Patton electronic ONSITE 2800 User's Manual

Contents

1. (Table of contents, chapter 7 and the start of chapter 8; page numbers as printed, entries that did not survive extraction are omitted)
   About access control lists (p. 80)
   What access lists do (p. 80)
   Why you should configure access lists (p. 80)
   When to configure access lists (p. 81)
   Features of control lists (p. 81)
   Access control list configuration task list (p. 82)
   Mapping out the goals of the access control list (p. 82)
   Creating an access control list profile and enter configuration mode (p. 83)
   Adding a filter rule to the current access control list profile (p. 83)
   Adding an ICMP filter rule to the current access control list profile (p. 85)
   Adding a TCP, UDP or SCTP filter rule to the current access control list profile (p. 87)
   Binding and unbinding an access control list profile to an IP interface (p. 89)
   Displaying an access control list profile (p. 90)
   Examples (p. 92)
   Denying a specific subnet (p. 92)
   8 Link scheduler configuration (p. 93)
   Introduction (p. 94)
   Configuring access control lists (p. 94)
   Configuring quality of service (QoS) (p. 95)
2. Examples (see page 92)

About access control lists

This section briefly describes what access lists do, why and when you should configure access lists, and basic versus advanced access lists.

What access lists do

Access lists filter network traffic by controlling whether routed packets are forwarded, dropped or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access lists. Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.

Note: Sophisticated users can sometimes successfully evade or fool basic access lists because no authentication is required.

Why you should configure access lists

There are many reasons to configure access lists. For example, you can use access lists to restrict the contents of routing updates or to provide traffic flow control. But one of the most important reasons to configure access lists is to provide security for your network, and this is the reason explored in this chapter. You should use access lists to provide a basic level of security for accessing your network. If you do not configure access lists on your router, all packets passing through the router could be allowed onto all parts of your network. For
3. (Table of contents, chapter 6 "VPN configuration" and the start of chapter 7; entries that did not survive extraction are omitted)
   VPN configuration (p. 67)
   Transport and tunnel modes (p. 69)
   VPN configuration task list (p. 69)
   Creating an IPsec transformation profile (p. 69)
   Creating an IPsec policy profile (p. 70)
   Creating/modifying an outgoing ACL profile for IPsec (p. 72)
   Configuration of an IP interface and the IP router for IPsec (p. 73)
   Displaying IPsec configuration information (p. 73)
   Debugging IPsec (p. 74)
   Sample configurations (p. 75)
   IPsec tunnel, DES encryption (p. 75)
   OnSite configuration (p. 75)
   Cisco router configuration (p. 76)
   IPsec tunnel, AES encryption at 256-bit key length, AH authentication with HMAC-SHA1-96 (p. 76)
   OnSite configuration (p. 76)
   Cisco router configuration (p. 77)
   IPsec tunnel, 3DES encryption at 192-bit key length, ESP authentication with HMAC-MD5-96 (p. 77)
   OnSite configuration (p. 77)
   Cisco router configuration (p. 77)
   7 Access control list configuration (p. 79)
   Introduction
4. (Example, continued)

    2800(cfg)#profile acl Webserver
    2800(pf-acl)[Webserv]#permit ip host 172.16.1.20 any traffic-class Web
    2800(pf-acl)[Webserv]#permit ip any any

After packet classification is done using access control lists, the link arbiter needs rules defining how to handle the different traffic classes. For that purpose you create a service-policy profile. The service-policy profile defines how the link arbiter has to share the available bandwidth among several traffic classes on a certain interface.

Creating a service-policy profile

The service-policy profile defines how the link scheduler should handle different traffic classes. The overall structure of the profile is as follows:

    profile service-policy <profile-name>
      <common settings: link rate, arbitrator, common parameters>
      source traffic-class <x>
        <settings for class x: bandwidth, packet mark, queue size, etc.>
      source traffic-class <y>
        <settings for class y>
      source traffic-class default
        <settings for all other traffic classes not listed>

Figure 22. Structure of a service-policy profile

The template shown above specifies an arbiter with three inputs, which we call sources x, y and default. The traffic class default stands for all other packets that belong neither to traffic class x nor y. There is no limit on the number of so
5. Example: IPsec debug output

    2800(cfg)#debug ipsec
    IPSEC monitor on
    23:11:04 ipsec > Could not find security association for inbound ESP packet (SPI 1201)

Example: Display IPsec security associations

    2800(cfg)#show ipsec security-associations
    Active security associations:
    Dir  Type    Policy  Mode    Udp-Encapsulation  Peer           SPI AH  SPI ESP  AH  ESP-Auth  ESP-Enc      Bytes processed / lifetime  Seconds age / lifetime
    IN   MANUAL  ToBurg  Tunnel  no                 200.200.200.1          1111                   AES-CBC-128  3622 / unlimited            19047 / unlimited
    OUT  MANUAL  ToBurg  Tunnel  no                 200.200.200.1          2222                   AES-CBC-128  2857 / unlimited            19047 / unlimited

Sample configurations

The following sample configurations establish IPsec connections between an OnSite and a Cisco router. To interconnect two OnSite routers instead, derive the configuration for the second OnSite by making the following modifications:
   - Swap inbound and outbound settings
   - Adjust the peer setting
   - Swap the private networks in the ACL profiles
   - Adjust the IP addresses of the LAN and WAN interfaces
   - Adjust the route for the remote network

IPsec tunnel, DES encryption

OnSite configuration

    profile ipsec-transform DES
      esp-encryption des-cbc 64
    profile ipsec-policy-manual VPN_DES
      use profile ipsec-transform DES
      session-key inbound esp-encryption 1234567890ABCDEF
      session-key outbound esp-encryption FEDCBA0987654321
6. OnSite 2800 Series Managed VPN Router User Manual

Important: This is a Class A device and is intended for use in a light industrial environment. It is not intended nor approved for use in an industrial or residential environment.

Sales Office: +1 (301) 975-1000
Technical Support: +1 (301) 975-1007
E-mail: support@patton.com
WWW: www.patton.com

Part Number: 07M2800-GS, Rev. F
Revised: February 22, 2012

Patton Electronics Company, Inc.
7622 Rickenbacker Drive
Gaithersburg, MD 20879 USA
Tel: +1 (301) 975-1000
Fax: +1 (301) 869-9293
Support: +1 (301) 975-1007
URL: www.patton.com
E-Mail: support@patton.com

Trademark Statement
The term OnSite is a trademark of Patton Electronics Company. All other trademarks presented in this document are the property of their respective owners.

Copyright 2012, Patton Electronics Company. All rights reserved.
The information in this document is subject to change without notice. Patton Electronics assumes no liability for errors that may appear in this document.

Warranty Information
The software described in this document is furnished under a license and may be used or copied only in accordance with the terms of such license. Patton Electronics warrants all OnSite router components to be free from defects, and will, at our option, repair or replace the product should it fail within one year from the first date of the shipment. This warranty is limited to
7. (Link scheduler configuration, introduction, continued)
   - Shaping network traffic
   - Setting traffic priorities across the network

Applying scheduling at the bottleneck

When an OnSite acts as an access router, the access link is the point where intelligent use of scarce resources really makes a difference. Frequently the access link modem is outside of the OnSite, and the queueing would happen in the modem, which does not distinguish between packet types. To improve QoS, you can configure the OnSite to send no more data to the Internet than the modem can carry. This keeps the modem's queue empty and gives the OnSite control over which packet is sent over the access link at what time.

Using traffic classes

The link scheduler needs to distinguish between different types of packets. We refer to those types as traffic classes. You can think of the traffic class as if every packet in the OnSite has a tag attached to it on which the classification can be noted. The access control list stage (ACL) can be used to apply such a traffic class name to some type of packet, based on its IP header filtering capabilities. The traffic class tags exist only inside the OnSite router, but layer 2 priority bits (802.1pq class of service) and IP header type of service bits (TOS field) can be used to mark a specific packet type for the other network nodes. By default the traffic class tag is empty. Refer to figure 1
8. (OnSite configuration, continued)

      spi inbound esp 1111
      spi outbound esp 2222
      peer 200.200.200.1
      mode tunnel
    profile acl VPN_Out
      permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-policy VPN_DES
      permit ip any any
    profile acl VPN_In
      permit esp any any
      permit ah any any
      permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
      deny ip any any
    context ip router
      interface LAN
        ipaddress 192.168.1.1 255.255.255.0
      interface WAN
        ipaddress 200.200.200.2 255.255.255.252
        use profile acl VPN_In in
        use profile acl VPN_Out out
    context ip router
      route 0.0.0.0 0.0.0.0 200.200.200.1 0
      route 172.16.0.0 255.255.0.0 WAN 0

Cisco router configuration

    crypto ipsec transform-set DES esp-des
    crypto map VPN_DES local-address FastEthernet0/1
    crypto map VPN_DES 10 ipsec-manual
      set peer 200.200.200.2
      set session-key inbound esp 2222 cipher FEDCBA0987654321
      set session-key outbound esp 1111 cipher 1234567890ABCDEF
      set transform-set DES
      match address 110
    access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
    interface FastEthernet0/0
      ip address 172.16.1.1 255.255.0.0
    interface FastEthernet0/1
      ip address 200.200.200.1 255.255.255.252
      crypto map VPN_DES
    ip route 192.168.1.0 255.255.255.0 FastEthernet0/1

IPsec tunnel, AES encryption at 256-bit key length, AH authentication with HMAC-SHA1-96

OnSite configuration

    profile ipsec-transform AES-SHA1
      esp-encryption a
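The sample configurations above rely on the two tunnel ends being exact mirrors of each other: every inbound SPI and session key on one side is the outbound SPI and key on the other, and each side's "peer" is the other side's WAN address. The following added example (not from the manual and not Patton's software) models both ends of the manually keyed DES tunnel and applies the manual's modification list to derive the second OnSite, then checks that the pair is consistent and that the hex session keys actually carry the key length the transform names. Addresses, SPIs and keys are the manual's sample values; the second router's own LAN and WAN addresses are constructed for the example and are assumptions.

```python
# Added example (not from the OnSite manual or Patton's software): model both
# ends of the manual's manually keyed DES tunnel and derive the second OnSite
# with the manual's modification list (swap inbound/outbound, adjust peer,
# swap the private networks in the ACLs, adjust LAN/WAN addresses, adjust the
# route). Addresses, SPIs and keys are the manual's sample values; the second
# router's LAN/WAN addresses are constructed here and are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    lan_net: str      # own private network as "network wildcard", ACL style
    remote_net: str   # the other side's private network
    lan_addr: str     # LAN interface address
    wan_addr: str     # WAN interface address; the other side's "peer"
    peer: str         # the other side's WAN address
    spi_in: int
    spi_out: int
    key_in: str       # session-key inbound esp-encryption, hex
    key_out: str      # session-key outbound esp-encryption, hex
    transform: str = "des-cbc 64"


def key_bits(hex_key: str) -> int:
    """Session keys are typed as hex; each hex digit carries four key bits."""
    int(hex_key, 16)            # raises ValueError on a non-hex character
    return 4 * len(hex_key)


def keys_fit_transform(end: TunnelEnd) -> bool:
    """The transform names the key length ('des-cbc 64'); both keys must have it."""
    want = int(end.transform.split()[-1])
    return key_bits(end.key_in) == want and key_bits(end.key_out) == want


def derive_second_onsite(first: TunnelEnd, name: str, lan_addr: str, wan_addr: str) -> TunnelEnd:
    """Build the other tunnel end by mirroring the first one."""
    return TunnelEnd(
        name=name,
        lan_net=first.remote_net, remote_net=first.lan_net,
        lan_addr=lan_addr, wan_addr=wan_addr,
        peer=first.wan_addr,
        spi_in=first.spi_out, spi_out=first.spi_in,
        key_in=first.key_out, key_out=first.key_in,
        transform=first.transform,
    )


def ends_match(a: TunnelEnd, b: TunnelEnd) -> bool:
    """What one side sends must be exactly what the other expects to receive."""
    return (a.spi_out == b.spi_in and a.spi_in == b.spi_out
            and a.key_out == b.key_in and a.key_in == b.key_out
            and a.peer == b.wan_addr and b.peer == a.wan_addr
            and a.transform == b.transform)


def wildcard_to_mask(wild: str) -> str:
    """ACL wildcard 0.0.255.255 becomes route mask 255.255.0.0."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))))


def render(end: TunnelEnd) -> List[str]:
    """Policy, ACL and route lines for one end, in the manual's configuration syntax."""
    remote_addr, remote_wild = end.remote_net.split()
    return [
        "profile ipsec-policy-manual VPN_DES",
        f"  session-key inbound esp-encryption {end.key_in}",
        f"  session-key outbound esp-encryption {end.key_out}",
        f"  spi inbound esp {end.spi_in}",
        f"  spi outbound esp {end.spi_out}",
        f"  peer {end.peer}",
        "profile acl VPN_Out",
        f"  permit ip {end.lan_net} {end.remote_net} ipsec-policy VPN_DES",
        "  permit ip any any",
        "profile acl VPN_In",
        "  permit esp any any",
        "  permit ah any any",
        f"  permit ip {end.remote_net} {end.lan_net}",
        "  deny ip any any",
        f"route {remote_addr} {wildcard_to_mask(remote_wild)} WAN 0",
    ]


# The manual's OnSite side of the DES sample.
ONSITE_A = TunnelEnd("OnSite-A", "192.168.1.0 0.0.0.255", "172.16.0.0 0.0.255.255",
                     "192.168.1.1", "200.200.200.2", "200.200.200.1",
                     1111, 2222, "1234567890ABCDEF", "FEDCBA0987654321")

# Second OnSite replacing the Cisco; its addresses are constructed (assumption).
ONSITE_B = derive_second_onsite(ONSITE_A, "OnSite-B", "172.16.1.1", "200.200.200.1")

if __name__ == "__main__":
    print("\n".join(render(ONSITE_B)))
    print("pair consistent:", ends_match(ONSITE_A, ONSITE_B))
```

The check in `ends_match` is the one worth running before bringing a manually keyed tunnel up: a swapped SPI or key on one side only produces the "Could not find security association for inbound ESP packet" debug message shown above rather than a clear configuration error.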
9. (T1/E1 port configuration, continued) ...channel-group configuration mode, the encapsulation must be set to hdlc as well, followed by configuring at least one timeslot with the timeslots command.

Mode: port e1t1 <slot> <port>
Step | Command | Purpose
1 | name(prt-e1t1)[slot/port]#hdlc | Entering the hdlc configuration mode

Mode: channel-group <group>
Step | Command | Purpose
1 | name(ch-grp)[group-name]#hdlc | Entering the hdlc configuration mode

Configuring HDLC CRC Type

This command specifies the length of the checksum for calculating the CRC of the hdlc frame. It can be either a 16-bit or a 32-bit checksum.

Mode: hdlc
Step | Command | Purpose
1 | name(hdlc)#crc-type { crc16 | crc32 } | Selects the checksum type to be used. Default: crc16

Configuring HDLC Encapsulation

The hdlc encapsulation command specifies what kinds of upper-layer data are contained in the hdlc frames. Two encapsulation types are available: framerelay and ppp. Once the hdlc configuration mode has been entered, the procedure for setting up framerelay or ppp is exactly the same as for an X.21/V.35 serial port. For that reason, see chapter 4, "Serial port configuration" on page 44, for details about frame relay configuration, and the OnSite Software Configuration Guide for details about PPP configuration.

Mode: hdlc
Step | Command | Purpose
1 | name(hdlc)#encapsulation framere
10. (Table of contents, chapters 3 to 5; entries that did not survive extraction are omitted)
   Power connection and default configuration (p. 40)
   Connect with the serial ... (p. 40)
   Changing the IP address (p. 41)
   2 Connect the OnSite VPN Router to the network (p. 42)
   3 Load configuration (p. 42)
   4 Serial port configuration (p. 44)
   Serial port configuration task list (p. 45)
   Configuring the encapsulation for Frame Relay (p. 47)
   Enter Frame Relay mode (p. 48)
   Configuring the LMI type (p. 48)
   Configuring the keep-alive interval (p. 49)
   Entering Frame Relay PVC configuration mode (p. 49)
   Configuring the PVC encapsulation (p. 50)
   Binding the Frame Relay PVC to IP interface (p. 50)
   Enabling a Frame Relay PVC (p. 52)
   Disabling a Frame Relay PVC (p. 52)
   Displaying serial port information (p. 53)
   Displaying Frame Relay information (p. 54)
   5 T1/E1 ...
11. (Specifications, continued)
   Automatic Line Framing: T1 ESF (default) and unframed; E1 CRC (default), non-CRC-4 and unframed
   Isolation: 1,500 Vrms
   PPP support: X.21 or V.35 WAN
   Frame Relay: 8 PVCs, RFC 1490, FRF.12 fragmentation, LMI (Q.933D, ANSI 617D, Gang of Four)
   PPP: PAP, CHAP, LCP, IPCP

IP services
   - IPv4 router; RIPv1/v2 (RFC 1058 and 2453)
   - Programmable static routes
   - ICMP redirect (RFC 792)
   - Packet fragmentation
   - DiffServ/ToS: set or queue per header bits
   - Packet policing: discards excess traffic
   - 802.1p VLAN tagging
   - IPSEC: AH & ESP modes, manual key, IKE optional
   - AES, DES, 3DES encryption

Management
   - Industry-standard CLI with local console (RJ-45, RS-232) and remote Telnet access
   - TFTP configuration & firmware loading
   - SNMP v1 agent (MIB II and private MIB)
   - Built-in diagnostic tools (trace, debug)
   - Java Applet
   - HPOV integration with NNM

Operating environment
   - Operating temperature: 32-104 °F (0-40 °C)
   - Operating humidity: 5-80%, non-condensing

System
   - CPU: Motorola MPC875 operating at 66 MHz
   - Memory: 32 Mbytes SDRAM, 8 Mbytes Flash
   - Dimensions: 7.3W x 1.6H x 6.1D in. (18.5H x 4.1W x 15.5D cm)

Power supply
   - Internal AC version: internal power supply, 100-240 VAC, 50/60 Hz, 200 mA
   - 12VDC version with external AC power adapter: Models 28
12. (Hardware installation, continued)

Figure 3. Rear view of the router showing location of X.21 interface connector (panel labels: ETH 0/1, ETH 0/0)

The signal pin-outs for the Model 2821 X.21 interface are shown in table 6.

Table 7. Signal pin-outs for the X.21 interface on the OnSite 2800
Pin | Signal | Pin | Signal
1 | Frame Ground | 8 | Signal Ground
2 | TXDa | 9 | TXDb
3 | CNTa | 10 | CNTb
4 | RXDa | 11 | RXDb
5 | INDa | 12 | INDb
6 | SETa | 13 | SETb

The router's X.21 interface is wired as a DCE. No DTE configuration is possible. The router's X.21 interface requires a cable with a male DB-15 connector. Attach the male DB-15 connector of the X.21 cable to the female DB-15 connector on the router. Attach the other end of the cable to the X.21 connector on the local modem or multiplexer device.

Installing the T1/E1 twisted pair cables

The PRI is usually connected to a PBX or switch (local exchange, LE). Type and pin-outs of these devices vary depending on the manufacturer. In most cases a straight-through RJ-48C to RJ-48C can be used to connect to the PRI (see for E1 RJ-48C pin-out listing) with a PBX. A cross-over cable is required to connect to an NT1, as illustrated in Table 8.

Table 8. RJ-48C receptacle: TX tip, TX ring, TX shield, RX tip, RX ring, RX shield (pin assignments did not survive extraction)

Figure 5. Rear panel of 2803T/EUI

Note: Pins not listed
13. ...Model 2835 V.35 interface are shown in table 6.

Table 6. Signal pin-outs for the V.35 interface on the OnSite 2800 (only these signals survived extraction: Frame Ground, TXDa, RXDa, RTS, TXDb (pin 14), RXCa (pin 15), Signal Ground, DCD)

The router's V.35 interface is wired as a DTE. No DCE configuration is possible. If you are directly connecting the router's V.35 interface to third-party equipment that cannot be configured as a DCE, you must use a tail-circuit cable. You can purchase a tail-circuit cable from a datacom supply vendor. A tail-circuit cable will cross over the necessary V.35 signals so that the two DTE interfaces can communicate.

Note: Some third-party equipment will not be able to work properly in DTE-to-DTE configurations, even when using a tail-circuit cable. Please refer to your third-party equipment user manual for information on DTE-to-DTE operation.

The router's V.35 interface requires a cable with a male DB-25 connector. Attach the male DB-25 (M/35) connector of the V.35 cable to the female DB-25 connector on the router. Attach the other end of the cable to the V.35 connector on the local V.35 modem or multiplexer device.

Installing the X.21 interface cable

The OnSite Model 2821 comes with a V.35 interface presented on a DB-25 female connector (see figure 3).

[Figure 3: rear panel; labels X.21 serial port connector, Status, WAN, Activity, 12V 1A, Reset]
16. ...all entry at the very end, so packets that do not match the first criteria (outbound Web-related traffic) will be dropped. That is why a second access control list entry, one that allows all other traffic, is necessary.

This procedure describes creating an access control list for tagging web traffic from the single source host at a certain IP address.

Mode: Configure
Step | Command | Purpose
1 | node(cfg)#profile acl <name> | Creates a new access control list profile named <name>
2 | node(pf-acl)[name]#permit ip host <ip-address> any traffic-class <class-name> | Creates an IP access control list entry that permits access for the host at IP address <ip-address> and specifies that packets matched by this rule belong to the traffic class <class-name>
3 | node(pf-acl)[name]#permit ip any any | Creates an IP access control list entry that permits IP traffic to or from all IP addresses

Example: Defining the access control list profile

In the example below a new access control list profile named Webserver is created. In addition, an IP access control list entry that permits access for the host at IP address 172.16.1.20 and specifies that packets matched by this rule belong to the traffic class Web is added. Finally, an IP access control list entry that permits IP traffic to or from all IP addresses is added to the access control list.
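The two points the procedure makes, that entries are evaluated in order with the first match deciding, and that a profile without a trailing "permit ip any any" silently drops everything else, are easy to get wrong when writing a profile by hand. The following added example (not from the manual and not Patton's software) is a small model of that evaluation: it parses rule lines in the manual's syntax, including "host", "any", wildcard masks and trailing attributes such as traffic-class or ipsec-policy, and evaluates constructed packets against the Webserver, VPN_In and VPN_Out profiles quoted on this page. The rule parser, packet representation and sample packets are this example's own assumptions about how the device classifies traffic.

```python
# Added example (not from the OnSite manual or Patton's software): ordered
# first-match ACL evaluation with an implicit deny at the end, traffic-class
# tagging and Cisco-style wildcard masks. Profile texts are the manual's
# samples; packets and the internal representation are constructed here.
import ipaddress
from typing import Dict, List, Tuple

AddrSpec = Tuple[str, int, int]   # (kind, address-as-int, wildcard-as-int)


def _addr_spec(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one address operand at tokens[i]: 'any', 'host A', or 'A W' (wildcard)."""
    t = tokens[i]
    if t == "any":
        return ("any", 0, 0), i + 1
    if t == "host":
        return ("host", int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(t))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return ("net", net, wild), i + 2


def parse_rule(line: str) -> dict:
    """'permit ip host 172.16.1.20 any traffic-class Web' -> rule dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line}")
    src, i = _addr_spec(tokens, 2)
    dst, i = _addr_spec(tokens, i)
    rest = tokens[i:]
    if len(rest) % 2:
        raise ValueError(f"dangling attribute in rule: {line}")
    attrs = dict(zip(rest[::2], rest[1::2]))   # e.g. {'traffic-class': 'Web'}
    return {"action": action, "proto": proto, "src": src, "dst": dst, "attrs": attrs}


def parse_profile(text: str) -> List[dict]:
    """Parse the entry lines of a 'profile acl' block, keeping their order."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("profile")]


def _addr_matches(spec: AddrSpec, addr: str) -> bool:
    kind, net, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    if kind == "any":
        return True
    if kind == "host":
        return a == net
    keep = 0xFFFFFFFF ^ wild            # wildcard 1-bits are "don't care"
    return (a & keep) == (net & keep)


def evaluate(rules: List[dict], proto: str, src: str, dst: str) -> Tuple[str, Dict[str, str]]:
    """First matching entry wins; no match at all is an implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:   # 'ip' covers every protocol
            continue
        if _addr_matches(r["src"], src) and _addr_matches(r["dst"], dst):
            return r["action"], dict(r["attrs"])
    return "deny", {}


# Profiles as printed in the manual's examples.
WEBSERVER = parse_profile("""
profile acl Webserver
  permit ip host 172.16.1.20 any traffic-class Web
  permit ip any any
""")
VPN_OUT = parse_profile("""
profile acl VPN_Out
  permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-policy VPN_DES
  permit ip any any
""")
VPN_IN = parse_profile("""
profile acl VPN_In
  permit esp any any
  permit ah any any
  permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
  deny ip any any
""")

if __name__ == "__main__":
    # Constructed packets: (profile, protocol, source, destination).
    for name, rules, pkt in [
        ("Webserver", WEBSERVER, ("tcp", "172.16.1.20", "10.0.0.5")),
        ("Webserver", WEBSERVER, ("tcp", "172.16.1.21", "10.0.0.5")),
        ("Webserver w/o final permit", WEBSERVER[:1], ("tcp", "172.16.1.21", "10.0.0.5")),
        ("VPN_In", VPN_IN, ("tcp", "10.9.9.9", "192.168.1.10")),
    ]:
        print(name, pkt, "->", evaluate(rules, *pkt))
```

Note that the traffic-class tag travels with the permit decision: a packet that hits "permit ip any any" is forwarded but arrives at the link scheduler untagged, which is exactly the "default" source in a service-policy profile.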
17. ...are not used.

WARNING: Hazardous network voltages are present in the PRI cables. If you detach the cable, detach the end away from the OnSite first to avoid possible electric shock. Network hazardous voltages may be present on the device in the area of the PRI port regardless of power being on or off.

CAUTION: To prevent damage to the system, make certain you connect the PRI cable to the PRI port only and not to any other RJ-type receptacle.

Installing the E1 dual coaxial cables

If the PBX or switch connection provides dual coaxial cables for the E1 connection, the transmit cable from the PBX/switch connects to the RX coaxial connector. Similarly, the receive cable from the PBX/switch connects to the TX coaxial connector.

Figure 6. Rear panel of 2803K/UI

Connecting to external power source

The VPN Router comes with one of the following
18. (Table of contents, appendix B; entries that did not survive extraction are omitted)
   Operating temperature (p. 122)
   Operating humidity (p. 122)
   12VDC version with External AC Power Adapter (p. 123)
   5VDC version with External Power Adapter (Model 2805) (p. 123)

B Specifications

Ethernet interfaces
   - 10/100Base-TX Ethernet WAN port
   - 4-port 10/100Base-TX Ethernet LAN switch (Model 2805); 10/100Base-TX Ethernet LAN port (all other models)
   - All ports full duplex, autosensing, auto-MDIX
   - 10/100 Full Duplex Autosensing Ethernet, RJ-45

Sync serial interface
   - ITU-T X.21 or V.35 interface
   - Female DB-15 and DB-25 connectors (receptacles)
   - DTE orientation (DCE orientation for X.21 is available from the Patton factory upon special request)

T1/E1 interface (Model 2803 only)
   - T1: RJ-48C connector (receptacle)
   - E1: RJ-48C connector (receptacle) and dual BNC coaxial connectors (receptacles)
   - Line Rate: 1.544 Mbps (T1) in accordance with ANSI T1.403; 2.048 Mbps (E1) in accordance with ITU-T G.703
   - Line Coding: T1: AMI or B8ZS (default), selectable; E1: AMI or HDB3 (default), selectable
   - Clocking is software selectable as Internal or Network Timing source (default)
   - T1 Line Build-out: Transmit selectable for 0, 7.5, 15, 22.5 dB; Receive
19. ...example, access lists can allow one host to access a part of your network and prevent another host from accessing the same area. In figure 15, host A is allowed to access the Human Resources network and host B is prevented from accessing the Human Resources network.

Figure 15. Using traffic filters to prevent traffic from being routed to a network (Host A, Host B; Human Resources Network; Research & Development Network)

You can also use access lists to decide which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed but at the same time block all Telnet traffic.

When to configure access lists

Access lists should be used in firewall routers, which are often positioned between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network. To provide the security benefits of access lists, you should configure access lists at least on border routers, i.e. those routers situated at the edges of your networks. This provides a basic buffer from the outside network, or from a less controlled area of your own network, into a more sensitive area of your network. On these routers you should configure access lists for each network protocol configured on t
20. ...for Internet or IP WAN access with traffic shaping and prioritization.
   - VPN tunneling for secure traversal of unsecured IP networks
   - IPSec payload encryption with authentication header (AH, specified in RFC 2402) and encapsulating security payload (ESP, specified in RFC 2406) protects data integrity and confidentiality and prevents unauthorized data replay
   - Firewall capabilities, including IP address and IP port filtering, access control lists (ACLs), and denial of service (DoS) attack detection
   - Enhanced IP services include domain name service (DNS) resolver and relay, NAT/NAPT, dynamic DNS, and DHCP server

OnSite 2800 Series detailed description

The OnSite 2800 Series Managed VPN Router provides secure, managed VPN routed networking with 2-port Ethernet LAN connectivity and serial WAN access via a built-in V.35 or X.21 serial WAN interface (see figure 2).

Figure 2. OnSite 2800 Series X.21 and V.35 connectors (IPLink 2835: V.35 serial WAN port connector, Status, WAN, Activity, Power 12V 1A, ETH 0/1 and ETH 0/0 10/100Base-T Ethernet LAN ports 0/1 and 0/0; IPLink 2821: X.21 serial WAN port connector, Status, WAN, Activity, Power 12V 1A, Reset, ETH 0/1 and ETH 0/0 10/100Base-T Ethernet LAN ports 0/1 and 0/0)

OnSite 2800 Series model codes

Serial WAN models

The following models come equipped with an integrated V.35 o
21. ...leading "2800" on a command line represents the nodename of the OnSite. A hash sign (#) at the beginning of a line indicates a comment line.

Chapter 1: General information

Chapter contents (entries that did not survive extraction are omitted)
   OnSite Model 2800 Series overview (p. 18)
   OnSite 2800 Series detailed description (p. 19)
   Serial WAN (p. 19)
   Ethernet WAN (p. 20)
   Branch Office virtual private network over Frame Relay service (p. 23)
   Corporate multi-function virtual private network (p. 24)

OnSite Model 2800 Series overview

The OnSite Model 2800 Series Managed VPN Router (see figure 1) delivers secure, optimized communications across unsecured IP networks between any enterprise headquarters and remote offices, home offices (RoHo) or mobile users. Patton's OnSite 2800 family of VPN routers combines an integrated synch serial interface for access to the Internet or any IP network with full-service IP routing, VPN security via IPSec, and type of service/quality of service (ToS/QoS) traffic shaping and prioritization. The built-in V.35 or X.21 serial interface delivers LAN-to-WAN connectivity without the additional expense of external adapters or CSU/DSU devices
22. ...power supply options, as best suited to the expected installation environment:
   - 120-140VAC internal power supply, designated by the model code extension UI
   - 120-140VAC external power supply, designated by the model code extension EUI
   - 120VAC external power supply, designated by the model code extension E

This section describes installing the power cord into the VPN Router. Do the following:

Note: Do not connect the power cord to the power outlet at this time.

1. If your unit is equipped with an internal power supply, go to step 2. Otherwise, insert the barrel-type connector end of the AC power cord into the external power supply connector (see figure 7).
2. Insert the female end of the power cord into the internal power supply connector (see figure 7).

Figure 7. Power connector location on rear panel (internal power supply connector: accepts 100-240 VAC, 50/60 Hz, up to 1 A; external power supply connector: accepts 12 VDC, 1 A from external AC adapter; some models accept 5 VDC, see Appendix B, "Specifications", for details)

...input voltage from 100 to 240 VAC, 50/60 Hz.

CAUTION: Verify that the proper voltage is present before plugging the power cord into the r
23. ...rear of the OnSite VPN Router.

Connecting cables

WARNING: Do not work on the system or connect or disconnect cables during periods of lightning activity.

CAUTION: The interconnecting cables must be acceptable for external use and must be rated for the proper application with respect to voltage, current, anticipated temperature, flammability, and mechanical serviceability.

Installing VPN Router cables takes place in the following order:
1. Installing the 10/100 Ethernet port cable or cables (see section "Installing the Ethernet cable" on page 30)
2. Installing the cables: (a) V.35 or X.21 serial WAN cable (see section "Installing the serial WAN cable" on page 31), or (b) T1/E1 WAN cable (see section "Installing the serial WAN cable" on page 31)
3. Installing the power input (see section "Connecting to external power source" on page 36)

Installing the Ethernet cable

The OnSite 2800 Series has automatic MDX (auto cross-over) detection and configuration on the Ethernet ports. Any of the two ports (five on the Model 2805 and three on the Model 2823) can be connected to a host or hub/switch with a straight-through wired cable (see figure 1). Ethernet devices (10Base-T or 100Base-T) are connected to the OnSite's Ethernet ports (see table 5 for port pin-out listing) via a cable terminated with RJ-45 plugs.

Table 5. Ethernet 10/100
24. ...software on your OnSite VPN Router.

Power source

If you suspect that your AC power is not reliable, for example if room lights flicker often or there is machinery with large motors nearby, have a qualified professional test the power. Install a power conditioner if necessary.

Location and mounting requirements

The OnSite VPN Router is intended to be placed on a desktop or similar sturdy, flat surface that offers easy access to the cables. Allow sufficient space at the rear of the chassis for cable connections. Additionally, you should consider the need to access the unit for future upgrades and maintenance.

Installing the VPN router

OnSite VPN Router installation consists of the following:
   - Placing the device at the desired installation location (see section "Mounting the VPN router" on page 30)
   - Installing the interface and power cables (see section "Connecting cables" on page 30)

When you finish installing the OnSite router, go to chapter 3, "Getting started with the OnSite Managed VPN Router" on page 38.

Mounting the VPN router

Place the VPN Router on a desktop or similar sturdy, flat surface that offers easy access to the cables. The VPN Router should be installed in a dry environment with sufficient space to allow air circulation for cooling.

Note: For proper ventilation, leave at least 2 inches (5 cm) to the left, right, front and
the interface connected to the modem:

context ip router
  interface wan
    use profile service-policy modem-512 out

Some explanations:
- modem-512 is the name of the profile, which is referred to when installing the scheduler.
- rate-limit 512 allows no more than 512 kbit/s to pass, which avoids queueing in the modem.
- header-length 20 specifies how many framing bytes are added by the modem to pack the IP packet on the link. The framing is taken into account by the rate limiter.
- atm-modem tells the rate limiter that the access link is ATM based. This option includes the ATM overhead in the rate-limit calculation. Add 8 bytes to the header length for AAL5 in this case.
- source traffic-class enters a sub-mode where the specific handling for a traffic class is described. The list of sources in the service-policy profile tells the arbiter which traffic sources to serve.
- critical is the traffic class for the highest-priority packet streams that you have selected.
- priority means that packets of the source being described are always passed on immediately; packets of other classes follow later if the rate limit permits.

Command cross reference

Comparing OnSite with the Cisco IOS QoS software command syntax often helps administrators configure OnSite devices straightforwardly. In table 10 the Cisco IOS Rel
the necessary route.

Mode: Configure
Step 1: node(cfg)# context ip router — Enter the IP context.
Step 2: node(ctx-ip)[router]# interface ifname — Create and enter the IP interface ifname.
Step 3: node(if-ip)[ifname]# use profile acl name out — Activate the outgoing ACL profile name.
Step 4: node(if-ip)[ifname]# context ip router — Enter the IP context.
Step 5 (optional): node(ctx-ip)[router]# route remote-network-address remote-network-mask ifname 0 — Creates a route for the remote network that points to the above IP interface ifname. You can omit this setting if the default route already points to this IP interface, or to a next hop reachable via this IP interface, and if there is no other route.

Also make sure that the IP router knows how to reach the peer of the secured communication. Usually a default route does this job.

Example: Activate outgoing ACL and establish route

The following example configures an outgoing ACL profile that interconnects the two private networks 192.168.1.0/24 and 172.16.0.0/16:

2800(cfg)#context ip router
2800(ctx-ip)[router]#interface WAN
2800(if-ip)[WAN]#use profile acl VPN_Out out
2800(if-ip)[WAN]#context ip router
2800(ctx-ip)[router]#route 172.16.0.0 255.255.0.0 WAN 0

Displaying IPsec configuration information

This section shows how to display and verify the IPsec configuration information.

Procedure: To display IPsec configuration information
Mode: Configure
Command: node(cfg)# show profile ipse
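The example above binds VPN_Out but does not show what the profile contains. The following is an added example, written in OnSite CLI syntax by the editor and not a listing from the manual, of a VPN_Out profile that selects only the traffic between the two private networks for IPsec and passes everything else in clear. The profile name and the two subnets come from the example above; the IPsec policy profile name VPN_3DES_MD5 is a hypothetical placeholder, and the rule syntax (IOS-style wildcard masks and a trailing ipsec-policy keyword) is an assumption about the SmartWare command set that should be checked against the router's own help output.

```text
profile acl VPN_Out
  permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-policy VPN_3DES_MD5
  permit ip any any

context ip router
  interface WAN
    use profile acl VPN_Out out
  route 172.16.0.0 255.255.0.0 WAN 0
```

The first rule is the one that does the security work: a packet that matches it is handed to IPsec, a packet that does not match it is forwarded unprotected by the second rule. If the intent is that nothing leaves the WAN interface unencrypted except what you have explicitly allowed, replace the second rule with deny ip any any and add explicit permits, and send a few packets between the two subnets while watching show profile acl VPN_Out: the match counter of the ipsec-policy rule must increment, not the counter of the catch-all rule.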
this purpose the share command is used, which defines the relative weights of the source traffic classes and policies.

At some point the source traffic-class default must be listed. This class must be present because it defines how packets which do not belong to any of the traffic classes listed in the profile are to be handled. When all listed traffic classes have priority, the handling of the remaining traffic is implicitly defined and the default section can be omitted. Similarly, if no scheduling is used, i.e. the link scheduler is used for packet marking only (e.g. setting the TOS byte), the default section can also be omitted.

The table below shows the basic syntax of the service-policy profile structure.

Mode: Configure
Step 1: node(cfg)# profile service-policy name — Creates a new service-policy profile named name.
Step 2: node(pf-srvpl)[name]# rate-limit value — Limits the global interface rate to value in kbps. Be aware that the actual rate limit on a given interface has to be defined for reliable operation.
Step 3: node(pf-srvpl)[name]# mode {shaper|wfq} — Sets the arbitration scheme to shaper or weighted fair queuing (wfq). If not specified, wfq is the default.
Step 4: node(pf-srvpl)[name]# source {traffic-class|policy} src-name — Enters source configuration mode for a traffic class or a hi
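Putting the profile structure above together with the modem-512 explanation elsewhere on this page, here is one complete service-policy profile as an added example in OnSite CLI syntax (written by the editor, not a listing from the manual). It assumes: that traffic is assigned to a class by an ACL rule with a trailing traffic-class keyword (the ACL rule syntax with wildcard masks and dst-port range is an assumption), the class names critical and default, the share value, and that rate-limit accepts the header-length and atm-modem options. The 28-byte header length is the 20 bytes of modem framing from the explanation plus the 8 bytes the text says to add for AAL5.

```text
profile acl classify
  permit udp any any dst-port range 16384 32767 traffic-class critical
  permit ip any any traffic-class default

profile service-policy modem-512
  rate-limit 512 header-length 28 atm-modem
  mode wfq
  source traffic-class critical
    priority
  source traffic-class default
    share 100

context ip router
  interface wan
    use profile acl classify out
    use profile service-policy modem-512 out
```

Because critical is a priority class, the default section is the only shared class, but it still has to be listed: without it the profile would not say what happens to packets that are not critical. After binding, show service-policy interface wan is the check that the scheduler is actually installed on the interface and that packets are being queued in the class you expect.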
to the IP interface wan that is defined within the IP context, for outgoing traffic:

2800>enable
2800#configure
2800(cfg)#context ip router
2800(ctx-ip)[router]#interface wan
2800(if-ip)[wan]#use profile service-policy Voice_Prio out

Displaying link arbitration status

The show service-policy command displays link arbitration status. This command supports the optional argument interface, which selects a certain IP interface. This command is available in operator mode.

Mode: Operator execution
Command: node> show service-policy [interface name] — Displays the link arbitration status.

Example: Displaying link arbitration status

The following example shows how to display link arbitration status information:

2800>show service-policy
available queue statistics
default
  packets in queue: 10

Displaying link scheduling profile information

The show profile service-policy command displays link scheduling profile information of an existing service-policy profile. This command is only available in administrator mode.

Mode: Administrator execution
Command: node# show profile service-policy name — Displays link scheduling profile information of the service-policy profile name.

Example: Displaying link scheduling profile information

The following example shows how to display li
to which an access control list profile gets bound.
in — Specifies that the access control list profile applies to incoming packets on this interface.
out — Specifies that the access control list profile applies to outgoing packets on this interface.

Thus for each IP interface only one incoming and one outgoing access control list can be active at the same time.

Example: Bind and unbind an access control list profile to an IP interface

Bind an access control list profile to incoming packets on the interface wan in the IP router context:

2800(cfg)#context ip router
2800(ctx-ip)[router]#interface wan
2800(if-ip)[wan]#use profile acl WanRx in

Unbind an access control list profile from an interface:

2800(cfg)#context ip router
2800(ctx-ip)[router]#interface wan
2800(if-ip)[wan]#no use profile acl in

Note: When unbinding an access control list profile, the name argument is not required, since only one incoming and one outgoing access control list can be active at the same time on a certain IP interface.

Displaying an access control list profile

The show profile acl command displays the indicated access control list profile. If no specific profile is selected, all installed access control list profiles are shown. If an access control list is linked to an IP interface, the number of matches for each rule is displayed. If the access control l
your right to file a complaint with the FCC if you believe it is necessary.

The telephone company may make changes in its facilities, equipment, operations or procedures that could affect the operation of the equipment. If this happens, the telephone company will provide advance notice in order for you to make the necessary modifications to maintain uninterrupted service.

If trouble is experienced with this equipment, for repair or warranty information please contact our company. If the equipment is causing harm to the telephone network, the telephone company may request that you disconnect the equipment until the problem is resolved.

Connection to party line service is subject to state tariffs. Contact the state public utility commission, public service commission or corporation commission for information.

Industry Canada Notice (Model 2803 only)

This equipment meets the applicable Industry Canada Terminal Equipment Technical Specifications. This is confirmed by the registration number. The abbreviation IC before the registration number signifies that registration was performed based on a Declaration of Conformity indicating that Industry Canada technical specifications were met. It does not imply that Industry Canada approved the equipment.

Appendix B. Specifications
(Models 2802, 2821, 2835)

Uses an external AC adaptor which provides 12 VDC via a barrel-type connector.
AC adapter input: 90-264 VAC, 47-63 Hz
AC adapter output: 12 VDC, 1.25 A max

Note: Power must be provided by an agency-approved external SELV source which provides reinforced insulation from the AC mains power and where the DC connector is the disconnect device. The source must have a rating of 12 VDC, 1.25 A.

5VDC version with external power adapter (Model 2805)

Uses an external AC adaptor which provides 5 VDC via a barrel-type connector.
AC adapter input: 100-240 VAC, 50-60 Hz
AC adapter output: 5 VDC, 2 A max

Note: Power must be provided by an agency-approved external SELV source which provides reinforced insulation from the AC mains power and where the DC connector is the disconnect device. The source must have a rating of 5 VDC, 2 A.

Appendix C. Cabling

Chapter contents: Introduction (125); Serial console (125); Ethernet 10Base-T and 100Base-T (126)

Introduction

This section provides information on the cables used to connect the OnSite to the existing network infrastructure and to third-party products.

CAUTION: The interconnecting cables must be acceptable for external use and must be rated for the proper application with respect to voltage, current, anticipated temperature, flammability and mechanical serviceability.

Serial console

The OnSite can b
1 9 16 23
    encapsulation hdlc
    hdlc
      encapsulation ppp
      bind interface myPPP router
port e1t1 0 0
  no shutdown

Chapter 6. VPN configuration

Chapter contents: Introduction (68); VPN configuration task list (69); Displaying IPsec configuration information (73); Sample configurations (75); IPsec tunnel: AES encryption at 256-bit key length, AH authentication with HMAC-SHA1-96 (76); IPsec tunnel: 3DES encryption at 192-bit key length, ESP authentication with HMAC-MD5-96 (77)

Introduction

This chapter describes how to configure the VPN connections between two OnSite routers or between an OnSite and a third-party device. A virtual private n
1234567890ABCDEF
  set transform-set 3DES_MD5
  match address 110

For the remainder of the configuration see above; just change the name of the IPsec policy profile in the ACL profile VPN_Out.

Chapter 7. Access control list configuration

Chapter contents: Introduction (80); About access control lists (80); What access lists do (80); Why you should configure access lists (80); When to configure access lists (81); Features of access control lists (81); Access control list configuration task list (82); Mapping out the goals of the access control list (82); Creating an access control list profile and entering configuration mode (83); Adding a filter rule to the current access control list profile (83); Adding an ICMP filter rule to the current access control list profile (85); Adding a TCP, UDP or SCTP filter rule to the current access control list profile (87); Binding and unbinding an access control list profile to an IP interface (89); Displaying an access control list profile (90); Examples (92); Denying a specific subnet (92)

Introduction

This chapter provides an overview of IP Access Control Lists and describes the tasks involved in configuring them through the OnSite router. This chapter includes the following sections:
- About access control lists
- Access control list configuration task list (see page 82)
Appendix F. Installation checklist

Introduction

This appendix lists the tasks for installing an OnSite 2800 Series Managed VPN Router (see table 19). Make a copy of this checklist and mark the entries as you complete each task. For each OnSite 2800 Series Router, include a copy of the completed checklist in your site log.

Table 19. Installation checklist (columns: Task | Verified by | Date)
- Network information available and recorded in site log
- Environmental specifications verified
- Site power voltages verified
- Installation site pre-power check completed
- Required tools available
- Additional equipment available
- All printed documents available
- OnSite release and build number verified
- Rack, desktop or wall mounting of chassis completed
- Initial electrical connections established
- ASCII terminal attached to console port
- Cable length limits verified
- Initial configuration performed
- Initial operation verified
8 on page 96 when using the ACL to classify traffic. It illustrates the sequence of processing stages every routed packet passes. Only stages that have been installed in the data path with a use profile statement in the corresponding interface configuration are present. Both an input-direction ACL on the receiving interface and an output ACL on the transmitting interface can be used to classify a packet for special handling by the output link scheduler on the transmit interface. But, as visible from the figure, no ACL can be used for an input link scheduler.

[Figure 18. Packet routing in OnSite: sequence of processing stages passed by a routed packet, from the local applications (CLI, web server) at the top through routing, IPsec encryption/decryption, access control list (ACL), network address translation (NAT) and the link scheduler, down to the network port (Ethernet, PPPoE, Frame Relay, etc.), and in reverse for received packets.]

The QoS features in OnSite are a combination of an access control list, used for packet classification, and a service-policy profile, used by the link arbiter to define the arbitration mode and the order in which packets of different classes are served.

Introduction to scheduling

Scheduling essentially means determining the order in which packets of the different traffic classes are served. The following sections describe the ways this arbitration can be done.

Priority

One way of ordering packets is to give priority to one
Base-T RJ-45 port pin-outs
Pin | Signal
1 | TX+
2 | TX-
3 | RX+
6 | RX-
Note: Pins not listed are not used.

[Figure 1. Connecting an OnSite 2800 Series device to a hub: a straight-through cable, RJ-45 male to RJ-45 male, with pins 1, 2, 3 and 6 wired pin-to-pin.]

Installing the serial WAN cable

The OnSite 2800 Series is available with the following serial interfaces:
- V.35 (DB-25), Model 2835: see section Installing the V.35 interface cable on page 32 for details on installing the interface cable.
- X.21 (DB-15), Model 2821: see section Installing the X.21 interface cable on page 33 for details on installing the interface cable.
- T1/E1 RJ-48C connectors, Model 2803: see section Installing the T1/E1 twisted pair cables on page 34 for details on installing the twisted pair cable.
- E1 dual coaxial connectors, Model 2803: see section Installing the E1 dual coaxial cables on page 35 for details on installing the coaxial cables.

Installing the V.35 interface cable

The OnSite Model 2835 comes with a V.35 interface presented on a DB-25 female connector (see figure 2).

[Figure 2. Rear view of the router showing the location of the V.35 serial port connector, next to the Status/Activity/Power LEDs, the 100-240 V 50-60 Hz 0.25 A power input, the Reset button and the ETH 0/1 and ETH 0/0 ports.]

The signal pin-outs for the
Declaration of Conformity (118); Authorized European Representative (119); FCC Part 68 (ACTA) Statement, Model 2803 only (119); Industry Canada Notice, Model 2803 only (119)

Appendix B. Specifications (120): Ethernet (121); Sync serial (121); T1/E1 interface, Model 2803 (121); PPP (121); Operating environment (122); Operating temperature (122); Operating humidity (122); Power supply (123); Internal AC version (123); 12VDC version with external AC power adapter, Models 2802, 2821, 2835 (123); 5VDC version with external power adapter, Model 2805 (123)

Appendix C. Cabling (124): Introduction (125); Serial console (125); Ethernet 10Base-T and 100Base-T (126)

Appendix D. Port pin-outs (128): Introduction
Layer 2 header, between the Source Address and the MAC Client Type/Length field of an Ethernet frame. Table 12 lists the tag components.

Table 12. Tag control information (TCI) field
Tag control field | Description
Tagged Frame Type Interpretation | Always set to 8100h for Ethernet frames (802.3ac tag format)
3-bit Priority Field (802.1p) | Value from 0 to 7 representing user priority levels; 7 is the highest
Canonical | Always set to 0
12-bit 802.1Q VLAN Identifier | VLAN identification number

802.1p-compliant infrastructure devices read the 3-bit user priority field and route the frame through an internal buffer queue mapped to the corresponding user priority level.

The command set layer2 cos specifies the layer 2 marking applied to packets of this class by setting the 3-bit priority field (802.1p). The no form of this command disables packet marking. Please note that the Ethernet port must be configured for 802.1Q framing; standard framing has no class-of-service field.

Mode: Source
Command: node(src)[name]# set layer2 cos value — Defines the Class of Service value applied to packets of the selected class or policy name. The range for value is from 0 to 7.

Defining random early detection

The command random-detect is used to request random early detection (RED). When a queue carries lots of TCP tr
Appendix D. Port pin-outs

Introduction

This section provides pin-out information for the ports of the OnSite router.

Console port (RJ-45, EIA-561, RS-232)

The RS-232 serial console port of the OnSite is configured to operate as a DCE. Figure 28 shows the RJ-45 receptacle with the numerical identification of the pin numbers and functions.

[Figure 28. EIA-561 RJ-45 8-pin port, pins numbered 1 to 8.]

Table 15. RS-232 console port signals
Pin | Signal | Direction
1 | DSR | from OnSite
2 | CD | from OnSite
3 | DTR | to OnSite
4 | Signal Ground | -
5 | RD | from OnSite
6 | TD | to OnSite
7 | CTS | from OnSite
8 | RTS | to OnSite

Ethernet 10Base-T and 100Base-T port

Table 16. RJ-45 socket
Pin | Signal | Direction
1 | TX+ | from OnSite
2 | TX- | from OnSite
3 | RX+ | to OnSite
6 | RX- | to OnSite
The Ethernet ports are auto-detect MDI-X. Note: Pins not listed are not used.

Sync serial port

V.35 serial port

Table 17. V.35 female DB-25 connector pin-out
Pin | Signal
1 | Frame Ground
2 | TD(a)
3 | RD(a)
4 | RTS
5 | CTS
6 | DSR
7 | Signal Ground
8 | DCD
9 | RC(b)
11 | ETC(b)
12 | TC(b)
14 | TD(b)
15 | TC(a)
16 | RD(b)
17 | RC(a)
18 | LL
20 | DTR
21 | RL
24 | ETC(a)

Ethern
PN Router to the network.

You can check the connection with the ping command to another host on the local LAN:

172.16.1.99(if-ip)[eth0]#ping <IP address of the host>

Respectively, from the host:

ping 172.16.1.99

Note: To ping outside your local LAN you will need to configure the default gateway.

3. Load configuration

Patton provides a collection of configuration templates on the CD-ROM that came with the OnSite device, one of which may be similar enough to your application that you can use it to speed up configuring the OnSite router. Simply download the configuration note that matches your application to your PC, adapt the configuration as described in the configuration note to your network (remember to modify the IP address), and copy the modified configuration to a TFTP server. The OnSite VPN Router can now load its configuration from this server. Keep in mind that TFTP transfers the file without authentication or encryption, so use it only on a trusted LAN (such as the directly attached segment in this example) and review the file before loading it, since whatever it contains becomes the router's start-up configuration.

In this example we assume the TFTP server is on the host with the IP address 172.16.1.11 and the configuration is named IPL.cfg in the root directory of the TFTP server:

172.16.1.99(if-ip)[eth0]#copy tftp://172.16.1.11/IPL.cfg startup-config
Download...100%
172.16.1.99(if-ip)[eth0]#

After the OnSite VPN Router has been rebooted, the new start-up configuration will be activated:

172.16.1.99(if-ip)[eth0]#reload
Running configuration has been changed. D
Command: node(src)[name]# queue-limit number-of-packets — Defines the maximum number of packets queued for the selected class or policy name.

Specifying the type of service (TOS) field

The set ip tos command specifies the type of service (TOS) field value applied to packets of the class name. TOS and DSCP markings cannot be used at the same time. The no form of this command disables TOS marking.

The type of service (TOS) byte in an IP header specifies precedence (priority) and type of service (RFC 791, RFC 1349). The precedence field is defined by the first three bits and supports eight levels of priority. The next four bits, which are set by the set ip tos command, determine the type of service (TOS).

Table 11. TOS values and their meaning
TOS bits | OnSite value | Meaning
1000 | 8 | Minimize delay
0100 | 4 | Maximize throughput
0010 | 2 | Maximize reliability
0001 | 1 | Minimize monetary cost
0000 | 0 | All bits cleared: normal service (default TOS)

Historically those bits had distinct meanings, but since they were never consistently applied, routers ignore them by default. Nevertheless you can configure your routers to handle specific TOS values, and OnSite allows you to inspect the TOS value in the ACL rules and to modify the TOS value with the link scheduler set ip tos command.

Mode: Source
Command: Purp
CSA C22.2 No. 60950-1; IEC/EN 60950-1; AS/NZS 60950-1

PSTN Regulatory: ACTA Part 68 (Model 2803); CS03 (Model 2803); AS/ACIF S016 (Model 2803)

Radio and TV Interference (FCC Part 15)

The OnSite router generates and uses radio frequency energy and, if not installed and used properly (that is, in strict accordance with the manufacturer's instructions), may cause interference to radio and television reception. The OnSite router has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection from such interference in a commercial installation. However, there is no guarantee that interference will not occur in a particular installation. If the OnSite router does cause interference to radio or television reception, which can be determined by disconnecting the unit, the user is encouraged to try to correct the interference by one or more of the following measures: moving the computing equipment away from the receiver, re-orienting the receiving antenna, and/or plugging the receiving equipment into a different AC outlet such that the computing equipment and receiver are on different branches.

CE Declaration of Conformity

This equipment conforms to the requirements of Council Directive 1999/5/EC on the approximation of the laws of the member states relating to Radio and Telecommunication Terminal Equipm
[Figure 9. Steps for setting up a new OnSite VPN Router: a PC or workstation (VT-100 emulation) attached to the serial interface and a network interface; steps 1 Configure IP address, 2 Modify configuration, 3 Load configuration; configuration examples are fetched from the Patton web server.]

Note: You can manually configure the IPLink Router; you do not have to load a configuration file.

1. Configure IP address

Power connection and default configuration

First the OnSite VPN Router must be connected to the mains power supply with the power cable. Wait until the Run LED stops blinking and lights constantly. Now the OnSite VPN Router is ready. The factory default configuration for the Ethernet interface IP addresses and network masks is listed in table 9.

Table 9. Factory default IP address and network mask configuration
Interface | IP address | Network mask
Ethernet 0/0 (ETH0) | 172.16.40.1 | 255.255.0.0
Ethernet 0/1 (ETH1) | 192.168.1.1 | 255.255.255.0
Ethernet 0/2 (ETH2) | x.x.x.x | x.x.x.x
Ethernet 0/3 (ETH3) | x.x.x.x | x.x.x.x
Ethernet 0/4 (ETH4) | x.x.x.x | x.x.x.x

All Ethernet interfaces are activated upon power-up. If these addresses match those of your network, go to section 2, Connect the OnSite VPN Router to the network, on page 42. Otherwise refer to the following sections to change th
The Model 2800 Series' flexible AC or DC power source options accommodate virtually any installation environment.

[Figure 1. OnSite Managed VPN Router (2805 shown)]

Each member of the Model 2800 family provides two 10/100Base-T Ethernet ports and one integrated T1/E1, V.35 or X.21 synchronous serial WAN port to deliver a managed virtual private network (VPN) connection over the Internet or any unsecured IP network. OnSite 2800 Series Routers support Frame Relay and PPP networking with VPN and firewall functionality. Authentication and firewall services protect against unauthorized users, while encryption and anti-replay capabilities preserve data confidentiality. Patton's CoS and QoS mechanisms provide traffic shaping and prioritization so that mission-critical data is delivered promptly and unimpeded by traffic from other users on the same LAN. Besides assuring first priority for key information, Patton's QoS technology enhances the quality and clarity of realtime applications such as live voice and video communications with the main office. These compact VPN Routers support PPP, PPPoE and Frame Relay services over the serial WAN link.

The OnSite VPN Router performs the following major functions:
- Routed LAN-to-WAN connectivity between two 10/100 Ethernet LAN ports and one V.35, X.21 or synchronous serial WAN port
- IP routing with class of service / quality of service (CoS/QoS) support
The separation of corporate and Internet traffic is managed by an ACL that uses IP addresses as the dividing criterion. To configure this application you must configure the following features:
- A serial Frame Relay link as the WAN service, which will carry both private corporate traffic and public Internet traffic
- An IPsec VPN for private corporate traffic
- An ACL to distinguish between the two types of traffic, so that only the private corporate traffic is carried over the VPN

See chapter 4 on page 44 to configure the serial port, chapter 6 on page 67 to configure the VPN, and chapter 7 on page 79 to configure the ACL. Chapter 8 on page 93 provides more in-depth explanations of scheduling various types of traffic; various techniques are also described, including QoS and TOS.

Chapter 2. Hardware installation

Chapter contents: Planning the installation (27); Software (29); Power source (29); Location and mounting requirements (30); Installing the VPN router (30); Mounting the VPN router (30); Connecting cables (30); Installing the Ethernet cable (30); Installing the serial WAN cable (31); Installing the V.35 interface cable (32); Installing the X.21 interface cable (33)
(129); Console port (RJ-45, EIA-561, RS-232) (129); Ethernet 10Base-T and 100Base-T port (130); Sync serial port (130); V.35 serial port (130); X.21 serial port (131)

Appendix E. OnSite 2800 Series factory configuration (132): Introduction (133)

Appendix F. Installation checklist (134): Introduction (135)

List of figures: 1 OnSite Managed VPN Router, 2805 shown (18); 2 OnSite 2800 Series X.21 and V.35 connectors (19); 3 OnSite 2800 Series 100Base-T Ethernet port connectors (20); 4 OnSite 2800 Series power input connectors (21); 5 OnSite 2800 Series front panels (22); 6 Branch office virtual private network over a Frame Relay service network (23); 7 Corporate multi-location virtual private network (24); 8 Connecting an OnSite 2800 Series device to a hub (31); 9 Rear view of the router showing location of V.35 interface connector
al coaxial connectors
T1: ANSI T1.403 and AT&T TR54016, with AMI coding/D4 framing or B8ZS coding/ESF framing; RJ-48C connector

Power (rear panel)

The router is available in a DC or AC power input version (see figure 4 on page 21), labeled as follows:
- AC version: internal power supply, 100-240 VAC, 50-60 Hz, 1 A
- DC version: 12 V, 1 A (Models 2821, 2802, 2835) or 5 VDC, 1 A (Model 2805)

Console (front panel)

Used for service and maintenance and available on all OnSite 2800 models except the OnSite 2805, the Console port (see figure 5), an RS-232 RJ-45 connector, connects the router to a serial terminal such as a PC or ASCII terminal (also called a dumb terminal).

[Figure 5. OnSite 2800 Series front panels, showing the Console port.]

Note: For LED descriptions refer to chapter 9, LEDs status and monitoring, on page 112.

Applications overview

Patton's OnSite managed VPN routers deliver the features you need for secure, optimized communication over non-secured IP networks. Combining VPN tunneling, standard IPsec encryption and firewall capabilities with Patton's quality of service technology, OnSite VPN routers deliver private, prioritized networking for business, government and military applications. Banking, insurance, re
an IP interface

The command use is used to bind an access control list profile to an IP interface. This procedure describes how to bind an access control list profile to incoming packets on an IP interface.

Mode: Interface
Command: node(if-ip)[ifname]# use profile acl name in — Binds access control list profile name to incoming packets on IP interface ifname.

Where the syntax is:
ifname — The name of the IP interface to which an access control list profile gets bound.
name — The name of an access control list profile that has already been created using the profile acl command. This argument must be omitted in the no form.
in — Specifies that the access control list profile applies to incoming packets on this interface.
out — Specifies that the access control list profile applies to outgoing packets on this interface.

The no form of the use command is used to unbind an access control list profile from an interface. When using this form, the name of the access control list profile (represented by the name argument above) is not required. This procedure describes how to unbind an access control list profile from incoming packets on an IP interface.

Mode: Interface
Command: node(if-ip)[ifname]# no use profile acl in — Unbinds the access control list profile for incoming packets on IP interface ifname.

Where the syntax is:
ifname — The name of the IP interface
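The bind and unbind procedure above, and the WanRx example elsewhere on this page, show only the use statement. The following is an added example in OnSite CLI syntax, written by the editor rather than taken from the manual, of an inbound profile on the WAN interface that admits only the traffic a small site needs and drops the rest, followed by the commands used to check it and to take it off again. The ACL rule syntax (IOS-style wildcard masks, dst-port eq), the rule-ordering and catch-all behaviour, and the addresses 192.168.1.10 (a LAN web server) and 198.51.100.53 (an external DNS server) are assumptions made for the example.

```text
profile acl WanRx
  permit tcp any 192.168.1.10 0.0.0.0 dst-port eq 443
  permit udp 198.51.100.53 0.0.0.0 192.168.1.0 0.0.0.255
  permit icmp any 192.168.1.0 0.0.0.255
  deny ip any any

context ip router
  interface wan
    use profile acl WanRx in

show profile acl WanRx

context ip router
  interface wan
    no use profile acl in
```

Two points a practitioner should take from it. First, the list is stateless: the second rule exists only because DNS answers from the outside would otherwise be dropped, so every flow that originates on the LAN needs a rule for its return direction. Second, the final deny ip any any makes the drop policy explicit rather than relying on whatever the implicit default is, and show profile acl WanRx then tells you which rule each packet hit: when expected traffic disappears, a zero counter on the rule that should have matched while the deny counter climbs is the first thing to look at.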
49. ansfers that last longer than simple web requests, there is a risk that TCP flow control might be inefficient. A burst tolerance index between 1 and 10 may optionally be specified (exponential filter weight). The no form of this command reverts the queue to default tail drop behavior. Mode: Source. Command: node(src)[name]#random-detect [burst-tolerance]. Purpose: Defines random early detection (RED) for queues of the selected traffic class or policy name. The range for the optional value burst tolerance is from 1 to 10. Discarding Excess Load. The command police controls traffic arriving in a queue for class name. The value of the first argument, average kilobits, defines the average permitted rate in kbps; the value of the second argument, kilobits ahead, defines the tolerated burst size in kbps ahead of schedule. Excess packets are dropped. This procedure describes defining discard excess load. Mode: Source. Command: node(src)[name]#police average-kilobits burst-size kilobits-ahead. Purpose: Defines how traffic arriving in a queue for the selected class or policy name has to be controlled. The value average kilobits for average rate permitted is in the range from 0 to 10000 kbps. The value kilobits ahead for burst size tolerated ahead of schedule is in the range from 0 to 10000. (Link scheduler configuration task list, page 108. OnSite 2800 Series User Manual, 8 Link scheduler configuration.) Devoting the service policy profil
50. ation type. You must use the PVC configuration command encapsulation rfc1490 to set the encapsulation type to comply with the Internet Engineering Task Force (IETF) standard RFC 1490. Use this keyword when connecting to another vendor's equipment across a Frame Relay network. This procedure describes how to set the encapsulation type to comply with RFC 1490. Mode: Frame Relay. Step 1: node(frm-rel)[slot/port]#encapsulation rfc1490. Purpose: Sets RFC1490 PVC compliant encapsulation. Example: Configuring the PVC encapsulation type. The following example sets the encapsulation type to comply with RFC 1490 for PVC with the assigned DLCI of 1 for Frame Relay over the serial interface on slot 0 and port 0 of an OnSite router:
2800(cfg)#port serial 0 0
2800(prt-ser)[0/0]#framerelay
2800(frm-rel)[0/0]#pvc 1
2800(pvc)[1]#encapsulation rfc1490
Binding the Frame Relay PVC to IP interface. A newly created permanent virtual circuit (PVC) for Frame Relay has to be bound to an IP interface for further use. The logical IP interface has to be already defined and should be named according to the use of the serial (Serial port configuration task list, page 50. OnSite 2800 Series User Manual, 4 Serial port configuration) Frame Relay PVC. If serial Frame Relay PVC shall be used as WAN access, a suitable name for the logical IP interface could be wan, as in figure 12 below. [Figure 12: IP interfaces eth and wan bound to their ports.] Po
51. by a serial interface, use the encapsulation interface configuration command. This procedure describes how to set the encapsulation type of the serial interface for Frame Relay. Mode: Administrator execution. Step 1: node(cfg)#port serial slot port. Purpose: Selects the serial interface on slot and port. Step 2: node(prt-ser)[slot/port]#[no] encapsulation {framerelay | ppp}. Purpose: Sets the encapsulation type for the selected interface. Step 3: node(prt-ser)[slot/port]#show port serial. Purpose: Displays the serial interface configuration. Example: Configuring the serial encapsulation type. The following example enables Frame Relay encapsulation for the serial interface on slot 0 and port 0 of an OnSite router. Check that in the command output of show port serial, Encapsulation is set to framerelay:
2800(cfg)#port serial 0 0
2800(prt-ser)[0/0]#encapsulation framerelay
2800(prt-ser)[0/0]#show port serial
Serial Interface Configuration
Port: serial 0 0 0
State: CLOSED
Hardware Port: V.35
Transmit Edge: normal
Port Type: DTE
CRC Type: CRC-16
Max Frame Length: 2048
Recv Threshold: 1
Encapsulation: framerelay
(Serial port configuration task list, page 47. OnSite 2800 Series User Manual, 4 Serial port configuration.) Enter Frame Relay mode. This section describes how to configure Frame Relay on the serial interface of an OnSite router after setting the basic serial interface parameters according to the previous sections. This proc
52. c trans. Purpose: Displays all IPsec transformation profiles (optional). node(cfg)#show profile ipsec-policy-manual. Purpose: Displays all IPsec policy profiles (optional). (VPN configuration task list, page 73. OnSite 2800 Series User Manual, 6 VPN configuration.) Example: Display IPsec transformation profiles.
2800(cfg)#show profile ipsec-transform
IPSEC transform profiles:
Name: AES_128
ESP Encryption: AES-CBC, Key length: 128
Example: Display IPsec policy profiles.
2800(cfg)#show profile ipsec-policy-manual
Manually keyed IPsec policy profiles:
Name: ToBurg, Peer: 200.200.200.1
Mode: tunnel
transform-profile: AES_128
ESP SPI Inbound: 1111, Outbound: 2222
ESP Encryption Key Inbound: 1234567890ABCDEF1234567890ABCDEF
ESP Encryption Key Outbound: FEDCBA0987654321FEDCBA0987654321
Debugging IPsec. A debug monitor and an additional show command are at your disposal to debug IPsec problems. Procedure: To debug IPsec connections. Mode: Configure. Step 1: node(cfg)#debug ipsec. Purpose: Enables IPsec debug monitor. Step 2 (optional): node(cfg)#show ipsec security-associations. Purpose: Summarizes the configuration information of all IPsec connections. If an IPsec connection does not show up, then one or more parameters are missing in the respective Policy Profile. The information Bytes processed supports debugging because it indicates whether IPsec packets depart from (OUT) or arrive at (IN) the OnSite router.
53. cal knowledge base. Here we have gathered together many of the more commonly asked questions and compiled them into a searchable database to help you quickly solve your problems. Patton Support Headquarters in the USA: Online support, available at http://www.patton.com. E-mail support: e-mail sent to support@patton.com will be answered within 1 business day. Telephone support: standard telephone support is available five days a week from 8:00 am to 5:00 pm EST (1300 to 2200 UTC) by calling +1 (301) 975-1007. Fax: +1 (253) 663-5693. Alternate Patton support for Europe, Middle East and Africa (EMEA): Online support, available at http://www.patton-inalp.com. E-mail support: email sent to support@patton-inalp.com will be answered within 1 day. Telephone support: standard telephone support is available five days a week from 8:00 am to 5:00 pm CET (0900 to 1800 UTC/GMT) by calling +41 (0)31 985 25 55. Fax: +41 (0)31 985 25 26. Warranty Service and Returned Merchandise Authorizations (RMAs). Patton Electronics is an ISO 9001 certified manufacturer and our products are carefully tested before shipment. All of our products are backed by a comprehensive warranty program. Note: If you purchased your equipment from a Patton Electronics reseller, ask your reseller how you should proceed with warranty service. It is often more convenient for you to work with your local reseller to obtain a replacement. Patton services our
54. capsulation hdlc will be available again. Once the encapsulation of a T1/E1 port is set to channelized, it is not possible to change the port type again or to use the unframed framing format. Mode: port e1t1 slot port. Command: name(prt-e1t1)[slot/port]#[no] encapsulation {channelized | hdlc}. Purpose: Specifies the encapsulation type of the T1/E1 port. Default: no encapsulation. Create a Channel Group. If the desired encapsulated channel uses only selected time slots (not the entire T1/E1), then it is necessary to set up a channel group. To create a channel group, set the T1/E1 port's encapsulation to channelized. See section Configuring T1/E1 encapsulation. (T1/E1 port configuration task list, page 62. OnSite 2800 Series User Manual, 5 T1/E1 port configuration.) On creating a new channel group, the channel group configuration mode is immediately entered. To remove an existing channel group, the no form of the command has to be used. Mode: port e1t1 slot port. Step 1: name(prt-e1t1)[slot/port]#[no] channel-group group-name. Purpose: Enters the channel group configuration mode of group group-name. If the group does not yet exist, a new one will be created. The no form of the command removes an existing channel group. Configuring Channel Group Timeslots. The timeslots command configures an arbitrary sequence of timeslots for use in data transmission. The syntax of t
55. card host dest: The address of a single destination host. cos: Optional. Specifies that packets matched by this rule belong to a certain Class of Service (CoS). For detailed description of CoS configuration refer to chapter 8, Link scheduler configuration, on page 93. cos-rtp: Optional. Specifies that the rule is intended to filter RTP/RTCP packets. In this mode you can specify different CoS groups for data packets (even port numbers) and control packets (odd port numbers). Note: this option is only valid when protocol UDP is selected. group: CoS group name. group-data: CoS group name for RTP data packets. Only valid when the rtp option has been specified. group-ctrl: CoS group name for RTCP control packets. Only valid when the rtp option has been specified. Example: Create TCP or UDP access control list entries. Select the access list profile named WanRx and create the rules for permitting any TCP traffic to host 193.14.2.10 via port 80 and permitting UDP traffic from host 62.1.2.3 to host 193.14.2.11 via any port in the range from 1024 to 2048:
2800(cfg)#profile acl WanRx
2800(pf-acl)[WanRx]#permit tcp any host 193.14.2.10 eq 80
2800(pf-acl)[WanRx]#permit udp host 62.1.2.3 host 193.14.2.11 range 1024 2048
2800(pf-acl)[WanRx]#exit
2800(cfg)#
(Access control list configuration task list, page 88. OnSite 2800 Series User Manual, 7 Access control list configuration.) Binding and unbinding an access control list profile to
56. ccess to multiple remote sites by leveraging OnSite's multiple frame relay PVC support (see figure 7). The enterprise enjoys the benefits of secure multi-office virtual private networking with QoS for prioritized traffic flow for mission critical information. [Figure 7: Corporate multi-function virtual private network (Corporate Headquarters, Frame Relay PVC, Internet, VPN, Corporate traffic).] (Applications overview, page 24. OnSite 2800 Series User Manual, 1 General information.) In figure 7, the blue pipes represent VPN connections for private traffic within the corporate intranet, while the green pipes represent the Internet traffic. The red pipe is a Frame Relay PVC transporting Internet traffic and private corporate traffic over the VPN. Each of the three remote sites is connected with headquarters via an OnSite VPN router. Each remote site can take advantage of the most convenient and locally available interface the WAN service can offer, whether X.21 or V.35. The corporate multi-function application carries two types of traffic between each remote office and corporate's central office: private corporate traffic (the intranet/extranet) and Internet traffic. The service provider offers a Frame Relay network for access, so both the private corporate traffic and the Internet traffic are transported over a Frame Relay PVC with one DLCI. The corporate traffic is transported within IPSec VPN that is in the Frame Relay PVC
57. cl WanRx
2800(pf-acl)[WanRx]#permit ip host 62.1.2.3 host 193.14.2.11 cos Urgent
2800(pf-acl)[WanRx]#permit ip 62.1.2.3 0.0.255.255 host 193.14.2.11
2800(pf-acl)[WanRx]#permit ip 97.123.111.0 0.0.0.255 host 193.14.2.11
2800(pf-acl)[WanRx]#deny ip any any
2800(pf-acl)[WanRx]#exit
2800(cfg)#
(Access control list configuration task list, page 84. OnSite 2800 Series User Manual, 7 Access control list configuration.) Adding an ICMP filter rule to the current access control list profile. The commands permit or deny are used to define an ICMP filter rule. Each ICMP filter rule represents an ICMP access control list entry. This procedure describes how to create an ICMP access control list entry that permits access. Mode: Profile access control list. Step 1: node(pf-acl)[name]#permit icmp {src src-wildcard | any | host src} {dest dest-wildcard | any | host dest} [msg name | type type | type type code code] [cos group]. Purpose: Creates an ICMP access control list entry that permits access, defined according to the command options. This procedure describes how to create an ICMP access control list entry that denies access. Mode: Profile access control list. Step 1: node(pf-acl)[name]#deny icmp {src src-wildcard | any | host src} {dest dest-wildcard | any | host dest} [msg name | type type | type type code code] [cos g
58. (OnSite 2800 Series User Manual, page 93, 8 Link scheduler configuration.) Introduction. This chapter describes how to use and configure the OnSite Quality of Service (QoS) features. Refer to 7, Access control list configuration, on page 79 for more information on the use of access co
59. ct nettos, redirect nettos, unreachable netunreachable, network unknown, no room for option, option missing, packet too big, parameter problem, port unreachable, precedence unreachable, protocol unreachable, reassembly timeout, redirect, router advertisement, router solicitation, source quench, source route failed, time exceeded, timestamp reply, timestamp request, traceroute, ttl exceeded, unreachable. type type: The ICMP message type, a number from 0 to 255 inclusive. code code: The ICMP message code, a number from 0 to 255 inclusive. cos: Optional. Specifies that packets matched by this rule belong to a certain Class of Service (CoS). For detailed description of CoS configuration refer to chapter 8, Link scheduler configuration, on page 93. group: CoS group name. If you place a deny ip any any rule at the top of an access list profile, no packets will pass regardless of the other rules you defined. Example: Create ICMP access control list entries. Select the access list profile named WanRx and create the rules to filter all ICMP echo requests as used by the ping command:
2800(cfg)#profile acl WanRx
2800(pf-acl)[WanRx]#deny icmp any any type 8 code 0
2800(pf-acl)[WanRx]#exit
2800(cfg)#
(Access control list configuration task list, page 86. OnSite 2800 Series User Manual, 7 Access control list configuration.) The same effect can also be obtained by using the simpler message name option. See the foll
60. d injury caused by electric shock. (OnSite 2800 Series User Manual, page 13, About this guide.) Safety when working with electricity. WARNING: The OnSite contains no user serviceable parts. The equipment shall be returned to Patton Electronics for repairs, or repaired by qualified service personnel. Opening the OnSite case will void the warranty. Mains Voltage: Do not open the case when the power cord is attached. For systems without a power switch, line voltages are present within the power supply when the power cords are connected. The mains outlet that is utilized to power the device shall be within 10 feet (3 meters) of the device, shall be easily accessible, and protected by a circuit breaker. For units with an external power adapter, the adapter shall be a listed Limited Power Source. For AC powered units, ensure that the power cable used with this device meets all applicable standards for the country in which it is to be installed, and that it is connected to a wall outlet which has earth ground. Hazardous network voltages are present in WAN ports regardless of whether power to the OnSite is ON or OFF. To avoid electric shock, use caution when near WAN ports. When detaching cables, detach the end away from the OnSite first. Do not work on the system or connect or disconnect cables during periods of lightning activity. Before opening the chassis, disconnect
61. d prioritized network connection to another location over virtually any available network service and any standard WAN interface. [Figure 6: Branch office virtual private network over a Frame Relay service network (two 2800 IPLink routers).] Figure 6 shows a branch-to-branch VPN connection through a frame relay service network as delivered on serial lines. The OnSite 2800 Series can support a similar scenario with network service delivered via V.35 or (Applications overview, page 23. OnSite 2800 Series User Manual, 1 General information) X.21 serial interfaces or an Ethernet WAN interface. For remote sites where PPP service is available, the 2800 Series also supports PPP network access over all the standard WAN interface options mentioned above. In this specific application, all traffic between the branch and corporate offices is carried in an IPSec tunnel. All of the IPSec VPN traffic is encapsulated in Frame Relay for transport over the Frame Relay service network. The serial port is configured for Frame Relay. To configure this application, you need to configure the following features: the serial port with Frame Relay as the encapsulation protocol, and an IPSec VPN between the two endpoints. See chapter 4 on page 44 to configure the serial port and chapter 6 on page 67 to configure the VPN. Corporate multi-function virtual private network. The OnSite 2800 Series can deliver both private corporate intranet service and public Internet a
62. de, an error message will be advised. Mode: port e1t1 slot port. Command: name(prt-e1t1)[slot/port]#linecode {ami | b8zs | hdb3}. Purpose: Configures the line code of the port. Default for e1: hdb3. Default for t1: b8zs. (T1/E1 port configuration task list, page 60. OnSite 2800 Series User Manual, 5 T1/E1 port configuration.) Configuring T1/E1 framing. Four framing formats are available for selection on the T1/E1 port. Unframed can only be used if the encapsulation is set for hdlc. All other currently available upper layer encapsulation protocols do not run in unframed mode but in one of the framed modes. In structured mode, E1 can be configured for crc or non-crc; T1 has a single framed option, esf. The advantage of the unframed mode (obviously with hdlc encapsulation) is the utilization of the whole link speed for user data transmission: 2.048 Mbit/s for E1 and 1.544 Mbit/s for T1. However, note that HDLC has its own overhead, which decreases the actual data rate. Mode: port e1t1 slot <port>. Step 1: name(prt-e1t1)[slot/port]#framing {crc4 | non-crc4 | esf | unframed}. Purpose: Configures the framing of the port. E1 mode formats are crc4, non-crc4, unframed. T1 mode formats are esf, unframed. Default for e1: crc4. Default for t1: esf. Configuring T1/E1 line build-out (T1 only). The line build-out configuration is used in long haul applications to prevent cross-talk in the far end device. M
63. defects in workmanship or materials and does not cover customer damage, abuse, or unauthorized modification. If the product fails to perform as warranted, your sole recourse shall be repair or replacement as described above. Under no condition shall Patton Electronics be liable for any damages incurred by the use of this product. These damages include, but are not limited to, the following: lost profits, lost savings, and incidental or consequential damages arising from the use of or inability to use this product. Patton Electronics specifically disclaims all other warranties, expressed or implied, and the installation or use of this product shall be deemed an acceptance of these terms by the user.
64. delete an access control list profile. You cannot delete an access control list profile if it is currently linked to an interface. When you leave the access control list configuration mode, the new settings immediately become active. Example: Create an access control list profile. In the following example, the access control list profile named WanRx is created and the shell of the access control list configuration mode is activated:
2800>enable
2800#configure
2800(cfg)#profile acl WanRx
2800(pf-acl)[WanRx]#
Adding a filter rule to the current access control list profile. The commands permit or deny are used to define an IP filter rule. This procedure describes how to create an IP access control list entry that permits access. Mode: Profile access control list. Command: node(pf-acl)[name]#permit ip {src src-wildcard | any | host src} {dest dest-wildcard | any | host dest} [cos group]. Purpose: Creates an IP access control list entry that permits access, defined according to the command options. This procedure describes how to create an IP access control list entry that denies access. (Access control list configuration task list, page 83. OnSite 2800 Series User Manual, 7 Access control list configuration.) Mode: Profile access control list. Step 1: node(pf-acl)[name]#deny ip {src src-wildcard | any | host src} {dest dest-wildcard | any | host dest} [cos group]. Purpose: Creates an IP access control list e
65. down
exit
Displaying serial port information. The following example shows the commands used to display serial port configuration settings:
HDLC Driver: 0x8496b8
Slot: 0
Number of Ports: 1
Port: serial 0 0 0
State: OPENED
Configuration:
Hardware Port: X.21
Port Type: DCE
CRC: CRC-16
Transmit Edge: Normal
Max Frame Length: 1920
Baudrate: 64000 bps
Recv Threshold: 1
(Serial port configuration task list, page 53. OnSite 2800 Series User Manual, 4 Serial port configuration.) Displaying Frame Relay information. Since Frame Relay configuration for the serial interface is complex and requires many commands, it is helpful to list the frame relay configuration on screen. This procedure describes how to display the Frame Relay configuration settings for the serial interface. Mode: Port serial. Step 1: node(prt-ser)[slot/port]#show framerelay. Purpose: Displays Frame Relay information. Example: Displaying Frame Relay information. The following example shows the commands used to display Frame Relay configuration settings:
2800>enable
2800#configure
2800(cfg)#show framerelay
Framerelay Configuration:
Port           LMI Type   Keepalive   Fragmentation
serial 0 0 0   ansi       10          disabled
Pvc Configuration:
Port           DLCI   State   Fragment   Encaps    Binding
serial 0 0 0   1      open    disabled   rfc1490   wan router
(Serial port configuration task list, page 54. OnSite 2800 Series User Manual, 4 Serial port con
67. e accepted for repairs only. RMA numbers. RMA numbers are required for all product returns. You can obtain an RMA by doing one of the following: completing a request on the RMA Request page in the Support section at http://www.patton.com; by calling +1 (301) 975-1007 and speaking to a Technical Support Engineer; by sending an e-mail to returns@patton.com. All returned units must have the RMA number clearly visible on the outside of the shipping container. Please use the original packing material that the device came in, or pack the unit securely to avoid damage during shipping. Shipping instructions: The RMA number should be clearly visible on the address label. Our shipping address is as follows: Patton Electronics Company, RMA#xxxx, 7622 Rickenbacker Dr., Gaithersburg, MD 20879-4773, USA. Patton will ship the equipment back to you in the same manner you ship it to us. Patton will pay the return shipping costs. (Warranty Service and Returned Merchandise Authorizations (RMAs), page 116.) Appendix A: Compliance information. (OnSite 2800 Series User Manual, A Compliance information.) Compliance. EMC: FCC Part 15, Class A; EN55022, Class A; EN55024. Safety: UL 60950-1; C
68. e addresses and network masks. Connect with the serial interface. The Console port is wired as an EIA-561 RS-232 port. Use the included Model 16F-561 adapter and cable (see figure 10) between the OnSite VPN Router's Console port and a PC or workstation's RS-232 serial interface. Activate the terminal emulation program on the PC or workstation that supports the serial interface, e.g. HyperTerm. [Figure 10: Connecting to the terminal (serial terminal attached to the Console port).] Note: A Patton Model 16F-561 RJ45 to DB-9 adapter is included with each IPLink 2800 Series device. Terminal emulation program settings: 9600 bps, no parity, 8 bit, 1 stop bit, no flow control. (1 Configure IP address, page 40. OnSite 2800 Series User Manual, 3 Getting started with the OnSite Managed VPN Router.) Login. Accessing your OnSite VPN Router via the local console port or via a Telnet session causes the login screen to display. Type the factory default login administrator and leave the password empty. Press the Enter key after the password prompt:
login: administrator
password: <Enter>
172.16.40.1>
After you have successfully logged in, you are in the operator execution mode, indicated by > as command line prompt. With the commands enable and configure you enter the configuration mode:
172.16.40.1>enable
172.16.40.1#configure
172.16.40.1(cfg)#
Changing the IP address. Select the c
69. e connected to a serial terminal over its serial console port, as depicted in figure 25. [Figure 25: Connecting a serial terminal.] Note: A Patton Model 16F-561 RJ45 to DB-9 adapter is included with each IPLink 2800 Series device. Note: See section Console port (RJ-45, EIA-561, RS-232) on page 129 for console port pin-outs. (Introduction, page 125. OnSite 2800 Series User Manual, C Cabling.) Ethernet 10Base-T and 100Base-T. Ethernet devices (10Base-T, 100Base-T) are connected to the OnSite over a cable with RJ-45 plugs. Use a cross-over cable to a host or a straight cable to a hub. See figure 26 (host) and figure 27 on page 127 (hub) for the different connections. [Figure 26: Ethernet cross-over cable, RJ-45 male to RJ-45 male.] (Ethernet 10Base-T and 100Base-T, page 126. OnSite 2800 Series User Manual, C Cabling.) [Figure 27: Ethernet straight-through cable, RJ-45 male to RJ-45 male.] (Ethernet 10Base-T and 100Base-T, page 127.) Appendix D: Port pin-outs. (OnSite 2800 Series User
70. e to an interface. Any service policy profile needs to be bound to a certain IP interface to get activated. According to the terminology of OnSite, a service policy profile is used on a certain IP interface, as shown in figure 23. [Figure 23: Using a Service Policy Profile on an IP Interface (profile use command, bind command, context IP router).] Therefore the use profile service-policy command allows attaching a certain service policy profile to an IP interface that is defined within the IP context. This command has an optional argument that defines whether the service policy profile is activated in receive or transmit direction. Providers may use input shaping to improve downlink voice jitter in the absence of voice support. The default setting, no service policy, sets the interface to FIFO queuing. Mode: Interface. Step 1: node(if-ip)[ifname]#use profile service-policy name {in | out}. Purpose: Applies the service policy profile name to the selected interface ifname. Depending on selecting the optional in or out argument, the service policy profile is active on the receive or transmit direction. Be aware that service policy profiles can only be activated on the transmit direction at the moment. Example: Devoting the service policy profile to an interface. The following example shows how to attach the service policy profile Voice_Prio
71. ease 12.2 QoS commands are in contrast with the respective OnSite commands. Table 10: Command cross reference.
Action: Specifies the name of the policy map or profile to be created or modified. IOS command: policy-map policy-map-name. OnSite command: profile service-policy profile-name.
Action: Specifies the name of the class map or class to be created. For IOS, specifies average or peak bit rate shaping; for the OnSite, assigns the average bit rate to a source. IOS command: class-map class-map-name; shape {average | peak} cir [bc] [be]. OnSite command: source traffic-class class-name; rate bitrate.
Action: For IOS, specifies or modifies the bandwidth allocated for a class belonging to a policy map. Percent defines the percentage of available bandwidth to be assigned to the class; for the OnSite, assigns the weight of the selected source (only used with wfq). IOS command: bandwidth {bandwidth-kbps | percent percent}. OnSite command: share percent.
Link scheduler configuration task list. To configure QoS features, perform the tasks described in the following sections. Depending on your requirements, some of the tasks are required while other tasks are optional: Defining the access control list profile; Creating a service policy profile (see page 102); Specifying the handling of traffic classes (see page 104); Devoting the service policy profile to an interface (see page 109); Displaying link arbitration status (see page 110). Link scheduler con
72. eceptacle. Failure to do so could result in equipment damage. The UI and EUI power supplies automatically adjust to accept an
3. Verify that the AC power cord included with your VPN Router is compatible with local standards. If it is not, refer to chapter 10, Contacting Patton for assistance, on page 114 to find out how to replace it with a compatible power cord.
4. Connect the male end of the power cord to an appropriate power outlet. [Figure 8: VPN Router front panel LEDs (Power, Enet 0 Link/Activity, Enet 1 Link/Activity) and Console port locations (OnSite 2835 shown).]
5. Verify that the green Power LED is lit (see figure 8). Congratulations, you have finished installing the OnSite VPN Router. Now go to chapter 3, Getting started with the OnSite Managed VPN Router, on page 38. (Installing the VPN router, page 37.) Chapter 3: Getting started with the OnSite Managed VPN Router. (OnSite 2800 Series User Manual, page 38, 3 Getting started with the OnSite Managed VPN Router.) Introduction. This chapter leads you through the basic steps to set up a new OnSite VPN Router. Figure 9 shows the main steps for setting up a new OnSite VPN Router. [Figure 9: setup steps, beginning with Configure IP address
procedure describes how to enter the Frame Relay configuration mode.

Mode: Administrator execution

  Step  Command                                 Purpose
  1     node(cfg)#port serial slot port         Selects the serial interface on slot and port
  2     node(prt-ser)[slot/port]#framerelay     Enters the Frame Relay configuration mode
  3     node(frm-rel)[slot/port]#               Displays the Frame Relay configuration mode prompt

Example: Enter Frame Relay mode

The following example shows how to enter the Frame Relay configuration mode for the serial interface on slot 0 and port 0 of an OnSite router.

  2800(cfg)#port serial 0 0
  2800(prt-ser)[0/0]#framerelay
  2800(frm-rel)[0/0]#

Configuring the LMI type

For a Frame Relay network, the line protocol is the periodic exchange of local management interface (LMI) packets between the OnSite device and the Frame Relay provider equipment. If the OnSite device is attached to a public data network (PDN), the LMI type must match the type used on the public network. You can set one of the following three LMI types on the OnSite devices: ansi for ANSI T1.617 Annex D, gof for Group of 4 (which is the default for Cisco LMI), and itu for ITU-T Q.933 Annex A.

This procedure describes how to set the LMI type.

Mode: Frame Relay

  Step  Command                                              Purpose
  1     node(frm-rel)[slot/port]#lmi-type {ansi | gof | itu}   Sets the LMI type

Example: Configuring the LMI type

The following example sets the LMI type to ANSI T1.617 Annex D for Frame Relay over the serial
ment and the mutual recognition of their conformity. The safety advice in the documentation accompanying this product shall be obeyed. The conformity to the above directive is indicated by the CE sign on the device.

The signed Declaration of Conformity can be downloaded from the Patton website at www.patton.com/certifications.

Authorized European Representative

  D R M Green
  European Compliance Services Limited
  Oakdene House, Oak Road
  Watchfield, Swindon, Wilts SN6 8TD, UK

FCC Part 68 (ACTA) Statement (Model 2803 only)

This equipment complies with Part 68 of FCC rules and the requirements adopted by ACTA. On the bottom side of this equipment is a label that contains, among other information, a product identifier in the format US:AAAEQ##TXXXX. If requested, this number must be provided to the telephone company.

A plug and jack used to connect this equipment to the premises wiring and telephone network must comply with the applicable FCC Part 68 rules and requirements adopted by the ACTA. This equipment uses a Universal Service Order Code (USOC) jack: RJ-11C.

If this equipment causes harm to the telephone network, the telephone company will notify you in advance that temporary discontinuance of service may be required. But if advance notice isn't practical, the telephone company will notify the customer as soon as possible. Also, you will be advised of
er 7, "Access control list configuration" on page 79.

Procedure: To create or modify an outgoing ACL profile for IPsec

Mode: Configure

  Step  Command                                            Purpose
  1     node(cfg)#profile acl name                         Creates or enters the ACL profile name
  2     node(pf-acl)[name]#permit ... ipsec-policy name    The expression ipsec-policy name appended to a permit ACL rule activates the IPsec policy profile name to encrypt/authenticate the traffic identified by this rule

Note: New entries are appended at the end of an ACL. Since the position in the list is relevant, you might need to delete the ACL and rewrite it completely.

Example: Create or modify an ACL profile for IPsec

The following example configures an outgoing ACL profile that interconnects the two private networks 192.168.1.0/24 and 172.16.0.0/16.

  2800(cfg)#profile acl VPN_Out
  2800(pf-acl)[VPN_Out]#permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 ipsec-policy ToBurg
  2800(pf-acl)[VPN_Out]#permit ip any any

Note that the final permit ip any any rule forwards all other traffic unencrypted; without it, the implicit deny at the end of every ACL would drop that traffic. Only traffic matched by a rule carrying ipsec-policy is protected.

Configuration of an IP interface and the IP router for IPsec

The IP interface that provides connectivity to the IPsec peer must now activate the outgoing ACL profile configured in the previous section. Furthermore, the IP router must have a route for the remote network that points to the respective IP interface.

Procedure: To activate the outgoing ACL profile and to establish
hierarchical lower-level service policy profile named src-name.

  Step  Command                           Purpose
  5     node(src)[src-name]#              At this point the necessary commands used to specify the handling of the traffic class(es) have to be entered
  6     node(src)[src-name]#exit          Leaves the source configuration mode (optional)
  7     node(pf-srvpl)[name]#             Repeat steps 4 to 6 for all necessary source classes or lower-level service policy profiles
  8     node(pf-srvpl)[name]#exit         Leaves the service policy profile mode

Specifying the handling of traffic classes

Several commands are available to specify what happens to a packet of a specific traffic class.

Defining fair queuing weight

The command share is used with wfq link arbitration to assign the weight to the selected traffic class. When defining a number of source classes, the values are relative to each other. It is recommended to split 100 (which can be read as 100%) among all available source classes, e.g. with 20, 30 and 50 as values for the respective share commands, which then represent 20%, 30% and 50%.

Mode: Source

  Command                                 Purpose
  node(src)[name]#share percentage        Defines the fair queuing weight, relative to other sources, as percentage for the selected class or policy name

Defining the bit rate

The command rate is used with shaper link arbitration to assign the average bit rate to the selec
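To make "the values are relative to each other" concrete, the following is an added example that is not from the OnSite manual and not Patton's code: a small deficit round-robin scheduler standing in for the wfq link arbiter, serving constructed per-class backlogs. The class names, packet sizes and the credit-per-round constant are assumptions chosen for illustration. It shows that share values 20/30/50 and 2/3/5 schedule identically, and that the share of a class with nothing queued is redistributed to the backlogged classes rather than left unused.

```python
from collections import deque
from fractions import Fraction


def backlog(packets, size=100):
    """Constructed queue of `packets` packets of `size` bytes for one traffic class."""
    return deque([size] * packets)


def wfq_serve(queues, shares, link_bytes, credit_per_round=100):
    """Deficit round robin standing in for the wfq link arbiter (assumed model).

    queues: class name -> deque of packet sizes in bytes (head is sent next).
    shares: class name -> value as given to the `share` command.
    link_bytes: bytes the link may carry in this run.
    Returns bytes served per class. Shares are normalised against their sum,
    so only their ratio matters.
    """
    total = sum(shares.values())
    # exact arithmetic, so 20/30/50 and 2/3/5 really yield identical quanta
    quantum = {c: Fraction(shares[c], total) * credit_per_round for c in shares}
    deficit = {c: Fraction(0) for c in shares}
    served = {c: 0 for c in shares}
    sent = 0
    while sent < link_bytes and any(queues[c] for c in shares):
        for c in shares:
            q = queues[c]
            if not q:
                # an idle class banks no credit: its share goes to the others
                deficit[c] = Fraction(0)
                continue
            deficit[c] += quantum[c]
            # send whole packets while this class still has credit
            while q and q[0] <= deficit[c] and sent < link_bytes:
                size = q.popleft()
                deficit[c] -= size
                served[c] += size
                sent += size
    return served


def served_fraction(served):
    """Fraction of the served bytes that each class received."""
    total = sum(served.values())
    return {c: served[c] / total for c in served}


if __name__ == "__main__":
    shares = {"voice": 20, "web": 30, "bulk": 50}
    queues = {c: backlog(1000) for c in shares}
    print(served_fraction(wfq_serve(queues, shares, 100_000)))
```

With all three classes backlogged the served bytes split 20/30/50 percent; with the bulk queue empty, voice and web receive 40 and 60 percent of the link, which is their 20:30 ratio applied to the whole capacity.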
serial port configuration task list 57

Chapter 5. T1/E1 port configuration

Chapter contents

  Introduction ... 59
  T1/E1 port configuration task list ... 59
  Configuring T1/E1 clock mode ... 60
  Configuring T1/E1 used connector ... 61
  Configuring T1/E1 encapsulation ... 62
  Configuring Channel Groups ... 63
  Entering HDLC configuration mode ... 63
  Configuring HDLC CRC type ... 64
  T1/E1 configuration examples ... 64
  Example 1: Frame Relay without a channel group ... 65
  Example 2: Frame Relay with a channel group ... 66
  Example 4: PPP ... 66

Introduction

This chapter provides an overview of the T1/E1 WAN port and its characteristics, and describes the configuration tasks.

The model 2803 has a T1/E1 WAN port on the rear panel of the unit. The T1 version (Model 2803T) has an RJ-48C connector, and the E1 version (Model 2803K) offers the user connectivity via either the RJ-48C or dual coaxial connectors. Both models can be configured for T1 or E1 operation.

The configurable parameters for the T1/E1 p
  [profile ipsec-transform AES-SHA1, continued]
    esp-encryption aes-cbc 256
    ah-authentication hmac-sha1-96

  profile ipsec-policy-manual VPN-AES-SHA1
    use profile ipsec-transform AES-SHA1
    session-key inbound ah-authentication 1234567890ABCDEF1234567890ABCDEF12345678
    session-key outbound ah-authentication FEDCBA0987654321FEDCBA0987654321FEDCBA09
    session-key inbound esp-encryption 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    session-key outbound esp-encryption FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321
    spi inbound ah 3333
    spi outbound ah 4444
    spi inbound esp 5555
    spi outbound esp 6666
    peer 200.200.200.1
    mode tunnel

For the rest of the configuration see above; just change the name of the IPsec policy profile in the ACL profile VPN_Out.

Cisco router configuration:

  crypto ipsec transform-set AES-SHA1 ah-sha-hmac esp-aes 256
  crypto map VPN-AES-SHA1 local-address FastEthernet0/1
  crypto map VPN-AES-SHA1 10 ipsec-manual
    set peer 200.200.200.2
    set session-key inbound esp 6666 cipher FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321
    set session-key outbound esp 5555 cipher 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    set session-key inbound ah 4444 FEDCBA0987654321FEDCBA0987654321FEDCBA09
    set session-key outbound ah 3333 1234567890ABCDEF1234567890ABCDEF12345678
    set transform-set AES-SHA1
    match address 110

Note how every inbound key and SPI on the OnSite appears as the outbound key and SPI on the Cisco router and vice versa: what one side sends the other must expect.

For the remainder of the confi
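Because manually keyed tunnels fail silently when the two sides are not mirrored, the following added example (not from the OnSite manual and not Patton's or Cisco's code) cross-checks two peer configurations before they are typed in. It represents each side as a small dictionary whose field names (esp_key, ah_key, esp_spi, ah_spi) and the KEY_BYTES table are assumptions of this example; the values are the ones from the AES-256/HMAC-SHA1-96 sample above and, like those, are placeholders, not keys to use. It verifies that every key is hex of the length its algorithm requires, that SPIs are outside the range reserved by IANA, and that each side's inbound parameters equal the other side's outbound ones.

```python
import re

# Key lengths in bytes for the algorithms the manual lists (3DES lengths are
# the full keys including parity bits). Table assumed for this example.
KEY_BYTES = {
    "aes-cbc-128": 16, "aes-cbc-192": 24, "aes-cbc-256": 32,
    "3des-cbc-128": 16, "3des-cbc-192": 24, "des-cbc-56": 8,
    "hmac-md5-96": 16, "hmac-sha1-96": 20,
}
SPI_MIN = 256  # SPI values 1-255 are reserved by IANA (RFC 4303)


def _is_hex_key(value, expect_bytes):
    return re.fullmatch(r"[0-9A-Fa-f]+", value) is not None and len(value) == 2 * expect_bytes


def check_manual_sa(local, remote, algorithms):
    """Cross-check two manually keyed IPsec peers.

    local/remote: {"inbound": {...}, "outbound": {...}}; each direction holds
    key fields (hex strings) and SPI fields (ints, names ending in "_spi").
    algorithms: key field name -> algorithm name from KEY_BYTES.
    Returns a list of problem descriptions; empty means the peers agree.
    """
    problems = []
    for side_name, side in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            sa = side[direction]
            for field, alg in algorithms.items():
                if not _is_hex_key(sa[field], KEY_BYTES[alg]):
                    problems.append(f"{side_name} {direction} {field}: expected "
                                    f"{KEY_BYTES[alg] * 8}-bit hex key for {alg}")
            for field, spi in sa.items():
                if field.endswith("_spi") and not SPI_MIN <= spi <= 0xFFFFFFFF:
                    problems.append(f"{side_name} {direction} {field}: SPI {spi} out of range")
    # what one side sends (outbound) the other must expect (inbound), and vice versa
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        for field in local[mine]:
            if str(local[mine][field]).upper() != str(remote[theirs].get(field, "")).upper():
                problems.append(f"local {mine} {field} != remote {theirs} {field}")
    return problems


# Values copied from the sample configuration above (placeholder keys; real
# keys come from a CSPRNG, never from a manual).
ONSITE = {
    "inbound": {"esp_key": "1234567890ABCDEF" * 4, "esp_spi": 5555,
                "ah_key": "1234567890ABCDEF1234567890ABCDEF12345678", "ah_spi": 3333},
    "outbound": {"esp_key": "FEDCBA0987654321" * 4, "esp_spi": 6666,
                 "ah_key": "FEDCBA0987654321FEDCBA0987654321FEDCBA09", "ah_spi": 4444},
}
CISCO = {
    "inbound": {"esp_key": "FEDCBA0987654321" * 4, "esp_spi": 6666,
                "ah_key": "FEDCBA0987654321FEDCBA0987654321FEDCBA09", "ah_spi": 4444},
    "outbound": {"esp_key": "1234567890ABCDEF" * 4, "esp_spi": 5555,
                 "ah_key": "1234567890ABCDEF1234567890ABCDEF12345678", "ah_spi": 3333},
}
ALGORITHMS = {"esp_key": "aes-cbc-256", "ah_key": "hmac-sha1-96"}

if __name__ == "__main__":
    print(check_manual_sa(ONSITE, CISCO, ALGORITHMS) or "peers agree")
```

Manual keying also means the keys never change until someone edits both configurations, and anyone who can read either running configuration can decrypt the tunnel, so treat these configuration files with the same care as the keys themselves.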
et 10Base-T and 100Base-T port

X.21 serial port (sync serial port)

Table 18. X.21 female DB-15 connector, X.21 interface pin-out

  Pin  Signal
  1    Frame Ground
  2    TD(a)
  3    CNTRL(a)
  4    RD(a)
  5    IND(a)
  6    SET(a)
  8    Signal Ground
  9    TD(b)
  10   CNTRL(b)
  11   RD(b)
  12   IND(b)
  13   SET(b)

Note: Pins not labeled are not used.

Appendix E. OnSite 2800 Series factory configuration

Chapter contents

  Introduction ... 133

Introduction

The factory configuration settings for the OnSite 2800 Series devices are as follows:

  #2800 Series
  #R3.xx BUILDxxxxx 2005-01-18T00:00:00
  # Factory configuration file

  profile napt NAPT

  profile dhcp-server DHCP
    network 192.168.1.0 255.255.255.0
    include 192.168.1.10 192.168.1.19
    lease 2 hours
    default-router 192.168.1.1

  context ip router

    interface eth0
      ipaddress 172.16.40.1 255.255.0.0
      use profile napt NAPT

    interface eth1
      ipaddress 192.168.1.1 255.255.255.0

  context ip router
    dhcp-server use DHCP

  port ethernet 0 0
    medium auto
    encapsulation ip
    bind interface eth0 router
    no shutdown

  port ethernet 0 1
    medium auto
    encapsulation ip
    bind interface eth1 router
    no shutdown

Note that the factory configuration binds no access control list profile to either interface; eth0 only applies NAPT. Configure access lists (chapter 7) before exposing eth0 to an untrusted network.

Appendix F. Installation checklist
network (VPN) is a private data network that uses the public telecommunications infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

There are different technologies to implement a VPN. OnSite applies the internet protocol security (IPsec) architecture (see RFC 2401). The following sections describe the main building blocks of the IPsec architecture as implemented in the OnSite router.

Authentication

Authentication verifies the integrity of the data stream and ensures that it is not tampered with while in transit. It also provides confirmation of the data stream's origin. Two authentication protocols are available:

- Authentication header (AH) protects the IP payload, the IP header and the authentication header itself.
- Encapsulating security payload (ESP) protects the IP payload and the ESP header and trailer, but not the IP header.

Two algorithms perform the authentication:

- HMAC-MD5-96 is a combination of the keyed hashing for message authentication (HMAC) and the message digest version 5 (MD5) hash algorithm. It requires an authenticator of 128 bit length and calculates a hash of 96 bits over the packet to be protected (see RFC 2403).
- HMAC-SHA1-96 is a combination of the HMAC and the secure hash algorithm version 1 (SHA-1). It requires an authenticator of 160 bit length and calculates a hash of 96 bits over the packet to be protected (see RFC 2404).

Where both peers support it, prefer HMAC-SHA1-96: MD5 is no longer regarded as a strong hash function, and both variants truncate to the same 96-bit integrity check value, so SHA-1 costs nothing in packet overhead.

Encryption

Encryption protects the data i
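To show what "calculates a hash of 96 bits over the packet" means in practice, here is an added example, written for this page and not taken from the OnSite manual or from Patton's implementation. It computes the truncated HMAC integrity check value (ICV) for a constructed ESP-style packet (SPI, sequence number, protected bytes) and verifies it with a constant-time comparison, rejecting packets that were altered or signed with a different key. The packet layout is simplified (no encryption is applied; the protected bytes stand in for ciphertext plus trailer) and the sample key is the placeholder AH key from the sample configuration, reused here as a 160-bit authenticator only for illustration.

```python
import hmac

ICV_BYTES = 12  # the "-96": the HMAC output is truncated to 96 bits (RFC 2403/2404)
# authentication algorithm -> (hashlib digest name, required authenticator length in bytes)
AUTH_ALGS = {"hmac-md5-96": ("md5", 16), "hmac-sha1-96": ("sha1", 20)}


def icv(alg, key, data):
    """Integrity check value: HMAC over `data`, truncated to 96 bits."""
    digest_name, key_len = AUTH_ALGS[alg]
    if len(key) != key_len:
        raise ValueError(f"{alg} needs a {key_len * 8}-bit authenticator key")
    return hmac.new(key, data, digest_name).digest()[:ICV_BYTES]


def esp_packet(spi, seq, protected, alg, key):
    """Build SPI | sequence number | protected bytes | ICV (constructed layout).

    `protected` stands in for the already encrypted payload plus ESP trailer;
    the ICV covers everything before it, as in RFC 4303 section 2.8.
    """
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    return header + protected + icv(alg, key, header + protected)


def verify_esp_packet(packet, alg, key):
    """Recompute the ICV and compare in constant time; False on any modification."""
    if len(packet) < 8 + ICV_BYTES:
        return False
    body, tag = packet[:-ICV_BYTES], packet[-ICV_BYTES:]
    return hmac.compare_digest(tag, icv(alg, key, body))


# Constructed test vector: the placeholder 160-bit AH key from the sample
# configuration, used here as an ESP authentication key purely for illustration.
SAMPLE_KEY = bytes.fromhex("1234567890ABCDEF1234567890ABCDEF12345678")

if __name__ == "__main__":
    pkt = esp_packet(5555, 1, b"constructed ciphertext", "hmac-sha1-96", SAMPLE_KEY)
    print(verify_esp_packet(pkt, "hmac-sha1-96", SAMPLE_KEY))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    print(verify_esp_packet(tampered, "hmac-sha1-96", SAMPLE_KEY))
```

The key-length check mirrors the manual's statement that HMAC-MD5-96 needs a 128-bit and HMAC-SHA1-96 a 160-bit authenticator: passing a 160-bit key to the MD5 variant is refused rather than silently accepted.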
figuration

[Figure 13. Typical Integrated Service Access scenario with dedicated PVCs: the OnSite (IPLink) router reaches a Multi-Service Provider and a VPN Provider over a leased line network]

Integrated service access

The example in figure 13 shows a typical integrated service access scenario, where different service providers are accessed via permanent virtual circuits (PVCs) on Frame Relay over the serial interface of an OnSite router. The multi-service provider (MSP) offers both Internet access and intranet services based on IP. The virtual private network (VPN) provider offers secure interconnections of local access networks (LANs) via its public wide area network based on IP.

Since both providers are working independently, the OnSite needs a configuration with two dedicated PVCs on Frame Relay. The first PVC, labeled PVC 1, connects to the MSP access device. The second PVC, labeled PVC 2, connects to the VPN provider access device on the leased line network. The OnSite is working as a DTE and accesses the leased line network via a leased line modem connected to the serial interface. The hardware port protocol V.35 is used on the serial interface on slot 0 and port 0. Devices accessing the MSP and VPN services are attached to the 100 Mbps Ethernet port 0/0 on the OnSite router.

For that reason, an IP context with three logical IP interfaces, bound to Ethernet port 0/0, PVC 1 and PVC 2 on serial port 0/0, as shown in figure 13, has to be co
figuration traffic-class number called

With OnSite you can inspect the DSCP value in the ACL rules and modify the DSCP value with the link scheduler set ip dscp command.

Note: When configuring service differentiation on the OnSite router, ensure that codepoint settings are arranged with the service provider.

Because any sending host can set the DS field of its own packets, markings arriving on an untrusted interface should be overwritten with set ip dscp rather than trusted.

The command set ip dscp sets the DS field applied to packets of the class name. Additionally, shaping may be needed to make the class conformant. The no form of this command disables packet marking.

Mode: Source

  Command                                 Purpose
  node(src)[name]#set ip dscp value       Defines the Differentiated Services Codepoint value applied to packets of the selected class or policy name. The range for value is from 0 to 63.

Specifying layer 2 marking

The IEEE ratified the 802.1p standard for traffic prioritization in response to the realization that different traffic classes have different priority needs. This standard defines how network frames are tagged with user priority levels ranging from 7 (highest priority) to 0 (lowest priority). 802.1p-compliant network infrastructure devices, such as switches and routers, prioritize traffic delivery according to the user priority tag, giving higher priority frames precedence over lower priority or non-tagged frames. This means that time-critical data can receive preferential treatment over non-time-critical data.

Under 802.1p, a 4-byte 802.1Q tag carrying the Tag Control Information (TCI) field is inserted in the
figuration task list

- Displaying link scheduling profile information (see page 110)
- Enabling statistics gathering (see page 110)

[Figure 20. Elements of link scheduler configuration: the ACL profile performs packet classification (predefined classes and user-defined classes of traffic); the link arbiter inside the service policy profile defines the arbitration mode and the order in which packets of different classes are served; the service policy profile is bound to IP interface wan, which is used as access link and normally represents the bottleneck of the system]

Defining the access control list profile

Packet classification

The basis for providing any QoS lies in the ability of a network device to identify and group specific packets. This identification process is called packet classification. In OnSite, access control lists are used for packet classification.

An access control list in OnSite consists of a series of packet descriptions, like "addressed to xyz". Those descriptions are called rules. For each packet, the list of descriptions is checked sequentially, and the first rule that matches decides what happens to the packet. As far as filtering is concerned, the rule decides if the packet is discarded (deny) or passed on (permit). You can a
guration see above; just change the name of the IPsec policy profile in the ACL profile VPN_Out.

IPsec tunnel: 3DES encryption at 192 bit key length, ESP authentication with HMAC-MD5-96

Both 3DES and HMAC-MD5-96 are legacy choices; use this combination only when the peer cannot do AES and SHA-1 (see the recommendation in the Encryption section).

OnSite configuration:

  profile ipsec-transform TDES-MD5
    esp-encryption 3des-cbc 192
    esp-authentication hmac-md5-96

  profile ipsec-policy-manual VPN-TDES-MD5
    use profile ipsec-transform TDES-MD5
    session-key inbound esp-authentication 1234567890ABCDEF1234567890ABCDEF
    session-key outbound esp-authentication FEDCBA0987654321FEDCBA0987654321
    session-key inbound esp-encryption 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    session-key outbound esp-encryption FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321
    spi inbound esp 7777
    spi outbound esp 8888
    peer 200.200.200.1
    mode tunnel

For the remainder of the configuration see above; just change the name of the IPsec policy profile in the ACL profile VPN_Out.

Cisco router configuration:

  crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
  crypto map VPN-3DES-MD5 local-address FastEthernet0/1
  crypto map VPN-3DES-MD5 10 ipsec-manual
    set peer 200.200.200.2
    set session-key inbound esp 8888 cipher FEDCBA0987654321FEDCBA0987654321FEDCBA0987654321 authenticator FEDCBA0987654321FEDCBA0987654321
    set session-key outbound esp 7777 cipher 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF authenticator 1234567890ABCDEF
have a static IP address; DNS resolution is not available yet.

  Command                                              Purpose
  node(pf-ipsma)[name]#mode {tunnel | transport}       Selects tunnel or transport mode

Use no in front of the above commands to delete a profile or a configuration entry.

Example: Create an IPsec policy profile

The following example defines a profile for AES encryption at a key length of 128 bits.

  2800(cfg)#profile ipsec-policy-manual ToBurg
  2800(pf-ipsma)[ToBurg]#use profile ipsec-transform AES-128
  2800(pf-ipsma)[ToBurg]#session-key inbound esp-encryption 1234567890ABCDEF1234567890ABCDEF
  2800(pf-ipsma)[ToBurg]#session-key outbound esp-encryption FEDCBA0987654321FEDCBA0987654321
  2800(pf-ipsma)[ToBurg]#spi inbound esp 1111
  2800(pf-ipsma)[ToBurg]#spi outbound esp 2222
  2800(pf-ipsma)[ToBurg]#peer 200.200.200.1
  2800(pf-ipsma)[ToBurg]#mode tunnel

Creating or modifying an outgoing ACL profile for IPsec

An access control list (ACL) profile in the outgoing direction selects which outgoing traffic to encrypt and/or authenticate, and which IPsec policy profile to use. IPsec does not require an incoming ACL.

Note: Outgoing and incoming IPsec traffic passes an ACL, if one is bound, twice: once before and once after encryption/authentication. So the respective ACLs must permit both the encrypted/authenticated and the plain traffic.

For detailed information on how to set up ACL rules, see chapt
The command accepts comma-separated groups of timeslots. A group can be a single timeslot or a range of timeslots. The channel group timeslots do not have to be contiguous. The no form of the command releases all previously selected timeslots.

Example:

  timeslots 1,4,6      Selects three timeslots: 1, 4 and 6
  timeslots 1,4-6      Selects four timeslots: 1, 4, 5 and 6
  timeslots 1-3,4-6    Selects six timeslots: 1, 2, 3, 4, 5 and 6

Mode: channel-group group-name

  Command                                                 Purpose
  name(ch-grp)[group-name]#[no] timeslots timeslots       Selects the timeslots to be used. Default: no timeslots

Configuring Channel Group Encapsulation

In the channel group configuration mode, only the encapsulation type hdlc is available. For more details see "Configuring T1/E1 encapsulation" on page 62.

Mode: channel-group group-name

  Step  Command                                             Purpose
  1     name(ch-grp)[group-name]#[no] encapsulation hdlc    Specifies the encapsulation type of the channel group. Default: no encapsulation

Entering HDLC Configuration Mode

The hdlc configuration mode can be entered either from the port T1/E1 configuration mode or from the channel group configuration mode. If you cannot enter the hdlc mode, it may be due to an invalid or incomplete configuration, and an error message will be issued. In port T1/E1 configuration mode you only need to set the encapsulation for hdlc in order to enter the hdlc configuration mode. In
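The timeslot syntax above is small but easy to get wrong in scripts that generate channel-group configuration. The following added example (written for this page, not code from the OnSite manual or from Patton) parses a timeslots argument into the set of selected timeslots, rejects malformed or out-of-range input, and collapses a set back into the shortest comma-separated form. The valid ranges (1-24 on T1, 1-31 on E1) are assumptions of the example, not figures from the manual.

```python
# Timeslot numbering assumed: 1-24 on T1, 1-31 on E1 (timeslot 0 carries E1 framing).
TIMESLOT_RANGE = {"T1": (1, 24), "E1": (1, 31)}


def parse_timeslots(spec, line_type="E1"):
    """Parse the argument of the channel-group `timeslots` command.

    Accepts comma-separated groups, each a single timeslot ("6") or an
    inclusive range ("4-6"). Returns a sorted, de-duplicated list of ints.
    Raises ValueError for malformed groups, backwards ranges or timeslots
    outside the line type's range.
    """
    lo, hi = TIMESLOT_RANGE[line_type]
    chosen = set()
    for group in spec.split(","):
        group = group.strip()
        if not group:
            raise ValueError("empty timeslot group in %r" % spec)
        try:
            if "-" in group:
                first_s, last_s = group.split("-", 1)
                first, last = int(first_s), int(last_s)
            else:
                first = last = int(group)
        except ValueError:
            raise ValueError("malformed timeslot group %r" % group) from None
        if first > last:
            raise ValueError("range %r runs backwards" % group)
        if first < lo or last > hi:
            raise ValueError("%r outside %s timeslots %d-%d" % (group, line_type, lo, hi))
        chosen.update(range(first, last + 1))
    return sorted(chosen)


def format_timeslots(slots):
    """Inverse of parse_timeslots: collapse runs into ranges, e.g. [1,2,3,5] -> '1-3,5'."""
    slots = sorted(set(slots))
    groups = []
    i = 0
    while i < len(slots):
        j = i
        while j + 1 < len(slots) and slots[j + 1] == slots[j] + 1:
            j += 1
        groups.append(str(slots[i]) if i == j else "%d-%d" % (slots[i], slots[j]))
        i = j + 1
    return ",".join(groups)


def rejects(spec, line_type="E1"):
    """True if parse_timeslots refuses `spec` for this line type."""
    try:
        parse_timeslots(spec, line_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for spec in ("1,4,6", "1,4-6", "1-3,4-6"):
        print(spec, "->", parse_timeslots(spec))
```

Overlapping groups such as 1-3,2-4 are accepted and merged, since selecting a timeslot twice is harmless; a range that runs backwards or reaches timeslot 25 on a T1 line is refused before it can reach the router.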
the router interfaces. You can configure access lists so that inbound traffic, outbound traffic, or both are filtered on an interface.

Features of access control lists

The following features apply to all IP access control lists:

- A list may contain multiple entries. The order of access control list entries is significant. Each entry is processed in the order it appears in the configuration file. As soon as an entry matches, the corresponding action is taken and no further processing takes place.
- All access control lists have an implicit deny ip any any at the end. A packet that does not match the criteria of the first statement is subjected to the criteria of the second statement, and so on, until the end of the access control list is reached, at which point the packet is dropped.
- Filter types include IP, Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Stream Control Transmission Protocol (SCTP).
- An empty access control list is treated as an implicit deny ip any any list.

Note: Two or more administrators should not simultaneously edit the configuration file. This is especially the case with access lists. Doing this can have unpredictable results.

Once in access control list configuration mode, each command creates a statement in the access control list. When the access c
  Installing the T1/E1 twisted pair cables ... 34
  Installing the E1 dual coaxial cables ... 35

Planning the installation

Before you start the actual installation, we strongly recommend that you gather all the information you will need to install and set up the device. See table 3 for an example of what pre-installation checks you might need to carry out. Completing the pre-installation checks enables you to install and set up your VPN router within an existing network infrastructure with confidence.

CAUTION: The mains outlet that is utilized to power the equipment must be within 1 meter (3 feet) of the device and shall be easily accessible.

Note: When setting up your VPN router you must consider cable length limitations and potential electromagnetic interference (EMI) as defined by the applicable local and international regulations. Ensure that your site is properly prepared before beginning installation.

Before installing the VPN Router device, the following tasks should be completed:

- Create a network diagram (see section "Network information" on page 29).
- Gather IP related information (see section "IP related information" on page 29 for more information).
- Install the hardware and software needed to configure the OnSite router (see section "Software tools" on page 29).
- Verify power sou
provides a number of virtual circuits that form the basis for connections between stations attached to the same Frame Relay network. The resulting set of interconnected devices forms a private Frame Relay group, which may be either fully interconnected with a complete mesh of virtual circuits, or only partially interconnected. In either case, each virtual circuit is uniquely identified at each Frame Relay interface by a Data Link Connection Identifier (DLCI). In most circumstances, DLCIs have strictly local significance at each Frame Relay interface.

Assigning a DLCI to a specified Frame Relay sub-interface on the OnSite is done in the PVC configuration mode. The DLCI has to be in the range from 1 to 1022.

Note: A maximum of eight PVCs can be defined.

This procedure describes how to enter the PVC configuration.

Mode: Frame Relay

  Step  Command                                Purpose
  1     node(frm-rel)[slot/port]#pvc dlci      Enters the PVC configuration mode by assigning a DLCI number to be used on the specified sub-interface

Example: Entering Frame Relay PVC configuration mode

The following example enters the configuration mode for the PVC with the assigned DLCI of 1 for Frame Relay over the serial interface on slot 0 and port 0 of an OnSite router.

  2800(cfg)#port serial 0 0
  2800(prt-ser)[0/0]#framerelay
  2800(frm-rel)[0/0]#pvc 1
  2800(pvc)[1]#

Configuring the PVC encapsul
interface on slot 0 and port 0.

  2800(cfg)#port serial 0 0
  2800(prt-ser)[0/0]#framerelay
  2800(frm-rel)[0/0]#lmi-type ansi

Configuring the keep-alive interval

A keep-alive interval must be set to configure the LMI. By default, this interval is 10 seconds and, according to the LMI protocol, must be less than the corresponding interval on the switch. The keep-alive interval in seconds, which is represented by number, has to be in the range from 1 to 3600.

This procedure describes how to set the keep-alive interval.

Mode: Frame Relay

  Step  Command                                      Purpose
  1     node(frm-rel)[slot/port]#keepalive number    Sets the LMI keep-alive interval

To disable keep-alives on networks that do not utilize LMI, use the no keepalive interface configuration command.

Example: Configuring the keep-alive interval

The following example sets the keep-alive interval to 10 seconds for Frame Relay over the serial interface on slot 0 and port 0 of an OnSite router.

  2800(cfg)#port serial 0 0
  2800(prt-ser)[0/0]#framerelay
  2800(frm-rel)[0/0]#keepalive 10

Entering Frame Relay PVC configuration mode

A permanent virtual circuit (PVC) is a virtual circuit that is permanently established. PVCs save the bandwidth associated with circuit establishment and tear-down in situations where certain virtual circuits must exist all the time. The Frame Relay network prov
ist configuration

Mode: Interface

  Step  Command                                            Purpose
  1     node(cfg)#context ip router                        Selects the IP router context
  2     node(ctx-ip)[router]#interface ifname              Selects the IP interface ifname whose access control list profile shall be debugged
  3     node(if-ip)[ifname]#debug acl {in | out} level     Enables the access control list debug monitor with a certain debug level for the selected interface ifname

Where the syntax is:

  Keyword   Meaning
  ifname    The name of the IP interface to which an access control list profile is bound
  level     The detail level. Level 0 disables all debug output; level 7 shows all debug output
  in        Specifies that the settings for incoming packets are to be changed
  out       Specifies that the settings for outgoing packets are to be changed

Example: Debugging access control list profiles

The following example shows how to enable debugging for incoming traffic of access control lists on interface wan. On level 7, all debug output is shown.

  2800(cfg)#context ip router
  2800(ctx-ip)[router]#interface wan
  2800(if-ip)[wan]#debug acl in 7

The following example enables the debug monitor for access control lists globally:

  2800#debug acl

The following example disables the debug monitor for access control lists globally:

  2800#no debug acl

Leave the debug monitor enabled only while troubleshooting: at level 7 every packet passing the interface produces output, which loads the router and floods the console.

Examples

Denying a specific
ist profile is linked to more than one IP interface, it will be shown for each interface.

This procedure describes how to display a certain access control list profile.

Mode: Administrator execution or any other mode, except the operator execution mode

  Step  Command                          Purpose
  1     node#show profile acl name       Displays the access control list profile name

Example: Displaying access control list entries

The following example shows how to display the access control list profile named WanRx.

  2800#show profile acl WanRx
  IP access-list WanRx. Linked to router/wan/in.
      deny   icmp any any msg echo
      permit ip 62.1.2.3 0.0.255.255 host 193.14.2.11
      permit ip 97.123.111.0 0.0.0.255 host 193.14.2.11
      permit tcp any host 193.14.2.10 eq 80
      permit udp host 62.1.2.3 host 193.14.2.11 range 1024 2048
      deny   ip any any

Debugging an access control list profile

The debug acl command is used to debug the access control list profiles during system operation. Use the no form of this command to disable any debug output.

This procedure describes how to debug the access control list profiles.

Mode: Administrator execution or any other mode, except the operator execution mode

  Step  Command             Purpose
  1     node#debug acl      Enables the access control list debug monitor

This procedure describes how to activate the debug level of an access control list profile for a specific interface.
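The WanRx listing is a good test case for the first-match rule and the implicit deny described under "Features of access control lists". The following added example (written for this page; it is not code from the OnSite manual or from Patton's implementation) parses rule lines in the form printed by show profile acl, covering the address forms any, host A and A WILDCARD, the tcp/udp/sctp port qualifiers eq and range, and the icmp msg qualifier, and then evaluates constructed packets against the list with exactly those semantics: the first matching rule decides, and no match, or an empty list, is a deny. Packets are plain dictionaries; their field names are an assumption of this example.

```python
import ipaddress


def _parse_addr(tokens, i):
    """Read one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.

    Returns ((network, mask), next_index); an address matches when
    address & mask == network. A wildcard bit of 1 means "don't care".
    """
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF
    return (addr & mask, mask), i + 2


def parse_rule(line):
    """Parse one rule line as printed by `show profile acl`."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    rest = tok[i:]
    dport = icmp_msg = None
    if proto in ("tcp", "udp", "sctp") and rest:
        if rest[0] == "eq":
            dport = (int(rest[1]), int(rest[1]))
        elif rest[0] == "range":
            dport = (int(rest[1]), int(rest[2]))
    elif proto == "icmp" and rest[:1] == ["msg"]:
        icmp_msg = rest[1]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "icmp_msg": icmp_msg}


def _addr_match(spec, address):
    network, mask = spec
    return int(ipaddress.IPv4Address(address)) & mask == network


def evaluate(acl, pkt):
    """Return (action, rule_number) of the first matching rule.

    pkt: {"proto": "tcp"|"udp"|"icmp"|..., "src": str, "dst": str,
          optional "dport": int, optional "icmp_msg": str}.
    No match (including an empty list) is the implicit deny ip any any.
    """
    for number, rule in enumerate(acl, start=1):
        if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
            continue
        if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
            continue
        if rule["dport"] and not rule["dport"][0] <= pkt.get("dport", -1) <= rule["dport"][1]:
            continue
        if rule["icmp_msg"] and pkt.get("icmp_msg") != rule["icmp_msg"]:
            continue
        return rule["action"], number
    return "deny", None


# The WanRx rules exactly as shown above.
WANRX = [parse_rule(line) for line in """
deny icmp any any msg echo
permit ip 62.1.2.3 0.0.255.255 host 193.14.2.11
permit ip 97.123.111.0 0.0.0.255 host 193.14.2.11
permit tcp any host 193.14.2.10 eq 80
permit udp host 62.1.2.3 host 193.14.2.11 range 1024 2048
deny ip any any
""".strip().splitlines()]

if __name__ == "__main__":
    # constructed packet: UDP from 62.1.2.3 to 193.14.2.11, port 1500
    print(evaluate(WANRX, {"proto": "udp", "src": "62.1.2.3", "dst": "193.14.2.11", "dport": 1500}))
```

Running it shows something the listing alone does not: the UDP rule in position 5 never matches, because rule 2 (any IP from 62.1.0.0/16 to 193.14.2.11) already permits every packet from 62.1.2.3 to that host. Since entries are appended at the end, narrowing rules must be entered before the broader ones, which is why the manual advises deleting and rewriting an ACL when the order is wrong.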
it
  2800(ctx-ip)[router]#interface internal
  2800(if-ip)[internal]#ipaddress 192.168.3.1 255.255.255.0
  2800(if-ip)[internal]#interface external
  2800(if-ip)[external]#ipaddress 192.168.2.1 255.255.255.0
  2800(if-ip)[external]#interface lan
  2800(if-ip)[lan]#ipaddress 192.168.1.1 255.255.255.0

3. Configure the serial interface settings.

  2800(cfg)#port serial 0 0
  2800(prt-ser)[0/0]#shutdown
  2800(prt-ser)[0/0]#encapsulation framerelay

4. Configure Frame Relay. You must therefore change to the Frame Relay configuration mode. Use the service policy profile defined above to give voice priority over data.

  2800(prt-ser)[0/0]#framerelay
  2800(frm-rel)[0/0]#lmi-type ansi
  2800(frm-rel)[0/0]#keepalive 20

5. Configure the introduced PVCs.

  2800(frm-rel)[0/0]#pvc 1
  2800(pvc)[1]#encapsulation rfc1490
  2800(pvc)[1]#bind interface external router
  2800(pvc)[1]#no shutdown
  2800(pvc)[1]#pvc 2
  2800(pvc)[2]#encapsulation rfc1490
  2800(pvc)[2]#bind interface internal router
  2800(pvc)[2]#no shutdown

6. Check that the Frame Relay settings are correct.

  2800(frm-rel)[0/0]#show framerelay

  Framerelay Configuration:
    Port           LMI Type   Keepalive   Fragmentation
    serial 0 0 0   ansi       20          disabled

  PVC Configuration:
    Port           DLCI   State   Fragment   Encaps    Binding
    serial 0 0 0   1      open    disabled   rfc1490   external router
    serial 0 0 0   2      open    disabled   rfc1490   internal router
ls accept 5 VDC (see Appendix B, "Specifications", for details).

[Figure 4. OnSite 2800 Series power input connectors: Status and WAN Activity LEDs, Power 12V 1A input, Reset, ETH 0/1, ETH 0/0]

Model code extensions

A model code extension indicates the type of power supply the Router model provides. The model code conventions are:

- UI stands for internal 100-240 V AC universal input power supply (see figure 4).
- EUI stands for external 100-240 V AC universal input power supply (see figure 4).

For example, the model code 2821/EUI describes an OnSite configured with the following:

- Two 10/100Base-T Ethernet ports
- X.21 serial WAN data port
- External 120/220 VAC universal input power supply

Ports descriptions

The OnSite 2800 Series rear panel ports are described in table 2.

Table 2. Rear panel ports

  Port             Location     Description
  10/100 Ethernet  Rear panel   RJ-45 connectors (see figure 2 on page 19 and figure 3 on page 20) that connect the router to an Ethernet device: ETH 0/0 (WAN) to e.g. a cable or DSL modem, ETH 0/1 (LAN) to a LAN hub or switch
  WAN              Rear panel   DB-25 or DB-15 receptacle; provides a V.35 or X.21 serial interface for leased line connection to a WAN at rates up to 2 Mbps
  T1/E1            Rear panel   E1 G.703/G.704 with HDB3 or AMI encoding, RJ-48C and du
lso add a traffic class to the rule, and if this rule is the first matching rule for a packet, the packet is tagged with the traffic class name.

Some types of packets you do not have to tag with an ACL. Voice and data packets from or for the OnSite itself are automatically tagged with predefined traffic class names. The predefined internal classes for data are:

- local: All other packets that originate from the OnSite itself
- default: All traffic that has not otherwise been labeled

Creating an access control list

The procedure to create an access control list is described in detail in chapter 7, "Access control list configuration" on page 79. At this point, a simple example is given that shows the necessary steps to tag any outbound traffic from a Web server. The scenario is depicted in figure 21. The IP address of the Web server is used as source address in the permit statement of the IP filter rule for the access control list.

[Figure 21. Scenario with Web server regarded as a single source host: network 172.16.1.0/24 on interface lan (172.16.1.1/24) of the node, interface wan towards the IP access network, Web server 172.16.1.20/24]

A new access control list has to be created. In the example above, the traffic class that represents outbound Web related traffic is named Web. Access control lists have an implicit deny
n transit from unauthorized access. Encapsulating security payload (ESP) is the protocol to transport encrypted IP packets over IP (see RFC 2406). The following encryption algorithms are available:

  Algorithm   Name                                                      Key length (bit)   RFC
  DES-CBC     Data Encryption Standard, Cipher Block Chaining           56                 2405
  3DES-CBC    Triple Data Encryption Standard, Cipher Block Chaining    128 or 192 (a)     1851
  AES-CBC     Advanced Encryption Standard, Cipher Block Chaining       128, 192 or 256    3602

  (a) The 3DES algorithm uses only 112 out of the 128 bits, or 168 out of the 192 bits, as key information; the remaining bits are parity. Cisco only supports 192 bit keys with 3DES.

The single DES algorithm no longer offers adequate security because of its short key length (a minimum key length of 100 bits is recommended). The AES algorithm is very efficient and allows the fastest encryption. AES with a key length of 128 bits is therefore the recommended algorithm.

Transport and tunnel modes

The mode determines the payload of the ESP packet and hence the application.

- Transport mode: Encapsulates only the payload of the original IP packet, but not its header, so the IPsec peers must be at the endpoints of the communications link. A secure connection between two hosts is the application of the transport mode.
- Tunnel mode: Encapsulates the payload and the header of the original IP packet. The IPsec peers can be edge routers that are not at
97. whenever the configuration is changed or the OnSite is reloaded.

Mode: source
Command: node(src)[name]#debug queue statistics [level]
Purpose: Enables statistic gathering for the selected class or policy name. The optional argument level, which is in the range from 1 to 4, defines the verbosity of the command output.

Example: Enable statistics gathering for all queues of a profile
The following example shows how to enable statistic gathering for all traffic classes:

2800>enable
2800#configure
2800(cfg)#profile service-policy sample
2800(pf-srvpl)[sample]#debug queue statistics 4

Chapter 9. LEDs status and monitoring
Chapter contents: Status LEDs (page 113)

This chapter describes the OnSite gateway router front panel LEDs. Figure 24 shows the OnSite 2800 Series LEDs. LED definitions are listed in table 14 on page 113.

Figure 24. Examples of OnSite 2800 Series front panels (IPLink VPN Router and IPLink 2800: status LEDs, LAN and WAN ports, Console port)

Table 14. OnSite LED indications
Note: If an error occurs, all LEDs will flash once per second.
Power: When lit, indicates power is applied. Off indicates no power applied.
Run: When lit, indicates normal operation. Flashes once per second during boot start
98. configured for the OnSite router. The IP interfaces are labeled to represent the function of their configuration. Hence Ethernet port 0 0 is named lan, PVC 1 is named external since external services are accessed via this PVC, and PVC 2 is named internal to indicate the private network interconnection via this PVC. Between the leased line modem and the OnSite router, ANSI T1.617 type LMI packets have to be exchanged. In addition, the keep-alive interval has to be set to 20 seconds.

Figure 14. IP context with logical IP interfaces bound to Ethernet port, serial port PVC 1 and PVC 2 (context IP router: interface lan 192.168.1.1 bound to Ethernet port 0 0; interface external 192.168.2.1 bound to PVC 1 on serial port 0 0; interface internal 192.168.3.1 bound to PVC 2 on serial port 0 0)

The related IP, serial interface and Frame Relay configuration procedure is listed below. Where necessary, comments are added to the configuration for better understanding.

1. Enter the configuration mode.
2800>enable
2800#configure

2. Set up the IP interface configuration first. Be aware that not all of the necessary settings are listed below.
2800(cfg)#context ip router
2800(ctx-ip)[router]#interface external
2800(if-ip)[external]#interface internal
2800(if-ip)[internal]#interface lan
2800(if-ip)[lan]#ex
99. link scheduling profile information of an existing service policy profile VoIP_Layer2_CoS:

2800#show profile service-policy VoIP_Layer2_CoS
VoIP_Layer2_CoS
  default
    mark layer-2 cos 1

Enable statistics gathering
Using the debug queue statistics command enables statistic gathering of link scheduler operations. The command has optional values in the range of 1 to 4 that define the level of detail, see table 13.

Table 13. Values defining detail of the queuing statistics
Optional value | Implication on command output
0 | Statistic gathering is switched off.
1 | Displays the amount of packets passed (did not have to wait), queued (arrived earlier than the rate permitted) and discarded due to an overflowing queue.
2 | Also collects byte counts for the categories listed above.
3 | Also keeps track of the peak queue lengths ever reached since the last configuration change or reload.
4 | Adds delay time monitoring.

Note: The debug features offered by the OnSite require the CPU resources of your OnSite router. Therefore do not enable statistic gathering or other debug features if it is not necessary. Disable any debug feature after use with the no form of the command.

You can enable queue statistics for all queues of a link scheduler by placing the debug queue statistics command in the profile header. Queue statistics are reset whe
100. conventions. The procedures described in this manual use the following text conventions.

Table 1. General conventions
Convention | Meaning
Garamond blue type | Indicates a cross reference hyperlink that points to a figure, graphic, table or section heading. Clicking on the hyperlink jumps you to the reference. When you have finished reviewing the reference, click on the Go to Previous View button in the Adobe Acrobat Reader toolbar to return to your starting point.
Futura bold type | Commands and keywords are in boldface font.
Futura bold italic type | Parts of commands which are related to elements already named by the user are in boldface italic font.
Italicized Futura type | Variables for which you supply values are in italic font.
Futura type | Indicates the names of fields or windows.
Garamond bold type | Indicates the names of command buttons that execute an action.
< > | Angle brackets indicate function and keyboard keys, such as <SHIFT>, <CTRL>, <C> and so on.
[ ] | Elements in square brackets are optional.
{a | b | c} | Alternative but required keywords are grouped in braces and are separated by vertical bars.
blue screen | Information you enter is in blue screen font.
screen | Terminal sessions and information the system displays are in screen font.
node | The leading IP address or nodename of an OnSite is substituted with node in boldface italic font.
2800 | The
101. control lists. This chapter includes the following sections:
Quick references (see page 98)
Packet classification (see page 100)
Assigning bandwidth to traffic classes (see page 98)
Link scheduler configuration task list (see page 99)

QoS in networking refers to the capability of the network to provide a better service to selected network traffic. This chapter shows you how to configure the OnSite router to best use the access link. In many applications you can gain a lot by applying the minimal configuration found in the quick reference section, but read the sections Applying scheduling at the bottleneck and Using traffic classes first, to understand the paradox of why we apply a rate limit to reduce delay, and what a traffic class means.

Configuring access control lists
Packet filtering helps to control packet movement through the network. Such control can help to limit network traffic and to restrict network use by certain users or devices. To permit or deny packets from crossing specified interfaces, the OnSite 2800 provides access control lists. An access control list is a sequential collection of permit and deny conditions that apply to packets on a certain interface. Access control lists can be configured for all routed network protocols (IP, ICMP, TCP, UDP and SCTP) to filter the packets of those protocols as the packets pass through an OnSite 2800. The 2800 tests packets against the conditions in an access list
102. entry that denies access, defined according to the command options.

Where the syntax is:
Keyword | Meaning
src | The source address to be included in the rule. An IP address in dotted decimal format, e.g. 64.231.1.10.
src-wildcard | A wildcard for the source address. Expressed in dotted decimal format, this value specifies which bits are significant for matching. One bits in the wildcard indicate that the corresponding address bits are ignored; zero bits must match. The wildcard is therefore the bitwise inverse of a subnet mask. An example of a valid wildcard is 0.0.0.255, which specifies a class C (/24) network.
any | Indicates that IP traffic to or from all IP addresses is to be included in the rule.
host src | The address of a single source host.
dest | The destination address to be included in the rule. An IP address in dotted decimal format, e.g. 64.231.1.10.
dest-wildcard | A wildcard for the destination address. See src-wildcard.
host dest | The address of a single destination host.
cos | Optional. Specifies that packets matched by this rule belong to a certain Class of Service (CoS). For a detailed description of CoS configuration refer to chapter 8, Link scheduler configuration, on page 93.
group | CoS group name.

If you place a deny ip any any rule at the top of an access control list profile, no packets will pass regardless of the other rules you defined, because the first matching rule decides.

Example: Create IP access control list entries
Select the access list profile named WanRx and create some filter rules for it:

2800(cfg)#profile a
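The wildcard and first-match semantics described above (one bits in the wildcard are ignored, the first matching rule decides, unmatched packets fall through to the implicit deny, and a leading deny ip any any shadows everything after it) are easy to get wrong when writing rules by hand. The following is an added example for this page, not Patton code: a small Python model of those rules that you can run offline against constructed packets to check an intended rule order before typing it into the router. The sample rules and addresses are constructed for the example; port and cos options of the real syntax are not modelled.

```python
"""Model of the OnSite-style access control list semantics: dotted-decimal
wildcards in which a 1 bit means "ignore this address bit", first-match
evaluation, and an implicit deny for packets that match no rule.

Added example, not Patton code. Rule lines follow the manual's permit/deny
syntax for ip/icmp/tcp/udp/sctp with {src src-wildcard | any | host src}."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]          # (base address, wildcard)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard.
    The wildcard is the bitwise inverse of a subnet mask: 0.0.0.255 matches
    a /24, 0.0.0.0 matches exactly one host."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; others match exactly
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address specification; return it and the remaining tokens."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_rule(line: str) -> Rule:
    """Parse one line such as 'permit ip 172.16.1.0 0.0.0.255 any'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    if proto not in ("ip", "icmp", "tcp", "udp", "sctp"):
        raise ValueError(f"bad protocol in rule: {line!r}")
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"unsupported options {rest} in rule: {line!r}")
    return Rule(action, proto, src, dst)


def parse_acl(lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines]


def evaluate(acl: List[Rule], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Walk the list in order; the first matching rule decides.
    Returns (action, rule index), or ("deny", None) for the implicit deny."""
    for index, rule in enumerate(acl):
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if wildcard_match(src, *rule.src) and wildcard_match(dst, *rule.dst):
            return rule.action, index
    return "deny", None


# Constructed sample list in the spirit of the manual's WanRx profile.
WANRX_LINES = [
    "deny icmp any any",                          # drop all ICMP first
    "permit ip 172.16.1.0 0.0.0.255 any",         # the whole /24 via wildcard
    "permit tcp host 10.0.0.5 host 172.16.1.20",  # one admin host to the web server
]
WANRX = parse_acl(WANRX_LINES)

# The manual's warning: a leading "deny ip any any" shadows every later rule.
SHADOWED = parse_acl(["deny ip any any"] + WANRX_LINES)


if __name__ == "__main__":
    for pkt in [("icmp", "172.16.1.5", "8.8.8.8"),
                ("tcp", "172.16.1.77", "198.51.100.9"),
                ("tcp", "10.0.0.5", "172.16.1.20"),
                ("udp", "10.0.0.5", "172.16.1.20")]:
        print(pkt, "->", evaluate(WANRX, *pkt), "shadowed:", evaluate(SHADOWED, *pkt))
```

Note how the ICMP packet from 172.16.1.5 is denied by rule 0 even though rule 1 would permit the same source: ordering, not rule count, determines the outcome, and a UDP packet from the admin host reaches the end of the list and is dropped by the implicit deny.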
103. no encapsulation or encapsulation hdlc is set. Be aware that changing the port type also resets the framing and linecode parameters to the default values of the new port type. If a port type change is not allowed due to the current configuration, an error message will be issued.

Mode: port e1t1 <slot> <port>
Command: node(prt-e1t1)[slot/port]#port-type {e1 | t1}
Purpose: Changes the operation mode of the port. Default: e1

Configuring T1/E1 clock mode
The T1/E1 port can either work in clock master or in clock slave mode. This setting defines the clock dependency of the internal data processing. In clock master mode the internal data processing is running on an independent clock source. In clock slave mode the clock source for internal data processing is recovered from the receive line interface. Be aware that the two ports of a link must always be configured as a pair of one clock master and one clock slave; otherwise the data transmission will fail due to bit errors.

Mode: port e1t1 <slot> <port>
Command: node(prt-e1t1)[slot/port]#clock {master | slave}
Purpose: Configures the clock mode of the port. Default: master

Configuring T1/E1 line code
Three different line codes can be selected on the T1/E1 port, whereas only ami is standardized for both E1 and T1. If the port is running in E1 mode, hdb3 is also configurable, and in T1 mode b8zs. If a linecode is selected that is not standardized for the current port mo
104. Do you want to copy the running-config to the startup-config? Press yes to store, no to drop changes: no
Press yes to restart, no to cancel: yes
The system is going down.

Chapter 4. Serial port configuration
Chapter contents
Introduction (45)
Serial port configuration task list (45)
  Disabling an interface (45)
  Enabling an interface (46)
  Configuring the encapsulation for Frame Relay (47)
  Entering Frame Relay configuration mode (48)
  Configuring the LMI type (48)
  Configuring the keep-alive interval (49)
  Entering Frame Relay PVC configuration mode (49)
  Configuring the PVC encapsulation type (50)
  Binding the Frame Relay PVC to an IP interface (50)
  Enabling a Frame Relay PVC (52)
  Disabling a Frame Relay PVC (52)
  Displaying serial port information (53)
  Displaying Frame Relay information (54)
Examples (55)

Introduction
This chapter provides an overview of the serial port and describes the tasks involved in its configuration through the OnSite router. It includes the following sections:
Serial port configuration task list
Configuration tasks
Examples

The V.35 standard is recommended for speeds up to 48 kbps, although in practice it is used successfully at 4 Mbps. The X.21 standard is recommended for data interfaces transmitting at rates up to 2 Mbps and is used primarily in Europe and Japan. The synchronous serial in
105. to your OnSite 2800, use the no shutdown command to enable the serial interfaces again. When you enable an interface, it has the state OPENED in the show port serial command display.

Note: Use the shutdown command to disable the serial interface for any software or hardware configuration procedure.

This procedure describes how to enable a serial interface.
Mode: Administrator execution
Step | Command | Purpose
1 | node(cfg)#port serial <slot> <port> | Selects the serial interface on slot and port.
2 | node(prt-ser)[slot/port]#no shutdown | Enables the interface.
3 | node(prt-ser)[slot/port]#show port serial | Displays the serial interface configuration.

Example: Enabling an interface
The example shows how to enable the built-in serial interface on slot 0 and port 0 of an OnSite router. Check that State is set to OPENED in the command output of show port serial.

2800(cfg)#port serial 0 0
2800(prt-ser)[0/0]#no shutdown
2800(prt-ser)[0/0]#show port serial
Serial Interface Configuration
  Port:              serial 0 0 0
  State:             OPENED
  Hardware Port:     V.35
  Transmit Edge:     normal
  Port Type:         DTE
  CRC Type:          CRC-16
  Max Frame Length:  2048
  Recv Threshold:    1
  Encapsulation:

Configuring the encapsulation for Frame Relay
The synchronous serial interface supports the Frame Relay serial encapsulation method. To set the encapsulation method used
106. Mode: port e1t1 <slot> <port>
Command: node(prt-e1t1)[slot/port]#line-build-out {0 | 7.5 | 15 | 22.5}
Purpose: Specifies the pulse attenuation in dB on the line interface. Default for t1: 0 dB

Configuring T1/E1 used connector (E1 only)
The E1 WAN port provides several line interface connector types: RJ-48C and dual coaxial BNC connectors. This command specifies which one is currently in use. Though the signal is always present on all available connectors, the internal impedance matching must be selected for the appropriate interface: RJ-48C 120 Ohm, BNC 75 Ohm.

Mode: port e1t1 <slot> <port>
Command: node(prt-e1t1)[slot/port]#used-connector {bnc | rj45}
Purpose: Specifies the currently used connector. Default for e1: rj45

Configuring T1/E1 application mode
The T1/E1 port can be configured to work in either short haul or long haul mode. Short haul is the default application and should be used for transmission distances up to 180 m (600 ft). For transmission distances up to 1800 m (6000 ft), select the long haul application.

Mode: port e1t1 <slot> <port>
Command: node(prt-e1t1)[slot/port]#application {long-haul | short-haul}
Purpose: Specifies the e1/t1 application mode. Default: short-haul

Configuring T1/E1 LOS threshold
This command takes effect only if the T1/E1 port is configu
107. one by one. The first match determines whether the OnSite 2800 accepts or rejects the packet. Because the OnSite 2800 stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the packet: every list ends with an implicit deny. For information and examples on how to configure access control lists, refer to chapter 7, Access control list configuration, on page 79.

Figure 17. IP context and related elements (NAPT, service-policy and ACL profiles are attached to IP interfaces with the use command; interfaces are bound to circuits and ports with the bind command)

Configuring quality of service (QoS)
In the OnSite 2800 the link scheduler enables the definition of QoS profiles for network traffic on a certain interface, as shown in figure 17. QoS refers to the ability of a network to provide improved service to selected network traffic over various underlying technologies, including Frame Relay, Ethernet and 802.x type networks, and IP routed networks. In particular, QoS features provide improved and more predictable network service by providing the following:
Supporting dedicated bandwidth
Improving loss characteristics
Avoiding and managing network congestion
108. context IP mode to configure an IP interface:

172.16.40.1(cfg)#context ip router
172.16.40.1(ctx-ip)[router]#

Now you can set your IP address and network mask for the interface eth0. Within this example a class C network, 172.16.1.0/24, is assumed. The IP address in this example is set to 172.16.1.99; you should set this to an unused IP address on your network.

172.16.40.1(ctx-ip)[router]#interface eth0
172.16.40.1(if-ip)[eth0]#ipaddress 172.16.1.99 255.255.255.0
2002-10-29T00:09:40 : LOGINFO : Link down on interface eth0.
2002-10-29T00:09:40 : LOGINFO : Link up on interface eth0.
172.16.1.99(if-ip)[eth0]#

Copy this modified configuration to your new start-up configuration. Upon the next start-up, the system will initialize itself using the modified configuration.

172.16.1.99(if-ip)[eth0]#copy running-config startup-config
172.16.1.99(if-ip)[eth0]#

The OnSite VPN Router can now be connected with your network.

2. Connect the OnSite VPN Router to the network
Depending on whether you connect the OnSite VPN Router to a host directly or via a hub or switch, either straight-through wired or cross-over cables must be used, see figure 11.

Figure 11. Connecting the OnSite V (direct connection between network interfaces: cross-over cable; connection via hub or switch: straight-through wired cables)
109. control list is applied, the action performed by each statement is one of the following:
permit statement: causes any packet matching the criteria to be accepted.
deny statement: causes any packet matching the criteria to be dropped.

To delete an entire access control list, enter configuration mode and use the no form of the profile acl command, naming the access list to be deleted, e.g. no profile acl name. To unbind an access list from the interface to which it was applied, enter the IP interface mode and use the no form of the access control list command.

Access control list configuration task list
To configure an IP access control list, perform the tasks in the following sections:
Mapping out the goals of the access control list
Creating an access control list profile and entering configuration mode (see page 83)
Adding a filter rule to the current access control list profile (see page 83)
Adding an ICMP filter rule to the current access control list profile (see page 85)
Adding a TCP, UDP or SCTP filter rule to the current access control list profile (see page 87)
Binding and unbinding an access control list profile to an IP interface (see page 89)
Displaying an access control list profile (see page 90)
Debugging an access control list profile (see page 90)

Mapping out the goals of the access control list
To create an access control list you must:
Specify the protocol to be filtered
Assign a unique name to the acces
110. for the following users: operators, installers and maintenance technicians.

Structure
This guide contains the following chapters and appendices:
Chapter 1 on page 17 provides information about router features, capabilities, operation and applications.
Chapter 2 on page 26 provides hardware installation procedures.
Chapter 3 on page 38 provides quick start procedures for configuring the OnSite VPN router.
Chapter 4 on page 44 provides an overview of the serial port and describes the tasks involved in its configuration through the OnSite router.
Chapter 5 on page 58 provides information on T1/E1 port configuration.
Chapter 6 on page 67 describes how to configure the VPN connections between two OnSite routers or between an OnSite and a third party device.
Chapter 7 on page 79 provides an overview of IP access control lists and describes the tasks involved in their configuration through the OnSite router.
Chapter 8 on page 93 describes how to use and configure OnSite quality of service (QoS) features.
Chapter 9 on page 112 provides LED definitions.
Chapter 10 on page 114 contains information on contacting Patton technical support for assistance.
Appendix A on page 117 contains compliance information.
Appendix B on page 120 contains specifications for the routers.
Appendix C on page 124 provides cable recommendations.
Appendix D on page 128 describes the router's ports and pin-outs.
Appendix E on page 132 lis
111. port are: type (T1 or E1), clock mode or source (master or slave), line code (AMI, HDB3 or B8ZS), framing (CRC-4, ESF or unframed), line build-out (for T1 only) and encapsulation (channelized or HDLC). A further feature is the creation and configuration of channel groups.

T1/E1 port configuration task list
This section describes the configuration tasks for the T1/E1 port:
Enabling/disabling the T1/E1 port
Configuring the T1/E1 port type
Configuring T1/E1 clock mode
Configuring T1/E1 line code
Configuring T1/E1 framing
Configuring T1 line build-out (LBO, T1 only)
Configuring the E1 impedance/connector
Configuring T1/E1 application mode
Configuring T1/E1 LOS threshold
Configuring T1/E1 encapsulation
Creating a channel group
Configuring channel group timeslots
Configuring channel group encapsulation
Entering HDLC configuration mode
Configuring the HDLC CRC type
Configuring HDLC encapsulation

Enabling/disabling the T1/E1 port
By default the T1/E1 port is disabled. The following command is used for enabling or disabling it.

Mode: port e1t1 <slot> <port>
Command: node(prt-e1t1)[slot/port]#[no] shutdown
Purpose: Enables/disables the T1/E1 port. Default: shutdown (disabled)

Configuring T1/E1 port type
The T1/E1 port can either work in T1 or in E1 (G.704) mode. This mode can be changed dynamically as long as n
112. Purpose
Mode: source
Command: node(src)[name]#set ip tos <value>
Purpose: Defines the type of service (TOS) value applied to packets of or for the selected class or policy name. Standard TOS values are 0, 1, 2, 4 and 8, as given in table 11 on page 106, but any number from 0 to 15 can be configured.

Specifying the precedence field
The set ip precedence command specifies the precedence marking applied to packets of the class name. Precedence and DSCP markings cannot be used at the same time, because both are written into the same bits of the TOS byte. The type of service (TOS) byte in an IP header specifies precedence (priority) and type of service (RFC 791, RFC 1349). The precedence field is defined by the first three bits and supports eight levels of priority. The lowest priority is assigned to 0 and the highest priority is 7. The no form of this command disables precedence marking.

Mode: source
Command: node(src)[name]#set ip precedence <value>
Purpose: Defines the precedence marking value applied to packets of or for the selected class or policy name. The range for value is from 0 to 7, but only values from 0 to 5 should be used; 6 and 7 are reserved for routing and network control traffic.

Specifying differentiated services codepoint (DSCP) marking
Differentiated services enhancements to the Internet protocol are intended to enable the handling of traffic classes throughout the Internet. In this context the IP header TOS field is interpreted as something like a
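The restriction that precedence and DSCP markings cannot be combined follows from the bit layout of the TOS byte, which the text above describes in words. The following is an added example for this page, not Patton code: it composes and decodes the byte under both the RFC 791/1349 (precedence plus TOS bits) and the DiffServ (DSCP plus ECN) interpretations, so you can see which bits each of the manual's set ip commands writes and why a DSCP value silently implies a precedence value. Function names are this example's own.

```python
"""The IPv4 type-of-service byte as the manual's set ip tos, set ip precedence
and DSCP marking commands see it. Precedence is the top three bits (0-7),
the RFC 1349 TOS bits are the next four (the manual's standard values 0, 1,
2, 4 and 8), and DSCP is the top six bits. Because DSCP and precedence share
bits 7..5 of the same byte, the two markings cannot be in effect at once.

Added example, not Patton code."""
from typing import Dict, Optional

# RFC 1349 TOS bit names; the manual's table 11 lists the same values.
TOS_NAMES = {0: "normal", 1: "minimize monetary cost", 2: "maximize reliability",
             4: "maximize throughput", 8: "minimize delay"}
# RFC 791 precedence names; 6 and 7 are reserved for routing and network
# control traffic, which is why the manual says to use only 0..5.
PRECEDENCE_NAMES = {0: "routine", 1: "priority", 2: "immediate", 3: "flash",
                    4: "flash override", 5: "critic/ecp",
                    6: "internetwork control", 7: "network control"}


def tos_byte(precedence: int = 0, tos: int = 0) -> int:
    """Compose the byte the way set ip precedence / set ip tos do."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0..7")
    if not 0 <= tos <= 15:
        raise ValueError("tos must be 0..15")
    return (precedence << 5) | (tos << 1)


def dscp_byte(dscp: int, ecn: int = 0) -> int:
    """Compose the byte the DiffServ way: six DSCP bits over two ECN bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("dscp must be 0..63")
    if not 0 <= ecn <= 3:
        raise ValueError("ecn must be 0..3")
    return (dscp << 2) | ecn


def decode(byte: int) -> Dict[str, int]:
    """Read the same byte under both interpretations."""
    return {"precedence": byte >> 5, "tos": (byte >> 1) & 0xF,
            "dscp": byte >> 2, "ecn": byte & 0x3}


def mark(precedence: Optional[int] = None, tos: int = 0,
         dscp: Optional[int] = None) -> int:
    """Apply the manual's mutual-exclusion rule before composing a marking."""
    if precedence is not None and dscp is not None:
        raise ValueError("precedence and DSCP markings cannot be used at the same time")
    if dscp is not None:
        return dscp_byte(dscp)
    return tos_byte(precedence or 0, tos)


if __name__ == "__main__":
    b = tos_byte(precedence=5, tos=8)
    print(f"precedence 5, minimize delay -> 0x{b:02X} {decode(b)}")
    # DSCP 46 (expedited forwarding) sets the precedence bits to 5 as a side effect
    print(f"DSCP 46 -> 0x{dscp_byte(46):02X} {decode(dscp_byte(46))}")
```

Decoding dscp_byte(46) shows precedence 5: a DiffServ marking always rewrites the precedence bits, so a device that honours only precedence will still see the high bits the DSCP value happens to set.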
113. outbound} {ah-authentication | esp-authentication | esp-encryption} <key>
node(pf-ipstr)[name]#spi {inbound | outbound} {ah | esp} <spi>
Purpose: Sets a key for encryption or an authenticator for authentication, either for the inbound or the outbound direction. The key shall consist of hexadecimal digits (0-9, A-F); one digit holds 4 bits of key information. The key setting must match the definitions in the respective IPsec transformation profile. In particular, the length of the key or authenticator must match the implicit (see sections Authentication on page 68 and Encryption on page 68) or explicit specification. Keys must be available for the inbound and outbound directions. They can be different for the two directions. Make sure that the inbound key of one peer matches the outbound key of the other peer.
Sets the SPI for encryption (esp) or authentication (ah), either for the inbound or the outbound direction. The SPI shall be a decimal figure in the range 1 to 2^32-1. SPIs must be available for encryption and/or authentication as specified in the respective IPsec transformation profile. SPIs must be available for the inbound and outbound directions. They can be identical for the two directions, but must be unique within one direction. Make sure that the inbound SPI of one peer matches the outbound SPI of the other peer.
node(pf-ipstr)[name]#peer <ip-address> | Sets the IP address of the peer.
Note: The peers of the secured communication must
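Manually keyed profiles like the one above give you no automatic consistency check: the key length has to match the transformation profile, each SPI has to lie in 1 to 2^32-1 and be unique per direction, and peer A's inbound material has to equal peer B's outbound material. The following is an added example for this page, not Patton code, that checks exactly those rules offline before the values are typed into two routers. It also reports the effective key strength behind the entered length, following the 3DES footnote in the Encryption section (112 of 128 and 168 of 192 bits) and the manual's 100-bit recommendation. The transform names are this example's own labels; treating a single-DES key as 64 entered bits (16 hex digits) with 56 bits of key material is an assumption of the example. All keys and SPIs shown are constructed; because manually keyed SAs are never rekeyed, real keys must come from a cryptographic random source and must not be reused between peers or directions.

```python
"""Consistency checks for manually keyed IPsec parameters: hex session keys
whose length must match the transform, the effective key strength behind
that length, SPIs in 1..2^32-1, and inbound/outbound cross-matching between
the two peers.

Added example, not Patton code. Assumption: a single-DES key is entered as
64 bits (16 hex digits) of which 56 are key material, as for the other
DES-family entries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# transform -> (bits entered as hex digits, bits that act as key material)
TRANSFORMS: Dict[str, Tuple[int, int]] = {
    "des-cbc":      (64, 56),     # assumption, see module comment
    "3des-cbc-128": (128, 112),   # manual: 112 of 128 bits are key information
    "3des-cbc-192": (192, 168),   # manual: 168 of 192 bits are key information
    "aes-cbc-128":  (128, 128),
    "aes-cbc-192":  (192, 192),
    "aes-cbc-256":  (256, 256),
}
MIN_RECOMMENDED_BITS = 100          # the manual's recommendation
SPI_MAX = 2 ** 32 - 1
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass(frozen=True)
class Sa:
    """One direction of a manually keyed security association."""
    spi: int
    key_hex: str

    def normalized(self) -> Tuple[int, str]:
        return self.spi, self.key_hex.upper()


@dataclass(frozen=True)
class PolicyProfile:
    name: str
    transform: str
    inbound: Sa
    outbound: Sa


def effective_key_bits(transform: str) -> int:
    return TRANSFORMS[transform][1]


def des_parity_ok(key_hex: str) -> bool:
    """DES-family keys carry one odd-parity bit per byte (the reason only
    56 of 64 bits are key material). An even-parity byte usually means a
    typo or a key generated for another cipher."""
    return all(bin(b).count("1") % 2 == 1 for b in bytes.fromhex(key_hex))


def check_profile(p: PolicyProfile) -> List[str]:
    """Return a list of problems; an empty list means the profile is consistent."""
    problems: List[str] = []
    if p.transform not in TRANSFORMS:
        return [f"{p.name}: unknown transform {p.transform!r}"]
    entered_bits, effective_bits = TRANSFORMS[p.transform]
    if effective_bits < MIN_RECOMMENDED_BITS:
        problems.append(f"{p.name}: {p.transform} has only {effective_bits} effective key bits; "
                        f"at least {MIN_RECOMMENDED_BITS} recommended")
    for direction, sa in (("inbound", p.inbound), ("outbound", p.outbound)):
        if not HEX_RE.match(sa.key_hex):
            problems.append(f"{p.name}: {direction} key is not hexadecimal")
        elif len(sa.key_hex) * 4 != entered_bits:
            problems.append(f"{p.name}: {direction} key is {len(sa.key_hex) * 4} bits, "
                            f"{p.transform} needs {entered_bits}")
        elif "des" in p.transform and not des_parity_ok(sa.key_hex):
            problems.append(f"{p.name}: {direction} key fails the DES odd-parity check")
        if not 1 <= sa.spi <= SPI_MAX:
            problems.append(f"{p.name}: {direction} SPI {sa.spi} is outside 1..2^32-1")
    return problems


def peers_match(a: PolicyProfile, b: PolicyProfile) -> List[str]:
    """The manual's rule: one peer's inbound key and SPI must equal the other
    peer's outbound key and SPI, for both directions."""
    problems: List[str] = []
    if a.inbound.normalized() != b.outbound.normalized():
        problems.append(f"{a.name} inbound does not match {b.name} outbound")
    if a.outbound.normalized() != b.inbound.normalized():
        problems.append(f"{a.name} outbound does not match {b.name} inbound")
    return problems


# Constructed sample values; real keys must come from a cryptographic RNG.
K_A2B = "0F1E2D3C4B5A69788796A5B4C3D2E1F0"   # 32 hex digits = 128 bits
K_B2A = "00112233445566778899AABBCCDDEEFF"
SITE_A = PolicyProfile("siteA", "aes-cbc-128", Sa(1001, K_B2A), Sa(1002, K_A2B))
SITE_B = PolicyProfile("siteB", "aes-cbc-128", Sa(1002, K_A2B), Sa(1001, K_B2A))
BAD_3DES = PolicyProfile("legacy", "3des-cbc-128", Sa(7, "00" * 16), Sa(8, "00" * 16))

if __name__ == "__main__":
    for prof in (SITE_A, SITE_B, BAD_3DES):
        print(prof.name, check_profile(prof) or "ok")
    print("peers:", peers_match(SITE_A, SITE_B) or "ok")
```

Running the checks on both sides before deployment catches the two mistakes that are hardest to diagnose from the router alone: a key of the wrong length for the chosen transform, and inbound/outbound material that was entered the same way round on both peers instead of mirrored.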
114. following example:

2800(cfg)#profile acl WanRx
2800(pf-acl)[WanRx]#deny icmp any any msg echo
2800(pf-acl)[WanRx]#exit
2800(cfg)#

Adding a TCP, UDP or SCTP filter rule to the current access control list profile
The commands permit or deny are used to define a TCP, UDP or SCTP filter rule. Each TCP, UDP or SCTP filter rule represents a respective access control list entry. This procedure describes how to create a TCP, UDP or SCTP access control list entry that permits access.

Mode: Profile access control list
Command: node(pf-acl)[name]#permit {tcp | udp | sctp} {src src-wildcard | any | host src} [{eq port | gt port | lt port | range from to}] {dest dest-wildcard | any | host dest} [{eq port | gt port | lt port | range from to}] [cos group | cos-rtp group-data group-ctrl]
Purpose: Creates a TCP, UDP or SCTP access control list entry that permits access, defined according to the command options.

This procedure describes how to create a TCP, UDP or SCTP access control list entry that denies access.

Mode: Profile access control list
Command: node(pf-acl)[name]#deny {tcp | udp | sctp} {src src-wildcard | any | host src} [{eq port | gt port | lt port | range from to}] {dest dest-wildcard | any | host dest} [{eq port | gt port | lt port | range from to}] [cos group | cos-r
Purpose: Creates a TCP, UDP or SCTP access control list entry that denies access, defined according to the command options.
115. specifies the encapsulation type of hdlc: {framerelay | ppp}. Default: no encapsulation

T1/E1 configuration examples
Here is a group of four configuration examples:
Example 1: Frame Relay without a channel group
Example 2: Frame Relay with a channel group
Example 3: PPP without a channel group
Example 4: PPP with a channel group

Example 1: Frame Relay without a channel group
port e1t1 0 0
  port-type e1
  framing crc4
  encapsulation hdlc
  hdlc
    encapsulation framerelay
    framerelay
      lmi-type itu
      pvc 100
        encapsulation rfc1490
        bind interface pvc100 router
        no shutdown
port e1t1 0 0
  no shutdown

Example 2: Frame Relay with a channel group
port e1t1 0 0
  port-type e1
  framing crc4
  encapsulation channelized
  channel-group myGroup
    timeslots 13-17
    encapsulation hdlc
    hdlc
      encapsulation framerelay
      framerelay
        lmi-type itu
        pvc 100
          encapsulation rfc1490
          bind interface pvc100 router
          no shutdown
port e1t1 0 0
  no shutdown

Example 3: PPP without a channel group
port e1t1 0 0
  port-type e1
  framing crc4
  encapsulation hdlc
  hdlc
    encapsulation ppp
    bind interface myPPP router
port e1t1 0 0
  no shutdown

Example 4: PPP with a channel group
port e1t1 0 0
  port-type e1
  framing crc4
  encapsulation channelized
  channel-group yourGroup
    timeslots
116. products, no matter how you acquired them.

Warranty coverage
Our products are under warranty to be free from defects, and we will, at our option, repair or replace the product should it fail within one year from the first date of shipment. Our warranty is limited to defects in workmanship or materials and does not cover customer damage, lightning or power surge damage, abuse or unauthorized modification.

Out-of-warranty service
Patton services what we sell, no matter how you acquired it, including malfunctioning products that are no longer under warranty. Our products have a flat fee for repairs. Units damaged by lightning or other catastrophes may require replacement.

Returns for credit
Customer satisfaction is important to us; therefore any product may be returned with authorization within 30 days from the shipment date for a full credit of the purchase price. If you have ordered the wrong equipment or you are dissatisfied in any way, please contact us to request an RMA number to accept your return. Patton is not responsible for equipment returned without a Return Authorization.

Return for credit policy
Less than 30 days: No charge. Your credit will be issued upon receipt and inspection of the equipment.
30 to 60 days: We will add a 20% restocking charge, crediting your account with 80% of the purchase price.
Over 60 days: Products will b
117. r 32
Rear view of the router showing location of the X.21 interface connector (33)
Rear panel of 2800 (34)
Rear panel of 2800 (35)
Power connector location on rear panel (36)
VPN Router front panel LEDs and Console port locations, OnSite 2835 shown (37)
Steps in setting up a new OnSite VPN Router (39)
Connecting to the terminal (40)
Connecting the OnSite VPN Router to the network (42)
IP interface wan is bound to PVC 1 on port serial 0 0 (51)
Typical Integrated Service Access scenario with dedicated PVCs (55)
IP context with logical IP interfaces bound to Ethernet port, serial port PVC 1 and PVC 2 (56)
Using traffic filters to prevent traffic from being routed to a network (81)
Deny specific subnet on an interface (92)
IP context and related elements (95)
Packet routing in OnSite (96)
Example of hierarchical scheduling (98)
Elements of link scheduler configuration (100)
Scenario with Web server regarded as a single source host (101)
118. or X.21 serial WAN port and two 10/100Base-T Ethernet ports, see figure 2.
OnSite 2821: X.21 WAN interface and two Ethernet ports
OnSite 2835: V.35 WAN interface and two Ethernet ports
OnSite 2803: T1/E1 WAN interface and two Ethernet ports

Figure 3. OnSite 2800 Series 10/100Base-T Ethernet port connectors (IPLink 2805: 10/100Base-T Ethernet WAN port 0 0, Ethernet LAN ports 0 1 to 0 4, Reset, 5V 1A power connector; IPLink 2802: 10/100Base-T Ethernet ports 0 1 and 0 0, Reset, 12V 1A power connector)

Ethernet WAN models
The following models come equipped with 10/100Base-T Ethernet ports only, see figure 3:
OnSite 2802: Dual 10/100Base-T Ethernet ports, one for LAN connection and one for connection to a WAN
OnSite 2805: Integrated Ethernet switch with four 10/100Base-T Ethernet ports and one 10/100Base-T Ethernet port for connection to a WAN
OnSite 2823: Three 10/100Base-T Ethernet ports with the independent purposes of WAN, LAN and DMZ

Rear panel (figure): Internal power supply connector accepts 100-240 VAC, 50/60 Hz, up to 1 A; Status, WAN and Activity LEDs; RESET; ETH 0 1 and ETH 0 0. External power supply connector accepts 12 VDC, 1 A from an external AC adapter (some mode
119. hierarchical scheduling is illustrated. The first level arbiter (Level 1) uses weighted fair queuing to share the bandwidth among the source classes VPN and Web, and incorporates the traffic from the second level arbiter (Low_Priority), which itself uses shaping to share the bandwidth among the source classes Mail and Default.

Figure 19. Example of hierarchical scheduling (Level 1 arbiter in WFQ mode with a critical priority queue and the sources VPN, Web and Low_Priority with minimum shares of 30, 30 and 40; Low_Priority is a second level shaper arbiter fed by Mail and Default. Steps: define the 2nd level arbiter, define the 1st level arbiter, use the arbiter on an interface)

Quick references
The following sections provide a minimal standard link scheduler configuration for the case where a DSL or cable modem link is shared for all traffic. You will also find a command cross reference list for administrators familiar with Cisco's IOS QoS features who have to become acquainted with OnSite QoS configuration.

Setting the modem rate
Matching the data multiplexing of different traffic types to the capacity of the access link is the most common application of the OnSite link scheduler.

1. Create a minimal profile:
profile service-policy modem-512
  rate-limit 512 header-length 20 atm-modem
  source traffic-class critical
    priority

2. Apply the profile just created to
120. source reliability, see section Power source on page 29. When you finish preparing for your VPN Router installation, go to section Installing the VPN router on page 30 to install the device.

Installation checklist
The installation checklist (see table 3) lists the tasks for installing an OnSite 2800 Series VPN Router. Make a copy of this checklist and mark the entries as you complete each task. For each OnSite 2800 Series VPN Router, include a copy of the completed checklist in your site log.

Table 3. Installation checklist (columns: Task, Verified by, Date)
Network information available and recorded in site log
Environmental specifications verified
Site power voltages verified
Installation site pre-power check completed
Required tools available
Additional equipment available
All printed documents available
OnSite release and build number verified
Rack, desktop or wall mounting of chassis completed
Initial electrical connections established
ASCII terminal attached to console port
Cable length limits verified
Initial configuration performed
Initial operation verified

Site log
Patton recommends that you maintain a site log to record all actions relevant to the system, if you do not already keep such a log. Site log entries
[...]Example: Create an IPsec transformation profile

The following example defines a profile for AES encryption at a key length of 128:

2800(cfg)#profile ipsec-transform AES-128
2800(pf-ipstr)[AES-128]#esp-encryption aes-cbc 128

Creating an IPsec policy profile

The IPsec policy profile supplies the keys for the encryption and/or the authenticators for the authentication, the security parameter indexes (SPIs), and the IP address of the peer of the secured communication. Furthermore, the profile defines which IPsec transformation profile to apply and whether transport or tunnel mode shall be in effect.

The SPI identifies a secured communication channel. The IPsec component needs the SPI to select the suitable key or authenticator. Inbound and outbound channels can have the same SPI, but channels in the same direction (inbound or outbound) must have unique SPIs. Note that the SPI is not encrypted and can be observed by anyone monitoring the link.

Procedure: To create an IPsec policy profile. Mode: Configure.

Step 1: node(cfg)#profile ipsec-policy-manual name. Purpose: Creates the IPsec policy profile name.
Step 2: node(pf-ipstr)[name]#use profile ipsec-transform name. Purpose: Selects the IPsec transformation profile to be applied.
Step 3 (optional): node(pf-ipstr)[name]#session-key {inbound | outb[...]
[...]required for long-haul applications. It specifies the sensitivity of the Loss Of Signal (LOS) threshold. A signal suffers more attenuation over long distances than over short distances; therefore the LOS threshold must be set higher for longer transmission distances. This command has a default value of 46dB, which should be enough for distances up to 1600 m (5250 ft).

Mode: port e1t1 slot port
Command: name(prt-e1t1)[slot/port]#los-threshold {4dB | 6dB | 8dB | 46dB | 48dB}. Purpose: Specifies the Loss Of Signal threshold. Default: 46dB.

Configuring T1/E1 encapsulation

Only HDLC encapsulation is available on a T1/E1 port. Once encapsulation is configured as hdlc, the hdlc submode can be entered for selecting the next encapsulation type, such as ppp or framerelay. Depending on the port type, encapsulation hdlc automatically selects all timeslots of the port for data transmission (1 to 31 for E1 and 1 to 24 for T1).

It is also possible to use the port in channelized mode. In channelized mode the user selects fewer than the total number of timeslots for the channel (1 to 31 for E1, 1 to 24 for T1) and is able to configure single or multiple timeslots for data transmission. To use this feature, the encapsulation must be configured as channelized; afterwards the channel-group command is used to create the channel group. In channel group configuration mode the user selects the specific timeslots and the en[...]
[...]group

Where the syntax is as follows:

src: The source address to be included in the rule. An IP address in dotted-decimal format, e.g. 64.231.1.10.
src-wildcard: A wildcard for the source address. Expressed in dotted-decimal format, this value specifies which bits are significant for matching. One bits in the wildcard indicate that the corresponding bits are ignored. An example of a valid wildcard is 0.0.0.255, which specifies a class C network.
any: Indicates that IP traffic to or from all IP addresses is to be included in the rule.
host src: The address of a single source host.
dest: The destination address to be included in the rule. An IP address in dotted-decimal format, e.g. 64.231.1.10.
dest-wildcard: A wildcard for the destination address. See src-wildcard.
host dest: The address of a single destination host.
msg-name: The ICMP message name. The following are valid message names: administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redire[...]
[...][Figure 12: IP interface wan is bound to PVC 1 on port serial 0 0]

This procedure describes how to bind the Frame Relay PVC (DLCI) on the serial interface to the logical IP interface name, which belongs to the IP context router.

Mode: PVC
Step 1: node(pvc)[dlci]#bind interface name router. Purpose: Binds Frame Relay PVC dlci to the IP interface name of IP context router.

Example: Binding the Frame Relay PVC to an IP interface

The following example binds Frame Relay PVC 1 on the serial interface on slot 0 and port 0 of an OnSite router to the IP interface wan of IP context router:

2800(cfg)#port serial 0 0
2800(prt-ser)[0/0]#framerelay
2800(frm-rel)[0/0]#pvc 1
2800(pvc)[1]#bind interface wan router

Enabling a Frame Relay PVC

After binding a Frame Relay PVC to an IP interface, it must be enabled for packet processing. This procedure activates the PVC by opening the bound IP interface.

Mode: PVC
Step 1: node(pvc)[dlci]#no shutdown. Purpose: Enables the Frame Relay PVC.

Example: Enabling a Frame Relay PVC

The following example enables the Frame Relay PVC with DLCI 1 on the serial interface on slot 0 and port 0:

2800(cfg)#port serial 0 0
2800(prt-ser)[0/0]#framerelay
2800(frm-rel)[0/0]#pvc 1
2800(pvc)[1]#no[...]
[...] (table of contents, continued; entries that could not be recovered from the scan are omitted)

Differentiated services codepoint (DSCP) marking ... 106
Specifying layer 2 marking ... 107
Defining random early detection ... 108
Discarding excess load ... 108
Devoting the service policy profile to an interface ... 109
Displaying link arbitration status ... 110
Displaying link scheduling profile information ... 110
Enable statistics gathering ... 110
9 LEDs status and monitoring ... 112
10 Contacting Patton for assistance ... 114
Introduction ... 115
Contact information ... 115
Patton Support Headquarters in the USA ... 115
Alternate Patton support for Europe, Middle East and Africa (EMEA) ... 115
Warranty Service and Returned Merchandise Authorizations (RMAs) ... 115
Returns for credit ... 116
Return for credit policy ... 116
RMA numbers ... 116
Shipping instructions ... 116
A Compliance information ... 117
Radio and TV Interference (FCC Part 15) ... 118
CE[...]
[...]list: Define packet filtering criteria. A single access control list can have multiple filtering criteria statements.

Before you begin to enter the commands that create and configure the IP access control list, be sure that you are clear about what you want to achieve with the list. Consider whether it is better to deny specific accesses and permit all others, or to permit specific accesses and deny all others.

Note: A single access control list can have multiple filtering criteria statements, but editing those entries online can be tedious. Therefore we recommend editing complex access control lists offline within a configuration file and downloading the configuration file later via TFTP to your OnSite device.

Creating an access control list profile and entering configuration mode

This procedure describes how to create an IP access control list and enter access control list configuration mode.

Mode: Administrator execution
Command: node(cfg)#profile acl name. Purpose: Creates the access control list profile name and enters the configuration mode for this list. name is the name by which the access list will be known. Entering this command puts you into access control list configuration mode, where you can enter the individual statements that will make up the access control list. Use the no form of this command to[...]
[...]entries should include information such as listed in table 4.

Table 4: Sample site log entries
Installation: Make a copy of the installation checklist and insert it into the site log.
Upgrades and maintenance: Use the site log to record ongoing maintenance and expansion history.
Configuration changes: Record all changes and the reasons for them.
Maintenance: Schedules, requirements, and procedures performed.
Comments: Notes and problems.
Software: Changes and updates to OnSite software.

Network information

When planning your installation, there are certain network connection considerations that you should take into account. The following sections describe such considerations for several types of network interfaces.

Network diagram

Draw a network overview diagram that displays all neighboring IP nodes, connected elements, and telephony components.

IP related information

Before you can set up the basic IP connectivity for your OnSite 2800 Series, you should have the following information:
• IP addresses and subnet masks used for the Ethernet LAN and WAN ports
• IP addresses and subnet masks used for the V.35 or X.21 serial WAN port
• IP addresses and subnet masks used for the T1/E1 WAN port
• IP address of the central TFTP server used for configuration upload and download
• Login and password for PPPoE access

Software tools

You will need a PC or equivalent with a VT-100 emulation program (e.g. HyperTerminal) to configure the[...]
[...] (table of contents, chapter 5; entries that could not be recovered from the scan are omitted)

T1/E1 port configuration task list ... 59
Enable/Disable T1/E1 port ... 59
Configuring T1/E1 port type ... 60
Configuring T1/E1 used connector ... 61
Configuring T1/E1 application mode ... 62
Configuring T1/E1 LOS threshold ... 62
Configuring T1/E1 encapsulation ... 62
Create a Channel Group ... 62
Configuring Channel Group Timeslots ... 63
Configuring Channel Group Encapsulation ... 63
Entering HDLC Configuration Mode ... 63
Configuring HDLC Encapsulation ... 64
T1/E1 Configuration Examples ... 64
Example 1: Frame Relay without a channel group ... 65
Example 2: Frame Relay with a channel group ... 66
Example 3: PPP without a channel group ... 66
Example 4: PPP with a channel group[...]
[...]shutdown

Check the PVC 1 status using show running-config and verify that the entry no shutdown occurs in the configuration part responsible for this PVC:

2800(pvc)[1]#show running-config
Running configuration:
...
pvc 1
  encapsulation rfc1490
  bind interface wan router
  no shutdown

Disabling a Frame Relay PVC

Frame Relay PVCs can be disabled whenever necessary. Be aware that disabling a specific PVC also disables the related serial interface, and vice versa. This procedure describes how to disable the Frame Relay PVC (DLCI) on the serial interface.

Mode: PVC
Step 1: node(pvc)[dlci]#shutdown. Purpose: Disables the Frame Relay PVC dlci.

Example: Disabling a Frame Relay PVC

The following example disables Frame Relay PVC 1 on the serial interface on slot 0 and port 0 of an OnSite router:

2800(cfg)#port serial 0 0
2800(prt-ser)[0/0]#framerelay
2800(frm-rel)[0/0]#pvc 1
2800(pvc)[1]#shutdown

Check the PVC 1 status using show running-config and verify that the entry shutdown occurs in the configuration part responsible for this PVC:

2800(pvc)[1]#show running-config
Running configuration:
...
pvc 1
  encapsulation rfc1490
  bind interface wan router
  shut[...]
[...]subnet

Figure 16 shows an example in which a server attached to network 172.16.1.0 shall not be accessible from outside networks connected to IP interface lan of the OnSite device. To prevent access, an incoming filter rule named Jamming is defined which blocks any IP traffic from network 172.16.2.0 to network 172.16.1.0 and has to be bound to IP interface lan.

[Figure 16: Deny a specific subnet on an interface. Network 172.16.1.0 (OnSite address 172.16.1.1/24, Server) and network 172.16.2.0 (secure lan, OnSite address 172.16.2.1/24, Host 172.16.2.13/24).]

The commands that have to be entered are listed below. The commands access the OnSite device via a Telnet session running on a host with IP address 172.16.2.13, which reaches the OnSite via IP interface lan:

172.16.2.1>enable
172.16.2.1#configure
172.16.2.1(cfg)#profile acl Jamming
172.16.2.1(pf-acl)[Jamming]#deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
172.16.2.1(pf-acl)[Jamming]#permit ip any any
172.16.2.1(pf-acl)[Jamming]#exit
172.16.2.1(cfg)#context ip router
172.16.2.1(cfg-ip)[router]#interface lan
172.16.2.1(if-ip)[lan]#use profile acl Jamming in
172.16.2.1(if-ip)[lan]#exit
172.16.2.1(cfg-ip)[router]#copy running-config startup-config

Chapter 8: Link scheduler configuration

Chapter contents (entries that could not be recovered from the scan are omitted)
Introduction ... 94
Configuring access control lists ... 94
Applying scheduling at the bottleneck ... 95
[...]
[...]retail, utilities, railroads, or government: any organization with more than one site can benefit from the security and traffic-shaping advantages of the OnSite family of VPN routers. As traffic traverses unsecured networks, VPN tunneling with standard IPsec encryption plus firewall capabilities preserve data security and integrity. Meanwhile, OnSite's ToS/QoS traffic shaping and prioritization prevent critical information from getting blocked or impeded by less important traffic, while enhancing the quality of real-time applications such as voice and video.

OnSite 2800 Series Serial WAN models provide dual 10/100Base-T Ethernet ports with a selection of synchronous serial WAN ports (V.35, X.21, or T1/E1). The two Ethernet ports provide full-featured IP routing plus Ethernet and IP layer QoS services. The sync serial port provides WAN access by means of a leased-line connection to the network. OnSite 2800 Series Ethernet WAN models provide one or four Ethernet LAN ports in addition to the Ethernet WAN interface.

The following sections show some typical applications for the OnSite 2800 Series. This chapter describes typical applications for which the OnSite 2800 Series is uniquely suited.

Branch Office virtual private network over Frame Relay service

Featuring VPN tunneling combined with built-in Frame Relay support and a selection of standard serial interfaces on board, the OnSite 2800 Series offers the remote branch office a secure private an[...]
[...]rate as long as the average stays below the limit. This burstiness measure allows the network to explicitly assign buffers to bursty sources.

When you use shaping on the access link, the shaper sometimes has the problem that multiple sources are scheduled for the same time, and therefore some of them will be served too late. If the rate of every source had to strictly obey its limit, all following packets would also have to be delayed by the same amount, and further collisions would reduce the achieved rate even further. To avoid this effect, the OnSite shaper assumes that the burstiness needed for sources to catch up after collisions is implicitly allowed. Future versions of OnSite might allow setting the burst rate and burst size if more control over its behavior is considered necessary.

Burst tolerance has a different effect when used with weighted fair queuing. Think of it as a higher initial rate when a source device starts transmitting data packets. This allows giving a higher weight to short data transfers. This feature is sometimes referred to as a service curve.

Hierarchy

An arbiter can either use wfq or shaping to determine which source to serve next. If you want the scheduler to follow a combination of decision criteria, you can combine different schedulers in a hierarchy to do multi-level arbitration. Hierarchical scheduling is supported in OnSite with service policy profiles used inside service policy profiles. In figure 19 an example of hie[...]
[...]ted source. When enough bandwidth is available, each source will receive exactly this bandwidth but no more; when overloaded, the shaper will behave like a wfq arbiter.

Bit rate specification for shaper (kilobits)

Mode: Source
Command: node(src)[name]#rate {kilobits | remaining}. Purpose: Defines the average bit rate in kbps (kilobits) for the selected class or policy name, or remaining if a second-priority source is to get the unused bandwidth.

Defining absolute priority

The priority command can only be applied to classes, not to lower-level policies. The class is given absolute priority, effectively bypassing the link arbiter. Care should be taken, as traffic of this class may block all other traffic. The packets given priority are taken into account by the rate-limit. Use the police command to control the amount of priority traffic.

Mode: Source
Command: node(src)[name]#priority. Purpose: Defines absolute priority, effectively bypassing the link arbiter, for the selected class or policy name.

Defining the maximum queue length

The queue-limit command specifies the maximum number of packets queued for the class name. Excess packets are dropped. Used in class mode, queuing only happens at the leaves of the arbitration hierarchy tree. The no form of this command reverts the queue limit to the internal default value, which depends on your configuration.

Mode: Source
Command[...]
[...]interface supports full-duplex operation and allows interconnection to various serial network interface cards or equipment.

The OnSite device supports the Frame Relay protocol on the synchronous serial interface. Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Variable-length packets are used for more efficient and flexible transfers. These packets are then switched between the various network segments until the destination is reached. Statistical multiplexing techniques control network access in a packet-switched network. The advantage of this technique is that it provides more flexibility and more efficient use of bandwidth.

Serial port configuration task list

Perform the tasks in the following sections to configure a synchronous serial interface:
• Disabling an interface (see page 45)
• Enabling an interface (see page 46)
• Configuring the serial encapsulation type (see page 47)
• Entering Frame Relay mode (see page 48)
• Configuring the LMI type (see page 48)
• Configuring the keep-alive interval (see page 49)
• Entering Frame Relay PVC configuration mode (see page 49)
• Configuring the PVC encapsulation type (see page 50)
• Binding the Frame Relay PVC to an IP interface (see page 50)
• Disabling a Frame Relay PVC (see page 52)
• Displaying Frame Relay information (see page 54)

Disabling an interface

Before[...]
[...]the endpoints of the communications link. A secure connection of two private LANs (a tunnel) is the application of tunnel mode.

VPN configuration task list

To configure a VPN connection, perform the following tasks:
• Creating an IPsec transformation profile
• Creating an IPsec policy profile
• Creating/modifying an outgoing ACL profile for IPsec
• Configuration of an IP interface and the IP router for IPsec
• Displaying IPsec configuration information
• Debugging IPsec

Creating an IPsec transformation profile

The IPsec transformation profile defines which authentication and/or encryption protocols and which authentication and/or encryption algorithms shall be applied.

Procedure: To create an IPsec transformation profile. Mode: Configure.

Step 1: node(cfg)#profile ipsec-transform name. Purpose: Creates the IPsec transformation profile name.
Step 2 (optional): node(pf-ipstr)[name]#esp-encryption {aes-cbc | des-cbc | 3des-cbc} key-length. Purpose: Enables encryption and defines the encryption algorithm and the key length.
Step 3 (optional): node(pf-ipstr)[name]#{ah-authentication | esp-authentication} {hmac-md5-96 | hmac-sha1-96}. Purpose: Enables authentication and defines the authentication protocol and the hash algorithm.

Use no in front of the above commands to delete a profile or a configuration entry.

Example: C[...]
[...]the telephone network cables to avoid contact with telephone line voltages. When detaching the cables, detach the end away from the OnSite first.

CAUTION: The power supply automatically adjusts to accept an input voltage from 100 to 240 VAC, 50/60 Hz. Verify that the proper voltage is present before plugging the power cord into the receptacle. Failure to do so could result in equipment damage.

CAUTION: The interconnecting cables shall be acceptable for external use and shall be rated for the proper application with respect to voltage, current, anticipated temperature, flammability, and mechanical serviceability.

In accordance with the requirements of council directive 2002/96/EC on Waste of Electrical and Electronic Equipment (WEEE), ensure that at end of life you separate this product from other waste and scrap and deliver it to the WEEE collection system in your country for recycling.

General observations
• Clean the case with a soft, slightly moist, anti-static cloth.
• Place the unit on a flat surface and ensure free air circulation.
• Avoid exposing the unit to direct sunlight and other heat sources.
• Protect the unit from moisture, vapors, and corrosive liquids.

Typographical conventions used in this document

This section describes the typographical conventions and terms used in this guide.

General conve[...]
[...]tp | group-data | group-ctrl}

Where the syntax is:

src: The source address to be included in the rule. An IP address in dotted-decimal format, e.g. 64.231.1.10.
src-wildcard: A wildcard for the source address. Expressed in dotted-decimal format, this value specifies which bits are significant for matching. One bits in the wildcard indicate that the corresponding bits are ignored. An example of a valid wildcard is 0.0.0.255, which specifies a class C network.
any: Indicates that IP traffic to or from all IP addresses is to be included in the rule.
host src: The address of a single source host.
eq port: Optional. Indicates that a packet's port must be equal to the specified port in order to match the rule.
lt port: Optional. Indicates that a packet's port must be less than the specified port in order to match the rule.
gt port: Optional. Indicates that a packet's port must be greater than the specified port in order to match the rule.
range from to: Optional. Indicates that a packet's port must be equal to or greater than the specified from port and less than the specified to port to match the rule.
dest: The destination address to be included in the rule. An IP address in dotted-decimal format, e.g. 64.231.1.10.
dest-wildcard: A wildcard for the destination address. See src-wild[...]
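The wildcard semantics defined in the ICMP and TCP/UDP/SCTP rule syntax above (a one bit in the wildcard means the corresponding address bit is ignored), combined with first-match evaluation of the rules in an access control list profile, can be checked offline before a list is downloaded to the device. The following Python is an added example, not Patton code; the rule lines mirror the "Jamming" profile from the "Denying a specific subnet" example in this manual, and the fall-through action when no rule matches is an assumption made by this script, not a statement of the device's behaviour.

```python
"""Offline evaluator for OnSite-style ACL rules with wildcard masks.

Added example (not Patton code). Rule syntax handled:
    <permit|deny> <proto> <src-spec> <dest-spec>
where a spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (address + wildcard).
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard mask.

    A one bit in the wildcard means "ignore this bit", so only the bits
    where the wildcard is zero must agree between addr and base.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (b & care)


def _addr_spec(tokens, i):
    """Consume one address spec at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":                       # all addresses: ignore every bit
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":                      # single host: every bit significant
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2       # explicit address + wildcard


def parse_rule(line: str) -> dict:
    """Parse one rule line into a dict with action, proto, src and dst specs."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    src, srcw, i = _addr_spec(tokens, 2)
    dst, dstw, _ = _addr_spec(tokens, i)
    return {"action": action, "proto": proto, "src": (src, srcw), "dst": (dst, dstw)}


def evaluate(rules, src: str, dst: str, proto: str = "ip", default: str = "deny") -> str:
    """Return the action of the first rule matching (src, dst, proto).

    'ip' rules match any protocol. `default` is applied when nothing matches;
    it is a parameter of this script (assumption), not a documented device default.
    """
    for rule in rules:
        if rule["proto"] not in ("ip", proto):
            continue
        if wildcard_match(src, *rule["src"]) and wildcard_match(dst, *rule["dst"]):
            return rule["action"]
    return default


# The "Jamming" profile from the manual's subnet-deny example (constructed here
# from the documented command lines, minus the CLI prompts).
JAMMING = [
    parse_rule("deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255"),
    parse_rule("permit ip any any"),
]


def jamming_decisions() -> dict:
    """Evaluate a few constructed flows against the Jamming list."""
    return {
        "host_to_server": evaluate(JAMMING, "172.16.2.13", "172.16.1.5"),   # blocked
        "host_to_gateway": evaluate(JAMMING, "172.16.2.13", "172.16.2.1"),  # allowed
        "outside_to_server": evaluate(JAMMING, "10.0.0.1", "172.16.1.5"),   # allowed
    }


if __name__ == "__main__":
    for flow, action in jamming_decisions().items():
        print(f"{flow}: {action}")
```

Inbound traffic from the secure LAN to the server subnet is denied by the first rule, while traffic to the router's own lan address or from any other network falls through to `permit ip any any`, which is exactly the "deny specific, permit the rest" shape the manual recommends deciding on before writing the list.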
[...]traffic class and to serve the other traffic classes when the first has nothing to send. OnSite uses the priority scheme to make sure that voice packets generated by the OnSite will experience as little delay as possible.

Weighted fair queuing (WFQ)

This arbitration method assures a given minimal bandwidth for each source. An example: you specify that traffic class A gets three times the bandwidth of traffic class B. So A will get a minimum of 75% and B will get a minimum of 25% of the bandwidth. But if no class A packets are waiting, B will get 100% of the bandwidth.

Each traffic class is in fact assigned a relative weight, which is used to share the bandwidth among the currently active classes. Patton recommends that you specify the weight as a percentage, which is most readable.

Shaping

There is another commonly used way to assign bandwidth. It is called shaping, and it makes sure that each traffic class will get just as much bandwidth as configured and not more. This is useful if you have subscribed to a service that is only available for a limited bandwidth (e.g. low delay). When connecting the OnSite to a DiffServ network, shaping might be a required operation.

Burst tolerant shaping or wfq

For weighted fair queuing and shaping there is a variation of the scheduler that allows you to specify whether a traffic class may temporarily receive a higher ra[...]
[...]lists the factory configuration settings for the OnSite VPN router. Appendix F on page 134 provides license information that describes acceptable usage of the software provided with the OnSite VPN router.

For best results, read the contents of this guide before you install the router.

Precautions

Notes, cautions, and warnings, which have the following meanings, are used throughout this guide to help you become aware of potential problems. Warnings are intended to prevent safety hazards that could result in personal injury. Cautions are intended to prevent situations that could result in property damage or impaired functioning.

Note: A note presents additional information or interesting sidelights.

IMPORTANT: The alert symbol and IMPORTANT heading call attention to important information.

CAUTION: The alert symbol and CAUTION heading indicate a potential hazard. Strictly follow the instructions to avoid property damage.

CAUTION: The shock hazard symbol and CAUTION heading indicate a potential electric shock hazard. Strictly follow the instructions to avoid property damage caused by electric shock.

WARNING: The alert symbol and WARNING heading indicate a potential safety hazard. Strictly follow the warning instructions to avoid personal injury.

WARNING: The shock hazard symbol and WARNING heading indicate a potential electric shock hazard. Strictly follow the warning instructions to avoi[...]
[...]up.

Serial:
• STATUS: Lit when the serial link is up.
• ACTIVITY: Flashes when serial data is transmitted or received by the unit.

Ethernet (each port):
• Link: Lit when the Ethernet link is up.
• 100M: On when 100 Mbps Ethernet is selected.
• Activity: Flashes when data is received or transmitted between the unit and the LAN.

Chapter 10: Contacting Patton for assistance

Chapter contents (entries that could not be recovered from the scan are omitted)
Introduction ... 115
Contact information ... 115
Alternate Patton support for Europe, Middle East and Africa (EMEA) ... 115
Warranty Service and Returned Merchandise Authorizations (RMAs) ... 115
Return for credit policy ... 116

Introduction

This chapter contains the following information:
• Contact information: describes how to contact Patton technical support for assistance.
• Warranty Service and Returned Merchandise Authorizations (RMAs): contains information about the RAS warranty and obtaining a return merchandise authorization (RMA).

Contact information

Patton Electronics offers a wide array of free technical services. If you have questions about any of our other products, we recommend you begin your search for answers by using our techni[...]
[...]sources an arbiter can have.

Example: Creating a service policy profile

The following example shows how to create a top-level service policy profile named sample. This profile does not include any hierarchical sub-profiles. The bandwidth of the outbound link is limited to 512 kbps; therefore the interface rate-limit is set to 512. In addition, weighted fair queuing (wfq) is used as the arbitration scheme among the source classes.

profile service-policy sample
  rate-limit 512
  mode wfq
  source traffic-class Web
    share 30
  source traffic-class local-default
    share 20
  source traffic-class default
    queue-limit 40
    share 50

The first line specifies the name of the link arbiter profile to configure. On the second line the global bandwidth limit is set. The value defining the bandwidth is given in kilobits per second. Each service policy profile must have a rate-limit, except if no scheduling is used, i.e. the link scheduler is used for packet marking only (like setting the TOS byte).

How the bandwidth on an IP interface is shared among the source classes is defined on the third line. The mode command allows selecting between the weighted fair queuing and shaping arbitration modes. The default mode is wfq; the command shown above can therefore be omitted.

The following lines configure the source traffic classes. When using weighted fair queuing (wfq), each user-specified source traffic class needs a value specifying its share of the overall bandwidth. For[...]
[...]you replace a compact serial cable or attach your OnSite to other serial equipment, use the shutdown command to disable the serial interfaces. This prevents anomalies and hardware faults. When you shut down an interface, it has the state CLOSED in the show port serial command display.

Note: Use the no shutdown command to enable the serial interface after the configuration procedure.

This procedure describes how to shut down a serial interface.

Mode: Administrator execution
Step 1: node(cfg)#port serial slot port. Purpose: Selects the serial interface on slot and port.
Step 2: node(prt-ser)[slot/port]#shutdown. Purpose: Shuts the selected interface down.
Step 3: node(prt-ser)[slot/port]#show port serial. Purpose: Displays the serial interface configuration.

Example: Disabling an interface

The example shows how to disable the built-in serial interface on slot 0 and port 0 of an OnSite router. Check that State is set to CLOSED in the command output of show port serial:

2800(cfg)#port serial 0 0
2800(prt-ser)[0/0]#shutdown
2800(prt-ser)[0/0]#show port serial

Serial Interface Configuration
  Port:             serial 0 0 0
  State:            CLOSED
  Hardware Port:    V.35
  Transmit Edge:    normal
  Port Type:        DTE
  CRC Type:         CRC-16
  Max Frame Length: 2048
  Recv Threshold:   1
  Encapsulation:

Enabling an interface

After configuring the serial interface or connecting other serial devices, t[...]
