
Siemens 5881 Network Router User Manual


Contents

1. Aging time must be within the range from 10 seconds to 1000000 seconds and must be an integer. (2) In Ageing Time, enter the number of seconds that must pass before the port MAC address entry is removed from the table. This can be a number between 10 and 100,000. (3) Click Apply. Chapter 5, Advanced Setup: Command Line Interface. Use the Command Line Interface option to use the web interface to enter CLI commands. Refer to the Command Line Interface Guide for available commands. To execute a CLI command from the web interface: (1) Click Command Line Interface on the left navigation pane of the Router Information window. This displays the Execute a CLI command page (the screenshot shows the command eth list entered). (2) In the field provided, enter the desired command. (3) Click Execute. The response will be displayed in the Output Window. Chapter 5, Advanced Setup: File Editor. Use the File Editor to create and edit files stored on the router. These files contain configuration and other data used by the router. For advanced users who understand the file formats and syntax, this method may be more efficient than configuring the router with commands or the web interface, particularly when
2. Memory usage. Diagnostics Output Window: amount of RAM installed 8192 Kbytes; Small buffers used 26 (2% of 1200 used); Large buffers used 83 (9% of 900 used); Buffer descriptors used 109 (4% of 2625 used); Number of waiters s l o o. Table memory allocation statistics: Sizes 8 16 32 64 128 256 12 1024, Used 8 231 73 187 173 11 11 9, Free 2 3 1 3 3 4 0 2; Sizes 2048 4096 8192, Used 17 14 2, Free bY 1 0. Total in use 166416, total free 2829536 (9888 + 2819648). superuser lan > Chapter 7, Monitoring Router: Diagnostics, List All Configuration Data. Select List all configuration data from the drop-down menu and click Execute to display configuration information. Output Window: HISTORY. Begin System History. POST summary: successful. Initializing the system RAM: done. Siemens Subscriber Networks Inc 5940 P/N 060 5940 001 Rev C S/N 1453331. Now 4812k free before buffers. Interfaces detected: WAN Conexant T1E1 Bt8370, LAN Ethernet 100BASET SWITCH. Siemens 5940 T1E1 COMBO Router 594
3. On the IP Address tab, select Obtain an IP address from a DHCP server. Click OK to close each dialog. Restart the PC to ensure it obtains an IP address from the router. Configure the router. Chapter 2, Installation: PC Configuration, Windows 2000. (1) Select Start > Settings > Control Panel. This displays the Control Panel window. (2) Double-click the Network and Dial-up Connection icon. This displays the Network and Dialup Connection window. (3) Right-click Local Area Connections and select Properties. This displays the Local Area Connections Properties window. (4) Select Internet Protocol TCP/IP from the list of components. Click Properties. This displays the Internet Protocol TCP/IP Properties window. [Screenshots: Local Area Connection Properties and Internet Protocol TCP/IP Properties dialogs.]
4. To configure a dial backup connection: (1) Click Dial Backup on the left navigation pane of the Router Information page. This displays the Dial Backup page. Dial Backup uses the internal modem or the console serial port to attach an external analog modem. To use the dial backup function, users must enable it first. The page has fields for User name, Password, Phone number, and Alternative Phone numbers 1 to 5 (optional). (2) Click Enable Dial Backup. (3) Enter the User name and Password to use for the dial-up connection. This information is provided by your ISP. (4) In Phone number, enter the ISP's dial-up phone number. (5) Optionally, in Alternate Phone number, enter an alternate phone number to use in the event the first number is unavailable. (6) Click Apply. Chapter 5, Advanced Setup: Switch Management. Each router provides four or eight Ethernet 10/100 switching ports for connection to the local area network (LAN). These RJ-45 ports are located on the rear panel and have individual Link Status LEDs to provide port status and link activity. Labeling is provided for port identification. To manage the switches using the web inte
5. Click Apply. This displays the firewall script in the Output Window. Chapter 6, Security Setup: Stateful Firewall. Stateful Firewall varies from the IP Filtering Firewall in that it gathers and maintains state information about each session. IP Filtering Firewall examines the packet's header information and matches it against a set of defined rules. If it finds a match, the corresponding action is performed. If not, the packet is accepted. Stateful Firewall intercepts outgoing packets and gathers information from them (for example, IP address information and port number) to create state information for that session. When an incoming packet is received, the Stateful Firewall checks the packet against the state information it has maintained and accepts the packet if the packet belongs to the session. By default the firewall is disabled, and your system is vulnerable until this feature is enabled. This section describes how to perform the following tasks: Configure Stateful Firewall (configure settings that control how the Stateful Firewall performs); Dropped Packets (view the most recent dropped packets); Firewall Rules (configure Stateful Firewall rules). Configure Stateful Firewall. To configure the Stateful Firewall: (1) Click Statefu
6. displays the Firewall Dropped Packet List page. [Screenshot: Firewall Dropped Packet List with Src and Dst columns; the sample entries, dated 11/30/2001, are icmp packets from 172.17.32.3 to 172.17.20.69, each marked denied.] (2) Do one of the following: specify the number of dropped packets to view, from 1 to 200 (Netscape 4 users may have to wait a very long time to get the complete list of 200 displayed; select a smaller value for viewing if this is the case), or click Default to view the most recent 200 dropped packets. (3) Click Apply. Chapter 6, Security Setup: Stateful Firewall, Configure Firewall Rules. To configure firewall rules: (1) Click Firewall Rules from the left navigation pane of the Stateful Firewall Configuration page. This displays the Firewall Rule Configuration page. [Screenshot: Firewall Rule Configuration page.]
7. 1389 or static routing on the LAN or WAN; Novell IPX with RIP/SAP (RFC 1552); DHCP client (RFC 2132); DHCP server: automatic assignment of IP address, mask, default gateway, and DNS server addresses to workstations (RFC 2131, 2132); DHCP relay agent (RFC 1542); DNS relay; multiple subnets on LAN; virtual routing; Virtual Router Redundancy Protocol (RFC 2338). Differentiated Services, Quality of Service provisioning: Weighted Fair Queuing (WFQ); Differentiated Services (DiffServ). PPP (RFC 1661); PPP over Ethernet (RFC 2516). Chapter 1, Product Specifications: Software Specifications, Security. Role-based management; user authentication (PAP/CHAP) with PPP (RFC 1334, RFC 1994); password control for Configuration Manager; SNMP password and community name reassignment; HTTP/Syslog/SNMP/Telnet port reassignment, access control list; VPN support: L2TP, IPSec, IKE, DES, 3DES, AES; Firewall: IP filtering, Stateful Firewall, ICSA Compliant; Secure Management Communications: IPsec and SSH; Radius Server support; TACACS Server support; VPN Hardware Acceleration support; SNMP V3. Chapter 2, Installation. This chapter describes the steps you must take to install and configure the various components in your network to utilize the Siemens Ethernet Security Router. This includes setting up the hardware connections to the Internet router confi
8. Access Status VPN User Mgmt Class read Mgmt Class write Access Status Viewer Mgmt Class read Mgmt Class write Access Status Network System Admin Voice Security Debug Network System Admin Voice Security Debug WAN LAN Console Enabled Network System Network System WAN LAN Console Enabled System Security System Security WAN LAN Console Enabled Network System Voice Security None WAN LAN Console Enabled. Chapter 4, User Setup: Change Password. User passwords are changed from the Change Password page. To change a user password: (1) Click Change Password from the left navigation pane on the Router Information page. This displays the Change Password page, which changes the password for the currently logged in user. Enter the new password for the Current User in the Enter New Password and New Password again boxes. Click Apply to save the new password. Chapter 4, User Setup: Access Control. Restrict administrative control of the router to a specific set of IP addresses. Each remote access method (Telnet, Web, and SNMP) can be configured separately. To set Access Control parameters: (1) Click Acces
9. Advanced Setup: DMZ. One computer on your local network can be configured to allow unrestricted two-way communication with servers or individual users on the Internet. This provides the ability to run programs that are incompatible with firewalls. This feature is primarily used for gaming. This function is recommended for use only when you require this special level of unrestricted access, as it leaves your router and network exposed to the Internet with no firewall protection. To configure DMZ: (1) Click DMZ on the left navigation pane of the Router Information page. This displays the DMZ Configuration page, where the user can enable or disable the DMZ port; an IP address and subnet mask is needed for the DMZ port. Select enable or disable to enable or disable DMZ Port. If you selected enable, enter the IP Address and Subnet Mask of the DMZ port. Apply. Configure the DMZ DHCP server. To do this, click DMZ DHCP Configuration on the left navigation pane. This displays the DMZ DHCP Configuration page. Chapter 5, Advanced Setup: DMZ, DMZ DHCP Configuration. [Screenshot: DMZ DHCP Configuration page showing "Warning: there is no DMZ port enabled. Click here to back to main page to enable it."] DMZ DHCP Server
10. Configuration page. This displays the SNMP IP Filter Configuration page. The current IP filter ranges are displayed in the IP Addresses. Activating an IP Filter range will limit SNMP requests to ONLY those that originate from these addresses. [Screenshot: SNMP IP Filter Configuration page listing the range 192.168.61.1 to 192.168.61.255 with a Delete button, and an Add an IP Range form with Start IP Range, End IP Range, and LAN.] (2) In Start IP Range, enter the first IP address in the range to be filtered. (3) In End IP Range, enter the last IP address in the range to be filtered. (4) Optionally, click LAN. (5) Click Add IP Range. SNMP Password. An SNMP password is used to authenticate an SNMP Manager. Once authenticated, SNMP set requests will be performed. To set the SNMP Password: (1) Click SNMP Password from the SNMP Configuration page. This displays the SNMP Password page. This is the password used by all Client based Support applications, such as Configuration Manager and Quick Start. (2) Enter the New Password and New Password again. (3) Click Apply. Chapter 6, Security Setup: Secure Shell.
11. In Status, select Enable or Disable to enable or disable the QoS policy. Disabled: the policy will not be used. Chapter 5, Advanced Setup: QoS. In Source IP, select one of the following: From/To enables source address checking (specify the source IP address or range of IP addresses that must match for this policy to be used); Do not care disables source address checking. In Dest IP, select one of the following: From/To enables destination address checking (specify the destination IP address or range of IP addresses that must match for this policy to be used); Do not care disables destination address checking. In Protocol, select one of the following: By number (enter the protocol number to match in the protocol check); from the drop-down menu, select the protocol to match in the protocol check (TCP or UDP); Do not care disables protocol checking. In Source Port, select one of the following: From/To (enter the source port or range of source ports to match in the source port check); from the drop-down menu, select the application to match in the source port check; Do not care disables source port checking. In Destination Port, select one of the following: From/To (enter the destination port or range of destination ports to match in the destination port check); from the drop-down menu se
12. [Screenshot: server list with columns Src Interface, Protocol, First Port, Last Port, IP Address, Port, and a Delete button.] (2) Select the interface you want to configure from the Source Interface drop-down menu. (3) Do one of the following: for Easy Setup, select the network service you are configuring from the Service drop-down menu (this configures NAT to support the most common network services); for Advanced Setup, select a protocol from the Protocol drop-down menu and specify a First Port to assign a port number for the protocol to use. To assign a range of port numbers, specify a Last Port as well. (4) Enter the IP address of the local machine in IP Address. (5) Do one of the following to enter port information for the selected service: click Add next to Default Port to use the default port for the specified service; or enter the port number on the local machine you want the specified service to use in Port and click Add. Leave this field blank if you want the local machine to use the same port number as the WAN. Chapter 6, Security Setup: NAT, Configure Host Mapping. To configure the mapping between private IP addresses and public IP addresses: (1) Click NAT Host Mapping on the left navigation pane. This displays the NAT Host Settings page. [Screenshot: NAT Host Settings page, Internal to External IP Mapping, Create Host Mapping Entry.]
13. This displays the Generate Public/Private Key Pair page, which allows the user to generate a public and private SSH key pair. The public key will be displayed upon completion; however, the private is hidden and protected. CAUTION: Executing this function will generate new keys. This function may take in excess of 1 hour to complete. When started, the user will be redirected to a status page which will be refreshed every 60 seconds. The status page will indicate whether the task is running. When the task is no longer running, results will be displayed. Once the task is started, you may monitor key generation via the status page, or you may browse to any other pages, or you may close the browser. The Keygen function will continue running regardless of the state of your browser. You may also generate key files offline and upload them using the CLI or the Load Keys page. CAUTION: Rebooting the router will terminate the task and new keys will not be generated. Press the Generate button to confirm you wish to generate the public and private SSH keys. Click Generate to generate the keys. To monitor the key generation progress, click Key Generator Status from the left navigation pane of the Secure Shell (SSH) Configuration List page. Chapter 6, Security Se
14. Table of Contents (continued): Firewall Scripts; Stateful Firewall; Configure Stateful Firewall; View Dropped Packets; Configure Firewall Rules; Delete Firewall Rules; IKE/IPSec Configuration; Easy IKE/IPSec Setup; Advanced IKE/IPSec Setup. Chapter 7, Monitoring Router: System Summary; Ethernet Interface Information; Remote Connection Information; IP Routing Information; System Information; Diagnostics; PPPoE Session
15. load a private key from a file. In Key File, specify the file that contains the key. You can optionally Browse for the key file. Click Upload to load the key file. A confirmation message will be displayed upon file upload completion. Chapter 6, Security Setup: Secure Shell, Key Generator. Diffie-Hellman is the key exchange system used for authentication in the establishment and maintenance of SSH connections. The key exchange requires a Public key and a Private key. This key pair can either be loaded from a source file or generated by the router. This section describes how to generate the key pair on the router. Refer to the section titled Load Keys for details on loading the key pair from a file. Executing this function will generate new keys. This function may take in excess of one hour to complete. When started, the user will be redirected to a status page that is refreshed every 60 seconds. The status page indicates whether the task is running. When the task is no longer running, results are displayed. Once the task is started, you can close this page and the Keygen function will continue. You can reopen it anytime by clicking Key Generator Status on the left navigation pane of the Secure Shell (SSH) Configuration List page. To generate the key pair on the router: (1) Click Key Generator on the left navigation pane of the Secure Shell (SSH) Configuration List page.
16. [Screenshot: TCP/IP settings panel; the mask and Router address fields read "<will be supplied by server>".] Select Ethernet from the Connect via drop-down menu. Select Using DHCP Server from the Configure drop-down menu. Complete the fields shown with any information supplied by your service provider. Close window and save changes. Configure the router. Chapter 2, Installation: PC Configuration, Mac OSX. (1) Click Apple > System Preferences. This displays the System Preferences window. (2) Double-click the Network icon under the Internet & Network section. This displays the Network window. [Screenshots: System Preferences and Network windows.] Select Ethernet
17. such cases you must remove all copies of the Software from any devices onto which you have installed it, and must ensure that the party to whom you transfer the Hardware receives this License Agreement and Limited Warranty. 3. Upgrades Covered. This License covers the Software originally provided to you with the Hardware, and any additional software that you may receive from Siemens Subscriber Networks, whether delivered via tangible media (CD-ROM or floppy disk), down loaded from Siemens Subscriber Networks, or delivered through customer support. Any such additional software shall be considered Software for all purposes under this License. 4. Export Law Assurances. You acknowledge that the Software may be subject to export control laws and regulations of the U.S.A. You confirm that you will not export or re-export the Software to any countries that are subject to export restrictions. 5. No Other Rights Granted. Other than the limited license expressly granted herein, no license, whether express or implied, by estoppel or otherwise, is granted to any copyright, patent, trademark, trade secret, or other proprietary rights of Siemens Subscriber Networks or its licensors. 6. Termination. Without limiting Siemens Subscriber Networks's other rights, Siemens Subscriber Networks may terminate this license if you fail to comply with any of these provisions. Upon termination, you must return the Software and all copies thereof. Limited Warranty. The followin
18. the number of seconds an SSH connection can remain idle before the SSH session is disconnected. This can be a number between 30 and 1200, with 600 being the default. (7) In D-H ReKey Interval, enter the number of minutes that must pass between additional key exchanges. This can be a number between 0 and 600, with 600 being the default. (8) Click Apply. Chapter 6, Security Setup: Secure Shell, Load Keys. Diffie-Hellman is the key exchange system used for authentication in the establishment and maintenance of SSH connections. The key exchange requires a Public Key and a Private Key. This key pair can either be loaded from a source file or generated by the router. This section describes how to load the key pair from a source file. Refer to the section titled Key Generator for details on generating the key pair on the router. To load the key pair from a source file: (1) Click Load Keys on the left navigation pane of the Secure Shell (SSH) Configuration List page. This displays the Load Private and Public Keys from file page, which allows the user to load a public and private key used to authenticate the SSH server from a source file. (2) Do one of the following: select Public key to load a public key from a file; select Private key to
19. 0 001 v6 1 120 Copyright (C) 2004 Siemens Subscriber Networks Inc. All rights reserved. INIT buffer pool is 1919780 bytes. INIT Using Titan accelerated encryption hardware. <<<<<< FRAME RELAY >>>>>>>>> INIT Switch management initialized successfully, code 1. ETHERNET 0 interface started, MAC 00:20:6F:16:2D:13. TCP/IP Statistics. Select TCP/IP statistics from the drop-down menu and click Execute to display TCP/IP information. Output Window, TCP Statistics: Active Opens, Passive Opens, Failed Connect Attempt, Connections Reset, Current Connection, Segments Receive, Segments Sent, Segments Retransmitted, Bad Checksums, Bad Packet Length, Bad Packet Length, Segments with Reset. 54 2 1138 ESTABLISHED s 0 r 0 f 0 LISTEN LISTEN LISTEN 192.168.254.254 80 80 23 pr 22 superuser lan >
20. 44 U.S.A. Attn: Customer Service. Table of Contents. Chapter 1, Product Specifications: Front Panel; Back Panel; Hardware Specifications; Physical Specifications; Operational Environment; Power Requirements; Ethernet Interfaces; Serial Interface; Software Specifications; Configuration Management; Dial Backup; Routing; Differentiated Services, Quality of Service provisioning; IP Address Translation; PPP; Security. Chapter 2, Installation: Installation Requirements; Package Contents; PC Requirements; Network Service Provider Requirement
21. Info on the left navigation pane of the System Summary page to display information about the active interfaces in the IP routing table. Output (columns: IP route, Mask, Gateway, Interface, Hops, Flags): 192.168.254.0 ffffff00 > 0 0 0 ETHERNET O 1 NW FW DIR PRM RP1 RP; 192.168.254.254 f fffffff > 0 0 0 ETHERNET 0 0 ME. superuser lan > System Information. Click System Info on the left navigation pane of the System Summary page to display general information for select system settings. System Info output: System Start Time: Up for 0 days 0 hours 40 minutes, started 1/5/2000 at 12:55. Telnet Clients Allowed: all. SSH Port: 22; SSH Clients Allowed: all. SNMP Port: 161; SNMP Clients Allowed: all. HTTP Port: 80; HTTP Clients Allowed: all. Syslog Port: 514; Syslog Servers Allowed: all. Secure Mode Status: enabled, LAN trusted, WAN untrusted. Backup Interface Defined: no. Chapter 7, Monitoring Router: Diagnostics. The Diagnostic feature provides information about various components of your system that might help in diagnosing a problem. To run diagnostics, click Diagnostics on the left navigation pane of the Router Information page. This displays the Run Diagnostics page. Diagnostics Ru
22. LL SSN OR ITS LICENSORS BE LIABLE, WHETHER UNDER CONTRACT, WARRANTY, TORT, OR ANY OTHER THEORY OF LAW, FOR ANY SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, PERSONAL INJURY, LOSS OR IMPAIRMENT OF DATA OR BUSINESS INFORMATION, EVEN IF SSN HAS BEEN NOTIFIED OF THE POSSIBILITY OF SUCH DAMAGES. SSN'S OR ITS LICENSOR'S LIABILITY TO YOU, IF ANY, FOR ACTUAL DIRECT DAMAGES FOR ANY CAUSE WHATSOEVER, AND REGARDLESS OF THE FORM OF THE ACTION, WILL BE LIMITED TO, AND SHALL NOT EXCEED, THE AMOUNT PAID FOR THE HARDWARE/SOFTWARE. General. This Software License and Limited Warranty will be covered by and construed in accordance with the laws of the State of Texas, United States (excluding conflicts of laws rules), and shall insure to the benefit of Siemens Subscriber Networks and its successor, assignees, and legal representatives. If any provision of this Software License and Limited Warranty is held by a court of competent jurisdiction to be invalid or unenforceable to any extent under applicable law, that provision will be enforced to the maximum extent permissible, and the remaining provisions of this Software License and Limited Warranty will remain in full force and effect. Any notices or other communications to be sent to Siemens Subscriber Networks must be mailed by certified mail to the following address: Siemens Subscriber Networks LLC, 4849 Alpha Road, Dallas TX 752
23. Table of Contents (continued): Interface Information; Routing Table Information; Files Information; Memory Usage; List All Configuration Data; TCP/IP Statistics. Chapter 1, Product Specifications: Front Panel. The following table explains the LEDs that appear on the Front Panel of the Siemens 5881 router (Light: Color = Indications). PWR: Green steady = Power is ON; Off = Power is OFF. TEST: Yellow steady = Running Power On Self Test; Yellow blinking = Self Test failure; Green 2 sec blink = Normal operation heartbeat; Off = Router is shut down. U TX: Green = Ethernet link detected; Green blinking = Traffic on Untrusted interface; Yellow blinking = Traffic on DMZ port; Off = No current transmit traffic on Untrusted interface. U RX: Green = Ethernet link detected; Green blinking = Receiving data on Untrusted interface; Yellow blinking = Receiving data on DMZ port; Off = No current receive traffic on Untrusted interface. T TX: Green = Ethernet link detected; Green blinking = Transmitting data on Trusted interface; Off = No current transmit traffic on Trusted interface. T
24. RX: Green = Ethernet link detected; Green blinking = Receiving data on Trusted interface; Off = No current receive traffic on Trusted interface. Chapter 1, Product Specifications: Back Panel. The following table describes the various connections on the back panel of the Siemens 5881 router (Connection: Function). Power Switch: Enables and disables power to the system. Power Connector: Power cord connection for internal power supply. Trusted: Four-port full duplex 10/100 BaseT Ethernet Switch (RJ-45). Untrusted: Single full duplex 10/100 BaseT switched Ethernet port (RJ-45). MGMT: This 8-pin RJ-45 port provides RS232 connectivity for console connections or a dial backup analog modem connection. Chapter 1, Product Specifications: Hardware Specifications. Physical Specifications: Unit Dimensions 8.4W x 7D x 1.7H inches (21.3W x 17.8D x 4.3H cm); Weight 1.5 lbs (.68 Kg). Power Requirements: AC Voltage 100 to 120V AC or 220 to 240V AC; Frequency 50/60 Hz; Consumption 10W maximum; Built-in power supply with on/off switch. Ethernet Interfaces: Trusted Ethernet Interface, four-port full duplex 10/100 BaseT Ethernet switch (8-pin RJ-45); Untrusted WAN Ethernet Interface, single full dup
25. SIEMENS Business Class 5881 Broadband Internet Router User's Guide. SIEMENS Part No 107 5883 001. Software License and Limited Warranty. Copyright 2005 Siemens Home and Office Communications Devices LLC. All rights reserved. Siemens and the Siemens logo are trademarks of Siemens AG, Germany. All other trademarks are held by their respective companies. Siemens reserves the right to make changes to product specifications at any time without notice. Siemens Subscriber Networks LLC End User Software License and Warranty. INSTALLATION OF THE HARDWARE AND SOFTWARE PROVIDED BY SIEMENS SUBSCRIBER NETWORKS INC (SSN) CONSTITUTES ACCEPTANCE BY YOU OF THE TERMS OF THE FOLLOWING SOFTWARE LICENSE AND LIMITED WARRANTY. IF YOU DO NOT ACCEPT THESE TERMS, PLEASE RETURN THE HARDWARE AND SOFTWARE IN ITS ORIGINAL PACKAGING TO THE VENDOR FROM WHICH YOU PURCHASED IT FOR A FULL REFUND OF THE PURCHASE PRICE. The following describes your license to use the software (the Software) that has been provided with your Siemens customer premise equipment (Hardware) and the limited warranty that Siemens Subscriber Networks provides on its Software and Hardware. Siemens Subscriber Networks reserves any right not expressly granted to the end user. Software License. The Software is protected by copyright laws and international copyright treaties. The Software is licensed and not sold to you. The definition of Software includes but not limited to sy
26. [Screenshot: IPSec policy form, with fields IPSec Policy Name, Peer Binding, PFS Group, IPSec Proposal Bindings, IP Protocol, Source IP Address, Source Subnet Mask and Destination IP Address.] 2. In IPSec Policy Name, enter a logical name for the IPSec policy. The name specified is of no consequence to the other IPSec party. 3. From the Peer Binding drop-down menu, select the remote IKE peer to which this policy will apply. This peer must already be defined as an IKE Peer. 4. From the IPSec Proposal Bindings drop-down menu, select the IKE IPSec proposal to be used with this policy. The IKE IPSec proposal must already be defined as an IKE IPSec Proposal. 5. From the PFS Group drop-down menu, select one of the following Diffie-Hellman groups to use for Perfect Forward Secrecy. Perfect Forward Secrecy enhances the security of the key exchange: in the event of a key becoming compromised, only the data protected by that compromised key becomes vulnerable. None. Group 1: Uses Diffie-Hellman Group 1 (768 bits). Group 2: Uses Diffie-Hellman Group 2 (1024 bits). 6. From the IP Protocol drop-down menu, select the protocol of the IP traffic that uses this protocol. 7. In Source IP Address, enter the IP address of the local area network that will use this policy. This will usually be the IP address assigned to the network local to your router. 8. In Source Subnet Mask, enter the subnet mask of the local area network that will use this policy. This will us
27. Secure Shell (SSH) secures network services over an insecure network such as the public Internet. The objective of SSH is to make a secure functional equivalent for telnet. Telnet connections and commands are vulnerable to a variety of different kinds of attacks, allowing unauthorized system access and even allowing interception and logging of traffic to and from the system, including passwords. SSH also provides secure FTP-type file transfers. To access the Secure Shell configuration pages, click Secure Shell from the left navigation pane on the Router Information page. This displays the Secure Shell (SSH) Configuration List page. [Screenshot: Secure Shell (SSH) Configuration List page, showing SSH version ssh2, Encryption Set 3des-cbc, MAC Set hmac-md5, Idle Timeout (secs) 600, D-H Rekey Interval (min) 60.] This page displays the current SSH configuration settings and provides links to the other SSH configuration pages. Configure SSH: Configure SSH. Load Keys: Load public and private SSH keys used to authenticate the SSH server from a source file. Key Generator: Generate public and private SSH keys. Key Generator Status: Check the status of the key generation process.
28. DMZ DHCP Server Status: Shows the current DMZ DHCP setting and allows the administrator to enable/disable it. IP Addresses Pool Setting: Shows the current first IP address and the last IP address in the range of the IP address pool and enables the administrator to specify a new range of IP addresses. Remember: The last IP address must be greater or equal to the first IP address. Both the first IP address and the last IP address cannot be a subnet address or a broadcast address. Current DHCP Leases List: Shows the current leased IP addresses, including information such as the client IP address, state, host name and expiration time. [Screenshot: DMZ DHCP configuration page, with Current Setting and New Setting columns for the server status, First IP Address and Last IP Address, and a Current DHCP Leases List with columns Client IP, State, Host Name, Expires (mm dd yy).] 6. To change the server status, select Enable or Disable from LAN DHCP Server Status. Disabled: the router will not act as a DHCP server. 7. To change the start and ending address range of the IP address pool, enter the starting address in First IP Address and the ending address in Last IP Address. 8. Click Apply. Note that a list of network clients that are currently leasing their IP addresses from the pool are shown in Current DHCP Leases List. From left to right, the following information is presented for each clie
29. 5. To update the system status, ensure that the Activate the changes button is highlighted, then click Act/Changes. 6. Configure the router. Configuring the Router. The Siemens Business Class Router family of products provides two user interfaces: a Web Management Interface and a console based Command Line Interface (CLI). The Web Management Interface uses an HTTP server housed in the router. Using this server, you can connect to and manage the router using your Web browser. The Web Management Interface is accessible through most HTML browsers, though Internet Explorer 4.0 or Netscape 4.0 and higher are recommended. Refer to the Technical Reference Guide for details on managing the router through the CLI. Establish Connection. To establish a connection from your computer to the router through your Web browser: 1. Open your Internet Explorer or Netscape Navigator Web browser. 2. In the Address bar, enter the default router IP address 192.168.254.254. This displays the Login Dialog page. [Screenshot: login dialog, Siemens Web User Interface, with User name and Password fields.]
30. all IKE IPSec Configuration VPN Log On. Network Address Translation provides a level of security by hiding the private IP addresses of your LAN behind a single public IP address of your router. Simple Network Management Protocol controls message exchanges between a management client and a management agent. Secure Shell (SSH) secures network services over an insecure network such as the public Internet. Secures network and data communications with built-in firewall capabilities. A firewall is any combination of hardware and software that secures a network and traffic on the network to prevent interception or intrusion. An IP filtering firewall that examines the packet's header information and matches it against a set of defined rules. Internet Key Exchange/Internet Protocol Security provides authentication and encryption of IP traffic for authenticity, integrity and privacy. Start an IPSec session. NAT. Network Address Translation (NAT) provides a level of security by hiding the private IP addresses of your LAN behind the single public IP address of your router. All connections pass through the router and are translated by NAT. Network addresses on inbound traffic are translated from public to private IP addresses, while addresses on outbound traffic are translated from private IP addresses to the router's public IP add
31. allows access from all servers. Allowed from LAN: Limits access for System Logging to servers on the LAN. 5. Click Save and Reboot. Chapter 5 Advanced Setup. This chapter describes how to configure advanced features on the router. Advanced features are listed below. To configure one of these features, click the link on the left navigation pane of the Router Information page. DMZ: Configure unrestricted two-way communication with servers or individual users on the Internet. Router Clock: Set the date and time on your router. DHCP: View and configure the current DHCP settings. Quality of Service (QoS): Configure QoS, which actively manages network resources to sustain service levels for priority applications. Routing Table Configuration: Configure multiple routing tables for a single host. Dial Backup: Enable a backup connection to the Internet through an internal V.90 (model 5835 only) or an external asynchronous modem connected to the Console port. Switch Management: Manage the Ethernet 10/100 switching ports located on the rear panel of the router. Command Line Interface: Enter any CLI command over the web interface. For complete command line syntax, refer to the Command Line Interface Guide. File Editor: Create and edit files stored on the router. These files contain configuration and other data used by the router.
32. anges of IP addresses to be assigned by the DHCP server housed in the router. DHCP configuration is done from the Dynamic Host Configuration Protocol page. [Screenshot: Dynamic Host Configuration Protocol (DHCP) page, with the options DHCP server enabled on trusted interface, Obtain DNS information automatically, and Configure DNS manually (Domain Name, Primary DNS Server, Secondary DNS Server, Primary WINS Server, Secondary WINS Server), and Previous, Next and Cancel buttons.] DHCP assigns IP configuration information to hosts on the trusted interface, thus avoiding the need for manual setup. Domain Name Service (DNS) maps names to addresses. The Domain Name identifies the default network name. Domain Name Servers map host names to IP addresses. Windows Internet Naming Service (WINS) maps NetBIOS names to IP addresses. To configure DHCP: 1. Optionally select DHCP server enabled on the LAN. If selected, the DHCP server dynamically assigns IP addresses to all LAN side devices. 2. Select one of the following to configure the Domain Name Service. Obtain DNS information automatically: The DNS server address will be learned when DHCP client requests are placed over the WAN link. Configure DNS manually: Define DNS server address manually from information you get from your service provider. If you select this option, provide the following information. Domain Name: The router's DNS domain name as as
33. ary servers provide the IP Address, Port and Secret for accessing the Radius Server. The Secret is used to authenticate requests between servers. Management Classes. All system operations are partitioned into functional groups called management classes. Management classes group functions into the following categories. Class Voice Network System Security Admin VPN User Debug Functional Areas Voice operations and shared network functions if applicable File system System Interfaces SNMP DHCP NAT remote commands Various system administrative tasks SSH L2TP IPSec Firewall User Management functions Access virtual private networks Debug functions. When creating a user account, you can manually configure the management classes and access methods for the account by issuing multiple commands, or you can use one of the pre-defined templates that group multiple management classes for a logically defined user type. When using the template method, Access privileges for WAN, LAN and Console are granted by default. The following table lists the privileges given to each logically defined user type. Super User Mgmt Class read Mgmt Class write Access Status Network Manager Mgmt Class read Mgmt Class write Access Status Security Manager Mgmt Class read Mgmt Class write
34. cement Hardware or Software will be warranted for the remainder of the original warranty period or thirty days, whichever is longer. 4. Warranty Procedures. If a problem develops during the limited warranty period, the end user shall follow the procedure outlined below. A. Prior to returning a product under this warranty, the end user must first call Siemens Subscriber Networks at 888 286 9375 or send an email to Siemens Subscriber Networks at support@efficient.com to obtain a return materials authorization (RMA) number. RMAs are issued between 8:00 a.m. and 5:00 p.m. Central Time, excluding weekends and holidays. The end user must provide the serial number(s) of the products in order to obtain an RMA. B. After receiving an RMA, the end user shall ship the product or defective component, including power supplies and cable where applicable, freight or postage prepaid and insured, to Siemens Subscriber Networks at 4849 Alpha Road, Dallas, Texas 75244, U.S.A. Within five (5) days notice from Siemens Subscriber Networks, the end user shall provide Siemens Subscriber Networks with any missing items or, at Siemens Subscriber Networks's sole option, Siemens Subscriber Networks will either (a) replace missing items and charge the end user or (b) return the product to the end user freight collect. The end user shall include a return address, daytime phone number and/or fax. The RMA number must be clearly marked on the outside of the package. C. Returned Products
35. [Screenshot: Windows Internet Protocol (TCP/IP) Properties dialog, General tab, with the options Obtain an IP address automatically, Use the following IP address, Obtain DNS server address automatically, and Use the following DNS server addresses.] 6. Ensure the Obtain an IP address automatically and Obtain DNS server address automatically options are selected. 7. Restart the PC to ensure it obtains an IP address from the router. 8. Configure the router. Mac OS 9.x. 1. Click Apple > Control Panels > TCP/IP. This displays the TCP/IP Control Panel window. [Screenshot: TCP/IP control panel, with Connect via set to Ethernet and Configure set to Using DHCP Server.]
36. configure Secure Mode: 1. Click Secure Mode Configuration on the left navigation pane of the User Management page. This displays the Secure Mode Configuration page. [Screenshot: Secure Mode Configuration page, with fields Secure Mode, Ethernet 0 Interface and Ethernet 1 Interface.] 2. Do one of the following for Secure Mode. Click the box next to Enabled so a check mark appears; this enables secure mode. Click the box next to Enabled so there is no check mark; this disables secure mode. 3. If you enabled secure mode, select one of the following for Ethernet 0 Interface and Ethernet 1 Interface. Trusted: A trusted interface does not have to come over an encrypted tunnel. Untrusted: An untrusted interface must come over an encrypted tunnel, such as SSH or telnet over IPSec. Configure the Radius Server. Remote Authentication Dial In User Service (RADIUS) is a client/server based access control and authentication feature. The RADIUS client resides locally on the router and works in conjunction with a variety of RADIUS Server applications. The client is responsible for passing user information to designated RADIUS servers, then acting on the returned response. RADIUS servers are responsible for receiving user connection requests, authenticating t
37. dd yy: Date when the IP address lease will expire. At that time, if not before, the leased IP address will be freed for re-assignment and the network client will need to request a new IP address from the router. QoS. Quality of Service actively manages network resources to sustain service levels for priority applications. Mission critical and real-time Internet applications demand a network that provides high bandwidth and low latency. Such applications cannot tolerate unpredictable degradations of network services. Therefore, network services must contain features that provide adequate assurance of sustained service levels. Some of the benefits associated with Quality of Service include: guaranteed available bandwidth and minimum delays to real-time Voice over IP traffic; dynamic allocations of bandwidth to non-critical applications; user control over network traffic levels and potential cost efficiencies; advanced differentiation of network services; measurement and reporting of network service levels. Applications such as video conference or IP telephony must be able to communicate their service level requirements to an infrastructure that can consistently meet those requirements. To do this, QoS control mechanisms must be present in each network element. This router provides such QoS control mechanisms and can interpret the service require
38. Configure SSH. To configure Secure Shell settings: 1. Click Configure SSH from the Secure Shell (SSH) Configuration List page. This displays the Configure Secure Shell (SSH) page. [Screenshot: Configure Secure Shell (SSH) form, with fields Status (Enable, Disable), Encryption (DES, 3DES, ARC4, Twofish, Blowfish), MAC (MD5, SHA1), Port (Disable, Default, port number), Idle Timeout (secs), D-H ReKey Interval (mins) and No. Retries.] 2. For Status, select Enable or Disable to enable or disable the SSH feature. Before enabling SSH, a private/public key pair should be loaded on the router using either the Key Generator or Load Keys option. 3. For Encryption, select one or more of the encryption methods. The selected method(s) is configured locally on the router or server. When a client initiates a session, the encryption type is realized and the client adheres to the server encryption mode. If the encryption method is not supported on the client side, the connection will fail. 4. For MAC, select the type of Message Authentication Code to use for the SSH connection. 5. For Port, select one of the following to specify the port that the SSH server listens on. Default: Sets the SSH port to the default port of 22. Disable: Disables the SSH port. Port Number: Enter the desired number in the field next to Port. 6. In Idle Timeout, enter
39. e Dial Backup. Dial Backup provides a backup to the Internet through an asynchronous modem connection when the default WAN link service experiences interruption. The modem connection can be provided through either an internal V.90 modem or an external V.90 or ISDN modem connected to the MGMT Console port. Dial Backup is intended for customers with critical applications for which continuous Internet access is vital. If the WAN link for those applications goes down, the router automatically switches traffic to the specified asynchronous modem. Once the WAN link is up and stable, the router automatically switches the modem traffic back to the WAN. Use the Dial Backup option to configure a backup connection to the Internet through an external asynchronous modem connected to the console port. This backup connection can be activated in the event of WAN service interruption. During an interruption to the WAN interface connection, the router will use the dial backup modem connection while waiting for WAN service to be restored. Once the WAN link is active again, Dial Backup will automatically switch back to the WAN service. This feature may also be useful for a customer whose WAN connection is not yet installed. The router begins providing service through an asynchronous modem and then automatically switches to the WAN when it becomes available.
40. e drop-down menu, select one of the following to specify when watch messages are displayed for this firewall rule. The messages are sent to the console serial port and a Syslog server. Quiet: No messages are displayed for this firewall rule, even if the rule causes a packet to be dropped. This is the default setting for firewall allow rules. Verbose: A message is displayed every time this firewall rule matches a packet, regardless of the rule action. 8. From the Direction drop-down menu, select the direction of the packet to which the firewall rule is applied. The default is both. 9. Click Save. Delete Firewall Rules. To delete firewall rules: 1. Click Firewall Rules from the left navigation pane of the Stateful Firewall Configuration page. This displays the Firewall Rule Configuration page. [Screenshot: Firewall Rule Configuration page, with Create, Modify/View, Delete and Refresh buttons and the Allow Rule List and Deny Rule List.] The user can Create a new firewall rule, Modify/View an existing firewall rule, Delete existing rules, and Refresh the Allow and Deny rule lists. 2. Click Delete. This expands the Firewall Rule Configuration page.
41. e other than a Siemens Subscriber Networks authorized service provider. The limited warranty does not cover defects in appearance, cosmetic, decorative or structural items, including framing and any non-operative parts. Siemens Subscriber Networks's limit of liability under the limited warranty shall be the actual cash value of the product at the time the end user returns the product for repair, determined by the price paid by the end user for the product less a reasonable amount for usage. Siemens Subscriber Networks shall not be liable for any other losses or damages. The end user will be billed for any parts or labor charges not covered by this limited warranty. The end user will be responsible for any expenses related to reinstallation of the product. THIS LIMITED WARRANTY IS THE ONLY WARRANTY SSN MAKES FOR THE PRODUCT AND SOFTWARE. TO THE EXTENT ALLOWED BY LAW, NO OTHER WARRANTY APPLIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 6. Out of Warranty Repair. Out of warranty repair is available for a fixed fee. Please contact Siemens Subscriber Networks at the numbers provided above to determine out of warranty repair rate. End users seeking out of warranty repair should contact Siemens Subscriber Networks as described above to obtain an RMA and to arrange for payment of the repair charge. All shipping charges will be billed to the end user. General Provisions. The f
42. es and pre-defined behavior. Off: DiffServ is not marked; this is DiffServ pass-through. 4. Assign weight values to four different priorities. This can be a number between 1 and 255. 5. Click Apply. 6. Configure QoS policies. Configure QoS Policy. QoS policies control how QoS manages network resources. To configure a QoS policy: 1. Click QoS Policy Page from the left navigation pane of the QoS Configuration page. This displays the QoS Policy Setting page. [Screenshot: QoS Policy Setting page, with Create, Modify/View, Move, Delete and Refresh buttons and the IP Policy List.] 2. Click Create. This expands the QoS Policy Setting page. To modify or delete an existing policy, select the policy in the IP Policy List drop-down menu and click Modify or Delete. [Screenshot: expanded QoS Policy Setting page, with fields Policy Name, Status, Source IP, Dest IP, Protocol, Source Port, Dest Port and Priority.] 3. In Policy Name, enter a unique name to identify the policy. 4
43. ew IKE Peer: 1. Click Create next to IKE Peers from the Advanced IKE/IPSec Setup page. This displays the IKE Peer Definition page. [Screenshot: IKE Peer Definition page, with fields IKE Peer Name, Pre-shared Secret and Peer Gateway IP Address.] NOTE: If the remote peer does not have a fixed IP address, enter 0.0.0.0 for the Peer Gateway IP Address and use Aggressive Mode. The IKE Peer Name is a logical name for an IKE Peer. This name has no significance to the remote party. The Pre-shared Secret is a mutually agreed upon secret between both parties. The Peer Gateway IP Address specifies the IP address of the other end of the IKE connection. 2. In IKE Peer Name, enter a logical name for an IKE Peer. This name is of no importance to the remote IKE peer. Choose a name that is meaningful to you. 3. In Pre-shared Secret, enter a case sensitive character string used for authentication. This secret can be up to 256 characters, with no spaces or non-printable characters. The pre-shared secret must be mutually agreed upon by both parties to the IKE connection. 4. In Peer Gateway IP Address, enter the IP address of the gateway at the remote end of the IKE connection. If the remote IKE peer does not have a fixed or permanent IP address, enter 0.0.0.0 to use Aggressive Mode in Phase 1 negotiations. Your system supports two Phase 1 IKE modes: Main and Aggressive. Use Main Mode when both t
44. from the Connect via drop-down menu. Select Using DHCP Server from the Configure drop-down menu. Enter any information supplied by your service provider. Click Apply Now to save and exit the Network window. Configure the router. Linux. 1. From a terminal window, run linuxconfig. This displays the Config window. [Screenshot: Config window.] 2. Click the Adaptor tab. 3. Enter any information specified by your service provider in the fields under the appropriate Adapter tab. 4. When settings are completed, click Accept. This displays the Status of the system tab. [Screenshot: Status of the system tab.]
45. from the IP address of this interface. [Screenshot: Untrusted Interface Configuration page. Using PPPoE: Username, Password, Service Name, PPPoE Timer, NAT enabled. Not Using PPPoE: Obtain configuration automatically from WAN using DHCP, or Configure IP Routing manually (IP Address, Subnet Mask, Default Gateway), NAT enabled.] Select Protocol: Using PPPoE. If you will use the Point to Point Protocol (PPP) to establish the connection, you selected Using PPPoE. Perform the following steps to complete setting up the router. 1. Enter the User Name and Password, which are used for authentication when the PPP connection is being established. 2. In Service Name, enter the domain name of your network service provider. Use as a default for all services. 3. In PPPoE Timer, enter the number of seconds of inactivity that must elapse before the PPP connection closes. This helps to limit connection charges from your service provider during times of inactivity. The default entry of permanent will keep the PPP connection open constantly, with no time-out interval. 4. Optionally select NAT Enabled to enable Network Address Translation (NAT). NAT allows multiple workstations on your LAN to share a single public IP address. All outgoing traffic appears to originate from the router's IP address. 5. Click Nex
46. from the left navigation pane. Easy IKE/IPSec Setup: Perform basic IKE/IPSec setup. Advanced IKE/IPSec Setup: Perform advanced IKE/IPSec setup. Easy IKE/IPSec Setup. Internet Key Exchange (IKE) is a means of dynamically creating IP Security (IPSec) connections. IPSec uses encryption and authentication to create virtual private networks over an insecure network. The Easy IKE/IPSec Setup form is used to create a default IKE configuration. To perform Easy IKE/IPSec setup: 1. Click Easy IKE/IPSec Setup from the left navigation pane of the IKE/IPSec Information page. This displays the Easy IKE/IPSec Setup page. [Screenshot: Easy IKE/IPSec Setup page, with fields IKE Peer Name, Pre-shared Secret, Peer Gateway IP Address, Destination IP Address and Destination Subnet Mask.] This screen will create a default IKE configuration. The IKE Peer Name is a logical name for an IKE Peer. This name has no significance to the remote party. The Pre-shared Secret is a mutually agreed upon secret between both parties. The Peer Gateway IP Address specifies the IP address of the other end of t
47. g limited warranties provided by Siemens Subscriber Networks extend to the original end user of the Hardware/licensee of the Software and are not assignable or transferable to any subsequent purchaser/licensee. 1. Hardware. Siemens Subscriber Networks warrants that the Hardware will be free from defects in materials and workmanship and will perform substantially in compliance with the user documentation relating to the Hardware for a period of one year from the date the original end user received the Hardware. 2. Software. Siemens Subscriber Networks warrants that the Software will perform substantially in compliance with the end user documentation provided with the Hardware and Software for a period of ninety days from the date the original end user received the Hardware and Software. The end user is responsible for the selection of Hardware and Software used in the end user's network. Given the wide range of third party hardware and applications, Siemens Subscriber Networks does not warrant the compatibility or uninterrupted or error free operation of our Software with the end user's systems or network. 3. Exclusive Remedy. Your exclusive remedy and Siemens Subscriber Networks's exclusive obligation for breach of this limited warranty is, in Siemens Subscriber Networks's sole option, either (a) a refund of the purchase price paid for the Hardware/Software or (b) repair or replacement of the Hardware/Software with new or remanufactured products. Any repla
48. guring the PC to use the Internet router for Internet access, and setting up the Internet router configuration. Before beginning installation, make sure you meet all installation requirements. Installation Requirements: Before beginning the installation and configuration of the various components on the network, make sure you received all the package contents, meet the basic PC requirements, and have the necessary information from your network Service Provider. Package Contents: Your package should contain the items listed below. If you determine anything to be damaged or missing, please contact the dealer from whom the equipment was purchased. One Siemens 5881 Ethernet Wireless LAN Router; one Siemens Documentation CD-ROM; one AC power supply module w/cord; two RJ-45 Ethernet cables; one RJ-45 to DB-9 serial port adapter (console). PC Requirements: At a minimum, your computer must be equipped with the following to successfully install the broadband Internet router: CD-ROM drive; Ethernet network interface card; TCP/IP network protocol installed on your PC; Web browser; terminal emulation software, if you want to configure your router via your computer's serial port before placing it into service on a network. Network Service Provider Requirements: Your Network Service Provider will provide you with information to configure your router's WAN connection. Depending upon the type of service that you ordered, you wil
49. he IKE connection. The Destination IP Address is the IP address of the remote private network that uses this policy. The Destination Subnet Mask is the subnetwork mask of the remote private network that uses this policy. 2. In IKE Peer Name, enter a logical name for an IKE Peer. This name is of no importance to the remote IKE peer. Choose a name that is meaningful to you. 3. In Pre-shared Secret, enter a case-sensitive character string used for authentication. This secret can be up to 256 characters, with no spaces or non-printable characters. The pre-shared secret must be mutually agreed upon by both parties to the IKE connection. 4. In Peer Gateway IP Address, enter the IP address of the gateway at the remote end of the IKE connection. 5. In Destination IP Address, enter the IP address of the remote private network that your system will authenticate using this IKE policy. 6. In Destination Subnet Mask, enter the destination subnet mask of the remote private network that your system will authenticate using this IKE policy. 7. Click Apply. Advanced IKE IPSec Setup: The Advanced IKE IPSec Setup page presents information about current IKE and IPSec peers, policies, and proposals. To perform Advanced IKE IPSec setup, click Advanced IKE IPSec Setup from the left na
50. he source and destination IP addresses are known, and use Aggressive Mode when either the source or destination IP addresses could change. 5. Click Apply. IKE Proposals Definition: IKE proposals specify how packets will be encrypted/authenticated for Phase I. To define a new IKE proposal: 1. Click Create next to IKE Proposals from the Advanced IKE IPSec Setup page. This displays the IKE Proposal Definition page. [Screenshot: IKE Phase I Proposal Definition page with fields IKE Proposal Name, Message Authentication Scheme, Diffie-Hellman Oakley group, Encryption Type, Key Length (AES Encryption only) and Phase I Proposal Lifetime (seconds).] On-screen help: The IKE Proposal Name is a logical name for an IKE Proposal. This name has no significance to the remote party. The Message Authentication Scheme is the hashing algorithm used to validate the IKE Phase I exchange. The Diffie-Hellman Oakley group specifies the polynomial function for the IKE Phase I exchange. The Encryption Type specifies the encryption algorithm that will be used during the IKE Phase II Quick Mode exchange. Key Length is the length of the AES encryption key. Other encryption methods use a fixed-length key that is not user selectable. The Phase I Proposal Lifetime is the duration of ti
51. he user, then returning all configuration information necessary for the client to deliver service to the user. Transactions between the client and server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server to further secure account passwords. When the router is configured to use RADIUS, a user attempting to log in presents authentication information (Username and Password) to the router. Upon receipt, the router's RADIUS Client creates an access request containing the username, the user's password, and the method being used to access the system. The password is hidden using a method based on the RSA Message Digest Algorithm MD5 3. The access request is submitted to the RADIUS server via the network. If no response is returned within a length of time, the request is re-sent a specified number of times. The router's RADIUS client can also forward requests to a secondary server in the event that the primary server is down or unreachable. Once the RADIUS server receives the request, it validates the RADIUS client that sent the request. A request from a client for which the RADIUS server does not have a shared secret is discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains the required elements for authentication i
52. ht Setting. [Screenshot: QoS Configuration page with QoS Status (On/Off, current setting), DiffServ Status (On/Off, current setting) and QoS Priority Weight Setting fields (current and new weight) for High, Medium, Normal and Low.] On-screen help: QoS Status: User can turn QoS on or off. In On mode, QoS will forward packets and set diffserv marking based on user-defined mapping rules and QoS policies. In Off mode, QoS will forward packets based on pre-defined mapping rules and QoS settings. DiffServ Status: User can turn diffserv on or off. In Off mode, QoS will not touch the IP headers' DiffServ marking. This is DiffServ pass-through. In On mode, QoS will mark the DiffServ field according to the QoS Policies and pre-defined behavior. QoS Priority Weight Setting: User can set up values for 4 different priorities. The range of value is from 1 to 255. Note for Netscape users: you may need to click somewhere outside the field you just entered to make the percentage update work. 2. Select one of the following from QoS Status to enable or disable QoS: On: QoS will forward packets and set diffserv marking based on user-defined mapping rules and enabled QoS policies. Off: QoS will forward packets based on pre-defined mapping rules and enabled QoS policies. 3. To enable or disable marking of the Differentiated Services field of the IP header, select one of the following from DiffServ Status: On: QoS will mark the DiffServ field according to the QoS Polici
53. iate the IKE connection. 8. Click Apply. IKE IPSec Proposals Definition: IKE IPSec Proposals specify how packets will be encrypted/authenticated for the final SA. To define a new IKE IPSec proposal: 1. Click Create next to IKE IPSec Proposals from the Advanced IKE IPSec Setup page. This displays the IKE IPSec Proposal Definition page. [Screenshot: IKE IPSec Proposal Definition page with fields IPSec Proposal Name, AH Authentication Scheme (none), ESP Authentication Scheme (SHA-1), ESP Encryption Scheme (DES-CBC), Key Length, AES Encryption only (128), Phase II Proposal Lifetime in seconds (1800) and Phase II Proposal Lifedata in KBytes (50000).] On-screen help: The IPSec Proposal Name is a logical name for an IPSec Proposal. This name has no significance to the remote party. The AH Authentication Scheme is the hashing algorithm used for Authentication Header (AH) IPSec. The ESP Authentication Scheme is the hashing algorithm used for Encapsulating Security Payload (ESP) IPSec. The ESP Encryption Scheme is the algorithm used to encrypt ESP IPSec packets. Key Length is the length of the AES encryption key. Other encryption methods use a fixed-length key that is not user selectable. The Phase II Proposal Lifetime is the duration of time after which the IKE Phase II negotiation expires. A new IKE Phase I
54. icity, data integrity, and confidentiality of IP packets, providing the level of security required by Virtual Private Networks (VPNs). To start an IPSec session: 1. Click VPN Log On on the left navigation pane of the Router Information page. This displays the VPN Log On page. [Screenshot: VPN Log On page. Feature: enable / disable, Apply. User's current IP address: 192.168.254.2. Available IPSEC tunnels table with columns Name, Status, Dest IP, Dest Mask, Protocol, Src Port, Dest Port, Action; one row: wrew, down, 0.0.0.0, 0.0.0.0, all, all, all, log on.] 2. For Feature, click enable. 3. For Available IPSEC tunnels, select the tunnel you wish to use for the IPSec session. 4. Click log on corresponding to the tunnel you selected. You must keep the VPN Logon window open to remain logged into the VPN over IPSec. Do not close the window until you have finished using the VPN Log On. Chapter 7 Monitoring Router: This chapter describes how to monitor the health of your router connections. Router health can be monitored using the following functions: System Summary (view status and statistical information) and Diagnostics (run diagnostic programs to determine potential problems). System Summary: To view system summary information, click System Summary on the left navigation pane of the Router Information page. This displays the System Summary page. [Screenshot: System Summary page with navigation items Ethernet Info and Remote Info.] Ethernet Info: Bridging disabled; IP Routing disabled; Firewall Filter Applied
55. l Firewall from the left navigation pane of the Router Information page. This displays the Stateful Firewall Configuration page. [Screenshot: Stateful Firewall Configuration page with Firewall Status (On/Off, current setting), Watch Setting (On/Off, current setting), current and new values for the Dropped Packet, UDP Packet, ICMP Ping Packet and SYN Packet Threshold Settings, an Apply button, and links to the Dropped Packets Page and Firewall Rule Page.] On-screen help: Firewall Status: User can turn the firewall on/off. Watch Setting: If watch is turned on, the messages are printed to the console whenever a packet is accepted or dropped. Dropped Packet Threshold Setting: When the number of dropped packets exceeds the threshold value, the firewall will log a message to the console. Default value is 200 per second. UDP Packet Threshold Setting: The firewall would block any subsequent UDP packets by default if the counter for the UDP packets exceeds the threshold value. Default value is 1000 per second. ICMP Ping Packet Threshold Setting: The firewall would block any subsequent ICMP ping packets by default if the counter for the ICMP ping packets exceeds the threshold value. Default value is 1000 per second. SYN Packet Threshold Setting: The firewall would block any subsequent SYN requests to a destination by default if the counter for the SYN packets for that destinatio
56. I exchange will occur automatically. The Phase II Proposal Lifedata is the number of kilobytes of data after which the IKE Phase II negotiation expires. A new IKE Phase II exchange will occur automatically. 2. In IPSec Proposal Name, enter the logical name for the IKE IPSec Proposal Definition. This name is of no importance to the remote IKE peer. 3. From the AH Authentication Scheme drop-down menu, select one of the following to use as the hashing algorithm for Authentication Header (AH) IPSec: NONE: Requests no AH encapsulation. SHA1: Requests AH encapsulation and authenticates using Secure Hashing Algorithm 1. MD5: Requests AH encapsulation and authenticates using Message Digest 5. 4. From the ESP Authentication Scheme drop-down menu, select one of the following to specify the hashing algorithm to use for Encapsulating Security Payload (ESP) IPSec: NONE: Requests no AH encapsulation. SHA1: Requests AH encapsulation and authenticates using Secure Hashing Algorithm 1. MD5: Requests AH encapsulation and authenticates using Message Digest 5. 5. From the ESP Encryption Scheme drop-down menu, select one of the following to specify the algorithm to use to encrypt ESP IPSec packets: NONE: No ESP encapsulation and no encryption is used. NULL: ESP encapsulation but no data encryption. ESP encapsulation ve
57. l need some of the items from the following list. Contact your Network Service Provider for specific details on the items you should receive: DNS address; one or more IP addresses and a subnet mask; PPP Username and Password (if required). Hardware Installation: You may position the Siemens broadband router at any convenient location where it will be well ventilated. Do not stack it with other devices or place it on the carpet. You can connect the router to an existing Ethernet port on your computer. To connect the SpeedStream device via the Ethernet interface, your computer must have an Ethernet adapter (also called a network interface card, or NIC) installed. If your computer does not have this adapter, install it before proceeding further. Refer to your Ethernet adapter documentation for complete installation instructions. Once you verify installation of an Ethernet adapter, perform the following procedure to connect the router to your computer. To set up the hardware connections: [Figure: rear-panel connection diagram. Labels: connect to Ethernet port on PC using RJ-45 (red label) cable; optionally connect to serial port on PC or an external modem for dial backup; Ethernet ports 1-4; MGMT port; power switch; power supply.]
58. When firewall rules are created, they are specified as Allow or Deny rules. When a packet is evaluated, the Deny rules are applied first, then the Allow rules. 2. Select one of the following: Click Allow Rule List to define a new rule that allows an action if the action matches the specified criteria. Click Deny Rule List to define a new rule that denies an action if the action matches the specified criteria. Select an existing rule from the Allow Rule List or Deny Rule List drop-down menu. 3. Click Create (or Modify/View if you selected an existing rule). This expands the Firewall Rule Configuration page to include appropriate fields for the Allow Rule List and Deny Rule List selection. [Screenshot: Firewall Rule Configuration page with Create, Modify/View, Delete and Refresh buttons.] 4. For Target, select one of the following to specify the characteristics a packet must have in order to match the firewall rule: Protocol/Port: Specifies the protocol or port that applies to the rule. This can be one of the following: tcp, to specify TCP protocol for this rule. You can specify a source and destination port or port range. If only one source/destination port is specified, the packet must have the specified port. If a range is defined, the packet can have a port wi
59. lect the application to match in the destination port check. Do not care: Disables destination port checking. From the Priority drop-down menu, select the priority to place on this policy if match criteria is met. This can be High, Medium, Normal, or Low. Normal is the default. In Code Point incoming and Code Point outgoing, select one of the following: Click the button next to the box to specify the Code Point. Be sure to enter the Code Point in the appropriate field. Click Default to accept the default Code Point. In Bidirection, select one of the following: On: Enables bidirectional operation of the policy. Off: Disables bidirectional operation of the policy. In Start Time, specify the time of day when the policy becomes active. In Duration, specify the time period for the policy to remain active. In Repetition, select one of the following: Always on: Policy is applied every day. At: Policy is applied only one time, on the specified month (MM), day (DD), and year (YY). Every: Policy is applied on the specified day of the week. Click Save. Reorder QoS Policies: To move a QoS policy: 1. On the QoS Policy Setting page, select the policy you want to move in the IP Policy List drop-down menu and click Move. This expands the QoS Policy Setting page. QoS Policy Setting: Create, Modify/View, Move, De
60. lete, Refresh; IP Policy List: mypolicy; Move Policy mypolicy: to the end / before policy; Apply, Cancel. 2. To specify the new location, select one of the following: to the end: Moves the policy to the end of the policy list. before policy: Select the name of the policy where you want to move the Policy in the policy name drop-down menu. The policy will be moved to the location immediately preceding the policy specified in before policy. 3. Click Apply. Routing Table Configuration: Every host has a default routing table that it uses to determine which physical interface address to use for outgoing IP traffic. The router supports virtual routing, which allows you to define multiple routing tables for a single host. Each routing table added has a defined range of IP source addresses that use that table. The router determines which routing table to use based on the source address in the packet. For example, if the router receives a packet whose source address is 192.168.254.10, it checks if that address is within the address range defined for a virtual routing table. If it is, the virtual routing table is used to route the packet. If it is not, the default routing table is used instead. To configure additional routing tables: 1. Click Routing Table Configuration on the left navigation pa
61. lex 10/100 BaseT switched Ethernet port (8-pin RJ-45); Green/Amber LEDs. Operational Environment: Temperature 40°F to 105°F (5°C to 40°C); Humidity 20% to 80%, non-condensing. Processor: Motorola 64 MHz MPC875; 8 MB DRAM; 4 MB Flash Memory; 3DES, DES, MD5, SHA hardware assist; AES hardware encryption assist. Serial Interface: One RS-232 asynchronous console or modem port (RJ-45). Software Specifications: Bridging: Transparent bridging including Spanning Tree protocol (IEEE 802.1D); bridge filters. Configuration Management: Easy Setup Web Management Interface Microsoft Windows configuration management via SNMP; TFTP download/upload of new software and configuration files; performance monitor; dynamic event and history logging; administration through HTTP, SNMP, Telnet, or VT100 terminal; network boot uses the BootP server (RFC 2131, RFC 2132). Dial Backup: Failover to modem on console port; Web Management Interface; user-selectable fail/restore criteria; supports L2TP and IPSec tunnel failover; optional modem connector (DB9 or DB25). IP Address Translation: Network renumbering; RFC 1631 Network Address Translation (NAT/PAT); LAN servers supported with NAT; support for NAT inside an IPSec tunnel. Routing: TCP/IP with RIP1 (RFC 1058), RIP1 compatible, and RIP2 RFC
62. maining queues. Consequently, WFQ ensures that queues are not starved for bandwidth and that traffic service levels are made more predictable. Weighted Fair Queuing adapts automatically to changing network conditions and requires minimal configuration. WFQ is implemented on the router and applies to network traffic passing through it. Unlike DiffServ, external nodes have no effect on QoS through Weighted Fair Queuing. Weighted Fair Queuing provides a means of ensuring that high-priority or mission-critical applications receive adequate levels of bandwidth. This is accomplished by controlling two key factors in QoS policies. Manipulation of these two factors determines the quality of service to each application. Priority: Priority determines the order in which packets will be processed by the router. Weight: Weight determines the amount of bandwidth to be allocated to a given application. The router supports four priority levels: High, Medium, Normal, and Low. A weight value can be assigned to each of these priority levels, from a minimum of 1 to a maximum of 255. To configure QoS: 1. Click QoS in the left navigation pane of the Router Information page. This displays the QoS Configuration page. This page shows the current settings and provides a means to change them. QoS Configuration: QoS Status, QoS Priority Weig
63. mation from the drop-down menu and click Execute to display information about the configured routing tables. [Screenshot: Run Diagnostics page, "Request complete for Routing table information".] Output Window: IP route Mask > Gateway Interface Hops Flags y 1192 168 254 0 00 > 0 0 0 ETHERNET 0 1 NU FU DIR PRM RP1 RP 192 168 254 254 ffffffff > 0 0 0 0 ETHERNET 0 0 ME superuserflan > Files Information: Select Files information from the drop-down menu and click Execute to display files stored on the router. [Screenshot: Run Diagnostics page, "Request complete for Files information".] Output Window: KERNEL F2K 1395728 KERNEL BAK 1395728 AUTOEXECHFG 482 MAXSEC TXT 1808 MEDSEC TXT 1990 MINSEC TXT 1886 NOSEC TXT 415 RELNOTESHTM 32734 KEYFILE DAT 768 SYSTEM CNF 5376 ISSHCFG DAT 192 TACPLUS DAT 164 USERS DAT 1224 DNS DAT 156 FILTER DAT 1284 HOSTKEY PUB 733 superuser lan > Memory Usage: Select Memory usage from the drop-down menu and click Execute to display memory usage information. Diagnostics: Request complete for
64. me after which the Phase I negotiation expires. A new IKE Phase I exchange will occur automatically. 2. In IKE Proposal Name, enter a logical name for the IKE Proposal Definition. This name is of no importance to the remote IKE peer. 3. From the Message Authentication Scheme drop-down menu, select one of the following hashing authentication options to use to validate the IKE Phase I exchange: MD5: Performs message authentication using Message Digest 5. SHA1: Performs message authentication using Secure Hashing Algorithm 1 (default). 4. From the Diffie-Hellman Oakley Group drop-down menu, select one of the following Diffie-Hellman key generation groups to use during the IKE Phase I exchange: Group 1: Uses Diffie-Hellman Group 1 (768 bits). Group 2: Uses Diffie-Hellman Group 2 (1024 bits). 5. From the Encryption Type drop-down menu, select one of the following encryption types to use during the IKE Phase II Quick Mode exchange: DES: Encrypts using a 56-bit key. 3DES: Encrypts using three 56-bit keys to produce 168-bit encryption. AES: Encrypts using a 128, 192, or 256-bit key. 6. If you selected AES as the encryption type, specify the key bit size to use in Key Length. This can be 128, 192, or 256. 7. In Phase I Proposal Lifetime, enter the number of seconds after which the Phase I negotiation expires. The default is 1800 seconds. Once this time is elapsed, the system will renegot
65. ments indicated by network applications fully participating in any differentiated services architecture. This router provides Quality of Service using two methods: Differentiated Services Framework (DiffServ) and Weighted Fair Queuing (WFQ). Differentiated Services Framework (DiffServ) is a facility to prioritize the requirements of each Class of Service (for example, e-mail, streaming video, voice) according to defined policies. DiffServ is suited to Metropolitan Area Networks or private networks where control over the infrastructure is guaranteed and differentiated services can be deployed end to end. To employ DiffServ, each packet of data is tagged with a six-bit pattern known as the DiffServ CodePoint (DSCP), replacing the three IP precedence bits in the ToS byte of the IPv4 header. This tag determines the processing of each packet as a Per-Hop Behavior (PHB) at each DiffServ node. Each DSCP is read, and network resources are allocated to a packet according to the Class of Service defined in its associated policy. When DiffServ is activated on your router, data packets are read and marked according to their DiffServ priority. The packets are then queued and processed according to the defined QoS policy. Weighted Fair Queuing (WFQ) is a flow-based queuing algorithm that performs two functions simultaneously: It schedules priority traffic to the front of the queue to reduce response time. It fairly distributes remaining bandwidth between re
66. n Diagnostics. [Screenshot: Run Diagnostics page with a Choose Diagnostic drop-down (PPPoE session selected) and an Output Window; on-screen help: Shows the user various diagnostic information.] From the Run Diagnostics page you can view information for the following: PPPoE session; Interface information; Routing Table information; Files information; Memory usage; List all configuration data; TCP/IP statistics. PPPoE Session: Select PPPoE session from the drop-down menu and click Execute to display PPPoE session information. This option is available only if you have a PPPoE session configured. [Screenshot: Run Diagnostics page, "Request complete for PPPoE session".] Output Window: superuser lan > Interface Information: Select Interface information from the drop-down menu and click Execute to display interface information. [Screenshot: Run Diagnostics page, "Request complete for Interface Information".] Output Window: Interface Speed In Out Protocol State Connection ETHERNET O 100 0mb 0 0 0 0 Ethernet OPENED FR O ob HDLC FR OFF CONSOLE 7 0 9600 b 0 0 0 0 TTY OPENED superuserBlan > Routing Table Information: Select Routing Table infor
67. n exceeds the threshold. 2. For Firewall Status, select On or Off to turn Stateful Firewall on or off. 3. For Watch Setting, select On or Off to control whether or not messages are printed to the console whenever a packet is accepted or dropped. 4. In Dropped Packet Threshold Setting, specify the number of packets per second that must be dropped before a message is logged to the console. The default value is 200 packets per second. 5. In UDP Packet Threshold Setting, specify the number of UDP packets per second that can be received. When this number is exceeded, the firewall blocks any subsequent UDP packets. The default value is 1000 UDP packets per second. 6. In ICMP Ping Packet Threshold Setting, specify the number of ICMP ping packets per second that can be received. When this number is exceeded, the firewall blocks any subsequent ICMP ping packets. The default value is 1000 ICMP ping packets per second. 7. In SYN Packet Threshold Setting, specify the number of SYN requests per second that can be received. When this number is exceeded, the firewall blocks any subsequent SYN requests. The default value is 200 SYN packets per second. 8. Click Apply. View Dropped Packets: To view the most recent dropped packets: 1. Click Dropped Packets from the left navigation pane of the Stateful Firewall Configuration page. This
68. ncluding the username, password, access, and management privileges. To configure the RADIUS Server: 1. Click Configure Radius Server on the left navigation pane of the User Management page. This displays the Radius Server Configuration page. [Screenshot: Radius Server Configuration page with fields Timeout (1 to 5 seconds, default 3), Retry (0 to 5 times per server, default 3), and a server table with columns Server, IP Address, Port, Secret and Action (Delete) for the Primary and Secondary servers.] On-screen help: When a Radius server cannot be reached, a response Timeout is set by default to 3 seconds between retry attempts to the Radius server. If the primary server cannot be reached on the first attempt, the client will attempt to contact the primary server based on the Retry times before trying to contact the secondary server. To configure a Radius server, users need to provide IP address, Port (by default 1812), and Secret. 2. In Timeout, enter the number of seconds between retry attempts when the Radius Server cannot be reached. 3. In Retry, enter the number of times the Radius Server should be contacted before attempting to connect to the secondary server. 4. For Primary and, optionally, Secondary servers, provide the IP Address, Port, and Secret for accessing the Radius Server. The Secret is used to authenticate requests between servers.
69. ne of the Router Information page. This displays the Routing Table Configuration page. [Screenshot: Routing Table Configuration page with an Interface drop-down showing eth 0 0 LAN.] On-screen help: The Routing Table specifies the mapping between IP networks and network interfaces. 1. Select an interface. 2. Create a new route by entering new information and clicking Add. 3. Delete an existing route by clicking the Delete for that route. 4. Edit an existing route by removing and re-creating the entry. 5. Save changes with the Save button. 2. From the Interface drop-down menu, select the interface you want to configure. 3. Click Select. This expands the Routing Table Configuration page. [Screenshot: expanded Routing Table Configuration page with Address, Mask, Gateway and Metric fields.] 4. Enter the subnet Address, Mask, and Gateway IP address associated with the routing table. 5. In Metric, enter the priority for the routing table. This can be a number between 1 and 15, with 1 being the highest priority. 6. Click Add. Click Sav
70. [Table of contents, continued] Hardware Installation; PC Configuration; Windows 98 M; Windows NT; Windows 2000; Windows XP; MacOS; Mac OS X; Linux; Configuring the Router; Establish Connection; Router Information Page. Chapter 3 Easy Setup: Access Easy Setup Wizard; Select Proc; Using PPPoE; Not Using; Dynamic Host Configuration Protocol. Chapter 4 User Setup: Adding/Modifying a User Account; Deleting a User Account; User Lookup; Secure Mode Configuration; Configure the Radius Server; Configure the TacPlus Server; Management Classes; Change Password
71. no; IPX Routing disabled; Ethernet MAC Address 00:20:6F:17:89:0B; NAT disabled; IP Filters Applied no; IP Address 192.168.254.254. [Navigation items: IP Routing Info, System Info, Home.] From the System Summary page you can view information for the following: Ethernet interface; Remote connections; IP Routing; System. Ethernet Interface Information: Click Ethernet Info on the left navigation pane of the System Summary page to display information about the Ethernet interface. [Screenshot: Ethernet Info panel showing Bridging disabled, IP Routing disabled, Firewall Filter Applied no, IPX Routing disabled, Ethernet MAC Address 00:20:6F:17:89:0B, NAT disabled, IP Filters Applied no, IP Address 192.168.254.254.] Remote Connection Information: Click Remote Info on the left navigation pane of the System Summary page to display information about remote connections for all entries in the Remote Router database. [Screenshot: Remote Info table with columns Name, Protocol, PVC, NAT, IP Address, Bridging, Status; one row: internet, PPP, notset, disabled, 0.0.0.0, disabled, enabled.] IP Routing Information: Click IP Routing
72. nt. Client IP: The leased IP address assigned to the specific client. State: Whether the IP address is enabled or disabled. Host Name: Name of the host leasing the specific IP address. Expires (mm dd yy): Date when the IP address lease will expire. At that time, if not before, the leased IP address will be freed for re-assignment and the network client will need to request a new IP address from the router. Router Clock: Use the Router Clock option to set the date and time on the router. To set the current date and time on the router: 1. Click Router Clock on the left navigation pane of the Router Information page. This displays the Current Date and Time page. The current date and time from your PC are displayed in the field labeled Current Date and Time. To synchronize the date and time on your router with the current date and time displayed, click Synchronize Router Clock. DHCP: Dynamic Host Configuration Protocol (DHCP) is a communicati
73. ollowing general provisions apply to the foregoing Software License and Limited Warranty: 1. No Modification. The foregoing Limited Warranty is the end user's sole and exclusive remedy and is in lieu of all other warranties, express or implied. No oral or written information or advice given by Siemens Subscriber Networks or its dealers, distributors, employees or agents shall in any way extend, modify or add to the foregoing Software License and Limited Warranty. This Software License and Limited Warranty constitutes the entire agreement between Siemens Subscriber Networks and the end user, and supersedes all prior and contemporaneous representation, agreements or understandings, oral or written. This Software License and Limited Warranty may not be changed or amended except by a written instrument executed by a duly authorized officer of Siemens Subscriber Networks. Siemens Subscriber Networks neither assumes nor authorizes any authorized service center or any other person or entity to assume for it any other obligation or liability beyond that which is expressly provided for in this Limited Warranty, including the provider or seller of any extended warranty or service agreement. The Limited Warranty period for Siemens Subscriber Networks supplied attachments and accessories is specifically defined within their own warranty cards and packaging. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND OTHER DAMAGES: TO THE FULL EXTENT PERMITTED BY LAW, IN NO EVENT SHA
74. on protocol that allocates IP addresses automatically to any DHCP client requesting an IP address. A DHCP client can be any device attached to your network, for example a PC. Note that DHCP is effective only if TCP/IP is installed on the DHCP client. The router can act as a DHCP server, automatically providing a suitable IP address and related information to each computer when the computer boots up. Without DHCP, IP addresses must be entered manually at each device. When configured as a DHCP server, the router acts: As a DHCP server, by assigning IP addresses to workstations attached to the LAN that issue DHCP address requests. Before responding to a DHCP client request, the router's DHCP server attempts to locate other active DHCP servers on the network, such as Windows NT servers. If one is detected, or if a DHCP server on the WAN has been explicitly specified, the router's DHCP server disables itself. As a DHCP client, by requesting that an IP address be assigned to the WAN-side port of the router. As a relay, by passing through client requests from the LAN side onto the WAN asking for IP address assignment, and relaying responses back to the appropriate client. DHCP (Dynamic Host Configuration Protocol) is a TCP/IP service protocol that provides dynamic leasing of IP addresses and other configuration information to client hosts on the network. The router can act as a DHCP server, automatically providing a suitable IP address and related informa
75. 3. Select the rule list(s) or range of rules you want to delete. To delete a single rule only, enter a number in the from field. When entering a range of rules to be deleted, the rule range specified is inclusive of the first and last rules. 4. Click Apply. IKE/IPSec Configuration: IKE/IPSec (Internet Key Exchange/Internet Protocol Security) provides authentication and encryption of IP traffic for the authenticity, integrity, and privacy of your communications. IPSec sessions are established through Security Associations (SAs) that enable secure devices to negotiate a level of security attributes needed for a Virtual Private Network (VPN). To configure IKE/IPSec: 1. Click IKE IPSec Configuration from the left navigation pane of the Router Information window. This displays the IKE IPSec Information page. 2. Select one of the following
76. ough this is the default setting for the PC, it is a good idea to verify that it has not been changed. Each supported PC Operating System varies slightly in how the configuration windows are presented. Select the Operating System installed on the PC connected to the router from the list below and follow the associated procedure: Windows 98/ME, Windows NT 4, Windows 2000, Windows XP, Mac OS 9.x, Mac OS X, Linux OS. Windows 98/ME: 1. Click Start > Control Panel > Network. This displays the Configuration tab on the Network window. 2. Select TCP/IP protocol for your network card. 3. Click Properties. This displays the TCP/IP Properties window. 4. Click the IP Address tab. 5. Ensure that the Obtain an IP address automatically option is selected. This is the default Windows setting. 6. Click OK to close each dialog. 7. Restart the PC to ensure it obtains an IP address from the router. 8. Configure the router. Windows NT 4: 1. On your desktop, right-click on the Network Neighborhood icon. This displays the Network window. 2. Click the Protocols tab. 3. Select TCP/IP Protocol from the Network Protocols list. 4. Click Properties. This displays the Microsoft TCP/IP Properties window. 5. Click the IP Address tab
77. 6. Ensure that the Obtain an IP address automatically and Obtain DNS server address automatically options are selected. 7. Click OK to close each dialog. 8. Restart the PC to ensure it obtains an IP address from the router. 9. Configure the router. Windows XP: 1. Click Start > Control Panel. This displays the Control Panel window. 2. Double-click the Network Connections icon. This displays the Network Connection window. 3. Right-click Local Area Connection, then click Properties. This displays the Local Area Connection Properties window. 4. Select Internet Protocol (TCP/IP). 5. Click Properties. This displays the Internet Protocol (TCP/IP) Properties window.
78. r between the SNMP manager and agent for requests. The community setting allows the SNMP manager to request information from a community rather than each node agent individually. 3. In Write Community String, enter the name of the SNMP write community to which the router belongs. 4. In Port Number, select one of the following: Port Number: Enter the desired number in the field next to Port Number. Disable: Disables the SNMP port. Default: Sets the port to the default port of 161. 5. In Enabled Interfaces, select one or both of the following: LAN designates the Local Area Network as a trusted interface; WAN designates the Wide Area Network as a trusted interface. 6. In Trap Enable, select Enable or Disable. SNMP agents also have the ability to send unrequested messages to SNMP managers; these messages are called traps and notify the SNMP managers that an event has happened on the system. 7. If you enabled Trap Enable, in Trap Manager 1-4 specify the IP address for a node that will receive a Trap event from the router. You can specify up to four trap managers. 8. Click Apply. Configure SNMP IP Filter and SNMP Password. SNMP IP Filter: Activating an IP Filter range will limit SNMP requests to only those that originate from the designated addresses or LAN. To activate IP filtering: 1. Click SNMP IP Filter from the SNMP
79. ress. This section describes how to perform the following tasks: Configure NAT: Configure passthrough settings and enable or disable NAT for outbound traffic on an interface. Configure NAT Server: Configure NAT for inbound traffic. Configure Host Mapping: Configure mapping between private IP addresses and public IP addresses. Configure NAT: To configure NAT for outbound traffic: 1. Click NAT on the left navigation pane of the Router Information page. This displays the NAT Configuration page. 2. For NAT Passthrough, select Enable or Disable to specify whether or not multiple VPN clients are allowed. Enabled: multiple VPN clients are allowed. Disabled: only a single VPN client is allowed. 3. Click Apply. 4. In the Outbound NAT Setting section of this page, select Enable or Disable for each of the listed interfaces to enable or disable NAT for communications for that interface. Configure the NAT Server: To configure NAT for inbound traffic: 1. Click NAT Server on the left navigation pane. This displays the NAT Server Settings page.
80. rface, click Switch Management on the left navigation pane of the Router Information page. This displays the Switch Status page. The Switch Status page provides a graphical representation of the switch port information, including connection speed, mode and port status, and provides links to switch management pages to perform the following tasks: Aging Time Configuration: Configure the aging time of the switch. Switch Age Time: The Switch Age Time specifies the aging time of the switch. When the age time expires, the port MAC address entry is removed from the table containing this information. To configure Switch Age Time: 1. Click Aging Time Configuration from the left navigation pane of the Switch Status page. This displays the Switch Aging Time Configuration page.
81. rifies the source, but data is sent in the clear to increase throughput. DES-CBC: Encrypts using a 56-bit key. 3DES: Encrypts using three 56-bit keys to produce 168-bit encryption. AES: Encrypts using a 128, 192 or 256-bit key. 6. If you selected AES as the encryption type, specify the key bit size to use in Key Length. This can be 128, 192 or 256. 7. In Phase II Proposal Lifetime, enter the number of seconds after which the IPSec SA expires. The default is 1800 seconds. Once this time has elapsed, the system will renegotiate the IKE connection. 8. In Phase II Proposal Life Data, enter the amount of data, measured in kilobytes, that can be transferred before the IPSec SA terminates. After the specified quantity of data has been transferred, the system will renegotiate the IKE connection. If zero is entered, the data quantity will be unlimited. By setting a limit on the amount of data transferred, the risk of a key becoming compromised is reduced. 9. Click Apply. IKE/IPSec Policies Definition: IPSec policies are criteria for packets that IPSec will recognize and actions that IPSec will take upon recognition. To define a new IKE/IPSec policy: 1. Click Create next to IKE IPSec Policies from the Advanced IKE IPSec Setup page. This displays the IKE IPSec Policy Definition page.
82. 2. Select the interface you want to configure from the Interface drop-down menu. 3. In Beginning LAN IP, enter the first private IP address you want to map to a public address. 4. In Ending LAN IP, enter the last private IP address you want to map to a public address. 5. In Beginning WAN IP, enter the first public IP address you want to map to a private IP address. It is only necessary to specify a starting IP address. The rest of the addresses in the range are computed automatically. 6. Click Add. This adds the entry to the Current Host Mapping Entries table. SNMP: Simple Network Management Protocol (SNMP) exchanges messages between a management client and a management agent. Messages contain requests to get and set variables that exist in network nodes, thus allowing a management client to obtain statistics, set configuration parameters, and monitor events. Communication with the SNMP agent can occur over the LAN or WAN connection. To configure SNMP: 1. Click SNMP on the left navigation pane of the Router Information Page. This displays the SNMP Configuration page. 2. In Community String, enter the name of the SNMP community to which the router belongs. This name acts as an identifie
83. s Control from the left navigation pane of the Router Information page. This displays the Access Control page. Access Control restricts administrative control of the router to a specific set of IP addresses. 2. Optionally, select one or more of the following remote access methods to enable that method of remote access. A check in the box next to the method specifies enabled. If disabled, any access restriction specification is disregarded. The methods are Telnet, Web, and SNMP. 3. For each remote access method selected, specify any access restrictions. This can be one of the following: No access restrictions: Remote access method is enabled and not restricted. This setting allows access from all hosts. Allowed from LAN: Limits access to hosts on the LAN. 4. Optionally, select Allow System Logging to Syslog Servers. If selected, specify any access restrictions. This can be one of the following: No access restrictions: System Logging is not restricted. This setting
84. s and to the Internet. The features that control users and their access are listed below. To access one of these options, click the link on the left navigation pane of the Router Information page. User Management: Manage user accounts. Change Password: Change user password. Access Control: Configure remote access to the router configuration settings. User Management: When you select User Management from the left navigation pane of the Router Information page, the User Management page is displayed. The page is used to create, edit and delete users. You must have Admin access to add, modify or delete users. Press the New User button to create a new user, or select an existing user in the select box and press the appropriate button to Edit or Delete that user. Use this page to add, delete, edit and view user accounts. You can also use this page to configure secure mode, configure the Radius Server, and configure the Tacplus Server. Click Home at any time to return to the Router Information page. To access one of these options, click its link on the User Management page. Use the table below to locate detailed instructions for the desired function. To do this / Refer to: Add or modify a user account / Add or Modify A User Account. Delete a user account / Delete a User Account. Specify databa
85. Access Control. Chapter 5 Advanced Setup: [entry unreadable]; Router Clock; DHCP; QoS; Differentiated Services Framework; Weighted Fair Queuing; Configure QoS Policy; Reorder QoS Policies; Routing Table Configuration; Dial Backup; Switch Management; Switch Age Time; Command Line Interface; File Editor. Chapter 6 Security Setup: NAT; Configure NAT; Configure the NAT Server; Configure Host Mapping; SNMP; SNMP IP Filter; SNMP Password; Secure Shell; [entry unreadable]; Load Keys; Key Generation
86. se for identifying users when logging into the router / User Lookup. Configure Secure Mode / Secure Mode Configuration. Configure the Radius Server / Configure the Radius Server. Configure the Tacplus Server / Configure the Tacplus Server. Adding/Modifying A User Account: User accounts are used to control access to the router and the Internet. To add a user account: 1. Click New User on the User Management page. This displays the Add/Modify User page. NOTE: To modify a user, select the desired name in the Select User list and click Edit User to display the Add/Modify User page. Note that changing the password or privileges of an existing user account may terminate a user's current activity or connection. 2. Enter User Name, Password, and Confirm Password in the appropriate boxes. The User Name cannot be modified for an existing account. When editing an existing account, the Password and Confirm Password values are not displayed. If you leave them blank, the password is not changed. 3. Do one of the following to assign privileges to this user account: Select one of the buttons at the top of this page to automatically assign pre-set privileges to the user based on common user roles. Refer to Management Classes for details on the privileges automatically assigned
87. Configure the TacPlus Server: Tacplus allows access control and user authentication to be managed from a remote server. To configure the Tacplus Server: 1. Click Configure Tacplus Server on the left navigation pane of the User Management page. This displays the Tacplus Server Configuration page. Fields shown on the page: Timeout (1 to 300 seconds, default 10); Retry (0 to 5 times per server, default 2); CACHE Timeout (0 to 60 minutes, default 4); and, for the Primary and Secondary servers, Server IP Address, Port, Secret, and Action. Help text on the page: When a Tacplus server cannot be reached, a response Timeout is set between retry attempts to the Tacplus server. If the primary server cannot be reached on the first attempt, the client will attempt to contact the primary server based on the Retry times before trying to contact the secondary server. To configure a Tacplus server, users need to provide IP address, Port (by default 49) and Secret. 2. In Timeout, enter the number of seconds to wait between retry attempts when the Tacplus Server cannot be reached. 3. In Retry, enter the number of times the Tacplus Server should be contacted before attempting to connect to the secondary server. 4. In CACHE Timeout, enter the number of seconds that must pass before the user must be authenticated again. 5. For Primary and optionally Second
88. signed by your service provider. Primary DNS Server: IP address where DNS requests will be sent. Secondary DNS Server: Optional IP address where DNS requests will be sent if the primary DNS server is unavailable. Primary WINS Server: IP address of the Windows Internet Naming Service where WINS requests will be sent. This maps NetBIOS names to IP addresses, similar to DNS. Secondary WINS Server: Optional IP address where WINS requests will be sent if the primary WINS server is unavailable. 3. Click Next. This displays the Trusted Interface Configuration page. Help text on the page: The IP Address is the network address of the router. This address must be globally unique unless NAT is enabled. Subnet Mask is used along with the IP address to determine whether or not the local IP traffic should be forwarded. Values shown: IP Address 192.168.254.254, Subnet Mask 255.255.255.0. 4. Enter the IP Address and Subnet Mask of the router. The IP address must be unique unless Network Address Translation (NAT) is enabled. 5. Click Save and Reboot. You are prompted to confirm the reboot. Chapter 4 User Setup: This chapter describes how to set up users on the router and control their access to router function
89. stem and operating software marketed by Siemens Subscriber Networks, including firmware, embedded software, software provided on media, downloadable software, software for configuration or programmable logic elements, and all Siemens Subscriber Networks maintenance and diagnostic tools associated with the above-mentioned software. Accordingly, while you own the media (such as CD-ROM or floppy disk) on which the software is recorded, Siemens Subscriber Networks or its licensors retains ownership of the Software itself. 1. Grant of License. You may install and use one, and only one, copy of the Software in conjunction with the Siemens Subscriber Networks provided Hardware. You may make backup copies of the system configuration as required. If the Hardware is being installed on a network, you may install the Software on the network server or other server-side device on which the Hardware is being installed and onto the client-side devices. 2. Restrictions. The license granted is a limited license. You may NOT: sublicense, assign, or distribute copies of the Software to others; decompile, reverse engineer, disassemble or otherwise reduce the Software or any part thereof to a human-perceivable form; modify, adapt, translate or create derivative works based upon the Software or any part thereof; or rent, lease, loan or otherwise operate for profit the Software. 2. Transfer. You may transfer the Software only where you are also transferring the Hardware. In
90. 3. Enter the administrative User name and Password. The default settings are User name: superuser and Password: admin. This displays the Router Information page. Router Information Page: The Router Information Page is the first page you encounter after logging into the router. The Router Information page displays basic router information and configuration settings. On the Router Information page, the following information is presented: Router Information: Including the model number, software version number, and additional features that may be configured. Router Configuration: Displays router configuration details such as LAN IP address, trusted and un
91. t. This displays the Dynamic Host Configuration Protocol page. Not Using PPPoE: If you will establish the connection based on IP addressing, you selected Not Using PPPoE. Perform the following steps to complete setting up the router: 1. IP Routing routes all IP packets for remote hosts to the WAN. Specify how to obtain an IP address and subnet mask by selecting one of the following: Obtain configuration automatically from WAN using DHCP, to have an IP address assigned automatically using DHCP. Configure IP Routing manually, to assign IP addresses manually. If you select this option, you must specify an IP Address, Subnet Mask, and Default Gateway in the appropriate fields. Default Gateway assigns the IP address of the next hop device. 2. Optionally, select NAT Enabled to enable Network Address Translation (NAT). NAT allows multiple workstations on your LAN to share a single public IP address. All outgoing traffic appears to originate from the router's IP address. 3. Click Next. This displays the Dynamic Host Configuration Protocol page. Dynamic Host Configuration Protocol: Dynamic Host Configuration Protocol (DHCP) provides a dynamic, upon-request IP address to computers and other networked devices. The router can act as a DHCP server for devices on your local network. The router provides the flexibility to use different r
92. the amount of data is large or complex. To use the File Editor: 1. Click File Editor on the left navigation pane of the Router Information window. This displays the File Editor page with a list of stored files in the left navigation pane. 2. Do one of the following: To create a new file, enter file text in the editing window and the name of the file in File name using filename.txt format, then click Save. To edit an existing file, click the file you want to edit on the left navigation pane. This displays the contents of the file in the editing window. Make your changes and click Save. Edits can be discarded without saving by clicking the Home link at the bottom of the navigation pane. If you save a file with the same name as an existing file, the existing file will be immediately overwritten. Chapter 6 Security Setup: This chapter describes how to configure security features on the router. Security features are listed below. To configure one of these features, click the link on the left navigation pane of the Router Information page. Secure Shell; Firewall Scripts; Stateful Firew
93. thin the specified range. If no source/destination port is specified, the firewall rule matches any port in the range 0-65535. udp: to specify UDP protocol for this rule. You can specify a source and destination port or port range. If only one source/destination port is specified, the packet must have the specified port. If a range is defined, the packet can have a port within the specified range. If no source/destination port is specified, the firewall rule matches any port in the range 0-65535. number: to specify a protocol number. icmp: to specify ICMP protocol for this rule. If you select this protocol, you must specify an ICMP Type for matching the packet source and ICMP Code for matching the packet destination. Application: Select the application that must match from the Application drop-down menu. 5. For Source and Destination under Address, optionally specify the First IP and Last IP addresses to define the source and destination IP address boundaries to apply to the firewall rule. The packet must have a source/destination IP address within the specified address range. If only First IP address is specified, the packet must have that source/destination IP address. If no source/destination IP address is specified, the firewall rule matches any valid IPv4 address. 6. For Source and Destination under Address, optionally specify a Mask that must match for the rule to apply. If no mask is specified, 255.255.255.255 is used. 7. From the Mod
94. tion window. This wizard will walk you through the configuration screens necessary to set up the router. You can exit the Easy Setup Wizard at any time by clicking Cancel on the bottom of the configuration page. If the wizard is cancelled, no changes will be made and you will need to begin again. Select Protocol: When you click Easy Setup in the left navigation pane of the Router Information page, the Untrusted Interface Configuration page is displayed. This page is used to enter information for the Untrusted (WAN-side) Ethernet Interface that will communicate with the Internet access device (broadband modem or similar). To configure the Untrusted interface: 1. Select one of the following connection methods: Using PPPoE, if you will use the Point-to-Point Protocol (PPP) to establish the connection. Not Using PPPoE, if you will establish the connection based on IP addressing. Help text on the Untrusted Interface Configuration page: Using PPPoE allows user to select using PPPoE or not. PPPoE requires a username and password. PPPoE Service Name requires a name. Default is for any. PPPoE Timer requires a specific duration in seconds or the default permanent setting. The IP address and Subnet Mask define the IP address and network of the interface. This information is required in order to use NAT. The Default Gateway is the IP address of the next hop router. Network Address Translation (NAT) makes all connections appear to originate
95. tion to each computer when the computer boots up. To configure DHCP:
1. Click DHCP in the left navigation pane of the Router Information window. This displays the DHCP Configuration page. This page shows the current settings as well as provides a means to change the current settings.
(Screenshot: DHCP Configuration page)
2. To change the server status, select Enable or Disable from LAN DHCP Server Status. Disabled: the router will not act as a DHCP server.
3. Click Apply.
4. When a PC boots and asks for an IP address, the DHCP server assigns it an address from a pool of addresses assigned to the subnetwork where the client request originated. To specify the start and ending address range of the IP address pool, enter the starting address in First IP Address and the ending address in Last IP Address.
5. Click Apply.
Note that a list of network clients that are currently leasing their IP addresses from the pool is shown in Current DHCP Leases List. From left to right, the following information is presented for each client:
- Client IP: The leased IP address assigned to the specific client.
- State: Whether the IP address is enabled or disabled.
- Host Name: Name of the host leasing the specific IP address.
- Expires mm
96. to each role.
- Manually select the management activity you want to assign to this user account. For each management activity class, click to select Read or Read/Write privileges for the user, or select None for no privilege.
4. In Allow Access From, specify one or more of the following:
- Ethernet 0: Can access from the LAN side.
- Ethernet 1: Can access from the WAN side.
- Console: Can access from a console.
User access verification is performed if the user account is verified during user authentication. User access verifies that the user account can access the router through the connectivity method being used, such as over the LAN or through a console.
5. Click Enabled for Account Access to enable this account. By default, accounts are disabled when added. This must be manually selected before the account is accessible to the user.
6. Click Apply to add/modify the user account.
Deleting A User Account
To delete a user account:
1. Select the name of the account you want to delete in the Select User list on the User Management page, then click Delete User.
2. When prompted, click OK to confirm the account deletion.
User Lookup
User authentication/verification is performed when an access request is made to the s
97. trusted interface information, protocol, and other network settings.
- Wireless Status: Displays the status of the wireless LAN.
In the left navigation pane of this page, there are configuration, diagnostic, and status and statistic options for the router. In this document, these features are grouped according to User Access Control, Advanced Router Functions, Security, and Monitoring Health and Status. Use the table below to locate detailed instructions for the desired function.
To do this | Refer to
Perform Easy Setup | Chapter titled Easy Setup
Configure users on the router | Chapter titled User Setup
Configure advanced features | Chapter titled Advanced Setup
Configure security features | Chapter titled Security Setup
Configure wireless settings | Chapter titled Wireless Setup
Monitor the health of the router | Chapter titled Monitoring Router
Manage router using Command Line Interface | Command Line Interface Guide
Chapter 3 Easy Setup
This chapter describes how to define router configuration settings using the Easy Setup Wizard. These settings control access to the Wide Area Network (WAN) and Local Area Network (LAN). During the Easy Setup procedure, you will be prompted to specify configuration parameters that may require information from your service provider.
Access Easy Setup Wizard
To access the Easy Setup Wizard, click Easy Setup in the left navigation pane of the Router Informa
98. Firewall Scripts
A firewall is any combination of hardware and software that secures a network and traffic to prevent interception or intrusion. The router has built-in firewall capabilities to secure your network and data communications. The router is equipped with predefined scripts that can be modified or used as is to construct firewalls. All network security efforts, including firewall configurations, should be performed by an experienced and qualified network security technician who is familiar with the unique architecture and requirements of their network. Siemens Subscriber Networks cannot be liable for security violations due to inadequate or incorrect firewall configurations. To load a firewall script, perform the following:
1. Click Firewall Scripts on the left navigation pane of the Secure Shell (SSH) Configuration List page. This displays the Run a Firewall Script page.
(Screenshot: Run a Firewall Script page, with the Firewall Strength options Maximum, Medium, Minimum and None, an Apply button and an Output Window)
2. Select the desired Firewall Strength. This can be one of the following:
- Maximum: Establishes a firewall with the most restrictive policies for maximum network security.
- Medium: Establishes a firewall with flexible policies for a moderate level of network security.
- Minimum: Establishes a firewall with a basic set of policies for a minimum level of network security.
- None: No firewall is established.
3
99. ually be the subnet mask assigned to the network local to your router.
9. In Destination IP Address, enter the IP address of the remote private network to which your router will connect using this policy.
10. In Destination Subnet Mask, enter the subnet mask of the remote private network to which your router will connect using this policy.
11. In Source Port, enter the port that will be the source of TCP/UDP traffic under this policy. You can specify All ports, a port number, or an IP application associated with a particular port. Because port numbers are TCP and UDP specific, a port filter is effective only when the protocol filter is TCP or UDP.
12. In Destination Port, enter the port that will be the destination of TCP/UDP traffic under this policy. You can specify All ports, a port number, or an IP application associated with a particular port.
13. From the Default Tunnel drop-down menu, select the tunnel you want to search last. Only one tunnel can be specified as the default tunnel.
14. Click Apply.
VPN Log On
VPN Log On starts an IPSec session. IPSec sessions are initiated through Security Associations (SAs), which allow peers to negotiate a common set of security attributes that assures source authent
100. ug in power adapter and connect to wall outlet. UNTRUSTED WAN port: Connect to WAN device using RJ-45 cable.
1. With the PC powered off, connect your PC directly to any of the router's Ethernet ports on the back panel labeled TRUSTED using one of the RJ-45 cables provided. You may also connect additional Ethernet devices to the router's Ethernet ports using additional RJ-45 cables (not provided).
2. Connect the other end of the Ethernet cable to the Ethernet port on the PC.
3. Connect your Ethernet Interface WAN device (broadband modem or similar) to the Ethernet port labeled UNTRUSTED using another RJ-45 cable.
4. Optionally, connect the MGMT port to one of the following:
- Your PC serial port, using another RJ-45 cable and the supplied adapter, for router access via the command line interface.
- An external using an RJ-11 cable to provide for dial backup.
5. Connect the power adapter to the rear of the router.
6. Plug the power adapter into the electrical wall outlet.
7. Flip the power switch on the router.
8. Power on all connected computers. You can now configure the TCP/IP settings as detailed in the PC Configuration section.
PC Configuration
Your PC must be configured to use the TCP/IP protocol suite over the Internet and to accept Dynamic Host Configuration Protocol address assignments from the router. Alth
101. vigation pane of the IKE IPSec Information page. This displays the Advanced IKE IPSec Configuration page. This page shows the current configuration and includes a Create button for each category to create new IKE and IPSec definitions.
(Screenshot: Advanced IKE IPSec Configuration page, listing IKE Peers, IKE Proposals, IKE IPSec Proposals and IKE IPSec Policies, each with a Create button and none defined)
This section describes how to perform the following tasks:
- IKE Peers: Create IKE peers. IKE peers are those devices known to your ADSL Internal Modem as capable of participating in IKE connections.
- IKE Proposals: Create IKE proposals. IKE proposals specify how packets will be encrypted/authenticated for Phase 1.
- IKE IPSec Proposals: Create IKE IPSec proposals. IKE IPSec proposals specify how packets will be encrypted/authenticated for the final SA.
- IKE IPSec Policies: Create IKE IPSec policies. IPSec policies are criteria for packets that IPSec will recognize and actions that IPSec will take upon recognition.
IKE Peers Definition
IKE peers are those devices known to your internal modem as capable of participating in IKE connections. To define a n
102. will be tested upon receipt by Siemens Subscriber Networks. Products that pass all functional tests will be returned to the end user.
D. Siemens Subscriber Networks will return the repaired or replacement Product to the end user at the address provided by the end user, at Siemens Subscriber Networks's expense. For Products shipped within the United States of America, Siemens Subscriber Networks will use reasonable efforts to ensure delivery within five (5) business days from the date received by Siemens Subscriber Networks. Expedited service is available at additional cost to the end user.
E. Upon request from Siemens Subscriber Networks, the end user must prove the date of the original purchase of the product by a dated bill of sale or dated itemized receipt.
5. Limitations
The end user shall have no coverage or benefits under this limited warranty if the product has been subject to abnormal use, abnormal conditions, improper storage, exposure to moisture or dampness, unauthorized modifications, unauthorized repair, misuse, neglect, abuse, accident, alteration, improper installation, or other acts which are not the fault of Siemens Subscriber Networks, including acts of nature and damage caused by shipping. Siemens Subscriber Networks will not honor and will not consider the warranty voided if (1) the seal or serial number on the Product have been tampered with or (2) there has been any attempted or actual repair or modification of the Product by anyon
103. ystem. The router checks the user database to verify the user account by username and password supplied by the user when making the access request. You can specify where user authentication/identification is performed from the User Lookup Configuration page. You can specify both a primary and secondary database to use to identify users if you desire. If you specify both a primary and secondary database and the user is not found in the primary database, the secondary database is searched. To configure where user(s) are authenticated/identified:
1. Click User Lookup Config on the left navigation pane of the User Management page. This displays the User Lookup Configuration page.
(Screenshot: User Lookup Configuration page)
2. Specify one of the following databases for Primary and for Secondary. If the user is not found in the Primary database, the Secondary database is searched.
- Local: Searches the local database for user login identification. Either the primary or secondary lookup must be Local.
- Radius: Searches the Radius database for user login identification.
- Tacplus: Searches the Tacplus database for user login identification.
- None: Searches no database.
Secure Mode Configuration
You can enable secure mode to control whether an interface is trusted or untrusted. To
