...
rmAddrEndMask <IP>: Sets the remote ending IP address or subnet mask.
rmPortStart <port>: Sets the remote starting port number.
rmPortEnd <port>: Sets the remote ending port number.
btNatActive <Yes | No>: Turns branch tunnel NAT address mapping on or off.
262 Appendix G Command Interpreter Table 60 IPSec commands Command Description Sets the type of NAT address mapping. btNatType <0:single | 1:range | 2:all> Sets the branch tunnel NAT starting IP btNatAddrStart <IP address> address. Sets the branch tunnel NAT ending IP btNatArEnd <IP address>...
AH_SHA1 | AH_MD5> <on | off>
<DES_DH1 | 3DES_DH2 | 128AES_DH5> <on | off>: Enables or disables the specified Diffie-Hellman encryption level.
static <on | off>: Enables or disables the Use Static Address option.
264 Appendix G Command Interpreter Table 60 IPSec commands Command Description Select which IP pool, index is based on 1, ipPool <index> and inactive IP pool cannot be selected. Before you configure an IP pool for client ipPool load <index> termination, you must load the specified IP pool.
<on | off> alpha-numeric password.
age <days>: Sets the maximum password age after which the login password expires, valid value: 0~180 days, and 0 means no expiration.
minLen: Sets the minimum password length.
266 Appendix G Command Interpreter WAN Commands The following chart lists and describes the wan commands. Each of these commands must be preceded by wan when you use them. Table 61 WAN Commands Command Description Displays ADSL ber. adsl bert Displays the ADSL cell counter.
Save Sets the waiting time before checking the timer hunting table result. Sends VC hunt pattern again. Send Displays hwsar packets incoming/outgoing hwsar information. driver Oam loopback function. Oamloopback [VPI] [VCI] [F5] [endToEnd] [funcType] BCM50a Integrated Router Configuration — Advanced...
268 Appendix G Command Interpreter Sys firewall commands Table 62 lists and describes the system firewall commands. Each of these commands must be preceded by . For example, type sys firewall to turn on the firewall. firewall active yes Table 62 Sys firewall commands Command Description...
# bandwidth xxx <name xxx> xxx b/s in LAN. The name is for your information. Sets the class priority. The <priority range is between 0 (the x> lowest) to 7 (the highest). BCM50a Integrated Router Configuration — Advanced...
270 Appendix G Command Interpreter Table 63 Bandwidth management commands Command Description The class can borrow <borrow bandwidth from its parent on|off> class when borrowing is turned on, and vice versa. Deletes the class # and its del # filter and all its children classes and their filters in LAN.
Displays the LAN classes. class Displays the WAN classes. Displays the LAN filter filter settings. Displays the WAN filter settings. Displays the statistics of the statistics LAN classes. Displays the statistics of the LAN classes. BCM50a Integrated Router Configuration — Advanced...
272 Appendix G Command Interpreter Table 63 Bandwidth management commands Command Description Displays the bandwidth usage monitor <#> of the specified LAN class (or all of the LAN classes if you do not specify one). The first time you use the command turns it on;...
Page 273
(required). The format is "subject-name-dn;{ip,dns,email}=value". If the name contains spaces, put it in quotes. [key size] specifies the key size. It has to be an integer from 512 to 2048. The default is 1024 bits.
Page 274
For my certificate importation to be successful, a certification request corresponding to the imported certificate must already exist on BCM50a Integrated Router. After the importation, the certification request is automatically deleted. If a descriptive name is not...
Page 275
Command: rename <old name> <new name>
Description: Renames the specified trusted CA certificate. <old name> specifies the name of the certificate to be renamed. <new name> specifies the new name the certificate is saved as.
Page 276
Table 64 Certificates commands
Command: crl_issuer <name> [on|off]
Description: Specifies whether or not the specified CA issues CRL. <name> specifies the name of the CA certificate. [on|off] specifies whether or not the CA issues CRL. If [on|off] is not specified, the current crl_issuer status of the CA is used.
Page 277
[login:pswd] <addr[:port]> specifies the server address (required) and port (optional). The format is "server-address[:port]". The default port is 389. [login:pswd] specifies the logon name and password, if required. The format is "[login:password]".
Page 278
278 Appendix G Command Interpreter N0115791...
• Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN.
• Allow or disallow the sending of NetBIOS packets through VPN connections.
• Allow or disallow NetBIOS packets to initiate calls.
Appendix H NetBIOS filter commands
Display NetBIOS filter settings
Figure 135 NetBIOS Display Filter Settings Command Example
============== NetBIOS Filter Status ===============
Between LAN and WAN: Block
IPSec Packets: Forward
Trigger Dial: Disabled
Syntax: sys filter netbios disp
This command gives a read-only list of the current NetBIOS filter modes. The filter types and their default settings are as follows:
Table 65 NetBIOS filter default settings
Name...
This command forwards WAN to LAN and WAN to LAN NetBIOS packets
Command: sys filter netbios config 3 on
This command blocks IPSec NetBIOS packets
Command: sys filter netbios config 4 off
This command stops NetBIOS commands from initiating calls.
For example, you would type “2” to assign the second IP address of the DHCP server pool to the Nortel BCM50. Use this command to specify the IP address that the BCM50a Integrated Router is to assign to the BCM50.
Appendix I Enhanced DHCP option commands
The following example sets the BCM50a Integrated Router to assign an IP address of 11.12.13.10 to the Nortel BCM50.
ip dhcp <interface> server m50ipreserve ip 11.12.13.10
Nortel BCM50 DHCP server options
Use these commands to add site-specific options to the DHCP server’s offer messages that it sends to the BCM50.
You can type the full IP addresses or just the last parts. If you type part of an IP address, the BCM50a Integrated Router combines it with the IP address assigned to the BCM50 customer LAN interface to form a range of IP addresses that are on the same subnet as the BCM50 customer LAN interface.
Use “0” to not have the Nortel BCM50 assign VoIP server and VLAN settings to Nortel’s IP Telephone 2004. Use this command to set the Nortel BCM50 DHCP to assign VoIP server and VLAN settings to Nortel’s IP Telephone 2004. You must also configure the VoIP server and VLAN settings assignment, see the “Nortel i2004 IP phone options...
VoIP telephones.
ip dhcp enif0 server voipserver 1 11.12.13.7 7001 3
This next command sets the BCM50a Integrated Router to assign the second VoIP server’s IP address (11.12.13.8), port number (7002) and retry count (2) to Nortel’s i2004 VoIP telephones.
This command sets DHCP option 191. The following example sets the BCM50a Integrated Router to assign a VLAN ID of five to VoIP telephones.
ip dhcp enif0 server vlanid 5
Nortel WLAN handsets 2210 & 2211 phone options
Nortel's WLAN Handsets 2210 &...
Handsets 2210 & 2211. This command sets DHCP option 151. The following example sets the BCM50a Integrated Router to assign a WLAN Telephony Manager 2245 IP address of 11.12.13.16 to WLAN Handsets 2210 & 2211.
ip dhcp <interface> server wlantelmanager 11.12.13.16...
Log message: WEB Login Successfully
Description: Someone has logged on to the router's WebGUI interface.
Log message: WEB Login Fail
Description: Someone has failed to log on to the router's WebGUI interface.
Log message: TELNET Login Successfully
Description: Someone has logged on to the router via Telnet.
Log message: UPnP pass through Firewall
Description: UPnP packets can pass through the firewall.
Table 69 Content filtering logs
Category: URLFOR
Log message: IP/Domain Name
Description: The BCM50a Integrated Router allows access to this IP address or domain name and forwards traffic to the IP address or domain name.
Log message: icmp echo ICMP (type:%d, code:%d)
Description: The firewall detected an ICMP echo attack.
Log message: syn flood TCP
Description: The firewall detected a TCP syn flood attack.
Log message: ports scan TCP
Description: The firewall detected a TCP port scan attack.
Page 292
NetBIOS TCP
Log message: ip spoofing - no routing entry TCP
Description: The firewall detected a TCP IP spoofing attack while the BCM50a Integrated Router did not have a default route.
Log message: ip spoofing - no routing
Description: The firewall detected a UDP IP spoofing attack while the BCM50a Integrated Router did not have a default route.
Log message: Firewall default policy: TCP (set:%d)
Description: TCP access matched the default policy of the listed ACL set and the BCM50a Integrated Router blocked or forwarded it according to the ACL set’s configuration.
UDP access matched the default policy of the listed ACL...
Page 294
Log message: Firewall rule match: OSPF (set:%d, rule:%d)
Description: BCM50a Integrated Router blocked or forwarded it according to the rule’s configuration.
Log message: Firewall rule match: (set:%d, rule:%d)
Description: Access matched the listed firewall rule and the BCM50a Integrated Router blocked or forwarded it according to the rule’s configuration.
Page 295
Log message: Out of order TCP handshake packet blocked
Description: The router blocked a TCP handshake packet that came out of the proper order.
Log message: Drop unsupported/out-of-order ICMP
Description: The BCM50a Integrated Router generates this log after it drops an ICMP packet due to one of the following two reasons: 1.
WAN to LAN WAN to the LAN.
LAN to LAN/BCM50a Integrated Router: ACL set 7 for packets traveling from the LAN to the LAN or the BCM50a Integrated Router.
ACL set 8 for packets traveling from the WAN to WAN/BCM50a...
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. Figure 136 shows a typical log from the initiator of a VPN connection.
Note: Double exclamation marks (!!) denote an error or warning message.
Table 75 shows sample log messages during IKE key exchange.
Note: A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-shared key.
Log message: Send <Symbol> Mode request to <IP>
Description: The BCM50a Integrated Router has started negotiation with the peer.
Log message: Recv <Symbol> Mode request from <IP>
Description: The BCM50a Integrated Router has received an IKE negotiation request from the peer.
Page 301
Appendix J Log descriptions
Table 75 Sample IKE key exchange logs
Log message: !! Active connection allowed exceeded
Description: The BCM50a Integrated Router limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded.
Table 76 Sample IPSec logs during packet transmission
Log message: !! WAN IP changed to <IP>
Description: If the BCM50a Integrated Router’s WAN IP changes, all configured “My IP Addr” are changed to “0.0.0.0”. If this field is configured as 0.0.0.0, the BCM50a Integrated Router uses the...
Log message: Rcvd CRL <size>: <issuer name>
Description: The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Table 78 PKI logs
Log message: Rcvd ARL <size>: <issuer name>
Description: The router received an ARL (Authority Revocation List), with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field.
Log message: Failed to decode the
Description: The router received a corrupted certification authority certificate from the LDAP server whose address and port are...
Path was not verified. Maximum path length reached.
Log commands
Go to the command interpreter interface (see Appendix G, “Command Interpreter” on page 241 for information on how to access and use the commands).
Router (you must do this in order to record logs).
Displaying logs
Use the sys logs display command to show all of the logs in the BCM50a Integrated Router’s log. Use the sys logs category display command to show the log settings for all of the log categories.
Use the sys logs display [log category] command to show the logs in an individual BCM50a Integrated Router log category. Use the sys logs clear command to erase all of the BCM50a Integrated Router’s logs.
Log command example
This example shows how to set the BCM50a Integrated Router to record the access logs and alerts and then view the results.
N (a number from 1 to 60) minutes after the third time an incorrect password is entered.
Example
sys pwderrtm 5
This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
Page 310
Appendix K Brute force password guessing protection