Allied Telesis AT-iMG634 - R2 User guide

iMG/RG Gateway
Release 3-7-04
Software Reference Manual
Document Issue 1.4
iMG/RG Software Reference Manual
i. Preface
I Introduction
I.I Purpose of this manual
The Allied Telesis Gateway product set delivers multiple IP-based broadband services to the home over a high-speed,
always-on broadband connection. This family of devices enables the delivery of voice, data, and video to customer premises, offering benefits both to service providers and to end users. Service providers can quickly
deliver advanced services such as fast Internet, VoIP, and video on demand to their customers in a fully scalable
way that is remotely manageable. End users get the benefit of a single device interconnecting all peripherals,
computers, and telephones using a single uplink broadband connection.
This manual is the complete reference to the configuration, management, and operation of the AT-Gateway family of devices. It includes detailed descriptions of all management commands.
It is assumed that the reader is familiar with:
• The topology of the network in which the Intelligent Business Gateway is to be used.
• Basic principles of computer networking, protocols and routing, and interfaces.
• Administration and operation of a computer network.
II Intended audience
This manual is intended for the system administrator, network manager or communications technician who will
configure and maintain AT-iMG600 devices, or who manages a network of AT-iMG600 Gateways.
It is assumed that the reader is familiar with:
• The topology of the network in which the intelligent Multiservice Gateway is to be used;
• Basic principles of computer networking, protocols and routing, and interfaces;
• Administration and operation of a computer network.
III How this Document is Organized
This preface provides an overview of the supported devices and the documentation sections that are relevant
to these devices. Using this preface, the customer should be able to see where the device fits within the ATI
iMG portfolio and, at a high level, how it differs from the other members of the family. This Preface has
four main subsections:
1. A description of the different types of devices, grouped by Network Interface Technology (ADSL, Active
Fiber, EPON, Modular).
2. A detailed list of the individual models supported, including the type of Network Interface, the number of
Ethernet LAN interfaces and the number and type of Telephony ports.
3. A list of functional groupings of devices that describes the unique traits of each set of devices, exclusive of
network interfaces.
4. A list of the different sections within the document and, based on the groupings defined above, an indication
of which sections apply.
The intent of the functional groupings is to allow customers to use the appropriate group to determine
which sections within the document apply to that set of devices, as well as to identify what specific differences
there may be between the groupings when discussing a specific topic, such as File System structure or
Switch functionality.
IV Allied Telesis Gateway Family Feature Summary
IV.I VLAN OPERATION
This family of devices supports IEEE 802.1Q tagged VLAN operation across all its switch ports. It therefore
offers a powerful combination of wire-speed Layer 2 switching between VLANs as well as high-performance
Layer 3 routing between VLANs in one highly cost-effective unit.
IV.II FIREWALL
This family of devices integrates a Stateful Inspection Firewall with Network Address Translation (NAT) and
Denial of Service intrusion detection and blocking for protecting customer networks. Each VLAN can be
configured as external, internal, or DMZ. With the Virtual Server feature, a web or e-mail server can sit
behind the NAT and appear to be on the public interface. The NAT implementation supports the most
popular protocols and applications, including NetMeeting (H.323 and SIP), IPsec and PPTP.
IV.III PORT RATE LIMITING
This family of devices offers the possibility to limit the egress and ingress bandwidth on each port. This feature
allows the Service Operator to offer differentiated services to each customer and to protect its network from
malicious packet flooding.
IV.IV VOICE OVER IP (VOIP)
This family of devices offers a choice of Voice over IP signaling methods, namely SIP and MGCP, including the NCS
1.0 profile. SIP and MGCP are optimized for operation over IP networks. This multiple-protocol support
provides maximum flexibility for service providers, allowing them to provide an IP telephony service based on
cost and feature set, rather than being limited by the protocol used.
Similarly, a choice of different voice and data encoding algorithms is also available, comprising G.711 A-law and μ-law (64 kbps),
G.729 (8 kbps) and T.38, so that maximum VoIP interworking is assured with carrier-class IP Gateways and network
switches. Quality of Service is provided through mechanisms such as the Type of Service (ToS) field in the IP packet, priority
tagging of voice traffic using IEEE 802.1p, as well as silence suppression and local generation of comfort noise – the result is
excellent voice quality.
Class 5 services are supported and the VoIP interoperability has been certified against major soft-switch
vendors.
IV.V VIDEO STREAMING
Video Streaming offers unique features to optimize the delivery of video content to customers, namely VLANs,
IGMP snooping, and IGMP proxying. This family of devices supports full IGMP snooping capability (v1/v2), and
individual LAN ports can receive different multicast transmissions, e.g. different movies or TV channels. The
gateway ‘snoops’ IGMP packets in transit, so it knows which port to forward a particular multicast stream to.
This results in high-quality, high-bandwidth video streaming without affecting Internet surfing or IP telephony
on adjacent ports. The gateway also supports IGMP proxying to allow forwarding of multicast packets at Layer
3 with or without NAT.
IV.VI MANAGEMENT & CONFIGURATION
This family of devices is designed for high-volume deployment, which is reflected in the Zero Touch Configuration
(ZTC) model, whereby no user intervention is required when installing a unit. ZTC provides intelligent and automatic
configuration of remote RG units. It analyses incoming status information from each RG unit and dynamically
creates the appropriate configuration file or operating system download as required; it then selects the
appropriate download mechanism (e.g. TFTP, HTTP, HTTPS etc.) to complete the process. The ZTC client in
the RG initiates the download process on power-up, or on expiry of its DHCP lease timer. ZTC provides
secure authentication of client devices, resilience through distributed server operation and in-built scalability
for very large networks.
V Gateway Types
V.I ADSL Gateways
Asymmetric Digital Subscriber Line (ADSL) is used to provide cost-effective, high-speed local loop access for
Internet and other applications where data flows downstream to end users faster than it does upstream from
end users. ADSL provides asymmetric transmission over one pair of copper telephone wires with downstream
data transmission rates ranging from 32 Kbps to 26 Mbps with ADSL2+. A single telephone line can be used
simultaneously for voice and data transmission.
The ADSL interface is designed to meet the following standards:
• ANSI T1.413 (8 Mbps)
• ITU G.992.1 Annex A, also known as G.dmt (10 Mbps)
• ITU G.992.2, also known as G.lite (4 Mbps)
• ITU G.992.3/4, also known as ADSL2 or G.dmt.bis (12 Mbps)
• ITU G.992.5, also known as ADSL2+ (24 Mbps).
These gateways typically support 4 Ethernet 10/100TX ports plus 2 Voice ports.
V.II Active Fiber Gateways
Allied Telesis Active Fiber Gateways offer a full range of optical interfaces to fit the requirements of FTTx
applications. In full compliance with the optical performance requirements of the 100Base-FX variant of IEEE
802.3u, both multi-mode and single-mode fiber interfaces are available. In addition, the bi-directional optical interface
over a single fiber allows the best exploitation of the cabling infrastructure.
TABLE i-1 Active Fiber Gateways

OPTICAL PARAMETER       SH            LH            BD
Fiber type              Multi-mode    Single-mode   Single-mode
Operating wavelength    1300 nm       1300 nm       TX 1310 nm / RX 1550 nm
These gateways support from 3 to 6 Ethernet 10/100TX ports plus 2 to 4 voice ports and are available in both
indoor and outdoor versions.
There is also a subset of this family of devices that supports RF Overlay. These are derivations of base models with an “RF” suffix in the model name. RF Overlay is supported by the addition of a second fiber and an optical
module that performs analog fiber-to-RF conversion. The devices are connected to the WAN via a dual
single-mode fibre optical interface: one fibre delivers triple-play services as on the iMG613BD, the second
fibre receives the video broadcast channels.
TABLE i-2 Active Fiber Gateways with RF Overlay

OPTICAL PARAMETER       Fiber to Eth/VoIP          Fiber-to-RF
Fiber type              Single-mode                Single-mode
Operating wavelength    TX 1310 nm / RX 1550 nm    RX 1550 nm
The separate passive unit, named RG001, in which the optical cable is terminated allows easy installation,
maintenance and replacement thanks to a plug-and-play optical connection.
V.III Passive Optical Network Fiber Gateways
Allied Telesyn has expanded the portfolio to include an EPON Active Fiber Outdoor Gateway. This device is
an evolution of the Active Fiber Outdoor Gateway, supporting 6 Ethernet 10/100TX ports and 4 voice ports.
A passive optical network (PON) is a point-to-multipoint, fiber-to-the-premises network architecture in which
unpowered optical splitters are used to enable a single optical fiber to serve multiple premises, typically 32-128.
A PON consists of an Optical Line Terminal (OLT) at the service provider's central office and a number of
Optical Network Units (ONUs) near end users. A PON configuration reduces the amount of fiber and central
office equipment required compared with point-to-point architectures.
Downstream signals are broadcast to every premises sharing a fiber, so each ONU physically receives the traffic of
all the others; encryption is used to prevent eavesdropping.
Upstream signals are combined using a multiple access protocol, invariably time division multiple access
(TDMA). The OLTs “range” the ONUs in order to provide time slot assignments for upstream
communication.
V.IV Active Fiber Business Gateways
Allied Telesyn Active Fiber Business Gateways offer a full range of optical interfaces via an SFP or 100M TX
interface to fit the requirements of FTTx or MDU applications. This family boasts higher performance and a
larger number of VoIP interfaces. Being AC powered, it is perfectly adapted for installation in business or
MDU applications.
V.V Modular Gateways
Allied Telesyn Modular Outdoor Gateways offer a full suite of choices to the customer, for both WAN
interfaces and for LAN interfaces. This hardened device is designed for ease of installation and long-lasting,
robust service. It allows the customer to select a base platform for deployment and management that can be
enhanced as needs evolve. This base platform supports 2 or 4 Voice ports and 6 10/100M TX ports.
The following Modular WAN interfaces are supported:
• 100M Active Fiber
• 1000M Active Fiber
• EPON Fiber
The following Modular LAN interfaces are supported in addition:
• 1000M Copper Ethernet
• T1/E1 Circuit Emulation
• HPNA V3.1
VI Supported Products
The following table lists all the Gateway Series devices supported by this software release, along with an indication of the types of interfaces available.
TABLE i-3
Type
Fiber
iMG/iBG Modela
RG613TX
BD/LH/SH
RG656BD
Networkc
SM, SF
2-5
RG600
3-5
-
3-6
-
3-7
RG600E
SM, SF
RG600
-
-
RG6x6E
SM, SF
RG600
-
-
RG6x6E
SM, SF
-
iMG616E
-
iMG616E
SM, SF
-
iMG616E
-
iMG616E
SM, SF
-
-
-
iMG616W
SM, SF
RG600
-
-
RG6x6E
SM, SF
RG600
-
-
RG6x6E
EPONd
RG600
-
-
RG6x6E
SFP/TX
-
-
-
iBG915FX
-
-
iMG624A
iMG624B
iMG634A
iMG634B
-
-
FXS=2,
LAN=4
LAN=4
ADSL2+ (A/
B)
ADSL2+
(A/B)
ADSL2+(A)
-
iMG634A-R2
iMG634B-R2
FXS=2,
LAN=4
ADSL2+ (A/
B)
-
-
-
iMG634WA
iMG634WB
FXS=2,
LAN=4,
802.11b/g
ADSL2+ (A/
B)
-
iMG634W
A
iMG634WB
-
iMG624A
iMG624B
iMG634A
iMG634B
iMG624AR2
iMG634AR2
iMG634BR2
iMG634W
A
iMG634WB
iMG606BD
LH/SH
iMG616BD
LH/SH
iMG616RF, RF+,
iMG616SRF, SRF+
iMG616W
iMG646BD
LH/SH
iMG646BD-ON
iMG646PX-ON
iBG915-FX
ADSL
RG/iMG Models
iMG624A
iMG624B
iMG634A
iMG634B
iMG624A-R2
Customerb
FXS=2,
LAN=3
FXS=3,
LAN=6
LAN=6
FXS=2,
LAN=6
FXS=2,
LAN=6, RF
O’lay
FXS=2,
LAN=6, RF
O’lay,
802.11b/g
FXS=4,
LAN=6
FXS=4,
LAN=6
FXS=4,
LAN=6
FXS=8,
LAN=5
LAN=4
-
-
TABLE i-3
Type
Modular
iMG/iBG Modela
iMG634WA-R2
iMG634WB-R2
Customerb
FXS=2,
LAN=4
802.11b/g
Networkc
ADSL2+ (A/
B)
2-5
-
3-5
-
3-6
-
iBG910A
FXS=4,
ISDN=2,
LAN=8
FXS=4 or 2,
LAN=6,
HPNA/T1.
FXS=4 or 2,
LAN=6,
Gig Lan=1,
HPNA/T1.
ADSL2+(A)
-
-
iBG910A
3-7
iMG634W
A-R2
iMG634WB
-R2
iBG910A
BD, PON
-
-
iMG626
iMG646
iMG626
iMG646
100M-BD,
1000M-BD
PON
-
-
-
iMG726
iMG746
iMG646MOD
iMG626MOD
iMG746MOD
iMG726MOD
a. Model column (RG/iMG Models): iMG = intelligent Multiservice Gateway, iBG = Business Gateway
b. Customer column: FXS = Foreign eXchange Subscriber, connection to phone/modem/FAX
c. Network column: SM = Single Mode, MM = Multi-Mode, SF = Single Fiber, BD = SM/SF, TX = Copper
d. EPON: Refer to the iMAP User Guide for configuring the EPON2 card and Optical Network Unit (ONU).
VII Functional Groupings
Below is a table that lists all the iMG models that are supported in release 3-7. They are grouped by distinguishing
characteristics, such as the hardware resources available on the device. There is also a column which identifies
what is unique about each grouping.
TABLE i-4 iMG Models Supported in 3-7
Columns: Group, Model, Load Name, Characteristics, Uniqueness

Fiber A
  Model: rg613TX, BD, LH, SH
  Load Name: rg600E
  Characteristics: 4/16 Meg Flash/RAM, Kendin Switch, Ni-210 Processor
  Uniqueness: Initial product offering

Fiber B
  Model: rg656BD, LH, SH; iMG606BD, LH, SH; iMG646BD, LH, SH; iMG646BD-ON/PX-ON
  Load Name: RG6x6E
  Characteristics: 4/16 Meg Flash/RAM, Broadcom Switch, Ni-210 Processor
  Uniqueness: More efficient routing when VLANs configured. Similar service offering to Modular Devices.

Fiber C
  Model: iMG616BD, LH, SH; iMG616RF, RF+; iMG616SRF, SRF+
  Load Name: iMG616E
  Characteristics: 4/16 Meg Flash/RAM, Broadcom Switch, Ni-210 Processor
  Uniqueness: Base platform that provides capability for RF overlay.

Fiber D
  Model: iMG616W
  Load Name: iMG616W
  Characteristics: 8/32 Meg Flash/RAM, Broadcom Switch, Solos Processor
  Uniqueness: New indoor wireless product - greater processing capacity - plus wireless support.

Fiber E
  Model: iBG915FX
  Load Name: iBG915
  Characteristics: 8/32 Meg Flash/RAM, Marvell Switch, He-520 Processor
  Uniqueness: New multi-port Tel port offering. SFP provides for WAN flexibility.

Modular
  Model: iMG626MOD, iMG646MOD, iMG726MOD, iMG746MOD
  Load Name: iMG626, iMG646, iMG726, iMG746
  Characteristics: 8/32 Meg Flash/RAM, Marvell Switch, He-520 Processor
  Uniqueness: Modular outdoor devices provide support for different WAN services and additional LAN interfaces.

ADSL A
  Model: iMG624A/B, iMG634A/B, iMG634WA/B
  Load Name: iMG624A/B, iMG634A/B, iMG634WA/B
  Characteristics: 8/32 Meg Flash/RAM, Kendin Switch, Argon Processor
  Uniqueness: Second Generation ADSL CPE.

ADSL B
  Model: iMG624A-R2, iMG634A/B-R2
  Load Name: iMG624A-R2, iMG634A/B-R2
  Characteristics: 8/32 Meg Flash/RAM, Marvell Switch, Solos Processor
  Uniqueness: Third Generation ADSL CPE - greater performance - able to support 2 INP.

ADSL C
  Model: iBG910A/B
  Load Name: iBG910A/B
  Characteristics: 8/32 Meg Flash/RAM, Marvell Switch, Argon Processor
  Uniqueness: Multi-line ADSL Gateway supporting both ISDN and POTS.
VIII Documentation Structure
The table below is a high-level index of the remainder of the document, with a column for each of the
groupings defined above. Where a section applies to that group of devices, an X is placed in the cell. If the cell is left
blank, then that section does not apply. Minor differences are managed via note sections within the individual
sections.
TABLE i-5 Main Features and where they apply to Product Type
Columns: Chapter, Section, Fiber (A, B, C, D, E), Modular, ADSL (A, B, C)

Chapter 1 “System Configuration”
  “System Management” page 1
  “Webserver” page 36
  “Emergency” page 47
  “Software update” page 54
  “ZTC” page 74
  “SNMP” page 84
Chapter 2 “Switching”
  “Switching” page 1
  “BRIDGE” page 37
  “VLAN” page 84
Chapter 3 “IGMP”
  “IGMP snooping” page 1
Chapter 4 “IP Network Functions”
  “IP” page 1
  “Security” page 57
  “Firewall” page 105
  “Network address translation - NAT” page 134
Chapter 5 “System Administration”
  “Dynamic Host Configuration Protocol” page 1
  “Domain name system - DNS” page 83
  “SNTP” page 93
Chapter 6 “Voice Service”
  “VoIP MGCP” page 1
  “VoIP SIP” page 16
  “VoIP phone ports” page 59
  “Common VoIP attributes: QoS, Media and DTMF-Relay” page 120
Chapter 7 “Quality of Service”
  “QOS” page 1 - includes Classifier, Meter, and Scheduler for Ingress
  “Classifying packets” page 3
  “Meter” page 5
  “Scheduler” page 9
  “L2Filter” page 60
Chapter 8 “ADSL Port”
  “ADSL System description” page 2
  “Port a1” page 5
  “Bridge” page 36
  “Transports” page 49
  “Ethernet” page 58
  “PPPoE” page 62
  “PPPoA” page 114
  “RFC1483” page 151
Chapter 9 “Wireless”
  “Wireless Interface” page 1
Chapter 10 “LAN Module Management”
  “HPNA LAN Module” page 2
  “HPNA Command Reference” page 3
  “CES LAN Module” page 8
  “Circuit Emulation Command Reference” page 9

[The per-group applicability marks (x) of this table are not recoverable from the extracted layout.]
IX Reason for Update
The following table lists the updates that have occurred for this release, due to hardware, software, and
document changes.
Note:
Document errors have also been corrected where necessary.
TABLE i-6
Columns: Feature, 3-7-03 and Before, 3-7-04, Notes

QoS functions for iMG devices
  3-7-03 and before: Present on Ethernet-based devices
  3-7-04: Includes the iMG634-A/B, iMG634-WA/WB, iMG624-A/B, iMG624-A R2, iMG634-A/B R2
  Notes: Refer to TABLE i-5

Split Management
  3-7-03 and before: Not available
  3-7-04: Provides
  Notes: Refer to 1.1.2.3

AT-616W
  3-7-03 and before: Not available, but documented
  3-7-04: Available
  Notes: Refer to TABLE i-4

Fast UDP Support
  3-7-03 and before: Supported in 3-5
  3-7-04: Removed
  Notes: Removed from document

Time Zone
  3-7-03 and before: Supported
  3-7-04: EDT is no longer displayed and cannot be set.
  Notes: The time that is set depends on the time zone, date, and daylight savings time setting.

Customer Products and Wireless Features
  Refer to the Release Notes for any compatibility issues. Features are listed in 9.1.1.

Configuring EPS
  Note added on using SECURITY ADD ALG. Refer to 6.2.3.

PPPoE and TCP MSS
  The iMG or the PPPoE concentrator/RA should be configured to clamp the maximum TCP MSS value. Refer to 8.7.2.5.

SIP EPS Configuration
  Note that each EPS allows a maximum of three calls per line. The number of SIP users and the media port limit are clarified. Refer to 6.2.3.

IGMP
  Included is a description of the new IGMP functionality (including extended IGMP message flow charts) plus the description of the old IGMP functionality. Changes to default values are included. Refer to 3.1.
Table of Contents
i Preface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - i-1
1 System Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - -1-1
1.1 System Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-1
1.1.1 System Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-1
1.1.1.1 Access to the Gateway - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-1
1.1.1.2 Default Factory Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-1
1.1.1.3 Minimal Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-2
1.1.2 Command Line Interface and Console - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-3
1.1.2.1 Access permissions to CLI - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-3
1.1.2.2 Access permissions to WEB interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-4
1.1.2.3 Split management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-5
1.1.3 File system - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-5
1.1.3.1 Gateway with 4Mbytes of FLASH - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-6
1.1.3.2 Gateway with 8MBytes of FLASH with and without EEPROM - - - - - - - - - - 1-7
1.1.3.3 Boot partition - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-8
1.1.3.4 Recovery partition - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-8
1.1.3.5 Main partition - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-9
1.1.3.6 Configuration partitions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-9
1.1.4 Configuration Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-9
1.1.4.1 Configuration File Saving and Backup Process- - - - - - - - - - - - - - - - - - - - - 1-10
1.1.5 System command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-12
1.1.5.1 System CLI commands- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-12
1.2 Webserver - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-36
1.2.1 Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-36
1.2.2 Web pages - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-36
1.2.2.1 Home page - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-36
1.2.2.2 Configuration page - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-37
1.2.2.3 Security page - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-37
1.2.2.4 Services page - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-37
1.2.2.5 Admin page - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-37
1.2.3 Webserver command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-38
1.2.3.1 Webserver CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-38
1.3 Emergency - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-47
1.3.1 Introduction- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-47
1.3.2 Emergency configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-47
1.3.3 Save and activate emergency configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-48
1.3.4 Emergency command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-49
1.3.4.1 Emergency CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-49
1.4 Software update - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-54
1.4.1 Windows™ Loader - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-57
1.4.2 Upgrade via Web Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-58
1.4.3 SwUpdate module - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-60
1.4.3.1 Start Time scheduling - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-63
1.4.3.2 Retry Period scheduling - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-64
1.4.3.3 Stop Time scheduling - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-64
1.4.3.4 Manually enabling SwUpdate - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-66
1.4.3.5 Plug-and-play- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-66
1.4.3.6 Server access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-67
1.4.4 SwUpdate command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-68
1.4.4.1 SwUpdate commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-68
1.5 ZTC - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-74
1.5.1 Functional blocks - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-75
1.5.1.1 ZTC network architecture - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-75
1.5.2 ZTC Client - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-76
1.5.2.1 Storing unit configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-77
1.5.2.2 Pull-at-startup - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-77
1.5.2.3 Scheduled-pull - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-78
1.5.3 ZTC command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-81
1.5.3.1 ZTC Client commands- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-81
1.6 SNMP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-84
1.6.1 SNMP configuration within the SNMPv3 administration framework - - - - - - - - - - - 1-86
1.6.1.1 Security- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-86
1.6.1.2 Mechanisms used by SNMPv3 security - - - - - - - - - - - - - - - - - - - - - - - - - - 1-86
1.6.1.3 Local configuration datastore - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-88
1.6.1.4 Configuration file format - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-88
1.6.1.5 Configuration for all SNMPv3 entities - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-88
1.6.2 Additional configuration for SNMPv3 agent entities - - - - - - - - - - - - - - - - - - - - - - 1-92
1.6.2.1 Configuring view-based access control- - - - - - - - - - - - - - - - - - - - - - - - - - - 1-92
1.6.2.2 Defining families of view subtrees- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-92
1.6.2.3 Defining groups and access rights - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-94
1.6.2.4 Assigning principals to groups - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-95
1.6.3 Configuring notifications - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-96
1.6.3.1 Defining notifications - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-96
1.6.3.2 Defining target addresses - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-97
1.6.3.3 Defining target parameters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-98
1.6.4 Configuring notification filters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-99
1.6.4.1 Creating a notification filter- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-99
1.6.4.2 Associating a filter with a notification parameter - - - - - - - - - - - - - - - - - - 1-101
1.6.5 Configuring source address checking- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-101
1.6.5.1 Matching exactly one source address - - - - - - - - - - - - - - - - - - - - - - - - - - 1-103
1.6.5.2 Matching any source address - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-103
1.6.5.3 Matching a source address in a subnet- - - - - - - - - - - - - - - - - - - - - - - - - - 1-104
1.6.6 Examples - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-105
1.6.6.1 noAuthNoPriv SNMPv3 users - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-105
1.6.7 authNoPriv SNMPv3 users - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-106
1.6.8 Additional configuration for SNMPv3 agent entities - - - - - - - - - - - - - - - - - - - - 1-107
1.6.8.1 Configuring context names - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-107
1.6.9 Additional configuration for SNMPv1 and SNMPv2 agent entities- - - - - - - - - - - 1-108
1.6.9.1 Configuring communities - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-108
1.6.9.2 Examples - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-109
1.6.10 MIB - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-110
1.6.10.1 Standard (public) MIB - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-110
1.6.10.2 Standard traps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-114
1.6.10.3 Enterprise (private) MIB - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-115
2 Switching - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -2-1
2.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-1
2.1.1 Layer 2 Switching in the Network- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-1
2.1.2 Documentation Structure - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-1
2.2 Switching - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-1
2.2.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-1
2.2.2 Layer 2 switch functional description - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-2
2.2.2.1 Port Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-2
2.2.2.2 Ingress Filtering - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-2
2.2.2.3 Address management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-3
2.2.2.4 Rate limiting support - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-3
2.2.2.5 Loop Detection - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-3
2.2.2.6 Layer 3 Routing Rate Limiting - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-4
2.2.2.7 Quality of Service Classification - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-4
2.2.2.8 Power Conservation Mode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-6
2.2.2.9 Port Diagnostics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-7
2.2.3 Functional Differences for Switching in Product Categories - - - - - - - - - - - - - - - - 2-7
2.2.4 Switch command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-9
2.2.4.1 Switch CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-9
2.3 BRIDGE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-37
2.3.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-37
iMG/RG Software Reference Manual (Table of Contents)
TOC-3
2.3.2 Bridge Functional Description - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-37
2.3.2.1 Source MAC based forwarding - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-37
2.3.2.2 Destination MAC based forwarding - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-37
2.3.2.3 Port based forwarding - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-38
2.3.2.4 Traffic Prioritization - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-38
2.3.2.5 Multicast Traffic- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-39
2.3.2.6 Learning - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-39
2.3.3 Functional Differences in Product Categories- - - - - - - - - - - - - - - - - - - - - - - - - - - 2-40
2.3.4 Bridge command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-40
2.3.4.1 Bridge commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-41
2.4 VLAN - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-84
2.4.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-84
2.4.1.1 VLAN tagging - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-85
2.4.2 VLAN Functional Description- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-88
2.4.2.1 VLAN support on Ethernet interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-88
2.4.2.2 VLAN support on ADSL interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-89
2.4.2.3 VLAN versus IP interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-90
2.4.2.4 VLAN Translations- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-91
2.4.3 Functional Differences in Product Categories- - - - - - - - - - - - - - - - - - - - - - - - - - - 2-92
2.4.4 VLAN command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-93
2.4.4.1 VLAN CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-93
3 IGMP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-1
3.1 IGMP snooping- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-1
3.1.1 Multicasting overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-1
3.1.1.1 Multicast Group addresses- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-1
3.1.1.2 IGMP protocol - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-2
3.1.1.3 Multicast MAC addresses - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-2
3.1.2 IGMP snooping Functional Overview (Includes New Functionality) - - - - - - - - - - - -3-3
3.1.2.1 Multicast router port discovery - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-4
3.1.2.2 Snoop-Only Operation Mode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-4
3.1.2.3 Proxy Operational Mode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-6
3.1.3 Old IGMP Snooping Functionality - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-13
3.1.3.1 Multicast router port discovery - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-13
3.1.3.2 Snoop-Only Operation Mode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-13
3.1.3.3 Proxy Operation Mode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-14
3.1.3.4 IP source address masking – Secondary IP Interface - - - - - - - - - - - - - - - - - 3-15
3.1.3.5 IGMP snooping security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-15
3.1.3.6 Routed IGMP proxy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-15
3.1.4 Functional Differences in Product Categories- - - - - - - - - - - - - - - - - - - - - - - - - - - 3-16
3.1.5 IGMP Snooping command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-16
3.1.5.1 IGMP snooping CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-17
4 IP Network Functions - - - - - - - - - - - - - - - - - - - - - - - - - - -4-1
4.1 IP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-1
4.1.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-1
4.1.2 IP Interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-1
4.1.3 IP support on AT-iMG Models - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-2
4.1.3.1 Adding and attaching IP interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-2
4.1.3.2 IP stack and incoming packets - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-3
4.1.3.3 Locally received packets - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-3
4.1.3.4 Forwarding packets - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-3
4.1.4 Unconfigured interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-4
4.1.5 Unnumbered interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-4
4.1.5.1 Unconfigured interfaces vs unnumbered interfaces - - - - - - - - - - - - - - - - - - - 4-4
4.1.5.2 Configuring unnumbered interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-5
4.1.5.3 Creating a route - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-5
4.1.6 Virtual interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-6
4.1.6.1 Configuring virtual interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-6
4.1.6.2 Similarities between virtual interfaces and real interfaces - - - - - - - - - - - - - - - 4-7
4.1.6.3 Differences between virtual interfaces and real interfaces - - - - - - - - - - - - - - - 4-7
4.1.7 Secondary IP addresses - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-7
4.1.7.1 Configuring secondary IP addresses - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-8
4.1.7.2 Functionality of secondary IP addresses - - - - - - - - - - - - - - - - - - - - - - - - - - 4-8
4.1.8 TCP/IP command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-8
4.1.8.1 IP Tracing commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-8
4.1.8.2 IP CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-9
4.2 Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-57
4.2.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-57
4.2.2 Security support on AT-iMG Models - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-58
4.2.3 Security interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-58
4.2.3.1 Security Triggers - Dynamic Port Opening - - - - - - - - - - - - - - - - - - - - - - - - 4-60
4.2.4 Intrusion Detection Settings - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-62
4.2.4.1 Port Scan Attacks - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-63
4.2.4.2 How Port Scanning works - Configuring Port Scanning - - - - - - - - - - - - - - - - 4-64
4.2.4.3 Denial of Service (DoS) Attacks - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-64
4.2.4.4 IDS Trojan Database - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-67
4.2.5 Management stations - Remote Management - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-67
4.2.6 Security logging - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-68
4.2.7 Security command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-68
4.2.7.1 Command Set - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-68
4.3 Firewall - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-105
4.3.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-105
4.3.1.1 Policy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-106
4.3.1.2 Portfilter - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-106
4.3.2 Firewall command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-106
4.4 Network address translation - NAT- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-134
4.4.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-134
4.4.2 NAT support on AT-iMG Models - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-135
4.4.2.1 Reserved mappings - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-136
4.4.2.2 Application level gateways (ALGs) - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-136
4.4.3 Interactions of NAT and other security features - - - - - - - - - - - - - - - - - - - - - - - - 4-136
4.4.3.1 Firewall filters and reserved mappings. - - - - - - - - - - - - - - - - - - - - - - - - - 4-136
4.4.3.2 NAT and dynamic port opening - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-137
4.4.4 NAT and secondary IP addresses - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-137
4.4.5 NAT command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-137
4.4.5.1 NAT CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-137
5 System Administration - - - - - - - - - - - - - - - - - - - - - - - - - - 5-1
5.1 Dynamic Host Configuration Protocol - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-1
5.1.1 DHCP support - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-1
5.1.2 DHCP server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-2
5.1.2.1 Example - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-2
5.1.3 DHCP client - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-4
5.1.3.1 Lease requirements and requests - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-5
5.1.3.2 Support for AutoIP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-6
5.1.3.3 Additional DHCP client modes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-6
5.1.3.4 Propagating DNS server information - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-6
5.1.3.5 Automatically setting up a DHCP server- - - - - - - - - - - - - - - - - - - - - - - - - - -5-6
5.1.3.6 Example - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-7
5.1.4 DHCP Relay- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-8
5.1.5 DHCP Server command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-8
5.1.5.1 DHCP server CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-8
5.1.6 DHCP Client command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-55
5.1.6.1 DHCP client CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-55
5.1.7 DHCP Relay Command Reference- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-79
5.1.7.1 DHCP relay CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-80
5.2 Domain name system - DNS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-83
5.2.1 DNS Relay - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-84
5.2.2 DNS Client- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-84
5.2.3 DNS Relay command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-84
5.2.3.1 DNS Relay CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-84
5.2.4 DNS Client command reference- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-89
5.2.4.1 DNS Client CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-89
5.3 SNTP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-93
5.3.1 SNTP features - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-93
5.3.2 Time zones and daylight savings (summer time) conversion - - - - - - - - - - - - - - - - 5-94
5.3.3 SNTP command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-94
5.3.3.1 SNTP CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-94
6 Voice Service - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -6-1
6.1 VoIP MGCP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-1
6.1.1 MGCP Functional Description - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-1
6.1.1.1 Endpoints - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-1
6.1.1.2 Custom endpoints syntax - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-2
6.1.2 Piggyback - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-2
6.1.3 Wildcard - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-3
6.1.4 Heartbeat - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-3
6.1.5 Call Agent Failover - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-4
6.1.6 Functional Differences for VoIP MGCP in Product Categories - - - - - - - - - - - - - - - 6-4
6.1.7 VOIP MGCP command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-5
6.1.7.1 VoIP MGCP CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-5
6.1.7.2 VOIP MGCP PROTOCOL SET ENDPOINT-SYNTAX - - - - - - - - - - - - - - - 6-8
6.2 VoIP SIP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-16
6.2.1 iMG SIP Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-16
6.2.1.1 iMG call processes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-16
6.2.1.2 Calls involving another terminal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-16
6.2.1.3 Calls Involving a Terminal and a SIP Endpoint - - - - - - - - - - - - - - - - - - - - 6-17
6.2.2 VoIP SIP Servers, Users & the Forwarding Database - - - - - - - - - - - - - - - - - - - - - 6-18
6.2.2.1 SIP servers - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-19
6.2.2.2 Users - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-20
6.2.2.3 Forwarding database (FDB) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-22
6.2.3 VoIP SIP Embedded Proxy Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-24
6.2.4 VoIP SIP command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-24
6.2.4.1 VoIP SIP protocol CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-24
6.2.5 VoIP SIP Locationserver command reference - - - - - - - - - - - - - - - - - - - - - - - - - - 6-37
6.2.5.1 VoIP SIP Locationserver CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - 6-37
6.2.6 VoIP SIP Proxyserver command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-41
6.2.6.1 VoIP SIP Proxyserver CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-41
6.2.7 VoIP SIP Embeddedserver command reference - - - - - - - - - - - - - - - - - - - - - - - - - 6-44
6.2.7.1 VoIP SIP Embeddedserver CLI commands - - - - - - - - - - - - - - - - - - - - - - - - 6-44
6.2.8 VoIP SIP User command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-48
6.2.8.1 VoIP SIP User CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-48
6.2.9 VoIP SIP FDB command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-54
6.2.9.1 VoIP SIP FDB CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-54
6.2.10 VoIP SIP ALERTINFO command reference- - - - - - - - - - - - - - - - - - - - - - - - - - - 6-57
6.2.10.1 VoIP SIP ALERTINFO CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - 6-57
6.3 VoIP phone ports- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-59
6.3.1 Port configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-60
6.3.1.1 Digit map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-62
6.3.1.2 Dial mask - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-63
6.3.1.3 Voice coder/decoder - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-63
6.3.1.4 Voice quality management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-64
6.3.1.5 Country-specific telecom tones - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-66
6.3.1.6 Port enable/disable - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-67
6.3.2 VoIP ADMIN Command Reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-67
6.3.2.1 VoIP ADMIN commands- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-67
6.3.3 VoIP EP command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-75
6.3.3.1 VoIP EP CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-75
6.4 Common VoIP attributes: QoS, Media and DTMF-Relay - - - - - - - - - - - - - - - - - - - - 6-120
6.4.1 QoS- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-120
6.4.2 Media - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-120
6.4.2.1 Media Timeout - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-121
6.4.3 DTMF-RELAY - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-121
6.4.4 Functional Differences for Common VoIP attributes in Product Categories - - - - - - 6-121
6.4.5 VOIP QOS command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-122
6.4.5.1 VoIP QoS CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-122
6.4.6 VoIP Media command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-126
6.4.6.1 VoIP Media CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-126
6.4.7 VoIP DTMF-RELAY command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-129
6.4.7.1 VoIP DTMF-RELAY CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - 6-129
7 Quality of Service- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-1
7.1 QOS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -7-1
7.1.1 Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -7-1
7.1.2 QoS architecture overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -7-1
7.1.3 QoS implementation for DIFFSERV- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -7-2
7.1.3.1 The Classifier- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -7-2
7.1.3.2 Classifying packets - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -7-3
7.1.3.3 Meter - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -7-5
7.1.3.4 Scheduler - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -7-9
7.1.4 ATM QoS Feature - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-15
7.1.4.1 ATM Packet Prioritization - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-15
7.1.4.2 How ATM packet prioritization works - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-16
7.1.4.3 Configuring priority handling support - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-17
7.1.5 Classifier command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-17
7.1.5.1 Classifier CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-17
7.1.6 Meter command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-42
7.1.6.1 Meter CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-42
7.1.6.2 Scheduler CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-51
7.2 L2Filter - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-60
7.2.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-60
7.2.1.1 Packet Flow - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-60
7.2.2 L2Filter Command Reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-61
7.2.2.1 L2 Filter CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-61
8 ADSL Port- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -8-1
8.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-1
8.1.1 ADSL upload interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-1
8.1.2 Documentation Structure - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-1
8.2 ADSL System description - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-2
8.2.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-2
8.2.2 ADSL connection via RFC1483 bridged mode - - - - - - - - - - - - - - - - - - - - - - - - - - 8-2
8.2.3 ADSL connection via RFC1483 routed mode - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-4
8.2.4 ADSL connection via Point to Point Protocol over ATM (PPPOA) - - - - - - - - - - - - - 8-4
8.3 Port a1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-5
8.3.1 Port a1 command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-5
8.3.1.1 Port a1 CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-5
8.4 Bridge - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-36
8.4.1 Basic bridge configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-36
8.4.2 Multiple VLAN support - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-38
8.4.3 Bridge command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-39
8.4.3.1 Bridge CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-39
8.5 Transports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-49
8.5.1 Transports command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-50
8.5.1.1 Transports CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-50
8.6 Ethernet - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-58
8.6.1 Ethernet command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-58
8.6.1.1 Ethernet CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-59
8.7 PPPoE- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-62
8.7.1 PPPoE Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-62
8.7.2 PPPoE Functional Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-64
8.7.2.1 PPPoE Connections- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-64
8.7.2.2 PPPoE connections over ATM - VLAN Unaware - - - - - - - - - - - - - - - - - - - 8-65
8.7.2.3 PPPoE connections - VLAN Aware - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-65
8.7.2.4 Populating automatically routing table and DNS server table - - - - - - - - - - - - 8-66
8.7.2.5 Configuration Option to Clamp Maximum TCP MSS Value - - - - - - - - - - - - 8-67
8.7.3 Functional Differences in Product Categories- - - - - - - - - - - - - - - - - - - - - - - - - - - 8-67
8.7.4 PPPoE command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-67
8.7.4.1 PPPoE CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-67
8.8 PPPoA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-114
8.8.1 PPPoA command reference- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-114
8.8.1.1 PPPoA CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-114
8.9 RFC1483 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-151
8.9.1 RFC1483 command reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-151
8.9.1.1 RFC1483 CLI command - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-151
9 Wireless - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-1
9.1 Wireless Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -9-1
9.1.1 Wireless LAN module - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -9-1
9.1.2 Layer 2 switch on wireless port - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -9-1
9.1.2.1 Layer 2 CPE Configuration for ADSL A group wireless products- - - - - - - - - -9-2
9.1.2.2 Layer 2 CPE Configuration for ADSL B group wireless products- - - - - - - - - -9-6
9.1.3 Layer 3 routing on wireless port- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-10
9.1.3.1 Layer 3 CPE Configuration for ADSL A group wireless products- - - - - - - - - 9-11
9.1.3.2 Layer 3 CPE Configuration for ADSL B group wireless products- - - - - - - - - 9-15
9.1.4 Authentication Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-18
9.1.4.1 Open Authentication Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-18
9.1.4.2 Shared Authentication Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-19
9.1.4.3 WPA-PSK Authentication and TKIP Encryption - - - - - - - - - - - - - - - - - - - - 9-20
9.1.4.4 WPA2-PSK Authentication and AES_CCMP Encryption - - - - - - - - - - - - - - 9-21
9.1.4.5 WPA2 Mixed Mode Authentication - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-21
9.1.5 Summary of wireless attribute and configurations- - - - - - - - - - - - - - - - - - - - - - - - 9-21
9.1.6 Wireless Interface CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-22
9.1.6.1 802.1x Authenticator commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-22
9.1.6.2 Port Wireless commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-25
9.1.6.3 WPA Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-35
10 LAN Module Management - - - - - - - - - - - - - - - - - - - - - - 10-1
10.1 System Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-1
10.1.1 Default Factory Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-1
10.1.2 Adding/Removing & Changing LAN Modules - - - - - - - - - - - - - - - - - - - - - - - - - - 10-1
10.1.3 Device and Module Compatibility - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-1
10.1.4 Functional Differences for LAN Modules Management in Product Categories - - - - - 10-2
10.2 HPNA LAN Module - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-2
10.2.1 HPNA Deployment Model - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-2
10.3 HPNA Command Reference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-3
10.3.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-3
0.0.1 System CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-3
10.4 CES LAN Module - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-8
10.4.1 CES Deployment Model - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-8
10.5 Circuit Emulation Command Reference- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-9
10.5.1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-9
10.5.1.1 CES CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-9
List of Tables
Table i-1 Active Fiber Gateways - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - i-5
Table i-2 Active Fiber Gateways with RF Overlay - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - i-6
Table i-3 RG/iMG Models - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - i-8
Table i-4 iMG Models Supported in 3-7 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - i-10
Table i-5 Main Features and where they apply to Product Type - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - i-11
Table i-6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - i-13
Table 1-1 System Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1-13
Table 1-2 Webserver Commands Provided by the CLI - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1-39
Table 1-3 Emergency CLI Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1-50
Table 1-4 SwUpdate Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1-69
Table 1-5 ZTC Client Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1-81
Table 2-1 Functional Mapping for Switching- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-7
Table 2-2 Switch commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-9
Table 2-3 Functional Mapping for Bridge - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -2-40
Table 2-4 Bridge commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -2-41
Table 2-5 Reserved VID Values - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -2-88
Table 2-6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -2-92
Table 3-1 Functional Mapping for Bridge - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-16
Table 3-2 Bridge IGMP Snooping Commands- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -3-17
Table 4-1 IP CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-9
Table 4-2 Security Commands and Product Category - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -4-68
Table 4-3 Firewall commands and Product Type - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-107
Table 4-4 Default Policies Enabled in the Firewall - High Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-111
Table 4-5 Default Policies Enabled in the Firewall - Medium Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-112
Table 4-6 Default Policies Enabled in the Firewall - Low Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-112
Table 4-7 NAT CLI Commands and Product Category - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-138
Table 5-1 DHCP server CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-9
Table 5-2 DHCP client CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-55
Table 5-3 DHCP Relay Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-80
Table 5-4 DNS Relay Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-85
Table 5-5 DNS Client Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-90
Table 5-6 DNS Client Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-95
Table 5-7 Time Abbreviations when Setting Timezone Difference - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -5-98
Table 6-1 Functional Mapping for VoIP MGCP- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-5
Table 6-2 VoIP MGCP commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-5
Table 6-3 Possible Combinations for MGCP Profile - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-9
Table 6-4 VoIP SIP Protocol CLI Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-25
Table 6-5 VoIP SIP Location Server CLI Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-38
Table 6-6 Commands for VoIP Proxy Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-41
Table 6-7 Commands for VoIP Embeddedserver - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-44
Table 6-8 Commands for VoIP SIP User - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-48
Table 6-9 VoIP SIP SDB CLI Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-54
Table 6-10 VoIP SIP Alertinfo CLI commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-58
Table 6-11 Codecs Available for iMGs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-64
Table 6-12 Country-specific Telecom tones - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-66
Table 6-13 Commands for VoIP Admin- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-68
Table 6-14 Commands for VoIP EP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-76
Table 6-15 Functional Mapping for Common VoIP attributes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-122
Table 6-16 VoIP QoS commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-122
Table 6-17 VoIP Media commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-126
Table 6-18 Commands for VoIP DTMF - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-129
Table 7-1 Classifier commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-17
Table 7-2 Meter commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-42
Table 7-3 Scheduler commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-51
Table 7-4 L2filter commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-61
Table 8-1 Port a1 Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-5
Table 8-2 Options for ADSL Port Attributes- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-7
Table 8-3 Bridge commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-39
Table 8-4 Transport commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-50
Table 8-5 Ethernet commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-59
Table 8-6 Functional Mapping for PPPoE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-67
Table 8-7 PPPoE commands provided by the CLI - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-68
Table 8-8 PPPOA Command - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-114
Table 8-9 RFC1883 Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-151
Table 9-1 Summary of wireless port attributes versus wireless security schemes - - - - - - - - - - - - - - - - - - - - - - - 9-22
Table 9-2 802.1x Authenticator Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-23
Table 9-3 Port Wireless Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-25
Table 9-4 Port Wireless Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-36
Table 10-1 Functions for Modular iMGs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-2
Table 10-2 HPNA Commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-4
Table 10-3 CES commands - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-10
List of Figures
Figure 1-1 4 MByte Flash Memory partitions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-6
Figure 1-2 8 MByte Flash Memory partition - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-8
Figure 1-3 Configuration files backup process - example - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-11
Figure 1-4 The Windows™ Loader - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-58
Figure 1-5 The Web Interface main page - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-59
Figure 1-6 The Web Interface Firmware Update page- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-60
Figure 1-7 Normal SwUpdate operation mode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-62
Figure 1-8 SwUpdate scheduling example 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-65
Figure 1-9 SwUpdate scheduling example 2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-66
Figure 1-10 ZTC network architecture - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-75
Figure 1-11 Pull-at-Startup ZTC phase - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-78
Figure 1-12 Scheduled-pull ZTC phase - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-80
Figure 1-13 A manager Entity- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-85
Figure 1-14 An agent Entity - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-85
Figure 1-15 hmac expression - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-87
Figure 1-16 vacmViewTreeFamilyMask- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-94
Figure 1-17 vacmViewTreeFamilyMask (continued) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-94
Figure 1-18 snmpNotifyFilterMask - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-100
Figure 1-19 snmpNotifyFilterMask (continued) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-100
Figure 1-20 snmpTargetAddrTMask - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-103
Figure 1-21 snmpTargetAddrTMask (continued) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-104
Figure 1-22 snmpTargetAddrTMask (continued) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-104
Figure 1-23 snmpTargetAddrTMask (continued) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-104
Figure 1-24 snmpTargetAddrTMask (continued) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1-105
Figure 2-1 IP packet overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-6
Figure 2-2 Tagged frame format according to IEEE 802.3ac standard - - - - - - - - - - - - - - - - - - - - 2-86
Figure 2-3 IP interface over LAN - first steps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2-91
Figure 3-1 IGMP messages flow when Snoop-Only mode is active- - - - - - - - - - - - - - - - - - - - - - - 3-5
Figure 3-2 Two Hosts Join Two Different Mulitcast Channels - - - - - - - - - - - - - - - - - - - - - - - - - - 3-8
Figure 3-3 Two Hosts Join Two Different Multicast Channels - - - - - - - - - - - - - - - - - - - - - - - - - 3-10
Figure 3-4 Host Disconnects - No Leave Message - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3-11
Figure 3-5 One and Two Hosts Leave the Same Multicast Stream - - - - - - - - - - - - - - - - - - - - - - 3-12
Figure 4-1 Security modules on AT-iMG Models - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-58
Figure 4-2 Security interfaces on AT-iMG Models- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-59
Figure 4-3 Address Conservation Using NAT - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4-135
Figure 5-1 Domain Name System - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5-83
Figure 6-1 Phone --> iMG(A) --> iMG(B) --> Phone - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-17
Figure 6-2 Phone --> iMG(A) --> SIP IP Phone- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-18
Figure 6-3 VoIP subsystem configuration - basic steps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-19
Figure 6-4 VoIP subsystem configuration - basic steps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6-61
Figure 7-1 Gateway Architecture - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-2
Figure 7-2 Metering for Traffic Control - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-8
Figure 7-3 Overview of Scheduler Functionality - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-10
Figure 7-4 Scheduling Process for Packet Enqueuing - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-13
Figure 7-5 Scheduling Process for Packet Dequeuing - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-14
Figure 7-6 The ADSL Driver - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7-16
Figure 8-1 ADSL upload interface module - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-2
Figure 8-2 Basic software bridge configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-37
Figure 8-3 Example of system architecture to support multiple vlan management - - - - - - - - - - - - 8-38
Figure 8-4 Example of PPPoE connection - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8-64
Figure 9-1 Wireless interface usage on a bridged scenario- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-2
Figure 9-2 Wireless interface usage on a routed scenario - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9-11
Figure 10-1 HPNA Section of LAN Module Diagram - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-3
Figure 10-2 Typical CES Deployment Model:- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10-8
1. System Configuration
1.1 System Management
This section provides information regarding access to the gateway, the login process, command line interface
(CLI) and the different types of user access.
1.1.1 System Configuration
1.1.1.1 Access to the Gateway
The gateway can be configured in different ways, either through the CLI or using the web interface.
The CLI is accessible through the serial interface, Telnet, or an SSH connection.
The web interface is accessible through the Microsoft Internet Explorer WEB browser.
Each gateway family has different configuration and access capabilities, as shown in the following table:
Group      Serial interface   Telnet   SSH   WEB
Fiber A    NO                 YES      NO    NO
Fiber B    YES                YES      NO    YES
Fiber C    YES                YES      NO    NO
Fiber D    YES                YES      YES   YES
Fiber E    YES                YES      YES   YES
Modular    YES                YES      YES   YES
ADSL A     NO                 YES      YES   YES
ADSL B     YES                YES      YES   YES
1.1.1.2 Default Factory Configuration
The default configuration stored on the gateway when delivered to the customer is called “factory”.
The default “factory” configuration has the DHCP client enabled on all interfaces, including the xDSL interface on xDSL-based models, which is configured as bridged RFC1483 over PVC 0.35.
The IP management interface is set dynamically at startup.
It is possible to connect remotely to the gateway using Telnet or SSH once an IP address has been assigned to the gateway.
In order to access the gateway, the user is required to enter a username and password.
The following default values give super-user access to the CLI commands and must be used only by administrators to configure the system and create user accounts with restricted privileges. Because these values are the same on every unit, the manager password should be changed before the gateway is reachable from an untrusted network:
• IP address: dynamically assigned by the DHCP server
• Telnet port: 23
• Login: manager
• Password: friend
For gateways with a serial interface, it is possible to connect using a suitable cable and serial terminal program.
The following configuration parameters must be set on the terminal program for serial access:
• Baud rate: 38400
• Data: 8 bit
• Parity: none
• Stop: 1 bit
• Flow control: none
Serial access uses the same security credentials as for remote access.
1.1.1.3 Minimal Configuration
To access the gateway CLI when no DHCP server is available on the network, it is possible to load the gateway
with a well known configuration - called the “minimal” configuration.
A default minimal configuration exists on the gateway. This can be customized or replaced with a minimal configuration created by the customer.
The minimal configuration is accessible from the serial interface. To start the gateway using the minimal configuration, first power-off the unit. Then keep the “R” key pressed on the keyboard of the PC attached to the serial interface for at least 30 seconds while the unit is powered on.
If the default minimal configuration has not been replaced by a customised version, once the system has completed the bootstrap phase it will be possible to connect remotely (via Telnet or SSH) and serially to the gateway using the following parameters:
• IP address: 192.168.1.1
• Login: manager
• Password: friend
To install a custom minimal configuration on the gateway see the section related to the software update module.
1.1.2 Command Line Interface and Console
On the gateway two types of consoles are available:
• Standard CLI (Command Line Interface): this is used to configure and manage the system. It provides full
access to the system modules included in this manual.
• Debug console: this is a special console (also named simply as console), available to users with super-user
rights for access to hidden debug commands that are not available in the standard command line. Console
commands are not documented in this administration guide. Access to console is possible only from inside
a CLI session.
1.1.2.1 Access permissions to CLI
There are three CLI access levels (via local craft interface, telnet or SSH), each providing different levels of
allowed operations:
• Default user - can use CLI commands. Only “show” and “list” commands are available. Cannot access console commands.
• Engineer user - can use most of CLI commands without restriction. Cannot create or modify CLI users.
Cannot access console commands.
• Super user - can use all CLI commands without restriction. Can create or modify CLI users, changing their
passwords. Can access console commands without restriction.
The following table maps the user properties to the corresponding CLI credentials. User properties can be configured via CLI commands by setting the user access level (default, engineer, administrator) and the mayconfigure
flag (enabled, disabled)
access level   mayConfigure   Allowed CLI operations
default        disabled       No access to CLI
default        enabled        Limited CLI commands access (only read operations)
engineer       disabled       No access to CLI
engineer       enabled        Full CLI commands access except user creation/modify and debug console
superuser      disabled       No access to CLI
superuser      enabled        Full CLI commands access (read and write operations)
To create new user accounts, use the SYSTEM ADD USER or SYSTEM ADD LOGIN commands. The accounts created
by these commands default to low privileges.
To change user privileges, use the SYSTEM SET USER ACCESS or SYSTEM SET LOGIN ACCESS commands.
To list the current user or login accounts, use the SYSTEM LIST USER or SYSTEM LIST LOGIN commands, respectively.
The user-related commands are detailed in Section 1.1.5.
1.1.2.2 Access permissions to WEB interface
Similarly to the CLI permissions, access to the WEB interface is controlled by the user access level and by the mayconfigureweb flag:
• Default user - can access the Status pages, Wireless configuration and user password settings. Cannot access the other configuration pages.
• Engineer or Super user - can access the Status, Wireless configuration, Security configuration and firmware upgrade pages.
The following table maps the user properties to the corresponding WEB credentials. User properties can be configured via CLI commands by setting the user access level (default, engineer, administrator) and the mayconfigureweb flag (enabled, disabled).
access level         mayConfigureWeb   Allowed WEB operations
default              disabled          No access to WEB interface
default              enabled           Status pages, Statistics, Wireless settings (basic & advanced), User password change, Configuration saving
engineer/superuser   disabled          No access to WEB interface
engineer/superuser   enabled           Status pages, Statistics, Wireless settings (basic & advanced), Security (NAT and Firewall) settings, DHCP server settings, Routing configuration, User password change, Firmware Upgrade, Configuration saving
1.1.2.3 Split management
Split management is part of the NMS provisioning framework.
Split management allows the end-user to perform configurations via WEB interface while the management of
the system is kept under the network administrator control (NMS).
When split management is enabled, a login user is created with login “admin” and default password “admin”.
The end-user can access the WEB pages to configure wireless parameters and to change his own password.
The end-user cannot configure other system parameters such as security and dhcpserver, and cannot execute a firmware upgrade. These configuration changes remain under the network administrator's control.
When split management is disabled, the end-user doesn’t have access to the system WEB pages at all.
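The two permission tables and the split-management account above amount to a small authorization model: the mayConfigure / mayConfigureWeb flag gates each channel outright, and the access level only matters once the flag is enabled. The following is an added example, not code from the iMG/RG firmware or from Allied Telesis, that encodes those rules and audits an account list against them. The access levels, the flag semantics and the factory credentials (manager/friend, split-management admin/admin) are taken from this chapter; the capability names, the User record and the sample accounts are assumptions made for the example.

```python
"""Added example (not iMG/RG firmware code): CLI/WEB access rules from the
tables above plus an account audit.  Capability names, the User record and
SAMPLE_USERS are assumptions; levels, flags and factory credentials are from
the manual."""
from dataclasses import dataclass

# Capability names chosen for this example.
READ = "read"               # show/list commands; status and statistics pages
WRITE = "write"             # configuration changes
USER_ADMIN = "user_admin"   # create/modify CLI users and passwords
CONSOLE = "console"         # hidden debug console
WIRELESS = "wireless"       # wireless settings pages (basic & advanced)
SECURITY = "security"       # NAT/firewall, DHCP server and routing pages
FIRMWARE = "firmware"       # firmware upgrade page

LEVELS = ("default", "engineer", "superuser")


@dataclass(frozen=True)
class User:
    name: str
    password: str
    level: str
    may_configure: bool = False       # CLI flag (mayConfigure)
    may_configure_web: bool = False   # WEB flag (mayConfigureWeb)


def cli_permissions(level, may_configure):
    """Capabilities on the CLI (serial, Telnet, SSH).  A disabled mayConfigure
    flag denies the CLI outright; the level only matters once it is enabled."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level {level!r}")
    if not may_configure:
        return frozenset()
    if level == "default":
        return frozenset({READ})
    if level == "engineer":
        return frozenset({READ, WRITE})
    return frozenset({READ, WRITE, USER_ADMIN, CONSOLE})


def web_permissions(level, may_configure_web):
    """Capabilities on the WEB interface, gated the same way by mayConfigureWeb."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level {level!r}")
    if not may_configure_web:
        return frozenset()
    base = frozenset({READ, WIRELESS})   # status, statistics, wireless, own password
    if level == "default":
        return base
    return base | {WRITE, SECURITY, FIRMWARE}


def is_allowed(user, channel, capability):
    """Authorization decision for one request on the 'cli' or 'web' channel."""
    if channel == "cli":
        granted = cli_permissions(user.level, user.may_configure)
    elif channel == "web":
        granted = web_permissions(user.level, user.may_configure_web)
    else:
        raise ValueError(f"unknown channel {channel!r}")
    return capability in granted


# Factory credentials documented in this chapter; identical on every unit.
DEFAULT_CREDENTIALS = {("manager", "friend"), ("admin", "admin")}


def audit(users):
    """Return findings for an account list (e.g. transcribed from SYSTEM LIST
    USER output; that output format is not modelled here)."""
    findings = []
    for u in users:
        if (u.name, u.password) in DEFAULT_CREDENTIALS:
            findings.append(f"{u.name}: factory default password still in use")
        if u.name == "admin" and u.level != "default":
            # Split management gives the subscriber wireless and own-password
            # pages only; a higher level hands over more than that.
            findings.append(f"{u.name}: split-management account has level {u.level}")
    supers = [u.name for u in users if u.level == "superuser" and u.may_configure]
    if len(supers) > 1:
        findings.append("more than one super-user with CLI access: " + ", ".join(supers))
    return findings


# Constructed sample: one untouched factory account, one split-management
# end-user, two operator accounts.  Passwords are placeholders.
SAMPLE_USERS = [
    User("manager", "friend", "superuser", True, True),
    User("admin", "admin", "default", False, True),
    User("noc", "example-only-1", "engineer", True, False),
    User("helpdesk", "example-only-2", "default", True, False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS):
        print(finding)
    print("helpdesk may change config:", is_allowed(SAMPLE_USERS[3], "cli", WRITE))
```

Running the audit on the sample list reports the two accounts that still carry factory passwords; the check for multiple super-users is there because every super-user can reach the undocumented debug console.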
1.1.3 File system
The file system differs according to the gateway memory capacity and the presence or absence of an EEPROM.
There are three different file system configurations:
• Gateways with 4Mbytes of FLASH (Fiber A, Fiber B, Fiber C)
• Gateways with 8MBytes of FLASH with EEPROM (Modular, ADSL A)
• Gateways with 8MBytes of FLASH without EEPROM (Fiber E, ADSL B, ADSL C)
The software running on the gateway is a multi thread application where each task typically needs to load configuration information when it starts, and store configuration changes for future use.
To support the above requirements, two dedicated file systems are provided. These are called the In Store
File System and the Flash File System. The two file systems provide a standard file interface to application
processes. These two file systems are referred to as isfs and flashfs respectively in this document. The isfs
provides volatile run-time file storage whereas the flashfs provides non-volatile file storage. The flash memory
is partitioned as described in Section 1.1.3.1 and Section 1.1.3.2.
1.1.3.1 Gateway with 4Mbytes of FLASH
The file system on the gateway with 4 Mbytes of FLASH is depicted in Figure 1-1.
FIGURE 1-1 4 MByte Flash Memory partitions: Main Partition (3200 KByte), Recovery Partition (768 KByte), Boot Partition (128 KByte)
1.1.3.1.1 Boot partition
The Boot ROM program resides in a special partition (the Boot Partition) on the flash device. This is the first code
that runs when the system is started and provides self-test code as well as the ability to load the main run-time
images.
The boot partition cannot be read or written by the flashfs process, and typically doesn’t require upgrade. The
boot partition is automatically over-written when the gateway is upgraded using a flash image. In all other cases
the boot ROM program and boot partition are never altered.
1.1.3.1.2 Recovery partition
The Recovery Partition is a reserved partition on the flash device where a minimal operating system named
Recovery Application code is installed. This operating system runs only if the boot ROM code is not able to
start the main application code, for example because the main partition has been corrupted by a system power-off during a software upgrade.
Services available in the Recovery Application Code are a subset of those available in the Main Application
Code: for example VoIP modules, SSH and SNMP access are not available.
Note:
Recovery Application Code uses the same configuration file as the Main Application Code. Configuration
parameters for modules not available on Recovery Application Code are simply ignored when the CPE
runs in recovery mode.
1.1.3.1.3 Main partition
The gateway operating system is named Main Application code and is stored in a third flashfs partition area (the
Main Partition) that provides permanent storage for the Main Application code, and for files that are normally used
only during system bootstrap.
During the system bootstrap the files stored in the main partition are copied into isfs in order to make them
available to all application processes. Processes typically use the isfs to store temporary configuration data.
The configuration is stored within the main partition.
1.1.3.2 Gateway with 8MBytes of FLASH with and without EEPROM
The main difference between models with and without the EEPROM is the location of unit-specific information
like MAC address, serial number, model name etc.
Figure 1-2 below depicts the two partition layouts side-by-side.
FIGURE 1-2 8 MByte Flash Memory partitions, with and without EEPROM: Configuration Partition 1 (256 KByte), Configuration Partition 2 (128 KByte), Main Partition (3200 KByte), Recovery Partition (768 KByte), Boot Partition (128 KByte)
1.1.3.3 Boot partition
The Boot ROM program resides in a special partition (the Boot Partition) on the flash device. This is the first
code that runs when the system is booted and provides self-test code as well as the ability to load the main
run-time images.
The boot partition cannot be read or written by the flashfs process and typically doesn’t require upgrade. The
boot partition is automatically over-written when the gateway is upgraded using a flash image. In all the other
cases the boot ROM program and boot partition are never altered.
1.1.3.4 Recovery partition
The Recovery Partition is a reserved partition on the flash device where a minimal operating system named
Recovery Application code is installed. This operating system runs only if the boot ROM code is not able to
start the main application code, for example because the main partition has been corrupted by a system
power-off during a software upgrade.
Services available in Recovery Application Code are a subset of those available in the Main Application Code:
for example VoIP modules, SSH and SNMP access are not available.
Note:
Recovery Application Code uses the same configuration file used by Main Application Code.
Configuration parameters for modules not available on Recovery Application Code are simply ignored
when the CPE runs in recovery mode.
1.1.3.5 Main partition
The gateway operating system is named Main Application code and is stored in a third flashfs partition area (the
Main Partition) that provides permanent storage for the Main Application code and for files that are normally used
only during system bootstrap.
During the system bootstrap, the files stored in the main partition are copied into isfs in order to make them
available to all application processes. Processes typically use the isfs to store temporary configuration data.
1.1.3.6 Configuration partitions
This gateway adopts a partition architecture based on two Configuration Partitions.
One configuration partition is used to backup the other one in case of flash corruption during configuration
update. Any time a configuration partition needs to be changed, an identical backup copy is created.
To increase system robustness and avoid loss of configuration when the CPE runs in recovery or is rebooted
during a configuration save process, configuration files are saved in separate partitions from the main application
code.
Note:
The Command Line Interface doesn't allow access to the flashfs file system or to the isfs in store file
system because this is not typically required by the user.
The Flash file system flashfs, in store file system isfs and special debug functions are available only
through the debug console command line.
1.1.4 Configuration Management
Each active gateway configuration can be saved as a configuration file for future reference, or as the bootstrap configuration file.
Up to two custom configuration files can be permanently stored in the system, with one of them marked as the
active configuration file to be executed during the bootstrap phase.
Configurations are not stored as a sequence of commands but in a proprietary format.
The format of the configuration files follows the Information Model used by the main application code where a
typical object tree representation is used to categorize and map system objects attributes.
The following example shows a snapshot of a generic configuration file.
# Information Model configuration file
version 4
N ImGwaAdmins ImGwaAdmins
N ImGwaAdmin ImGwaAdmins.gwa_admin
A Profile none
N ImGwaSips ImGwaSips
N ImGwaSip ImGwaSips.gwa
A ControlProtocol SIP
A Enable true
A Authentication proxy
A DefaultPort 5060
A KeepAlive disabled
A KeepAlive_Time 300
A NAT none
A NetInterface ip0
A RTT 500
A SE 1800
A Support none
A TimerB 32
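The snapshot above shows the three record kinds that make up an Information Model file: a `version` line, `N` lines that open an object node (class name, then dotted path), and `A` lines that attach an attribute and value to the most recently opened node. The following parser is an added example, not Allied Telesis code, and it assumes exactly that layout (comment lines start with `#`, anything else is rejected rather than skipped). It turns a file into a flat list of nodes that can be queried, which is what an operator wants when checking a configuration pulled off a gateway before setting it as bootstrap. The sample text is constructed from the snapshot above.

```python
"""Parser for the Information Model configuration file format shown above.

Added example (not Allied Telesis code). Assumes the layout visible in the
manual's snippet: '#' comment lines, a 'version N' line, 'N <class> <path>'
lines that open an object node, and 'A <attribute> <value>' lines that set an
attribute on the most recently opened node. Anything else raises, so a
truncated or tampered file is noticed instead of being silently skipped.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    cls: str                                   # class name, e.g. ImGwaSip
    path: str                                  # dotted object path, e.g. ImGwaSips.gwa
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class ImConfig:
    version: Optional[int] = None
    nodes: List[Node] = field(default_factory=list)

    def node(self, path: str) -> Optional[Node]:
        """Look a node up by its dotted path."""
        for n in self.nodes:
            if n.path == path:
                return n
        return None


def parse_im_config(text: str) -> ImConfig:
    """Parse Information Model text into an ImConfig (flat list of nodes)."""
    cfg = ImConfig()
    current: Optional[Node] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)            # keep spaces inside the value
        kind = parts[0]
        if kind == "version" and len(parts) == 2:
            cfg.version = int(parts[1])
        elif kind == "N" and len(parts) == 3:
            current = Node(cls=parts[1], path=parts[2])
            cfg.nodes.append(current)
        elif kind == "A" and len(parts) >= 2:
            if current is None:
                raise ValueError(f"line {lineno}: attribute before any node")
            current.attrs[parts[1]] = parts[2] if len(parts) == 3 else ""
        else:
            raise ValueError(f"line {lineno}: unrecognised record {raw!r}")
    return cfg


def find_attr(cfg: ImConfig, attr: str, value: str) -> List[str]:
    """Paths of every node whose attribute `attr` equals `value` (a simple audit query)."""
    return [n.path for n in cfg.nodes if n.attrs.get(attr) == value]


# Constructed sample: an abridged copy of the snapshot printed in the manual.
SAMPLE = """\
# Information Model configuration file
version 4
N ImGwaAdmins ImGwaAdmins
N ImGwaAdmin ImGwaAdmins.gwa_admin
A Profile none
N ImGwaSips ImGwaSips
N ImGwaSip ImGwaSips.gwa
A ControlProtocol SIP
A Enable true
A Authentication proxy
A DefaultPort 5060
A NAT none
A NetInterface ip0
"""

if __name__ == "__main__":
    cfg = parse_im_config(SAMPLE)
    print("version", cfg.version, "nodes", len(cfg.nodes))
    print("nodes with Enable=true:", find_attr(cfg, "Enable", "true"))
```

`find_attr` is the kind of one-line check that pays off when reviewing a file retrieved with `system config get`: listing every node with `Enable true`, or every `NetInterface` binding, is quicker than reading the tree by hand.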
To create a configuration that stores the current running system configuration, simply use the system config
create command. This command will create a file with the filename specified by the user in the Information
Model format and will save it permanently in the flash.
To extend configuration flexibility, it is possible at bootstrap time to force the gateway to execute a configuration file written in standard CLI syntax. As it is not possible to save a running configuration directly into a file in
CLI syntax, a special set of commands has been provided that allow the loading of a configuration file (written
in CLI syntax) from a remote ftp or tftp server.
To set a configuration file as the bootstrap configuration file (irrespective of whether it has been written in
Information Model format or CLI syntax), use the system config set command.
To display the list of the existing configuration files use the system config list command.
To retrieve the bootstrap configuration filename or to display the content of a configuration file use the system config show command.
It is also possible to set the gateway to the default factory configuration (see Section 1.1.5.1.10) using the system
config set factory command and then restarting the gateway.
It is possible to set the gateway to a minimal configuration (see Section 1.1.5.1.10) using the system config
set none command, and then restart the device.
1.1.4.1 Configuration File Saving and Backup Process
On units with 8 MBytes of flash, the configuration partitions are duplicated to support redundancy. Each configuration partition includes the same files as its peer partition.
A special file named “version” is present within each configuration partition. This stores an incremental number
that differs between the two partitions by one. During the bootstrap phase the configuration partition having
the version file with the higher value is nominated to be the active configuration partition while the other is
assumed to be the backup partition.
Figure 1-3 details the backup process executed when a configuration file is created and set as bootstrap configuration.
FIGURE 1-3 Configuration files backup process - example
Initial state:
  1st Configuration Partition (256 KByte) (active):  im.conf, cm.boot, version (10)
  2nd Configuration Partition (256 KByte) (back-up): im.conf, cm.boot, version (9)
Phase A: > system config create boot2
  1st Configuration Partition (256 KByte) (back-up): im.conf, cm.boot, version (10)
  2nd Configuration Partition (256 KByte) (active):  im.conf, cm.boot, cm.boot2, version (11)
Phase B: > system config create boot2
  1st Configuration Partition (256 KByte) (active):  im.conf, cm.boot, cm.boot2, version (12)
  2nd Configuration Partition (256 KByte) (back-up): im.conf, cm.boot, cm.boot2, version (11)
At the bootstrap phase the gateway activates the configuration stored in the active configuration partition,
that is, the partition whose “version” file holds the higher of the two values.
In Figure 1-3, when the configuration file “boot2” is generated via the system config create command
(phase A), the backup process first copies the content of the active configuration partition to the current
backup configuration partition. It then updates the backup configuration partition with the new configuration file
“boot2” and increments the content of file version in the backup configuration partition to be one value higher
than the active configuration partition.
At this point, if the gateway restarts, the roles of the two partitions are swapped: the second partition becomes the
active configuration partition while the first becomes the backup.
Note also that if during the system config create command the gateway restarts or power-cycles, only
the backup configuration partition (the second in the example) will be corrupted, leaving the first configuration
partition responsible for configuring the gateway.
Following the example in Figure 1-4; when the configuration file “boot2” is set to be the bootstrap configuration file via the system config set command (phase B), the backup process first copies the content of
the active configuration partition (now the second partition) to the backup configuration partition (the first
partition). It then updates the im.conf file in the backup configuration partition to be a copy of the new configuration file “boot2” and increments the content of file version in the backup config partition to be one value
higher than the active configuration partition.
At this point, if the gateway restarts, the roles of the two partitions are swapped yet again: the first partition
becomes the active configuration partition while the second becomes the backup.
If during the system config set command, the gateway restarts or power-cycles, only the backup configuration
partition (the first in the example) will be corrupted, leaving the second configuration partition responsible for
configuring the gateway and preserving the original bootstrap configuration file as well as the newly generated
(from Phase A) configuration file.
Note:
When a configuration partition is corrupted, the first system config create or set command will cause the
backup process to format and restore the invalid partition so it can receive a copy of the current active
configuration partition.
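The backup process in Section 1.1.4.1 is easiest to check by simulating it. The model below is an added example, not Allied Telesis code; it encodes only what the text states: each partition holds a set of files plus a `version` counter, the partition with the higher valid version is active at boot, every `system config create` or `set` first mirrors the active partition into the backup one and then modifies the backup and raises its version by one, and a partition whose write was interrupted is formatted and restored on the next operation. The file contents and the `crash_midway` flag are constructed for the demonstration; the starting versions (10 and 9) are the ones in Figure 1-3.

```python
"""Simulation of the two-partition configuration backup process (Section 1.1.4.1).

Added example, not Allied Telesis code. Models the rules stated in the manual:
higher 'version' wins at boot; create/set mirror active -> backup, change the
backup, then bump its version; a crash mid-write corrupts only the backup.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Crash(Exception):
    """Models a reboot or power-cycle in the middle of a write."""


@dataclass
class Partition:
    files: Dict[str, str] = field(default_factory=dict)   # file name -> content
    version: Optional[int] = None                          # None means corrupted


class ConfigStore:
    def __init__(self) -> None:
        # Initial state of Figure 1-3: first partition active (10), second backup (9).
        self.parts: List[Partition] = [
            Partition({"im.conf": "boot", "cm.boot": "boot"}, 10),
            Partition({"im.conf": "boot", "cm.boot": "boot"}, 9),
        ]

    def active_index(self) -> int:
        """Bootstrap rule: the partition with the higher valid version is active."""
        cands = [(p.version, i) for i, p in enumerate(self.parts) if p.version is not None]
        if not cands:
            raise RuntimeError("both configuration partitions corrupted")
        return max(cands)[1]

    def _begin_update(self, crash_midway: bool) -> Partition:
        act = self.active_index()
        backup = self.parts[1 - act]
        # The backup (valid or previously corrupted) is rewritten from the active copy.
        backup.version = None                 # invalid until the write completes
        backup.files = dict(self.parts[act].files)
        if crash_midway:
            raise Crash("power-cycle while writing the backup partition")
        return backup

    def _commit(self, backup: Partition) -> None:
        # One higher than the (still active) peer partition.
        backup.version = self.parts[self.active_index()].version + 1

    def create(self, name: str, running: str, crash_midway: bool = False) -> None:
        """system config create <name>: store the running config as cm.<name>."""
        backup = self._begin_update(crash_midway)
        backup.files[f"cm.{name}"] = running
        self._commit(backup)

    def set_bootstrap(self, name: str, crash_midway: bool = False) -> None:
        """system config set <name>: im.conf becomes a copy of cm.<name>."""
        backup = self._begin_update(crash_midway)
        backup.files["im.conf"] = backup.files[f"cm.{name}"]
        self._commit(backup)


if __name__ == "__main__":
    s = ConfigStore()
    s.create("boot2", "running-cfg")          # phase A of Figure 1-3
    s.set_bootstrap("boot2")                  # phase B of Figure 1-3
    print("active partition:", s.active_index() + 1,
          "versions:", [p.version for p in s.parts])
```

Running phase A and phase B reproduces the figure (versions 11 then 12, active partition flipping 2nd then 1st). Injecting a crash during `create` leaves the backup partition without a valid version while the active one still boots with its old files, which is the property the note above relies on.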
1.1.5 System command reference
This section describes the commands available on the gateway to configure and manage the system module.
1.1.5.1 System CLI commands
Table 1-1 lists all system commands provided by the CLI:
TABLE 1-1 System Commands
Command                           | Fiber A | Fiber B | Fiber C | Fiber D | Fiber E | Modular | ADSL A | ADSL B | ADSL C
----------------------------------|---------|---------|---------|---------|---------|---------|--------|--------|--------
SYSTEM ADD USER                   |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM ADD LOGIN                  |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG CREATE              |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG DELETE              |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG GET                 |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG HELP                |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG LIST                |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG PUT                 |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG RESTORE             |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG SET                 |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONFIG SHOW                |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CONTACT                    |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM CPULOAD                    |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   ?
SYSTEM DELETE USER                |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM INFO                       |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LEGAL                      |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LIST ERRORS                |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LIST OPENFILES             |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LIST USERS                 |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LIST LOGINS                |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LOCATION                   |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LOG                        |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LOG ENABLE|DISABLE         |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LOG LIST                   |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM NAME                       |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
--> system name AT-iMG616BD-Routed|    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM LOCATION                   |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM RESTART                    |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM SET LOGIN ACCESS           |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM SET LOGIN MAYCONFIGURE     |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM SET LOGIN MAYCONFIGUREWEB  |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM SET LOGIN MAYDIALIN        |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM SET USER ACCESS            |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM SET USER MAYCONFIGURE      |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM SET USER MAYDIALIN         |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
SYSTEM SET USER PASSWORD          |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
The original table marks SYSTEM CPULOAD for eight of the nine platforms; which column is left blank is not recoverable from the extracted text, so that row shows a ? in one column.
1.1.5.1.1 SYSTEM ADD USER
Syntax
SYSTEM ADD USER <name> ["comment"]
Description
This command adds a user to the system. Only a user with superuser rights can use this
command. This command is typically used to create a PPP user on the system.
The default settings in the table below are applied to new accounts that are added using
the SYSTEM ADD USER command. (A different set of defaults is applied to a new
account added using the SYSTEM ADD LOGIN command.)
New account settings     | Default Value
Dialing to the system    | Enabled
Login to the system      | Disabled
Login to the web pages   | Disabled
Access permissions       | default user
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   | Description                                                         | Default Value
NAME     | A unique user name made up of more than one character that          | N/A
         | identifies an individual user and lets the user access the system.  |
COMMENT  | An optional comment about the user that is displayed when you type  | No comment added
         | the commands SYSTEM LIST USERS and SYSTEM LIST LOGINS.              |
Example
--> system add user ckearns "Typical user"
See also
SYSTEM SET USER ACCESS
SYSTEM SET USER MAYDIALIN
SYSTEM SET USER MAYCONFIGURE
SYSTEM LIST USERS
SYSTEM DELETE USER
1.1.5.1.2 SYSTEM ADD LOGIN
Syntax
SYSTEM ADD LOGIN <name> ["comment"]
Description
This command adds a user to the system. Only a user with superuser rights can use this
command.
The default settings in the table below are applied to new accounts that are added using
the SYSTEM ADD LOGIN command. (A different set of defaults is applied to a new
account added using the SYSTEM ADD USER command.)
New account settings     | Default Value
Dialing to the system    | Disabled
Login to the system      | Enabled
Login to the web pages   | Enabled
Access permissions       | default user
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   | Description                                                         | Default Value
NAME     | A unique login name made up of more than one character that         | N/A
         | identifies an individual user and lets the user access the system.  |
COMMENT  | An optional comment about the user that is displayed when you type  | Blank (No comment added)
         | the commands SYSTEM LIST USERS and SYSTEM LIST LOGINS.              |
Example
--> system add login ckearns "temporary contractor"
See also
SYSTEM DELETE LOGIN
SYSTEM LIST LOGINS
1.1.5.1.3 SYSTEM CONFIG CREATE
Syntax
SYSTEM CONFIG CREATE <filename>
Description
This command creates a configuration file named <filename> storing the current running
system configuration and saves it permanently in the flash.
It is possible to create up to two configuration files. If a configuration with the same name
already exists, the new one will overwrite the previous configuration file without warning.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option    | Description                                                      | Default Value
FILENAME  | The name of the file where the current running configuration is  | N/A
          | saved. The following filenames are reserved and cannot be used:  |
          | factory, none                                                    |
Example
--> system config create myfile
See also
SYSTEM CONFIG DELETE
SYSTEM CONFIG GET
SYSTEM CONFIG LIST
SYSTEM CONFIG SET
SYSTEM CONFIG SHOW
1.1.5.1.4 SYSTEM CONFIG DELETE
Syntax
SYSTEM CONFIG DELETE <filename>
Description
This command deletes the configuration file named <filename> from the flash.
It is not possible to delete a configuration file that has been set as the bootstrap configuration
file. In this case it is necessary to change the bootstrap configuration file (for example by setting
it to none) before deleting it.
To retrieve the configuration file list use the SYSTEM CONFIG LIST command. To display the current bootstrap configuration file use the SYSTEM CONFIG SHOW command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option    | Description                                                  | Default Value
FILENAME  | The name of an existing configuration file. The following    | N/A
          | filenames are reserved and cannot be used: factory, none     |
Example
--> system config delete myfile.cfg
See also
SYSTEM CONFIG CREATE
SYSTEM CONFIG GET
SYSTEM CONFIG LIST
SYSTEM CONFIG SET
SYSTEM CONFIG SHOW
1.1.5.1.5 SYSTEM CONFIG GET
Syntax
SYSTEM CONFIG GET <url>
Description
This command retrieves a configuration file from a remote TFTP or FTP server and saves
it permanently in the configuration file list.
If the retrieved configuration file has the same filename as an existing file, the new file
overwrites the old one without warning, even if it is the bootstrap configuration file. At most
two configuration files can be present on a device (factory + two more configuration files).
The address of the remote file to be downloaded is expressed according to the following URL syntax, depending on the protocol used for the remote connection: ftp or tftp.
If the tftp protocol is used, the url format is the following:
tftp://host[:port]/path/filename
If the ftp protocol is used, the url format is the following:
ftp://login:password@host[:port]/path/filename
Where:
• host is the address of the TFTP / FTP server. It can be expressed as a hostname or as an IPv4 address.
• port is the port where the TFTP / FTP server is listening for incoming connections.
• path is the relative path on the TFTP / FTP server root directory where the configuration file is stored.
• login and password are the username and password used to get access to the FTP server.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option  | Description                                                      | Default Value
URL     | The name of the file and address of the remote server where      | N/A
        | the configuration file must be downloaded.                       |
        | The url format depends on the protocol used for the remote       |
        | connection: ftp or tftp.                                         |
        | If the tftp protocol is used, the url format is the following:   |
        | tftp://host[:port]/path/filename                                 |
        | If the ftp protocol is used, the url format is the following:    |
        | ftp://login:password@host[:port]/path/filename                   |
Example
The following command retrieves a configuration file named myconf.cfg from the TFTP
server 192.168.1.100 located in the directory iMG600, and saves it into the flash memory:
--> system config get tftp://192.168.1.100/img600/myconf.cfg
The following command retrieves a configuration file named myconf.cfg from the TFTP
server tftp.atkk.com root directory:
-->system config get tftp://tftp.atkk.com/myconf.cfg
The following command retrieves the configuration file named my.cfg from the FTP
server ftp.atkk.it. User “manager” and password “friend” are used to log on the FTP
server:
--> system config get ftp://manager:friend@ftp.atkk.it/my.cfg
See also
SYSTEM CONFIG CREATE
SYSTEM CONFIG DELETE
SYSTEM CONFIG LIST
SYSTEM CONFIG SET
SYSTEM CONFIG SHOW
1.1.5.1.6 SYSTEM CONFIG HELP
Syntax
SYSTEM CONFIG HELP
Description
This command shows the help for the system config commands.
Example
--> system config help
1.1.5.1.7 SYSTEM CONFIG LIST
Syntax
SYSTEM CONFIG LIST
Description
This command lists all the configuration files stored in flash memory.
Example
--> system config list
Configuration Management file list:
  ID  |    Size    | Name
------|------------|---------------------------------------------
    1 |        669 | factory
    2 |       7343 | bootstrap.cfg
    3 |      10177 | mgcp.cfg
----------------------------------------------------------------
See also
SYSTEM CONFIG CREATE
SYSTEM CONFIG DELETE
SYSTEM CONFIG LIST
SYSTEM CONFIG SET
SYSTEM CONFIG SHOW
1.1.5.1.8 SYSTEM CONFIG PUT
Syntax
SYSTEM CONFIG PUT <filename> <url>
Description
This command stores a configuration file on a remote TFTP server.
filename is the name of the local file.
url is the address of the remote server, according to the following URL syntax:
tftp://host[:port]/path/filename
Where:
• host is the address of the TFTP server. It can be expressed as a hostname or an IPv4 address.
• port is the port where the TFTP server is listening for incoming connections.
• path is the relative path on the TFTP server root directory where the configuration file is stored.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option    | Description                                                       | Default Value
FILENAME  | The name of the file to be saved on the remote server             | N/A
URL       | The name of the file and address of the remote server where the   | N/A
          | configuration file must be stored.                                |
Example
The following command writes a configuration file named myconf.cfg from the gateway
to the TFTP server 192.168.1.100 in the directory iMG600:
--> system config put myconf.cfg tftp://192.168.1.100/img600/
The following command writes a configuration file named myconf.cfg to the TFTP server
tftp.atkk.com root directory:
--> system config put myconf.cfg tftp://tftp.atkk.com/
See also
SYSTEM CONFIG CREATE
SYSTEM CONFIG DELETE
SYSTEM CONFIG LIST
SYSTEM CONFIG SET
SYSTEM CONFIG SHOW
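SYSTEM CONFIG GET and SYSTEM CONFIG PUT both take a remote address in the two URL forms given above (`tftp://host[:port]/path/filename` and `ftp://login:password@host[:port]/path/filename`). The validator below is an added example, not Allied Telesis code; it implements only those two grammars and returns the pieces worth checking before the command is typed: scheme, host, port, directory, file name and whether the URL carries credentials (an ftp:// URL puts the login and password in cleartext on the command line, so they will show up in any captured session). The `require_filename` switch is an assumption of this example, added because the PUT examples above end at a directory rather than a file.

```python
"""Validator for the tftp:// and ftp:// URL forms of SYSTEM CONFIG GET / PUT.

Added example, not Allied Telesis code. Only the two grammars printed in the
manual are accepted:
    tftp://host[:port]/path/filename
    ftp://login:password@host[:port]/path/filename
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class ConfigUrl:
    scheme: str
    host: str
    port: Optional[int]          # None when the default port is implied
    path: str                    # directory part, '' for the server root
    filename: str                # '' only when require_filename=False
    login: Optional[str] = None
    password: Optional[str] = None

    @property
    def has_credentials(self) -> bool:
        """True for ftp:// URLs, which embed login:password in cleartext."""
        return self.login is not None


def parse_config_url(url: str, require_filename: bool = True) -> ConfigUrl:
    """Split and validate a GET/PUT URL; raises ValueError on anything off-grammar."""
    u = urlsplit(url)
    if u.scheme not in ("tftp", "ftp"):
        raise ValueError(f"unsupported scheme {u.scheme!r}; expected tftp or ftp")
    if not u.hostname:
        raise ValueError("missing host")
    try:
        port = u.port                      # ValueError for non-numeric / out-of-range
    except ValueError as e:
        raise ValueError(f"bad port in {url!r}") from e
    if u.scheme == "tftp" and (u.username is not None or u.password is not None):
        raise ValueError("tftp URLs carry no login:password")
    if u.scheme == "ftp" and (u.username is None or u.password is None):
        raise ValueError("ftp URLs require login:password@")
    directory, _, filename = u.path.lstrip("/").rpartition("/")
    if require_filename and not filename:
        raise ValueError("URL must end with a filename")
    return ConfigUrl(
        scheme=u.scheme, host=u.hostname, port=port, path=directory,
        filename=filename,
        login=unquote(u.username) if u.username is not None else None,
        password=unquote(u.password) if u.password is not None else None,
    )


if __name__ == "__main__":
    for sample in ("tftp://192.168.1.100/img600/myconf.cfg",
                   "ftp://manager:friend@ftp.atkk.it/my.cfg"):
        parsed = parse_config_url(sample)
        print(parsed.scheme, parsed.host, parsed.path or "<root>", parsed.filename,
              "credentials in URL" if parsed.has_credentials else "no credentials")
```

The two sample URLs in the `__main__` block are the ones printed in the GET examples above. A PUT destination such as `tftp://192.168.1.100/img600/` parses with `require_filename=False` and yields an empty `filename`, matching the way the PUT examples name the remote directory only.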
1.1.5.1.9 SYSTEM CONFIG RESTORE
Syntax
SYSTEM CONFIG RESTORE <factory>
Description
This command tries to restore the configuration to factory defaults without the need to reboot
the unit.
1.1.5.1.10 SYSTEM CONFIG SET
Syntax
SYSTEM CONFIG SET { <filename> | factory | none }
Description
This command sets one of the existing configuration files as the bootstrap configuration file. If
factory is selected, the gateway is set to the default factory configuration (see Section
1.1.1.2).
If none is selected, the CPE is set to the minimal configuration (see Section 1.1.1.3).
Options
The following table gives the range of values for each option, which can be specified with
this command, and a default value (if applicable).
Option    | Description                                                        | Default Value
FILENAME  | The name of an existing configuration file. To retrieve the        | NA
          | configuration file list use the SYSTEM CONFIG LIST command.        |
FACTORY   | When factory is selected the CPE is set to the default factory     | NA
          | configuration having the management IP interface (ip0) with a      |
          | dynamic IP address.                                                |
NONE      | When none is selected the CPE is set to the minimal configuration  | NA
          | having the management IP interface (ip0) with a static IP address: |
          | 192.168.1.1/24                                                     |
Example
The following command sets the configuration file named myconf as the bootstrap configuration file:
--> system config set myconf
The following command restores the bootstrap configuration file to the default factory:
--> system config set factory
See also
SYSTEM CONFIG CREATE
SYSTEM CONFIG DELETE
SYSTEM CONFIG GET
SYSTEM CONFIG LIST
SYSTEM CONFIG SHOW
1.1.5.1.11 SYSTEM CONFIG SHOW
Syntax
SYSTEM CONFIG SHOW [ <filename> ]
Description
This command returns the name of the bootstrap configuration file. If filename is specified the command displays the contents of the configuration file.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option    | Description                                                        | Default Value
FILENAME  | The name of an existing configuration file to be displayed. To     | NA
          | retrieve the configuration file list use the SYSTEM CONFIG LIST    |
          | command.                                                           |
Example
--> system config show myconf.cfg
See also
SYSTEM CONFIG CREATE
SYSTEM CONFIG DELETE
SYSTEM CONFIG GET
SYSTEM CONFIG LIST
SYSTEM CONFIG SET
1.1.5.1.12 SYSTEM CONTACT
Syntax
SYSTEM CONTACT <NONE/sys-contact>
Description
This command sets the system contact information on the gateway.
Example
--> system contact info@company.com
1.1.5.1.13 SYSTEM CPULOAD
Syntax
SYSTEM CPULOAD
Description
This command displays the cpu usage details of the system that you are using.
Example
--> system cpuload
cpu usage: PP 3%, NP 1%
See also
SYSTEM INFO
1.1.5.1.14 SYSTEM DELETE USER
Syntax
SYSTEM DELETE USER <name>
Description
This command deletes a user that has been added to the system using the SYSTEM ADD
USER command or the SYSTEM ADD LOGIN command. Only a Super user can use this
command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option  | Description                    | Default Value
NAME    | The name of an existing user.  | N/A
Example
--> system delete user ckearns
See also
SYSTEM ADD USER
SYSTEM ADD LOGIN
1.1.5.1.15 SYSTEM INFO
Syntax
SYSTEM INFO
Description
This command displays the vendor ID, URL, base MAC address and hardware and software version details of the current gateway system.
Example
--> system info
Global System Configuration:
Vendor          : Allied Telesis
URL             : http://www.alliedtelesis.com
MAC address     : 00:0d:da:45:16:14
Build           : RG6X6E-MAIN
Hardware ver    : RG606BD
Software ver    : 3-7_01_26
Recovery ver    : 2-2_19
Dsp clock       : 98 Mhz
Build type      : RELEASE
System Name     : dt-905S-Routed
System Location : Inter AT labs
System Contact  : admin@his_desk
System Uptime   : 04:19:36
1.1.5.1.16 SYSTEM LEGAL
Syntax
SYSTEM LEGAL
Description
This command displays copyright information about the software that you are using.
Example
--> system legal
(C) Copyright 2009 Allied Telesis Holdings K.K. - All rights reserved.
1.1.5.1.17 SYSTEM LIST ERRORS
Syntax
SYSTEM LIST ERRORS
Description
This command displays a system error log. The error log contains the following information:
• The time (in minutes) that an error occurred, calculated from the start of your login session
• The module that was affected by the error
• A brief description of the error itself
Example
--> system list errors
Error log:
   When     |    Who     |   What
------------|------------|------------------------------------------------
        104 | webserver  | webserver:Failed to create node type 'ImRfc1483'
        104 | webserver  | webserver:Invalid argument: Failed to open port a4
            |            | (may already be in use, or invalid port name)
---------------------------------------------------------------------------
See also
SYSTEM LIST USERS
SYSTEM LIST LOGINS
1.1.5.1.18 SYSTEM LIST OPENFILES
Syntax
SYSTEM LIST OPENFILES <name>
Description
This command allows you to display low-level debug information about specific open file
handles.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option  | Description                                                     | Default Value
NAME    | The name of a file that has open file handles associated with it. | N/A
Example
--> system list openfiles bun
qid      devuse    appuse    colour    flags  lasterrno
console  0000004b  00000000  00400000  3      0
console  00000027  00000000  00400000  5      0
console  00000003  00000000  00400000  5      0
See also
SYSTEM LOG ENABLE|DISABLE
1.1.5.1.19 SYSTEM LIST USERS
Syntax
SYSTEM LIST USERS
Description
This command displays a list of users and logins added to the system using the SYSTEM
ADD USER and SYSTEM ADD LOGIN commands. The same information is displayed by
the SYSTEM LIST LOGINS command.
The list contains the following information:
• user ID number
• user name
• configuration permissions (enabled or disabled)
• engineer or customer web pages configuration permissions (enabled or disabled)
• dialing permissions (enabled or disabled)
• access level (default, engineer or super user)
• comment (any comments that were included when the user was added to the system)
Example
--> system list users
Users:
 ID  | Name  | May Conf. | May Conf web | May Dialin | Level     | Comment
-----|-------|-----------|--------------|------------|-----------|-----------
   1 | admin | ENABLED   | ENABLED      | disabled   | superuser | Admin user
---------------------------------------------------------------------
See also
SYSTEM LIST ERRORS
SYSTEM LIST LOGINS
1.1.5.1.20 SYSTEM LIST LOGINS
Syntax
SYSTEM LIST LOGINS
Description
This command displays a list of logins and users added to the system using the SYSTEM
ADD LOGIN and SYSTEM ADD USER commands. The same information is displayed by
the SYSTEM LIST USERS command.
The list contains the following information:
• user ID number
• user name
• configuration permissions (enabled or disabled)
• engineer or customer web pages configuration permissions (enabled or disabled)
• dialin permissions (enabled or disabled)
• access level (default, engineer or super user)
• comment (any comments that were included when the user was added to the system)
Example
--> system list users
Users:
 ID  | Name  | May Conf. | May Conf web | May Dialin | Level     | Comment
-----|-------|-----------|--------------|------------|-----------|-----------
   1 | admin | ENABLED   | ENABLED      | disabled   | superuser | Admin user
---------------------------------------------------------------------
See also
SYSTEM LIST ERRORS
SYSTEM LIST LOGINS
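SYSTEM LIST USERS and SYSTEM LIST LOGINS print the same account table, and its columns map directly onto the privileges set by SYSTEM ADD USER, SYSTEM ADD LOGIN and the SYSTEM SET USER/LOGIN commands. The script below is an added example, not Allied Telesis code, for reviewing that table as captured from a CLI session: it parses the `ID | Name | May Conf. | May Conf web | May Dialin | Level | Comment` layout shown above (flag cells read ENABLED/disabled, case-insensitively) and reports which accounts are superusers, which can configure the gateway from the CLI or the web pages, and which can dial in. The sample output is constructed: the admin row is the one printed in the manual, the other two rows are made up to exercise the checks.

```python
"""Audit of SYSTEM LIST USERS / SYSTEM LIST LOGINS output.

Added example, not Allied Telesis code. Assumes the seven-column table layout
printed in the manual and ENABLED/disabled flag cells.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Account:
    uid: int
    name: str
    may_conf: bool        # May Conf.: CLI configuration permission
    may_conf_web: bool    # May Conf web: web pages configuration permission
    may_dialin: bool      # May Dialin: PPP dial-in permission
    level: str            # default, engineer or superuser
    comment: str


def _flag(cell: str) -> bool:
    """Map an ENABLED/disabled cell to a bool; anything else is a parse error."""
    v = cell.strip().lower()
    if v not in ("enabled", "disabled"):
        raise ValueError(f"unexpected flag cell {cell!r}")
    return v == "enabled"


def parse_user_list(text: str) -> List[Account]:
    """Return one Account per data row; title, header and rule lines are skipped."""
    accounts: List[Account] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|", 6)]   # keep '|' inside comments
        if len(cells) != 7 or not cells[0].isdigit():
            continue
        accounts.append(Account(
            uid=int(cells[0]), name=cells[1],
            may_conf=_flag(cells[2]), may_conf_web=_flag(cells[3]),
            may_dialin=_flag(cells[4]), level=cells[5].lower(), comment=cells[6],
        ))
    return accounts


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Group account names by the privilege a reviewer wants to see at a glance."""
    return {
        "superusers": [a.name for a in accounts if a.level == "superuser"],
        "can_configure": [a.name for a in accounts if a.may_conf or a.may_conf_web],
        "can_dialin": [a.name for a in accounts if a.may_dialin],
    }


# Constructed sample: row 1 is the manual's example, rows 2 and 3 are made up.
SAMPLE = """\
Users:
 ID  | Name    | May Conf. | May Conf web | May Dialin | Level     | Comment
-----|---------|-----------|--------------|------------|-----------|---------------------
   1 | admin   | ENABLED   | ENABLED      | disabled   | superuser | Admin user
   2 | ckearns | disabled  | disabled     | ENABLED    | default   | Typical user
   3 | field   | ENABLED   | disabled     | disabled   | engineer  | temporary contractor
---------------------------------------------------------------------
"""

if __name__ == "__main__":
    for key, names in audit(parse_user_list(SAMPLE)).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Feeding a saved `system list users` capture to `parse_user_list` and diffing the `audit` result against the previous capture is a cheap way to notice an account whose level or web-configuration flag changed between two reviews.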
1.1.5.1.21 SYSTEM LOCATION
Syntax
SYSTEM LOCATION <NONE/sys-location>
Description
This command sets the location info for the gateway.
Example
--> system location milan
1.1.5.1.22 SYSTEM LOG
Syntax
SYSTEM LOG {NOTHING|WARNINGS|INFO|TRACE|ENTRYEXIT|ALL}
Description
This command sets the level of output that is displayed by the CLI for various modules.
Setting a level also implicitly displays the level(s) below it.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option     | Description                                                        | Default Value
NOTHING    | No extra output is displayed.                                      | N/A
WARNINGS   | Non-fatal errors are displayed.                                    | N/A
INFO       | Certain program messages are displayed. Also displays the values   | N/A
           | for the warnings option.                                           |
TRACE      | Detailed trace output is displayed. Also displays the values for   | N/A
           | the info and warnings options.                                     |
ENTRYEXIT  | A message is displayed every time a function call is entered or    | N/A
           | left. Also displays the values for the trace, info and warnings    |
           | options.                                                           |
ALL        | All output is displayed. Also displays the values for the          | N/A
           | entryexit, trace, info and warnings options.                       |
Example
--> system log all
1.1.5.1.23 SYSTEM LOG ENABLE|DISABLE
Syntax
SYSTEM LOG {ENABLE|DISABLE} RIP {ERRORS|RX|TX}
SYSTEM LOG {ENABLE|DISABLE} IP {ICMP|RAWIP|UDP|TCP|ARP|SOCKET}
SYSTEM LOG {ENABLE|DISABLE} VOIP {DEP|SEP|CA|MGCP-TRACE|MGCPEVENT|MGCP-MSG|SIP-TRACE|SIP-EVENT|SIP-MSG|SIP-EPS|GWADRV|MEP}
Description
This command enables/disables the tracing support output that is displayed by the CLI for
a specific module and module category. The command is used for debugging purposes.
The values available for module and category are displayed by the SYSTEM LOG LIST
command. The current list of supported modules is RIP and IP.
Each individual module has its own specific module category (see Examples). The output
produced when a particular option is enabled depends on that option, and on the trace
statements in the module that are executed. The general purpose of this tracing is to:
• Show how data packets pass through the system
• Demonstrate how packets are processed and what they contain
• Display any error conditions that occur
For example IP RAWIP tracing shows that an IP packet has been received, sent or discarded due to an error. Brief details of the packet are displayed to identify it.
The RIP and IP modules provide separate categories that are enabled and disabled independently. For example, if you enable IP RAWIP, it does not affect IP UDP, and so on.
To display a list of modules and categories and their enable/disable status, see SYSTEM
LOG LIST.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   | Description                                                        | Default Value
ENABLE   | Enables tracing support output for a specified module and module   | Disable
         | category.                                                          |
DISABLE  | Disables tracing support output for a specified module and module  | Disable
         | category.                                                          |
Example
--> system log enable rip rx
enabled logging for the receiving of RIP packets
See also
SYSTEM LOG LIST
SYSTEM LOG
1.1.5.1.24 SYSTEM LOG LIST
Syntax
SYSTEM LOG LIST [<module>]
Description
The system log list command displays the tracing options for the modules available in the
current image that you are using. The SYSTEM LOG LIST MODULE command displays
the tracing options for an individual module specified in the command. Both commands
display the current status of the tracing options set using the command SYSTEM LOG
ENABLE|DISABLE.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   | Description                                                    | Default Value
MODULE   | The name of a module that exists in your current image build.  | N/A
         | This can be either RIP or IP.                                  |
Example
--> system log list
--> sys log list
ip         arp         (disabled)
ip         config      (disabled)
ip         icmp        (disabled)
ip         l2cyan      (disabled)
ip         rawip       (disabled)
ip         socket      (disabled)
ip         tcp         (disabled)
ip         udperr      (disabled)
ip         udp         (disabled)
isdn       aft         (disabled)
isdn       aftbg       (disabled)
isdn       aux00       (disabled)
isdn       iapi        (disabled)
isdn       indtol4     (disabled)
isdn       isdnmod     (disabled)
isdn       msgh        (disabled)
isdn       msgnisdn    (disabled)
isdn       ss          (disabled)
isdn       statin      (disabled)
rip        errors      (disabled)
rip        rx          (disabled)
rip        tx          (disabled)
snmp       packet      (disabled)
sshd       fatal       (ENABLED)
sshd       error       (ENABLED)
sshd       info        (disabled)
sshd       verbose     (disabled)
sshd       debug       (disabled)
sshd       debug1      (disabled)
sshd       debug2      (disabled)
sshd       debug3      (disabled)
upload     info        (disabled)
upload     preserve    (disabled)
upload     get         (disabled)
voip       aep         (disabled)
voip       ca          (disabled)
voip       dep         (disabled)
voip       gwadrv      (disabled)
voip       mep         (disabled)
voip       mgcp-event  (disabled)
voip       mgcp-msg    (disabled)
voip       mgcp-trace  (disabled)
voip       mod         (disabled)
voip       sep         (disabled)
voip       sip-event   (disabled)
voip       sip-msg     (disabled)
voip       sip-trace   (disabled)
webserver  access      (disabled)
webserver  file        (disabled)
--> system log list voip
voip       aep         (disabled)
voip       ca          (disabled)
voip       dep         (disabled)
voip       gwadrv      (disabled)
voip       mep         (disabled)
voip       mgcp-event  (disabled)
voip       mgcp-msg    (disabled)
voip       mgcp-trace  (disabled)
voip       mod         (disabled)
voip       sep         (disabled)
voip       sip-event   (disabled)
voip       sip-msg     (disabled)
voip       sip-trace   (disabled)
See also
SYSTEM LOG
SYSTEM LOG ENABLE|DISABLE
1.1.5.1.25 SYSTEM NAME
Syntax
SYSTEM NAME [<sys-name>]
Description
This command sets the system name.
To show the current system name use the system info command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
SYS-NAME        The name of the system.                                none
Example
--> system name AT-iMG616BD-Routed
1.1.5.1.26 SYSTEM CONTACT
Syntax
SYSTEM CONTACT [<sys-contact>]
Description
This command sets the system contact reported by the system info command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
SYS-CONTACT     Usually a reference to some contacts.                  none
Example
--> system contact admin@his_desk
1.1.5.1.27 SYSTEM LOCATION
Syntax
SYSTEM LOCATION [<sys-location>]
Description
This command sets the system location reported by the system info command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
SYS-LOCATION    Usually a reference to the location where the          none
                system is installed.
Example
--> system location "Inter AT labs"
1.1.5.1.28 SYSTEM RESTART
Syntax
SYSTEM RESTART
Description
This command forces a warm restart of the gateway.
Example
--> system restart
1.1.5.1.29 SYSTEM SET LOGIN ACCESS
Syntax
SYSTEM SET LOGIN <name> ACCESS {DEFAULT|ENGINEER|SUPERUSER}
Description
This command sets the access permissions of a user who has been added to the system
using the SYSTEM ADD LOGIN command. Only a Super user can use this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
NAME            The name of an existing user.                          N/A
DEFAULT/        Access permissions for a user.                         Default
ENGINEER/
SUPERUSER
Example
--> system set login ckearns access engineer
See also
SYSTEM SET LOGIN MAYCONFIGURE
SYSTEM SET LOGIN MAYDIALIN
For more information on the types of user access permissions, see Section 1.1.2.1.
1.1.5.1.30 SYSTEM SET LOGIN MAYCONFIGURE
Syntax
SYSTEM SET LOGIN <name> MAYCONFIGURE {ENABLED|DISABLED}
Description
This command sets configuration permissions for a user who has been added to the system using the SYSTEM ADD LOGIN or the SYSTEM ADD USER command. Only a
Super user can use this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
NAME            The name of an existing user.                          N/A
ENABLED/        Determines whether a user can configure the system.    enabled
DISABLED
Example
--> system set login ckearns mayconfigure disabled
See also
SYSTEM SET LOGIN ACCESS
SYSTEM SET LOGIN MAYDIALIN
1.1.5.1.31 SYSTEM SET LOGIN MAYCONFIGUREWEB
Syntax
SYSTEM SET LOGIN <name> MAYCONFIGUREWEB {ENABLED|DISABLED}
Description
This command sets configuration permissions for a user who has been added to the system using the SYSTEM ADD LOGIN or the SYSTEM ADD USER command. Only a
Super user can use this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
NAME            The name of an existing user.                          N/A
ENABLED/        Determines whether or not a user can configure the     enabled
DISABLED        system via the Engineer or Customer web pages.
Example
--> system set login ckearns mayconfigureweb disabled
See also
SYSTEM SET LOGIN ACCESS
SYSTEM SET LOGIN MAYDIALIN
1.1.5.1.32 SYSTEM SET LOGIN MAYDIALIN
Syntax
SYSTEM SET LOGIN <name> MAYDIALIN {ENABLED|DISABLED}
Description
This command sets dial in permissions for a user who has been added to the system using
the SYSTEM ADD LOGIN command. Only a Super user can use this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
NAME            The name of an existing user.                          N/A
ENABLED/        Determines whether a user can dial in to the system.   disabled
DISABLED
Example
--> system set login ckearns maydialin enabled
See also
SYSTEM SET LOGIN ACCESS
SYSTEM SET LOGIN MAYCONFIGURE
1.1.5.1.33 SYSTEM SET USER ACCESS
Syntax
SYSTEM SET USER <name> ACCESS {DEFAULT|ENGINEER|SUPERUSER}
Description
This command sets the access permissions of a user who has been added to the system
using the SYSTEM ADD USER command. Only a Super user can use this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
NAME            The name of an existing user.                          N/A
DEFAULT/        Lets you set the access permissions for a user.        default
ENGINEER/
SUPERUSER
Example
--> system set user ckearns access default
See also
SYSTEM SET USER MAYCONFIGURE
SYSTEM SET USER MAYDIALIN
1.1.5.1.34 SYSTEM SET USER MAYCONFIGURE
Syntax
SYSTEM SET USER <name> MAYCONFIGURE {ENABLED|DISABLED}
Description
This command sets configuration permissions for a user who has been added to the system using the SYSTEM ADD USER command. Only a Super user can use this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
NAME            The name of an existing user.                          N/A
ENABLED/        Determines whether a user can configure the system.    disabled
DISABLED
Example
--> system set user ckearns mayconfigure enabled
See also
SYSTEM SET USER ACCESS
SYSTEM SET USER MAYDIALIN
1.1.5.1.35 SYSTEM SET USER MAYDIALIN
Syntax
SYSTEM SET USER <name> MAYDIALIN {ENABLED|DISABLED}
Description
This command sets dial in permissions for a user who has been added to the system using
the SYSTEM ADD USER command. Only a Super user can use this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
NAME            The name of an existing user.                          N/A
ENABLED/        Determines whether a user can dial in to the system    enabled
DISABLED        (functionality not available on the current software
                version).
Example
--> system set user ckearns maydialin enabled
See also
SYSTEM SET USER ACCESS
SYSTEM SET USER MAYCONFIGURE
1.1.5.1.36 SYSTEM SET USER PASSWORD
Syntax
SYSTEM SET USER <name> PASSWORD <password>
Description
This command sets the user password that was previously created using the user password command. Only a Super user can use this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
NAME            The name of an existing user.                          N/A
PASSWORD        The password for the user.                             N/A
1.2 Webserver
1.2.1 Introduction
The gateway also offers an alternative management interface to the one described in the sections above; the
process in charge of managing this access (parsing CLI commands and handling remote management over Telnet,
SSH and SNMP) is the webserver.
The webserver module can be used to manage and restrict access to the gateway by modifying the configuration
of the main services, including changing the default access port or restricting access to a specific IP address
or subnet.
1.2.2 Web pages
Access to WEB pages can be controlled by means of user access level and mayconfigureweb flag as described in
Section 1.1.2.2.
WEB pages are organized in 6 main sections. A menu on the left frame can be used to navigate through them:
• Home
• Configuration
• Security
• Services
• Port Statistics
• Admin
1.2.2.1 Home page
The Home page section summarizes basic and advanced information about the operational status of the system.
Basic information is:
• Model type
• Main Application code version
• WAN Upstream/Downstream speed (only for ADSL devices)
• Wireless status and wireless network name
Advanced information is:
• Recovery Application code version
• System Name, Location and Contact
• Routing and ARP table
• Wireless stations
1.2.2.2 Configuration page
The Configuration page is used to access the Wireless and DHCP Server configuration parameters.
On the Wireless configuration pages it is possible to specify both Basic and Advanced parameters:
• Wireless Mode
• Network Name and preferred channels
• Authentication and Encryption protocols
• MAC address filtering (white and black list)
On the DHCP Server configuration page it is possible to configure the DHCP server address ranges, fixed hosts
and additional DHCP options.
1.2.2.3 Security page
The Security page includes settings related to Firewall rules, NAT reserved mapping rules and Domain Filtering.
It is therefore possible to enable or disable the firewall and to define the traffic blocking rules separately
for each of the three available policies.
It is also possible to configure NAT reserved mapping schemes that allow specific end-user programs to accept
incoming connections even when behind the NAT engine.
It is also possible to configure a virtual server that can be accessed from the public network while keeping
the internal end-user network protected from external attacks.
1.2.2.4 Services page
The Services page allows the routing table to be configured.
It is possible to enter static routes manually or to enable RIP support over the existing IP interfaces.
1.2.2.5 Admin page
The Admin page is used to perform the following operations:
• Firmware upgrade (Main Application code or Recovery Application code)
• Configuration save
• Users password settings
• System date and time setting
1.2.3 Webserver command reference
This section describes the commands available on the gateway to configure and manage the webserver module.
1.2.3.1 Webserver CLI commands
The table below lists all webserver commands provided by the CLI:
TABLE 1-2 Webserver Commands Provided by the CLI
Command                           Fiber Fiber Fiber Fiber Fiber Modular ADSL ADSL ADSL
                                  A     B     C     D     E             A    B    C
WEBSERVER ENABLE/DISABLE          X     X     X     X     X     X       X    X    X
WEBSERVER ADD MANAGEMENTSUBNET    X     X     X     X     X     X       X    X    X
WEBSERVER LIST MANAGEMENTSUBNETS  X     X     X     X     X     X       X    X    X
WEBSERVER CLEAR MANAGEMENTSUBNET  X     X     X     X     X     X       X    X    X
WEBSERVER DELETE MANAGEMENTSUBNET X     X     X     X     X     X       X    X    X
WEBSERVER CLEAR STATS             X     X     X     X     X     X       X    X    X
WEBSERVER SET MANAGEMENTIP        X     X     X     X     X     X       X    X    X
WEBSERVER SET INTERFACE           X     X     X     X     X     X       X    X    X
WEBSERVER SET TELNET              X     X     X     X     X     X       X    X    X
WEBSERVER SET PORT                X     X     X     X     X     X       X    X    X
WEBSERVER SET TELNETPORT          X     X     X     X     X     X       X    X    X
WEBSERVER SET SECCLASSES          X     X     X     X     X     X       X    X    X
WEBSERVER SET TELNETSECCLASSES    X     X     X     X     X     X       X    X    X
WEBSERVER SHOW INFO               X     X     X     X     X     X       X    X    X
WEBSERVER SHOW STATS              X     X     X     X     X     X       X    X    X
WEBSERVER SHOW MANAGEMENTSUBNETS  X     X     X     X     X     X       X    X    X
WEBSERVER SHOW MEMORY             X     X     X     X     X     X       X    X    X
1.2.3.1.1 WEBSERVER ENABLE/DISABLE
Syntax
WEBSERVER {ENABLE|DISABLE}
Description
This command enables or disables the Web Server process. By default, the Web Server
process is enabled. The webserver process does not control only the web interface;
disabling it causes serious problems on the gateway.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
ENABLE          Enables the Web Server process.                        enable
DISABLE         Disables the Web Server process.
Example
--> webserver disable
WebServer is disabled
See also
WEBSERVER SHOW INFO
1.2.3.1.2 WEBSERVER ADD MANAGEMENTSUBNET
Syntax
WEBSERVER ADD MANAGEMENTSUBNET <NAME> <IPADDRESS> <NETMASK>
<STARTADDR> <ENDADDR>
Description
This command restricts telnet access to the gateway to the specified IP addresses only.
It is possible to define a subnet or a list of subnets that are allowed to telnet to the
gateway, denying attempts from all other subnets.
Example
--> webserver add managementsubnet fortelnet 192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.100
See also
WEBSERVER LIST MANAGEMENTSUBNET
1.2.3.1.3 WEBSERVER LIST MANAGEMENTSUBNETS
Syntax
WEBSERVER LIST MANAGEMENTSUBNETS
Description
This command lists all the managementsubnets configured.
Example
--> webserver list managementsubnets
Webserver trusted subnets:
ID   | IP Address      | Netmask         | StartAddr       | EndAddr     |
-----|-----------------|-----------------|-----------------|-------------|
1    | 192.168.1.0     | 255.255.255.0   | 192.168.1.10    |192.168.1.110|
-------------------------------------------------------------------------
See also
WEBSERVER ADD MANAGEMENTSUBNETS
1.2.3.1.4 WEBSERVER CLEAR MANAGEMENTSUBNET
Syntax
WEBSERVER CLEAR MANAGEMENTSUBNET
Description
This command deletes all the active management subnets.
Example
--> webserver clear managementsubnet
See also
WEBSERVER LIST MANAGEMENTSUBNET
1.2.3.1.5 WEBSERVER DELETE MANAGEMENTSUBNET
Syntax
WEBSERVER DELETE MANAGEMENTSUBNET <NAME>
Description
This command deletes a specific management subnet.
Example
--> webserver delete managementsubnet fortelnet
See also
WEBSERVER LIST MANAGEMENTSUBNET
1.2.3.1.6 WEBSERVER CLEAR STATS
Syntax
WEBSERVER CLEAR STATS
Description
This command deletes all the statistics related to any management subnet.
Example
--> webserver clear stats
See also
WEBSERVER LIST MANAGEMENTSUBNET
1.2.3.1.7 WEBSERVER SET MANAGEMENTIP
Syntax
WEBSERVER SET MANAGEMENTIP <IPADDRESS>
Description
This command restricts connection requests to a single IP address (e.g. the address used
by a management entity) or accepts them from any IP address (by setting the IP address
to 0.0.0.0).
This command has been superseded by the webserver add managementsubnets command,
which extends configuration flexibility.
Example
--> webserver set managementip 192.168.1.10
See also
WEBSERVER ADD MANAGEMENTSUBNETS
1.2.3.1.8 WEBSERVER SET INTERFACE
Syntax
WEBSERVER SET INTERFACE <INTERFACE>
Description
This command specifies the name of an IP interface that an ISOS IGD (Internet Gateway
Device) will use for UPnP (Universal Plug and Play) communication with other devices on
the local area network. By default, your system creates an IP interface with an Ethernet
transport attached to it. This interface is called iplan, and it is the default interface that
UPnP uses for its communication. Once you have set the UPnP interface, the IGD monitors
the interface. The IGD can handle changes to the interface definition (for example, if the
IP address changes through a DHCP update, the IGD will use the newly assigned address).
This command has been superseded by the webserver add managementsubnets command,
which extends configuration flexibility.
Example
--> webserver set interface ip0
See also
WEBSERVER ADD MANAGEMENTSUBNETS
1.2.3.1.9 WEBSERVER SET TELNET
Syntax
WEBSERVER SET TELNET { ENABLED | DISABLED }
Description
This command enables or disables the telnet service on the gateway. Once disabled, only
remote access via SSH is available.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
ENABLED         Enable telnet access to the CPE.                       ENABLED
DISABLED        Totally disable telnet access to the CPE.              N/A
Example
--> webserver set telnet disabled
See also
WEBSERVER SHOW INFO
WEBSERVER SET TELNETSECCLASSES
1.2.3.1.10 WEBSERVER SET PORT
Syntax
WEBSERVER SET PORT <PORT>
Description
This command sets the HTTP port number that the Web Server process will use to
transfer data.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
PORT            A valid port number that must be between 0 and 65535.  80
Example
--> webserver set port 1080
1.2.3.1.11 WEBSERVER SET TELNETPORT
Syntax
WEBSERVER SET TELNETPORT <PORT>
Description
This command sets the telnet port number that the Web Server process will use to
answer telnet connection requests.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
PORT            A valid port number that must be between 0 and 65535.  23
Example
--> webserver set telnetport 24
1.2.3.1.12 WEBSERVER SET SECCLASSES
Syntax
WEBSERVER SET SECCLASSES <SECCLASSES>
Description
This command allows you to set the security class(es) associated with the HTTP AppService. Entering this command will overwrite any existing security class(es) configured for
the HTTP AppService. This has the same effect as entering the command ip set appservice http secclasses <secclasses>.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
SECCLASSES      Supported secclasses values are as follows:            all
                all - allows access to the HTTP AppService via all
                existing security interfaces
                none - prevents access to the HTTP AppService via any
                existing security interface
                internal - allows access to the HTTP AppService via
                the existing internal security interface
                external - allows access to the HTTP AppService via
                the existing external security interface
                dmz - allows access to the HTTP AppService via the
                existing dmz security interface
                To allow access to the HTTP AppService via two
                security interface types, type the secclass values
                separated by a comma (for example, internal, external)
                or separated by a space and enclosed in
                double-quotation marks (for example, "internal external").
                To specify all three internal, external and dmz
                secclasses, use the all value.
Example
--> webserver set secclasses external
See also
WEBSERVER SHOW INFO
1.2.3.1.13 WEBSERVER SET TELNETSECCLASSES
Syntax
WEBSERVER SET TELNETSECCLASSES <SECCLASSES>
Description
This command allows you to set the security class(es) associated with the Telnet AppService. Entering this command will overwrite any existing security class(es) configured
for the Telnet AppService. This has the same effect as entering the command ip set appservice telnet secclasses <secclasses>.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
SECCLASSES      all - allows access to the Telnet AppService via all   all
                existing security interfaces
                none - prevents access to the Telnet AppService via
                any existing security interface
                internal - allows access to the Telnet AppService via
                the existing internal security interface
                external - allows access to the Telnet AppService via
                the existing external security interface
                dmz - allows access to the Telnet AppService via the
                existing dmz security interface
                To allow access to the Telnet AppService via two
                security interface types, type the secclass values
                separated by a comma (for example, internal, external)
                or separated by a space and enclosed in
                double-quotation marks (for example, "internal external").
                To specify all three internal, external and dmz
                secclasses, use the all value.
Example
--> webserver set telnetsecclasses external
See also
WEBSERVER SHOW INFO
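The access controls introduced by WEBSERVER ADD MANAGEMENTSUBNET, WEBSERVER SET SECCLASSES and WEBSERVER SET TELNETSECCLASSES above, modelled in Python as an added example; this is not code from Allied Telesis or the iMG/RG firmware. The class and method names, the sanity checks on the start/end range and the order in which the checks are combined are assumptions; the default values, the accepted secclasses spellings and the CLI syntax are those documented above.

```python
import ipaddress

# Interface classes the manual lists for <secclasses>; "all"/"none" are aliases.
SECCLASS_NAMES = frozenset({"internal", "external", "dmz"})


def parse_secclasses(value: str) -> frozenset:
    """Parse <secclasses> in the two forms the manual allows: comma separated
    ("internal, external") or space separated inside double quotes."""
    tokens = value.strip().strip('"').replace(",", " ").split()
    if not tokens:
        raise ValueError("secclasses must not be empty")
    unknown = [t for t in tokens if t not in SECCLASS_NAMES | {"all", "none"}]
    if unknown:
        raise ValueError(f"unknown secclass value(s): {unknown}")
    if "all" in tokens:       # all = internal + external + dmz
        return SECCLASS_NAMES
    if "none" in tokens:      # none = no security interface reaches the service
        return frozenset()
    return frozenset(tokens)


class ManagementSubnet:
    """One WEBSERVER ADD MANAGEMENTSUBNET entry: a subnet plus the trusted
    STARTADDR..ENDADDR range inside it."""

    def __init__(self, name, ip, netmask, startaddr, endaddr):
        self.name = name
        self.network = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
        self.start = ipaddress.IPv4Address(startaddr)
        self.end = ipaddress.IPv4Address(endaddr)
        # Assumed sanity checks; the manual does not say what the CLI rejects.
        if self.start > self.end:
            raise ValueError(f"{name}: STARTADDR is above ENDADDR")
        if self.start not in self.network or self.end not in self.network:
            raise ValueError(f"{name}: start/end range lies outside the subnet")

    def permits(self, source_ip: str) -> bool:
        return self.start <= ipaddress.IPv4Address(source_ip) <= self.end

    def cli(self) -> str:
        return (f"webserver add managementsubnet {self.name} "
                f"{self.network.network_address} {self.network.netmask} "
                f"{self.start} {self.end}")


class WebserverPolicy:
    """Defaults follow the manual: telnet ENABLED, secclasses 'all' for both
    AppServices, no trusted subnets (any source address accepted)."""

    def __init__(self):
        self.telnet_enabled = True
        self.secclasses = {"http": parse_secclasses("all"),
                           "telnet": parse_secclasses("all")}
        self.subnets = []

    def set_secclasses(self, service: str, value: str) -> None:
        if service not in self.secclasses:
            raise ValueError("service must be 'http' or 'telnet'")
        self.secclasses[service] = parse_secclasses(value)

    def add_managementsubnet(self, name, ip, netmask, startaddr, endaddr) -> None:
        self.subnets.append(ManagementSubnet(name, ip, netmask, startaddr, endaddr))

    def allows(self, service: str, source_ip: str, source_secclass: str) -> bool:
        """Would a 'http' or 'telnet' request from source_ip, arriving on a
        security interface of class source_secclass, be accepted?"""
        if service == "telnet" and not self.telnet_enabled:
            return False
        if source_secclass not in self.secclasses[service]:
            return False
        # The manual documents the trusted-subnet list as a telnet restriction;
        # with no entries configured, any source address is accepted.
        if service == "telnet" and self.subnets:
            return any(s.permits(source_ip) for s in self.subnets)
        return True

    def render_cli(self) -> list:
        """CLI lines, in the syntax documented above, that reproduce this policy."""
        state = "enabled" if self.telnet_enabled else "disabled"
        lines = [f"webserver set telnet {state}"]
        for service, keyword in (("http", "secclasses"), ("telnet", "telnetsecclasses")):
            classes = self.secclasses[service]
            value = ("all" if classes == SECCLASS_NAMES else
                     "none" if not classes else ",".join(sorted(classes)))
            lines.append(f"webserver set {keyword} {value}")
        lines.extend(s.cli() for s in self.subnets)
        return lines


def hardened_policy() -> WebserverPolicy:
    """Constructed example: management only from the internal security
    interface and, for telnet, only from the range in the manual's example."""
    policy = WebserverPolicy()
    policy.set_secclasses("http", "internal")
    policy.set_secclasses("telnet", "internal")
    policy.add_managementsubnet("fortelnet", "192.168.1.0", "255.255.255.0",
                                "192.168.1.10", "192.168.1.100")
    return policy
```

With the factory defaults, WebserverPolicy().allows("telnet", "203.0.113.5", "external") is True, which is why a deployment normally narrows both the secclasses and the trusted subnet list as hardened_policy() does.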
1.2.3.1.14 WEBSERVER SHOW INFO
Syntax
WEBSERVER SHOW INFO
Description
This command displays the following information about the Web Server process:
• EmWeb (Embedded Web Server) release details
• Web Server enabled status (true or false)
• Archive file set
• Interface set
• HTTP port set
• UPnP port set
• Telnet port set
• Auxiliary HTTP port setting
• Permitted HTTP Security Classes
• Permitted UPnP Security Classes
• Permitted Telnet security Classes
• Management IP address
1.2.3.1.15 WEBSERVER SHOW STATS
Syntax
WEBSERVER SHOW STATS
Description
This command tells you how many bytes have been transmitted and received by the
Web Server.
Bytes transmitted: bytes sent by the webserver.
Bytes received: bytes received by the webserver.
Example
--> webserver show stats
Web Server statistics:
Bytes transmitted: 2122
Bytes received: 0
See also
WEBSERVER SHOW INFO
1.2.3.1.16 WEBSERVER SHOW MANAGEMENTSUBNETS
Syntax
WEBSERVER SHOW MANAGEMENTSUBNETS <NAME>
Description
This command displays the information on a specific management subnet.
Example
--> webserver show managementsubnets fortelnet
See also
WEBSERVER SHOW INFO
1.2.3.1.17 WEBSERVER SHOW MEMORY
Syntax
WEBSERVER SHOW MEMORY
Description
This command displays the memory allocation from variable and fixed buffer pools for
the webserver.
total pool size: The total size of variable or fixed memory pool.
free: Free memory in the variable or fixed memory pool.
Allocated: Memory allocated to variable or fixed memory pool.
mean alloc chunk: Mean of the allocated chunk to variable or fixed memory pool.
max free chunk: Maximum free chunk available in variable or fixed memory pool.
Example
--> webserver show memory
Variable allocation pool:
total pool size   139968
free              57840
allocated         82128
mean alloc chunk  82
max free chunk    55088
Buffer pool:
total pool size   25568
free              24480
allocated         1088
mean alloc chunk  217
max free chunk    24464
See also
WEBSERVER SHOW INFO
1.3 Emergency
This chapter describes the AT-iMG600 emergency module used to configure the system connectivity when the
intelligent Multiservice Gateway runs in recovery mode. Emergency module is available only on AT-RG613 and
AT-iMG616.
1.3.1 Introduction
If the intelligent Multiservice Gateway flash file system is corrupted, the system will start running a minimal
operating system simply named recovery.
From the recovery mode, it is possible to load remotely the complete system application image and any additional
file needed to recover the unit into a fully operative default system configuration.
1.3.2 Emergency configuration
The connectivity between the intelligent Multiservice Gateway and the remote network operation centre
(NOC) can operate both via any intelligent Multiservice Gateway Ethernet port and via the ADSL port.
When Ethernet connection is used, the intelligent Multiservice Gateway Ethernet ports are set to belong to
the default vlan as untagged port. When running in recovery mode, there is no support to tagged VLANs on
the Ethernet interfaces.
When ADSL connection is used, the intelligent Multiservice Gateway tries to connect to the remote NOC via
an RFC1483 LLC/SNAP Bridged connection type with VPI/VCI = 0/35 without any tagging scheme.
It is possible to configure the IP address used to connect remotely to the intelligent Multiservice Gateway when
the recovery application is running.
To set a static IP address use the EMERGENCY SET IPINTERFACE IPADDRESS NETMASK command
and to set the default gateway use the EMERGENCY SET IPINTERFACE GATEWAY command.
To set a dynamic IP address use the EMERGENCY SET DHCP ENABLE command. The intelligent Multiservice Gateway will get the IP address from any external DHCP server, as well as the interface subnet and the
default gateway.
Note:
If no DHCP server is discovered, the intelligent Multiservice Gateway will use the autoip
feature to autonomously assign a random IP address in the range 169.254.0.0/16. If a DHCP server
becomes available later, the IP interface will then change its IP address to the value offered by the DHCP
server.
1.3.3 Save and activate emergency configuration.
The emergency configuration data set in the previous section is not active until saved permanently in the intelligent Multiservice Gateway e2prom. Emergency configuration data is saved in the e2prom instead of in the
flashfs filesystem to increase the system's robustness to any flashfs failure.
To save emergency configuration data in the e2prom use the EMERGENCY UPDATE command.
Emergency configuration data is also saved in the system configuration any time the command SYSTEM CONFIG CREATE or SYSTEM CONFIG SET is entered. In this way the information is stored in two different areas: the e2prom and the bootstrap configuration file in the main partition.
In the case where the system starts in recovery mode because the main application partition is considered corrupted, only the information stored in the e2prom will be used to configure the recovery application.
During normal system bootstrap initialization the recovery configuration data stored in the bootstrap configuration file is considered the current emergency settings. This information is also stored automatically in the
e2prom so that it is immediately active.
To display the active recovery configuration data use the EMERGENCY SHOW command.
To avoid any misalignment between the configuration stored in the E2PROM and the configuration reported in
the bootstrap configuration file, the following situations are managed during the system bootstrap:
Bootstrap file recovery config. data NOT AVAILABLE, e2prom recovery config. data NOT AVAILABLE:
If the system restarts in recovery mode, the recovery application will then use the default configuration
data coded within the recovery application.
Bootstrap file recovery config. data NOT AVAILABLE, e2prom recovery config. data AVAILABLE:
The e2prom recovery configuration data is removed and, if the system restarts in recovery mode, the recovery
application will then use the default configuration data coded within the recovery application.
Bootstrap file recovery config. data AVAILABLE, e2prom recovery config. data NOT AVAILABLE:
The im.conf recovery configuration data is copied into the e2prom. In this way, if the system restarts in
recovery mode, the recovery application will then use the same configuration data reported by the im.conf
recovery configuration data.
Bootstrap file recovery config. data AVAILABLE, e2prom recovery config. data AVAILABLE:
The im.conf recovery configuration data is copied into the e2prom, overriding any previous configuration
present in the e2prom. In this way, if the system restarts in recovery mode, the recovery application will
then use the same configuration data reported by the im.conf recovery configuration data.
1.3.4 Emergency command reference
This chapter describes the Emergency CLI module commands.
1.3.4.1 Emergency CLI commands
The table below lists the Emergency commands provided by the CLI:
TABLE 1-3 Emergency CLI Commands
Command                               Fiber Fiber Fiber Fiber Fiber Modular ADSL ADSL ADSL
                                      A     B     C     D     E             A    B    C
EMERGENCY ADD
EMERGENCY CREATE
EMERGENCY DELETE
EMERGENCY SET DHCP
EMERGENCY SET IPINTERFACE GATEWAY
EMERGENCY SET IPINTERFACE IPADDRESS
EMERGENCY SHOW
EMERGENCY UPDATE
1.3.4.1.1 EMERGENCY ADD
Syntax
EMERGENCY ADD VLAN <vlan_vid> PORT <port_name> FRAME TAGGED
Description
This command adds and tags an Ethernet port to the specified vlan. The vlan must be
already defined in the Emergency module using the EMERGENCY CREATE VLAN command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
vlan_id         The vlan identifier (VID) previously created with the  N/A
                EMERGENCY CREATE VLAN command. To display the
                existing vlan, use the EMERGENCY SHOW command.
port_name       The name of an Ethernet port. Available values are:    N/A
                lan1, lan2, lan3 and lan4.
Example
emergency add vlan 2 port lan4 frame tagged
See also
EMERGENCY CREATE
EMERGENCY SHOW
EMERGENCY UPDATE
1.3.4.1.2 EMERGENCY CREATE
Syntax
EMERGENCY CREATE VLAN <vlan_vid>
Description
This command defines a new vlan to which the ip interface used to reach the system in
recovery mode will be attached. Creating a new vlan also requires defining which Ethernet
port must be tagged for this vlan. To add an Ethernet port to the new vlan, use the
EMERGENCY ADD command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
vlan_id         The vlan identifier (VID) of the new vlan to be        N/A
                created. Only tagged frames with this VID will be
                processed by the upper layer (IP layer) when the
                recovery application runs.
Example
emergency create vlan 2
See also
EMERGENCY ADD
EMERGENCY SHOW
EMERGENCY UPDATE
1.3.4.1.3 EMERGENCY DELETE
Syntax
EMERGENCY DELETE VLAN <vlan_vid> [ PORT <port_name> ]
Description
This command is used to delete an Ethernet port from a previously created vlan and to
delete any vlan other than the default. It is not possible to delete a vlan while an
Ethernet port is assigned to it as a tagged port. In this case it is necessary to delete
the Ethernet port first with the command EMERGENCY DELETE VLAN PORT and then remove
the vlan with the command EMERGENCY DELETE VLAN.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                            Default Value
vlan_id         The vlan identifier (VID) of the vlan used when the    N/A
                recovery application runs.
port_name       The name of an Ethernet port. Available values are:    N/A
                lan1, lan2, lan3 and lan4. To display the current
                tagged port configured in the emergency module, use
                the EMERGENCY SHOW command.
Example
emergency delete vlan 2 port lan4
emergency delete vlan 2
See also
EMERGENCY ADD
EMERGENCY SHOW
EMERGENCY UPDATE
1.3.4.1.4 EMERGENCY SET DHCP
Syntax
EMERGENCY SET DHCP { ENABLE | DISABLE }
Description
This command is used to set the ip interface address used when the system runs in
recovery mode to be dynamic or static. If the interface is set statically and no ipaddress
is set with the command EMERGENCY SET IPINTERFACE command, the recovery
default ip address 192.168.1.1/24 will be used.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option: ENABLE
Description: Set the recovery IP interface address dynamically. If no DHCP server is available or can be reached, the interface gets an AutoIP address in the 169.254.0.0/16 subnet.
Default Value: N/A
Option: DISABLE
Description: Turn off the DHCP client on the recovery IP interface.
Default Value: N/A
Example
emergency set dhcp enable
See also
EMERGENCY SET IPINTERFACE IPADDRESS
EMERGENCY SHOW
EMERGENCY UPDATE
1.3.4.1.5 EMERGENCY SET IPINTERFACE GATEWAY
Syntax
EMERGENCY SET IPINTERFACE GATEWAY <ip_address>
Description
This command sets the default gateway ip address to be used when the system runs in
recovery mode.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option: ip_address
Description: The default gateway IP address in IPv4 format (e.g. 192.168.1.254)
Default Value: N/A
Example
emergency set ipinterface gateway 192.168.1.254
See also
EMERGENCY SET IPINTERFACE IPADDRESS
EMERGENCY SHOW
EMERGENCY UPDATE
1.3.4.1.6 EMERGENCY SET IPINTERFACE IPADDRESS
Syntax
EMERGENCY SET IPINTERFACE IPADDRESS <ip_address> NETMASK <netmask>
Description
This command sets the ip interface address and netmask to be used when the system
runs in recovery mode.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option: ip_address
Description: The IP interface address in IPv4 format (e.g. 192.168.1.1)
Default Value: N/A
Option: netmask
Description: The network mask for the interface (e.g. 255.255.255.0)
Default Value: N/A
Example
emergency set ipinterface ipaddress 192.168.1.1 netmask 255.255.255.0
See also
EMERGENCY SET IPINTERFACE GATEWAY
EMERGENCY SHOW
EMERGENCY UPDATE
1.3.4.1.7 EMERGENCY SHOW
Syntax
EMERGENCY SHOW
Description
This command displays the current emergency configuration settings. These settings are not active until the EMERGENCY UPDATE command is entered, or until the Residential Gateway configuration is saved and the system is restarted.
Example
emergency show
EMERGENCY CONFIGURATION
- GENERAL PARAMETERS
device ip address: 192.168.1.1
device netmask: 255.255.255.0
gateway ip address: 192.168.1.254
vlan tag id: 2
vlan tagged port: LAN4
1.3.4.1.8 EMERGENCY UPDATE
Syntax
EMERGENCY UPDATE
Description
This command writes the new emergency configuration data to the Residential Gateway EEPROM. To display the current emergency configuration settings use the EMERGENCY SHOW command.
Example
emergency update
See also
EMERGENCY SHOW
1.4 Software update
Gateway software consists of the Main Application code plus additional support files and the Recovery Application code. All these files are stored permanently in flash memory, in the main partition or in the recovery partition depending on the file type.
To upgrade the software, or simply to load a specific file into the gateway, one of the following methods can be used depending on the type of upgrade required:
• Web Interface, where available, is designed to update the Main Application code or the Recovery Application code. The web interface is available only in the main code (not in recovery).
• SwUpdate module, available both in the Main Application code and in the Recovery Application code, is designed to update the Main Application code or the Recovery Application code and to upload any configuration file.
• Main Application Software Naming Convention table
Product Name | Loader | SwUpdate | Web Interface
AT-RG613 | Loader_RG600E_x-y_z.exe | rg600E-x-y_z.zip | N/A
AT-iMG616 | Loader_IMG616E_x-y_z.exe | iMG616E-x-y_z.zip | N/A
AT-iMG634A, AT-iMG634WA | N/A | iMG634A-x-y_z.zip | iMG634A-main-x-y_z.bin
AT-iMG634B, AT-iMG634WB | N/A | iMG634B-x-y_z.zip | iMG634B-main-x-y_z.bin
AT-iMG624A | N/A | iMG624A-x-y_z.zip | iMG624A-main-x-y_z.bin
AT-iMG624B | N/A | iMG624B-x-y_z.zip | iMG624B-main-x-y_z.bin
AT-iMG634A-R2, AT-iMG634WA-R2 | N/A | iMG634A-R2-x-y_z.zip | iMG634A-R2-main-x-y_z.bin
AT-iMG634B-R2, AT-iMG634WB-R2 | N/A | iMG634B-R2-x-y_z.zip | iMG634B-R2-main-x-y_z.bin
AT-iMG624A-R2 | N/A | iMG624A-R2-x-y_z.zip | iMG624A-R2-main-x-y_z.bin
AT-iMG626MOD | N/A | iMG626-x-y_z.zip | iMG626-main-x-y-z.bin
AT-iMG646MOD | N/A | iMG646-x-y_z.zip | iMG646-main-x-y-z.bin
AT-iMG726MOD | N/A | iMG726-x-y_z.zip | iMG726-main-x-y-z.bin
AT-iMG746MOD | N/A | iMG746-x-y_z.zip | iMG746-main-x-y-z.bin
AT-iBG915FX | N/A | iBG915FX-x-y_z.zip | iBG915FX-main-x-y-z.bin
• Recovery Application Software Naming Convention table
Product Name | Loader | SwUpdate | Web Interface
AT-RG613 | RecLoader_RG600_ab_c.exe | rg6xx-rec-a-b_c.zip | N/A
AT-iMG616 | RecLoader_IMG616E_ab_c.exe | iMG616E-rec-a-b_c.zip | N/A
AT-iMG634A, AT-iMG634WA | N/A | iMG634A-rec-a-b_c.zip | iMG634A-recovery-a-b_c.bin
AT-iMG634B, AT-iMG634WB | N/A | iMG634B-rec-a-b_c.zip | iMG634B-recovery-a-b_c.bin
AT-iMG624A | N/A | iMG624A-rec-a-b_c.zip | iMG624A-recovery-a-b_c.bin
AT-iMG624B | N/A | iMG624B-rec-a-b_c.zip | iMG624B-recovery-a-b_c.bin
AT-iMG634A-R2, AT-iMG634WA-R2 | N/A | iMG634A-R2-rec-ab_c.zip | iMG634A-R2-recovery-ab_c.bin
AT-iMG634B-R2, AT-iMG634WB-R2 | N/A | iMG634B-R2-rec-ab_c.zip | iMG634B-R2-recovery-ab_c.bin
AT-iMG624A-R2 | N/A | iMG624A-R2-rec-ab_c.zip | iMG624A-R2-recovery-ab_c.bin
AT-iMG626MOD | N/A | iMG626-rec-a-b_c.zip | iMG626-recovery-a-b_c.bin
AT-iMG646MOD | N/A | iMG646-rec-a-b_c.zip | iMG646-recovery-a-b_c.bin
AT-iMG726MOD | N/A | iMG726-rec-a-b_c.zip | iMG726-recovery-a-b_c.bin
AT-iMG746MOD | N/A | iMG746-rec-a-b_c.zip | iMG746-recovery-a-b_c.bin
AT-iBG915FX | N/A | iBG915FX-rec-a-b_c.zip | iBG915FX-recovery-a-b_c.bin
• FLASH image Naming Convention table
Product Name | Flash Image
AT-RG613 | rg600E-image-2-2_y-3-7_x.bin
AT-iMG616 | iMG616E-image-2-2_y-3-7_x.bin
AT-iMG634A, AT-iMG634WA | iMG634A-image-3-7_x.bin
AT-iMG634B, AT-iMG634WB | iMG634B-image-3-7_x.bin
AT-iMG624A | iMG624A-image-3-7_x.bin
AT-iMG624B | iMG624B-image-3-7_x.bin
AT-iMG634A-R2, AT-iMG634WA-R2 | iMG634A-R2-image-3-7_x.bin
AT-iMG634B-R2, AT-iMG634WB-R2 | iMG634B-R2-image-3-7_x.bin
AT-iMG624A-R2 | iMG624A-R2-image-3-7_x.bin
AT-iMG626MOD | iMG626-image-3-7_x.bin
AT-iMG646MOD | iMG646-image-3-7_x.bin
AT-iMG726MOD | iMG726-image-3-7_x.bin
AT-iMG746MOD | iMG726-image-3-7_x.bin
AT-iBG915FX | iBG915FX-image-3-7_x.bin
1.4.1 Windows™ Loader
To upgrade the AT-RG600 Residential Gateway, a special Windows™ based application has been developed, the Loader.
The Loader uses the TFTP services provided by the gateway to download the application file plus all the other support files onto the unit, so that the user does not have to download each file separately.
The Loader can be used to upgrade an existing software version, or to download a new complete software release if the gateway is running in recovery mode.
When the Loader is used to upgrade the gateway from a previous software release, all the existing configuration files are kept.
Note:
Starting with release 3-1-0, a special Loader application has been developed to also upgrade the recovery application code installed in the recovery partition. The graphical interface is the same as that used for the main application code.
When using the Loader, the IP address of the Residential Gateway must be selected and the SNMPv2 write community name is requested as the session password. This community name is the only credential protecting the upgrade session, and SNMPv2c community names travel in clear text, so it should not be left at a default value and upgrades should be run over a trusted management network.
FIGURE 1-4
The Windows™ Loader
1.4.2 Upgrade via Web Interface
Some gateways provide a web interface to load the Main Application code or the Recovery Application code.
Figure 1-5 shows the Web Interface main page. To load software, click the Firmware Update menu.
On the Firmware Update page (see Figure 1-6) press the "Browse" button, select the software file to be uploaded and click OK:
• iMG634xxx-main-x-y_z.bin to load the Main Application code.
• iMG634xxx-recovery-x-y_z.bin to load the Recovery Application code.
After the file has been selected, the software is uploaded and written to the device. A progress bar is displayed on the web interface. When the process is finished the web interface displays a "Restart" button. Click it to restart the device and run the loaded software version.
FIGURE 1-5
The Web Interface main page
FIGURE 1-6
The Web Interface Firmware Update page
1.4.3 SwUpdate module
The SwUpdate module is a basic FTP/TFTP client running on the gateway that periodically contacts a predefined FTP/TFTP server and retrieves from it the required software or support files.
SwUpdate can obtain the IP address of the FTP server dynamically, by resolving the FTP server name through look-up requests to an existing DNS server, or the address can be configured statically according to the network design.
When working in TFTP mode, SwUpdate takes the TFTP server address from the value of a specific DHCP option (option 66, 'tftp-server-name') passed by the external DHCP server to the gateway IP interface. It then uses the path passed in the DHCP filename field to navigate into the TFTP server.
In order to distinguish the correct DHCP Offer (in case more than one DHCP server is present in the network), the gateway only considers DHCP Offers that include option 60 ('dhcp-class-identifier') with one of the following possible values, depending on the product code:
Product code, Legacy RG: AT-RG613, AT-RG623, AT-RG613TXJ, AT-RG656, AT-RG613LH, AT-RG613SH, AT-RG623LH, AT-RG623SH, AT-RG613BD, AT-RG624A, AT-RG624B, AT-RG634A, AT-RG634B, AT-RG656LH, AT-RG656SH, AT-RG656TX, AT-RG646BD, AT-RG613RF
Product code, Ethernet Uplink: AT-iMG606TX, AT-iMG606BD, AT-iMG606LH, AT-iMG606SH, AT-iMG616RF, AT-iMG616BD, AT-iMG616LH, AT-iMG616SH, AT-iMG616SRF, AT-iMG616RF+, AT-iMG616SRF+, AT-iMG616W, AT-iMG616CRFW, AT-iMG616TX
Product code, ADSL Uplink: AT-iMG624A, AT-iMG624B, AT-iMG634A, AT-iMG634B, AT-iMG634WA, AT-iMG634WB, AT-iMG624A-R2, AT-iMG624B-R2, AT-iMG634A-R2, AT-iMG634B-R2, AT-iMG634WA-R2, AT-iMG634WB-R2
Product code, Outdoor and Business: AT-iMG646MOD, AT-iMG626MOD, AT-iMG746MOD, AT-iMG726MOD, AT-iBG915FX, AT-iMG646BD-ON, AT-iMG646PX-ON
SwUpdate is designed to download only the files that differ or are not present into the file-system.
FIGURE 1-7 Normal SwUpdate operation mode: the Residential Gateway bootstraps, performs a DNS lookup of the FTP server hostname, retrieves the FTP list file MD5SUM, fetches the listed files (image, derivedata.dat, im.conf, ...) from the FTP server, then restarts.
In order to tell the SwUpdate module which files it must download from the FTP/TFTP server, a special file named MD5SUM must be created on the FTP/TFTP server.
When the SwUpdate module connects to the FTP/TFTP server, it retrieves this file first and then downloads each file reported in the list.
The MD5SUM file is a list of filenames, each with its associated MD5 value.
To create the MD5SUM file, the md5sum command available on standard Linux platforms can be used (free md5sum applications are also available for the Windows™ Operating System).
If a file reported in the MD5SUM list is already present in the gateway file-system with the same MD5 value, SwUpdate skips the download; otherwise it downloads the file.
Example
Assuming that all the files in the current directory must be downloaded into the gateway, the following command generates the MD5SUM file:
root# md5sum * > MD5SUM
The MD5SUM file will then list the following information:
d99f017e2652516d9146dd14f787f16e  iMG616BD-recovery-4-4_25.bin
7e722ffb74af07265b3e22d51496d1c3  iMG616BD-main-3-7-01_26.bin
d90657f8851b761d8336fbd0b34156df  snmpd.cnf.orig
ec6fc5ddc6adaa1e7943ce463de283c3  snmpinit
The above procedure is valid for upgrading the Main Application code, the Recovery Application code and any configuration file required by the CPE. The SwUpdate module detects, based on the file type, on which flash partition the file is to be stored.
Note that the MD5 value is used only to detect whether a file has changed; it does not authenticate the file or the server that provided it. Whatever is listed in the MD5SUM file is downloaded and installed, so the FTP/TFTP server, and the DNS and DHCP services that direct the gateway to it, must be trusted and protected.
1.4.3.1 Start Time scheduling
It is possible to set the SwUpdate start time at any minute/hour/day/week of the year.
The Start Time command uses a syntax similar to that of crontab files.
The Start Time is composed of five time and date fields (minute, hour, day-of-month, month, day-of-week respectively). SwUpdate is started when the minute, hour and month-of-year fields match the current gateway time and when at least one of the two day fields (day-of-month or day-of-week) matches the current gateway time.
Field | Allowed Values
MINUTE | 0-59
HOUR | 0-23
DAY-OF-MONTH | 1-31
MONTH | 1-12
DAY-OF-WEEK | 0-7 (0 or 7 is Sunday)
A field may be an asterisk ('*'), which always stands for 'first-last'.
Ranges of numbers are allowed. Ranges are two numbers separated by a hyphen. The specified range is inclusive. For example, 8-11 for the 'hours' entry specifies execution at hours 8, 9, 10 and 11.
Lists are allowed. A list is a set of numbers (or ranges) separated by commas. Examples: '1,2,5,9', '0-4,8-12'.
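The matching rule above, as an added worked example (not code from the manual or from the gateway firmware): it parses a five-field Start/Stop Time and reports whether a given gateway time matches it. It assumes the gateway follows the standard crontab convention for the two day fields, which is what the description amounts to: when both day-of-month and day-of-week are restricted, a match in either one is enough; when one of them is '*', the other field alone decides. The function and variable names are illustrative.

```python
"""Added example: crontab-style Start/Stop Time matching for SwUpdate."""
from __future__ import annotations
from datetime import datetime

# Field order and allowed values, from the table above.
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day-of-month", 1, 31),
          ("month", 1, 12), ("day-of-week", 0, 7))   # 0 or 7 is Sunday


def parse_field(spec: str, low: int, high: int) -> set[int]:
    """Expand '*', 'a-b' ranges and comma lists into the set of matching values."""
    if spec == "*":
        return set(range(low, high + 1))
    values: set[int] = set()
    for item in spec.split(","):
        if "-" in item:
            a, b = (int(x) for x in item.split("-", 1))
        else:
            a = b = int(item)
        if not low <= a <= b <= high:
            raise ValueError(f"{item!r} is outside {low}-{high}")
        values.update(range(a, b + 1))
    return values


def parse_schedule(spec: str) -> dict:
    """Parse 'minute hour day-of-month month day-of-week' into value sets."""
    parts = spec.split()
    if len(parts) != 5:
        raise ValueError("a schedule has exactly five fields")
    sched = {}
    for (name, low, high), part in zip(FIELDS, parts):
        sched[name] = parse_field(part, low, high)
        sched[name + " restricted"] = part != "*"
    if 7 in sched["day-of-week"]:          # 7 is Sunday, the same as 0
        sched["day-of-week"].add(0)
    return sched


def matches(sched: dict, when: datetime) -> bool:
    """True when the schedule fires at this gateway time."""
    if (when.minute not in sched["minute"] or when.hour not in sched["hour"]
            or when.month not in sched["month"]):
        return False
    dom_ok = when.day in sched["day-of-month"]
    dow_ok = (when.isoweekday() % 7) in sched["day-of-week"]   # Sunday -> 0
    # Assumed crontab convention: with both day fields restricted, either one
    # suffices; a '*' always matches, so then the other field alone decides.
    if sched["day-of-month restricted"] and sched["day-of-week restricted"]:
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def fires_at(spec: str, year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Convenience wrapper: does schedule `spec` fire at the given wall-clock time?"""
    return matches(parse_schedule(spec), datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    # Every day at 00:00, 06:00 and 12:00 (the schedule used in Figure 1-8).
    print(fires_at("0 0,6,12 * * *", 2024, 1, 1, 6, 0))   # True
    print(fires_at("0 0,6,12 * * *", 2024, 1, 1, 7, 0))   # False
```

Values outside the table's ranges are rejected at parse time, which is the check to run before handing a schedule to SWUPDATE START TIME or SWUPDATE STOP TIME.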
When the local gateway time equals the start time, SwUpdate executes the following actions:
It retrieves the list of files available in non-volatile memory and calculates the MD5 value of each file.
It then connects to the FTP/TFTP server and retrieves a file named MD5SUM from the directory defined by the path parameter (and possibly by the MAC parameter). This file contains the list of all files available on the server that the SwUpdate module must retrieve, each with its MD5 value.
It compares the MD5SUM file downloaded from the server with the local MD5 list calculated on the current flash file system.
For each file in the MD5SUM file that differs from the local list or is not present, SwUpdate retrieves it from the FTP/TFTP server.
When all the files have been downloaded, they are saved permanently in the gateway file-system and the gateway is restarted. The next time it starts, the gateway uses the new files.
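The comparison described in the two passages above (the MD5SUM file format, and the download decision taken at start time), as an added example in Python; it is not the gateway's SwUpdate code. It parses an MD5SUM file in md5sum(1) output format, computes the MD5 of the files held locally and returns the names SwUpdate would fetch. The file names and contents are constructed for the example, and the function names are illustrative.

```python
"""Added example: which files SwUpdate would fetch, given a server MD5SUM list."""
import hashlib
import re

# One md5sum(1) output line: 32 hex digits, whitespace, an optional '*'
# (binary-mode marker), then the file name.
_MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+?)\s*$")


def parse_md5sum(text: str) -> dict:
    """Map file name -> lowercase MD5 digest; malformed lines are an error."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _MD5SUM_LINE.match(line)
        if m is None:
            raise ValueError(f"MD5SUM line {lineno} is not md5sum output: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name != "MD5SUM":             # a rerun of `md5sum *` lists the list file itself
            entries[name] = digest
    return entries


def local_digests(files: dict) -> dict:
    """MD5 of every file held in the gateway's non-volatile memory."""
    return {name: hashlib.md5(data).hexdigest() for name, data in files.items()}


def files_to_download(md5sum_text: str, files: dict) -> list:
    """Listed files that are missing locally or whose MD5 differs (sorted)."""
    wanted = parse_md5sum(md5sum_text)
    have = local_digests(files)
    # MD5 here only detects change: an entry is taken as listed, it is not
    # authenticated, so the server and the path to it must be trusted.
    return sorted(name for name, digest in wanted.items() if have.get(name) != digest)


# Constructed sample data: the gateway holds two files; on the server the main
# image was rebuilt, snmpinit is unchanged, and a recovery image is new.
LOCAL_FILES = {
    "iMG616BD-main-3-7-01_26.bin": b"main image, previous build",
    "snmpinit": b"snmp init script",
}
SERVER_MD5SUM = "\n".join([
    hashlib.md5(b"main image, new build").hexdigest() + "  iMG616BD-main-3-7-01_26.bin",
    hashlib.md5(b"snmp init script").hexdigest() + "  snmpinit",
    hashlib.md5(b"recovery image").hexdigest() + " *iMG616BD-recovery-4-4_25.bin",
    hashlib.md5(b"").hexdigest() + "  MD5SUM",
]) + "\n"

if __name__ == "__main__":
    print(files_to_download(SERVER_MD5SUM, LOCAL_FILES))
    # ['iMG616BD-main-3-7-01_26.bin', 'iMG616BD-recovery-4-4_25.bin']
```

The unchanged snmpinit is skipped, the rebuilt main image and the new recovery image are selected, and the MD5SUM entry for the list file itself is ignored.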
Non-existing times, such as the 'missing hours' during daylight saving changes, never match, so a SwUpdate scheduled during a 'missing time' is not started.
1.4.3.2 Retry Period scheduling
If SwUpdate fails a download, it reschedules the next request using the retry-period timeout.
The retry-period timeout specifies the maximum time within which SwUpdate reschedules the next request. The exact time of the next request is selected at random between 15 seconds and the retry-period timeout. This computation is performed every time SwUpdate fails and a new request must be scheduled.
When the download finishes successfully, SwUpdate is rescheduled using the start timetable. If the current time is outside the window between two consecutive start and stop times, SwUpdate suspends any download.
The start time has precedence over the Retry Period schedule. If the start time occurs while the Retry Period is running, SwUpdate starts the download immediately and reschedules it only if it fails.
1.4.3.3 Stop Time scheduling
It is possible to stop SwUpdate at any minute/hour/day/week of the year.
Stop time is typically used when SwUpdate fails a download and, as a result, a new request has been scheduled before the next start time.
To prevent continuous re-transmissions, the stop time forces SwUpdate to cancel any scheduled retry during a specific (configurable) time of day or day of week.
SwUpdate is active only in the timeslots defined by two consecutive start and stop times.
The period between a stop time and the following start time is the inactive (idle) period, in which SwUpdate does NOT contact any server.
If the retry-period timer was running before the stop time, it is stopped when the local time matches the stop time.
FIGURE 1-8 SwUpdate scheduling example 1. Start Time fields: minute 0, hours 0,6,12, day-of-month *, month *, day-of-week *. Stop Time fields: minute 0, hours 4,10,16, day-of-month *, month *, day-of-week *. The timeline (Monday to Thursday, 00:00 to 16:00) marks failed attempts ("Fall") that are retried after a random delay (15 secs to Retry-Period) until the stop time.
Figure 1-8 above shows a schedule example where SwUpdate is started every day of the week at hours 0, 6 and 12 and is stopped 4 hours after each start time.
The following figure (Figure 1-9) shows a schedule example where SwUpdate is started every day of the week at hours 0, 6 and 12 and is stopped at specific times of the day.
If the stop time falls inside an idle period, SwUpdate stays in the inactive state waiting for the next start time.
FIGURE 1-9 SwUpdate scheduling example 2. Start Time fields: minute 0, hours 0,6,12, day-of-month *, month *, day-of-week *. Stop Time fields: minute 0, hours 4,10,16, day-of-month *, month *, day-of-week *. The timeline (Monday to Thursday, 00:00 to 20:00) marks failed attempts ("Fall") that are retried after a random delay (15 secs to Retry-Period) until the stop time.
1.4.3.4 Manually enabling SwUpdate
It is possible to turn the SwUpdate module on (enable) and off (disable) manually using the swupdate start and swupdate stop commands.
If SwUpdate was disabled and the download finishes successfully, SwUpdate returns to the disabled state.
If SwUpdate was disabled and the download fails, SwUpdate stays enabled and is scheduled with the same rules defined in the previous sections.
If SwUpdate was enabled and the download finishes successfully, SwUpdate stays enabled with the schedule defined by the Start and Stop Time.
If SwUpdate was enabled and the download fails, SwUpdate stays enabled and is scheduled with the same rules defined in the previous sections.
1.4.3.5 Plug-and-play
Default operational mode
By default the SwUpdate module is set to work in TFTP mode, trying to get all the TFTP server parameters from the DHCP options passed by the external DHCP server.
When working in TFTP mode, the gateway requires that the IP interface connected to the swupdate network is configured dynamically. SwUpdate uses the dhcpclient to request DHCP option 66 ('tftp-server-name') and DHCP option 60 ('dhcp-class-identifier').
The SwUpdate module then uses the tftp-server-name option and the DHCP filename field value passed in the DHCP ACK message to set the TFTP server address and the server path respectively.
During IP address discovery or renewal, the DHCP client notifies the server of the Residential Gateway model type and MAC address in the dhcp-class-identifier and dhcp-client-identifier options respectively.
Sending the dhcp-class-identifier and dhcp-client-identifier options allows the DHCP server to discover dynamically the type of unit and make a selective choice of TFTP server parameters (for example, select a different server path to deliver different code versions or different unit configuration files).
Note:
The SwUpdate module needs the dhcp-class-identifier option to be present in the DHCP ACK message with the same value sent in the DHCP Discover and Request messages. If this value is different or the option is not present, SwUpdate does not start. This check only selects the intended DHCP server among several legitimate ones; it does not authenticate the server, so the DHCP and TFTP services on the swupdate network must be protected.
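The plug-and-play check in the note above, as an added example (not the gateway's dhcpclient or SwUpdate code): it decodes the options area of a DHCP ACK, refuses to start unless option 60 is present with exactly the value the gateway sent, and otherwise returns the TFTP server from option 66 and the path from the fixed-header 'file' field. The packet builder, the constructed packets and the helper names are assumptions made for the example; the class identifier value uses a product code string from the table above.

```python
"""Added example: DHCP ACK handling for SwUpdate plug-and-play mode."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_ACK = 5
OPT_PAD, OPT_MSG_TYPE, OPT_CLASS_ID, OPT_TFTP_SERVER, OPT_END = 0, 53, 60, 66, 255
FILE_FIELD = slice(108, 236)   # 128-byte 'file' field of the BOOTP fixed header


def parse_options(data: bytes) -> dict:
    """TLV-decode a DHCP options area: skip PAD, stop at END, reject truncation."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return opts


def swupdate_params(packet: bytes, sent_class_id: bytes):
    """Return (tftp_server, path) from an ACK, or None if SwUpdate must not start."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts = parse_options(packet[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_ACK]):
        return None
    # The manual's precondition: option 60 present and identical to what we sent.
    # This only selects the intended server; it does not authenticate it.
    if opts.get(OPT_CLASS_ID) != sent_class_id:
        return None
    server = opts.get(OPT_TFTP_SERVER)
    if not server:
        return None
    path = packet[FILE_FIELD].split(b"\x00", 1)[0]   # NUL-padded 'file' field
    return server.decode("ascii"), path.decode("ascii")


def build_ack(class_id, tftp_server, path, include_class_id=True) -> bytes:
    """Constructed DHCP ACK for the example (minimal BOOTP fixed header)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                 # BOOTREPLY, Ethernet, hlen 6
    hdr[4:8] = struct.pack("!I", 0x3903F326)         # xid
    hdr[16:20] = bytes([192, 168, 1, 10])            # yiaddr
    hdr[28:34] = bytes.fromhex("102030405060")       # chaddr
    hdr[108:108 + len(path)] = path                  # 'file' field carries the path
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_ACK])
    if include_class_id:
        opts += bytes([OPT_CLASS_ID, len(class_id)]) + class_id
    opts += bytes([OPT_TFTP_SERVER, len(tftp_server)]) + tftp_server + bytes([OPT_END])
    return bytes(hdr) + MAGIC_COOKIE + opts


# Constructed packets: the value the gateway announces in option 60, an ACK
# that echoes it, one carrying another product's value, and one without option 60.
CLASS_ID = b"AT-iMG634A-R2"
ACK_OK = build_ack(CLASS_ID, b"10.17.90.101", b"at-iMG634A-R2-software")
ACK_OTHER_CLASS = build_ack(b"AT-iMG624A", b"10.17.90.101", b"at-iMG634A-R2-software")
ACK_NO_CLASS = build_ack(CLASS_ID, b"10.17.90.101", b"at-iMG634A-R2-software",
                         include_class_id=False)

if __name__ == "__main__":
    print(swupdate_params(ACK_OK, CLASS_ID))           # ('10.17.90.101', 'at-iMG634A-R2-software')
    print(swupdate_params(ACK_OTHER_CLASS, CLASS_ID))  # None
    print(swupdate_params(ACK_NO_CLASS, CLASS_ID))     # None
```

Only the ACK that echoes the gateway's own class identifier yields TFTP parameters; the other two are the cases in which the note says SwUpdate does not start.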
1.4.3.6 Server access
FTP server account
SwUpdate accesses the FTP server using a server login account.
The FTP login name and password are configurable in the SwUpdate module.
FTP/TFTP working directory
SwUpdate is able to navigate into the FTP/TFTP server directory tree.
The working directory is specified by defining, in the SwUpdate module, a parameter named path. It identifies the path, relative to the login home directory, where the SwUpdate module expects to find the files.
For example, if the home directory is:
/home/manager
and the gateway path parameter is set to:
at-iMG616BD-software-xxx
the working directory will be:
/home/manager/at-iMG616BD-software-xxx
The working directory can also be specified using the gateway MAC address in the format:
aa_bb_cc_dd_ee_ff
In this case the working directory is the login home directory plus the MAC address.
This feature is useful when network administrators need to create a specific configuration for each residential gateway.
To enable this feature, a special flag named MAC is used.
For example, if the home directory is:
/home/manager
and the gateway MAC address is:
10:20:30:40:50:60
enabling the MAC flag, the working directory will be:
/home/manager/10_20_30_40_50_60
If both the path parameter and the MAC flag are set, the working directory is the login home directory plus the path string plus the MAC address.
For example, if the home directory is:
/home/manager
and the gateway MAC address is:
10:20:30:40:50:60
and the gateway path parameter is set to:
at-iMG616BD-software-xxx
the working directory will be:
/home/manager/at-iMG616BD-software-xxx/10_20_30_40_50_60
1.4.4 SwUpdate command reference
This section describes the commands available on the gateway to configure and manage the SwUpdate module.
1.4.4.1 SwUpdate commands
The table below lists the SwUpdate commands provided by the CLI:
TABLE 1-4 SwUpdate Commands
Every command below is available on all product families (Fiber A, Fiber B, Fiber C, Fiber D, Fiber E, Modular, ADSL A, ADSL B, ADSL C):
SWUPDATE MAC
SWUPDATE SET LOGIN
SWUPDATE SET PASSWORD
SWUPDATE SET PATH
SWUPDATE SET RETRY PERIOD
SWUPDATE SET SERVER
SWUPDATE SHOW
SWUPDATE START
SWUPDATE START TIME
SWUPDATE STOP
SWUPDATE STOP TIME
1.4.4.1.1 SWUPDATE MAC
Syntax
SWUPDATE MAC {ENABLE | DISABLE}
Description
This command forces the SwUpdate module to look for the MD5SUM file on the FTP server in a directory named after the unit MAC address.
The working directory is therefore the home directory followed by the unit MAC address.
If a path value is set with the SWUPDATE SET PATH command, the working directory is the user home directory + the path + the MAC address (see the Server access section above).
Options
The following table gives the range of values for each option, which can be specified with this command, and a default value (if applicable).
Option: ENABLE
Description: Enable the use of the MAC address as qualifier for the working directory. The name of the working directory will be, for example: 00_20_30_40_50_60
Default Value: Enabled
Option: DISABLE
Description: Disable the use of the MAC address as qualifier for the working directory.
Example
--> swupdate mac enable
See also
SWUPDATE SET PATH
SWUPDATE SHOW
1.4.4.1.2 SWUPDATE SET LOGIN
Syntax
SWUPDATE SET LOGIN <login>
Description
This command sets the login name used when SwUpdate connects to an FTP server.
Options
The following table gives the range of values for each option, which can be specified with this command, and a default value (if applicable).
Option: LOGIN
Description: The login name used to access the FTP server.
Default Value: manager
Example
--> swupdate set login administrator
See also
SWUPDATE SET PATH
SWUPDATE SET PASSWORD
SWUPDATE SHOW
1.4.4.1.3 SWUPDATE SET PASSWORD
Syntax
SWUPDATE SET PASSWORD <password>
Description
This command sets the password used when SwUpdate connects to an FTP server.
The default login name (manager) and password (friend) are published in this manual, so site-specific credentials should be configured before FTP mode is used. FTP transmits the login and password in clear text, and SWUPDATE SHOW displays the configured password, so access to the CLI and to the network path to the FTP server should be restricted accordingly.
Options
The following table gives the range of values for each option, which can be specified with this command, and a default value (if applicable).
Option: PASSWORD
Description: The password used to access the FTP server.
Default Value: friend
Example
--> swupdate set password superuser
See also
SWUPDATE SET LOGIN
SWUPDATE SHOW
1.4.4.1.4 SWUPDATE SET PATH
Syntax
SWUPDATE SET PATH <path>
Description
This command sets the path used when SwUpdate navigates into the FTP server.
Options
The following table gives the range of values for each option, which can be specified with this command, and a default value (if applicable).
Option: PATH
Description: The path used when SwUpdate navigates into the FTP server. 'none' means no path is used.
Default Value: none
Example
--> swupdate set path rel-x-y-z
See also
SWUPDATE MAC ENABLE
SWUPDATE SHOW
1.4.4.1.5 SWUPDATE SET RETRY PERIOD
Syntax
SWUPDATE SET RETRY PERIOD <secs>
Description
This command sets the maximum retry period used when a download fails.
Options
The following table gives the range of values for each option, which can be specified with this command, and a default value (if applicable).
Option: SECS
Description: The maximum retry period (in seconds) used when the download fails and SwUpdate tries to contact the FTP/TFTP server again. The actual delay before the next attempt is chosen at random between 15 seconds and this value.
Default Value: 60
Example
--> swupdate set retry period 120
See also
SWUPDATE SHOW
1.4.4.1.6 SWUPDATE SET SERVER
Syntax
SWUPDATE SET SERVER <server_address>
Description
This command sets the address of the server to which SwUpdate tries to connect. When a hostname is used (as with the default, swupdate), the DNS server the gateway relies on decides which host the software is pulled from, so that DNS service needs the same level of trust as the update server itself.
Options
The following table gives the range of values for each option, which can be specified with this command, and a default value (if applicable).
Option: SERVER_ADDRESS
Description: The hostname or IPv4 address of the FTP server. The hostname can be a maximum of 256 characters long.
Default Value: swupdate
Example
--> swupdate set server 10.17.90.101
See also
SWUPDATE SET PATH
SWUPDATE SET PASSWORD
SWUPDATE SHOW
1.4.4.1.7 SWUPDATE SHOW
Syntax
SWUPDATE SHOW
Description
This command displays the SwUpdate module configuration parameters. Note that the FTP password is shown in clear.
Example
--> swupdate show
FTP SWUPDATE CONFIGURATION
- GENERAL PARAMETERS
Retry period set to: 40
start time passed to cron: 0-59 * * * *
stop time passed to cron: none
- FTP SERVER PARAMETERS
server address in use: swupdate
login: manager
password: friend
pathname: none
mac: false
See also
SWUPDATE SET PATH
SWUPDATE SET PASSWORD
1.4.4.1.8 SWUPDATE START
Syntax
SWUPDATE START
Description
This command forces the software update to start immediately and remain active until
the next stop command is sent or the download is executed successfully.
Example
--> swupdate start
See also
SWUPDATE STOP
1.4.4.1.9 SWUPDATE START TIME
Syntax
SWUPDATE START TIME {NONE | MINUTE <minute> HOUR <hour> DAY-OF-MONTH <day-of-month> MONTH <month> DAY-OF-WEEK <day-of-week> }
Description
This command sets the scheduled starting time. See the Start Time scheduling section for the syntax of each field.
Options
The following table gives the range of values for each option, which can be specified with this command, and a default value (if applicable).
Option: MINUTE
Description: The minute(s) in the hour when SwUpdate must start.
Default Value: N/A
Option: HOUR
Description: The hour(s) in the day when SwUpdate must start.
Default Value: N/A
Option: DAY-OF-MONTH
Description: The day(s) in the month when SwUpdate must start.
Default Value: N/A
Option: MONTH
Description: The month(s) in the year when SwUpdate must start.
Default Value: N/A
Option: DAY-OF-WEEK
Description: The day(s) in the week when SwUpdate must start.
Default Value: N/A
Example
--> swupdate start time minute * hour 0-7 day-of-month * month * day-of-week *
See also
SWUPDATE SHOW
1.4.4.1.10 SWUPDATE STOP
Syntax
SWUPDATE STOP
Description
This command forces the software update to stop immediately and remain in the idle state until a start command is issued.
Example
--> swupdate stop
See also
SWUPDATE START
1.4.4.1.11 SWUPDATE STOP TIME
Syntax
SWUPDATE STOP TIME {NONE | MINUTE <minute> HOUR <hour> DAY-OF-MONTH <day-of-month> MONTH <month> DAY-OF-WEEK <day-of-week> }
Description
This command sets the scheduled stop time. See the Stop Time scheduling section for the syntax of each field.
Options
The following table gives the range of values for each option, which can be specified with this command, and a default value (if applicable).
Option: MINUTE
Description: The minute(s) in the hour when SwUpdate must stop.
Default Value: N/A
Option: HOUR
Description: The hour(s) in the day when SwUpdate must stop.
Default Value: N/A
Option: DAY-OF-MONTH
Description: The day(s) in the month when SwUpdate must stop.
Default Value: N/A
Option: MONTH
Description: The month(s) in the year when SwUpdate must stop.
Default Value: N/A
Option: DAY-OF-WEEK
Description: The day(s) in the week when SwUpdate must stop.
Default Value: N/A
Example
--> swupdate stop time minute 0 hour 21-23 day-of-month * month * day-of-week *
See also
SWUPDATE SHOW
1.5 ZTC
Wide Area Networks consist of a lot of components (hubs, switches, routers, residential gateways, set top
boxes, PCs) that need to be configured.
The number of components can be very high and often the configuration of these devices to get them up and
running requires a lot of work for network administrators.
As a result, network administrator operations can be very expensive with in-field configuration taking a lot of
time.
The Zero Touch Configurator (ZTC) is a tool designed to enable a network administrator to configure and
manage network devices remotely and automatically without end-user intervention.
The Zero Touch Configurator is able to update image software and unit configuration on multiple devices
simultaneously, so administrators can avoid having to connect to each device separately and repeat the same
sequence of actions for each of them.
1.5.1 Functional blocks
The ZTC is a component-based application, which consists of different logical blocks that can be distributed on
independent runtime environments or machines (see Figure 1-10).
FIGURE 1-10 ZTC network architecture. Components and links shown: WEB Browser, ZTC WEB Interface (HTTP), ZTC Server (RMI), LDAP Database (LDAP), TFTP Server and Residential Gateway (TFTP).
1.5.1.1 ZTC network architecture
The ZTC Network Architecture consists of the following parts:
• An LDAP Directory Service in which data is stored.
• The ZTC Server, which contains all the application logic for:
  • User authentication and authorization
  • Data consistency and syntax checking when a new device configuration is added
  • Application logic for creating new configuration scripts
  • Application logic to execute commands on the device
  • Data Access Object layer to access the data tier
  • Several protocols for supporting different kinds of clients
• The ZTC WEB Interface. This application lets users interact with the ZTC Server. Through this interface they can view or update existing configurations, or add new ones.
• The ZTC Embedded Client. This client is installed on the devices to communicate with the ZTC Server. Typically, the devices connect to the ZTC Server to perform the following operations:
  • Communicate their current configuration to the ZTC Server
  • Download new configurations from the ZTC Server, if any exist
The components of ZTC are independent, and they can run on different machines and platforms, in a three-tiered architecture fashion.
The core of the application is the ZTC Server. It manages the dialogue with the directory service backend and performs all operations on data. The ZTC WEB Interface, used to interact with the ZTC Server, is decoupled from the ZTC Server and can run on different machines.
1.5.2 ZTC Client
The ZTC Embedded Client, or, shortly, the ZTC Client, is the module running on the gateway that is in charge of
communicating with the ZTC server.
The ZTC client works according to the so-called Configuration PULL method. The ZTC Client contacts the ZTC server, passing the current configuration and the unit identifier, and retrieves the new configuration if
necessary. The ZTC server is responsible for allowing the download only of the correct configuration file,
depending on the unit identifier (the unit MAC address) and on the configuration rules defined inside the ZTC
Server.
The following three ZTC Client – ZTC Server communication phases are possible:
• Pull-at-startup – This phase is executed when the unit starts up
• Scheduled-pull – This phase is executed every time the ztcclient polling timeout expires
ZTC Client and ZTC Server communicate through TFTP protocol.
The ZTC Server IP address can be configured in the ZTC Client module in two ways: either statically or dynamically.
When a static configuration is used, the ZTC Server IPv4 address is defined explicitly using the ZTCCLIENT
ENABLE STATIC ZTCSERVERADDR command. This command sets the server IP address that will be used by all the
next queries and also turns on the ztcclient module, forcing the module to query the server to retrieve the unit
configuration file.
When a dynamic configuration is used, the ZTC client module is bound to an existing IP interface using the
ZTCCLIENT ENABLE DYNAMIC LISTENINTERFACE command.
In this way the ZTC client module uses the facilities offered by the dhcpclient module to force the IP interface to
ask an external DHCP server for the ZTC Server address. When the ZTC Client needs to know the ZTC
Server address, a DHCP request is generated by the IP interface requesting a value for option 67 ‘bootfilename’. The ZTC Client module uses the value returned by the DHCP server for option 67 as the ZTC Server IP address.
Similarly to the static configuration, the ZTCCLIENT ENABLE DYNAMIC LISTENINTERFACE command turns on
the ztcclient module, forcing the module to query the server to retrieve the unit configuration file.
Note:
The ZTC client can be enabled dynamically only if the IP interface to which it is bound is a dynamic IP interface.
Attempting to enable the ZTC client module dynamically on a static IP interface results in an error.
1.5.2.1 Storing unit configuration
The configuration file downloaded from the ZTC Server is never stored permanently in the unit flash file system.
This prevents flash memory failure caused by too many write requests.
If the unit restarts, it loses the previously downloaded configuration and starts from the bootstrap configuration.
This behavior allows the network administrator to control the unit configuration based only on the configuration
file defined by the ZTC Server framework.
When the ZTC Client is enabled, the current running configuration is the result of the bootstrap configuration plus
the unit configuration downloaded from the ZTC Server. Any action that permanently saves the configuration (e.g.
the system configuration save command) could change the bootstrap configuration file, and therefore the resulting configuration when the ZTC Client runs could be unpredictable.
Note:
When the ZTC client is enabled, any CLI commands that can cause a change in the system configuration are
inhibited. To enter these types of commands, it is necessary to disable the ZTC client with the ZTCCLIENT
DISABLE command.
1.5.2.2 Pull-at-startup
Figure 1-11 shows the Pull-at-startup phase executed by the ZTC client module when the gateway bootstraps.
Consider a scenario where the ZTC Client is bound to a dynamic IP interface: during the bootstrap process, the
gateway uses the facilities provided by the DHCP client module to set up the IP interface configuration.
The dynamic IP interface receives the new network configuration and the ZTC Server address in the ‘bootfilename’ DHCP option.
As soon as the network is configured, the ZTC Client runs.
The ZTC Client contacts the ZTC Server, passing in the parameter list the Residential Gateway's MAC
address, the application filename and a value derived from the current running configuration (which, at bootstrap,
is null). This information defines the current device status.
The ZTC Server checks whether there is a configuration for the gateway by looking for the device MAC address in the
LDAP server and, if necessary, returns the configuration file to the device.
The device executes the configuration file and starts the ZTC Client timeout. The timeout defines the polling
period before the ZTC Server will be contacted again.
When the timeout expires, the Scheduled-pull phase is executed.
FIGURE 1-11 Pull-at-Startup ZTC phase (sequence diagram with Residential Gateway, DHCP Server, ZTC Server and LDAP Database; steps on the gateway: Unit Bootstrap, Setup Dyn Interface, Start ZTC Client with a NULL configuration value, Run New Configuration, Start ZTC Timeout, ZTC Idle)
1.5.2.3 Scheduled-pull
Figure 1-12 shows the Scheduled-pull phase executed by the ZTC client module when the ztcclient polling
timeout expires.
The ZTC Client contacts the ZTC Server, passing in the parameter list the Residential Gateway MAC address,
the application filename and the hash key derived from the current running configuration. This information
defines the actual state of the device.
The ZTC Server checks whether there is a configuration for the gateway by looking for the device MAC address
in the LDAP server and, if necessary, returns the configuration file to the device.
When the device receives the new configuration, it reboots in order to execute the new configuration starting
from a "well known" status: the bootstrap configuration.
Since the gateway never stores the configuration downloaded from the ZTC Server, the ZTC Client contacts
the ZTC Server again and executes exactly the same procedure defined in the Pull-at-startup phase.
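The PULL exchange described in the two phases above, written out as an added Python model that is not part of this manual or of the ZTC product: the client reports its MAC address and a hash of its running configuration (null at bootstrap), and the server returns a configuration only when the stored one differs, which is the "Is it the same?" decision of the Scheduled-pull phase. The dictionary standing in for the LDAP directory, the sample configuration text and the choice of SHA-256 as the hash are assumptions made here; the manual does not name the hash algorithm.

```python
import hashlib

# Constructed sample data standing in for the LDAP directory:
# unit MAC address -> configuration script the server holds for it.
LDAP_CONFIGS = {
    "00:11:22:33:44:55": "ip add interface ip0 192.168.1.2 255.255.255.0\n",
}


def config_hash(config_text):
    """Hash key derived from a running configuration.
    SHA-256 is an assumption; the manual does not name the algorithm."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def ztc_server_decide(mac, reported_hash, configs=LDAP_CONFIGS):
    """Server side of the PULL method.

    Looks the unit up by MAC address and compares the hash reported by the
    client with the hash of the stored configuration.  Returns one of
      ("unknown", None)  no configuration rule for this unit, nothing is sent
      ("same", None)     configurations match, the TFTP transfer is aborted
      ("send", text)     the stored configuration differs and is sent
    """
    stored = configs.get(mac.lower())
    if stored is None:
        return ("unknown", None)
    if reported_hash is not None and reported_hash == config_hash(stored):
        return ("same", None)
    return ("send", stored)


def ztc_client_cycle(mac, running_config, configs=LDAP_CONFIGS):
    """Client side: report MAC and hash (None at bootstrap) and act on the reply.

    Returns (result, running_config_after_cycle).  On "send" the real device
    reboots and re-executes from the bootstrap configuration; here the outcome
    is modelled by the downloaded text becoming the running configuration.
    """
    reported = None if running_config is None else config_hash(running_config)
    verdict, payload = ztc_server_decide(mac, reported, configs)
    if verdict == "send":
        return ("applied", payload)
    return (verdict, running_config)
```

The second call in a sequence, made with the configuration obtained by the first, is the steady state of the Scheduled-pull phase: the hashes match and no transfer takes place until the directory entry changes.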
FIGURE 1-12 Scheduled-pull ZTC phase (sequence diagram with Residential Gateway, ZTC Server and LDAP Database; steps: ZTC Idle, ZTC Timeout Expires, Start ZTC Client, Compare Client Config with LDAP Config, "Is it the same?": Yes, Abort TFTP; No, Unit Restart, Start ZTC Client, Run New Configuration, Start ZTC Timeout, ZTC Idle)
1.5.3 ZTC command reference
This section describes the commands available on the gateways to configure and manage the ZTC Client module.
1.5.3.1 ZTC Client commands
The table below lists the ztcclient commands provided by the CLI:
TABLE 1-5 ZTC Client Commands

Option                         Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A  ADSL B  ADSL C
ZTCCLIENT ENABLE DYNAMIC       X        X        X        X        X        X        X       X       X
ZTCCLIENT ENABLE STATIC        X        X        X        X        X        X        X       X       X
ZTCCLIENT DISABLE              X        X        X        X        X        X        X       X       X
ZTCCLIENT SHOW                 X        X        X        X        X        X        X       X       X
ZTCCLIENT SET CONFIGTIMEOUT    X        X        X        X        X        X        X       X       X
ZTCCLIENT SET POLLINGTIMEOUT   X        X        X        X        X        X        X       X       X
ZTCCLIENT UPDATE               X        X        X        X        X        X        X       X       X
1.5.3.1.1 ZTCCLIENT ENABLE DYNAMIC
Syntax
ZTCCLIENT ENABLE DYNAMIC LISTENINTERFACE <ipinterface>
Description
This command enables the ztcclient and binds it to an existing dynamic IP interface. This
command automatically creates a specific configuration rule that applies to the IP interface in order to force the dhcpclient module to request the ZTC server address inside
the option list of the DHCP discover request sent to the external DHCP server.
Note:
This command requires that <ipinterface> is defined as a dynamic interface, thus it must have the DHCP
flag enabled.
To apply changes to the ZTC client module and turn it on, use the ZTCCLIENT UPDATE
command.
Options
The following table gives the range of values for each option, which can be specified with
this command, and a default value (if applicable).
Option         Description                                                  Default Value
IPINTERFACE    The name of an existing IP interface. To see the list of     N/A
               existing interfaces, use the IP LIST INTERFACE command.
Example
--> ztcclient enable dynamic listeninterface ip0
See also
ZTCCLIENT DISABLE
1.5.3.1.2 ZTCCLIENT ENABLE STATIC
Syntax
ZTCCLIENT ENABLE STATIC ZTCSERVERADDR <ztcserveraddr>
Description
This command enables the ztcclient and sets the ZTC Server IP address.
To apply changes to the ZTC client module and turn it on, use the ZTCCLIENT
UPDATE command.
Options
The following table gives the range of values for each option that can be specified with
this command, and a default value (if applicable).
Option           Description                                                Default Value
ZTCSERVERADDR    The IP address of the interface used to connect to         N/A
                 the ZTC Server. The IP address must be specified
                 in IPv4 format (e.g. 192.168.102.3)
Example
--> ztcclient enable static ztcserveraddr 192.168.102.3
See also
ZTCCLIENT DISABLE
1.5.3.1.3 ZTCCLIENT DISABLE
Syntax
ZTCCLIENT DISABLE
Description
This command disables the ztcclient module.
Example
--> ztcclient disable
See also
ZTCCLIENT ENABLE
1.5.3.1.4 ZTCCLIENT SHOW
Syntax
ZTCCLIENT SHOW
Description
This command shows the ZTC Client configuration parameters.
Example
The following example shows the ZTC client parameters when a dynamic configuration is
set.
ZTC CLIENT CONFIGURATION
- GENERAL PARAMETERS
enabled: false
dynamic: true
configuration timeout: 60 seconds
server address in use: 192.168.1.10
- DYNAMIC CONFIGURATION
interface: ip0
- STATIC CONFIGURATION
server address for static configuration:
0.0.0.0
1.5.3.1.5 ZTCCLIENT SET CONFIGTIMEOUT
Syntax
ZTCCLIENT SET CONFIGTIMEOUT <configtimeout>
Description
This command changes the value of the configtimeout, which is the polling time interval
used by the ztcclient when it checks whether new configurations are available on the ZTC server.
Options
The following table gives the range of values for each option that can be specified with
this command, and a default value (if applicable).
Option           Description                                                Default Value
CONFIGTIMEOUT    The polling time (in minutes) used by the ztcclient        1
                 module when the gateway is already configured.
                 Acceptable values are from 1 to 120 minutes.
Example
--> ztcclient set configtimeout 30
See also
ZTCCLIENT SHOW
1.5.3.1.6 ZTCCLIENT SET POLLINGTIMEOUT
Syntax
ZTCCLIENT SET POLLINGTIMEOUT <pollingtimeout>
Description
This command changes the value of the pollingtimeout, which is the polling time interval
used by the ztcclient when it attempts the first synchronization. After the gateway is synchronized, the ztc client switches to the configtimeout polling time to check whether new configurations are available on the ZTC server. The timer is used to force a fast
synchronization without generating high network traffic when the gateway is already configured.
Options
The following table gives the range of values for each option that can be specified with
this command, and a default value (if applicable).
Option            Description                                               Default Value
POLLINGTIMEOUT    The polling time (in secs) used by the ztc client         5
                  module when it tries to make the first server
                  synchronization.
Example
--> ztcclient set pollingtimeout 10
See also
ZTCCLIENT SHOW
1.5.3.1.7 ZTCCLIENT UPDATE
Syntax
ZTCCLIENT UPDATE
Description
This command saves the changes made with the ZTCCLIENT SET CONFIGTIMEOUT and
ZTCCLIENT ENABLE DYNAMIC or ZTCCLIENT ENABLE STATIC commands and
turns on the polling timeout.
Example
--> ztcclient update
1.6 SNMP
This chapter introduces the configuration of SNMP module on the gateway.
To describe the SNMP configuration process the following terminology is used:
• entity: a network management element that consists of an SNMP engine and one or more applications.
• engine: a component of an SNMP entity that consists of a message processing subsystem, a security subsystem, an
access control subsystem (as appropriate), and a dispatcher.
• application: a component of an SNMP entity that determines the function of the entity. Applications include a command
generator, command responder, notification originator, notification receiver, proxy forwarder, etc.
The SNMP entity that is commonly called a MANAGER is an engine plus a command generator application and a
notification receiver application.
FIGURE 1-13 A manager Entity (SNMP Entity containing an SNMP Engine identified by snmpEngineID, made of a Dispatcher, a Message Processing Subsystem and a Security Subsystem, plus the Application(s): Command Generator and Notification Receiver)
FIGURE 1-14 An agent Entity (SNMP Entity containing an SNMP Engine identified by snmpEngineID, made of a Dispatcher, a Message Processing Subsystem, a Security Subsystem and an Access Control Subsystem, plus the Application(s): Command Responder and Notification Originator)
The SNMP entity that is commonly called an AGENT is an engine plus a command responder and a notification
originator. Other types of entities are possible, because other combinations of engine and applications are viable.
1.6.1 SNMP configuration within the SNMPv3 administration framework
The SNMPv3 Administration Framework is a configuration infrastructure for SNMPv3 users, but it can also be
used to remotely configure and administer SNMPv1 and SNMPv2c community strings.
The SNMPv3 security administration framework provides a strong authentication mechanism, authorization
with fine granularity, complete access control, security level controls which include two authentication algorithms [1] and an optional privacy protocol, and a MIB document for remote configuration.
1.6.1.1 Security
SNMPv3 provides advanced security mechanisms for protecting against threats to management operations.
These security mechanisms are not new: they are taken from the SNMPv2 Draft Standards. The following sections describe the potential threats and how SNMPv3 protects against these threats.
SNMPv3 addresses in particular the following four threats:
• MASQUERADE
the masquerade threat is when an unauthorized user attempts to carry out management operations by
assuming the identity of an authorized user. SNMPv3 can verify the identity of the originator of the SNMPv3
message.
• MODIFICATION OF INFORMATION
modification of information is the threat that a user will (by malice or error) alter a message in transit
between the source and the destination, thereby carrying out unauthorized management activity. SNMPv3
can verify that the SNMPv3 message was not altered in transit between the originator and the recipient.
• MESSAGE STREAM MODIFICATION
message stream modification occurs when (by malice or error) management messages are reordered,
replayed, or delayed. SNMPv3 can verify that a received message is timely.
1.6.1.2 Mechanisms used by SNMPv3 security
SNMPv3 security protects against masquerade, modification of information, and message stream modification
by using the Hash-based Message Authentication Code (HMAC) with the MD5 Message Digest Algorithm (MD5) in
a symmetric, i.e. private, key mode. MD5, defined in RFC1321, takes “as input a message of arbitrary length and
produces as output a fingerprint or ‘message digest’ of the input.”
HMAC:
• Computes an MD5 hash (H) on the concatenation of
  • the shared secret key (K), which has been xored with the hexadecimal value ‘36’ (ipad), and
  • the SNMP message (text), which contains zero bytes in the digest field,
  to produce an intermediate digest, and
• Computes an MD5 hash on the concatenation of
  • the shared secret key, which has been xored with the hexadecimal value ‘5C’ (opad), and
  • the intermediate digest,
  to produce the final digest.
The HMAC function is summarized by the following expression:
HMAC(K, text) = H( (K xor opad) || H( (K xor ipad) || text ) )
FIGURE 1-15 hmac expression
[1] Trivial authentication requiring only a correct user name, and strong authentication based on an MD5 hash algorithm.
HMAC is used in the following manner to protect against threats to management operations:
• The sender and intended recipient of the SNMPv3 message share a secret key.
• When the sender constructs the outgoing message, the sender’s notion of the SNMP agent’s time is inserted
into the message, and the digest field is padded with zeros. The HMAC function is then used to compute a
digest (“fingerprint”) over the concatenation of the sender’s notion of the shared secret key and the SNMPv3
message.
• The digest is then inserted into the message at the position where the padding previously had been.
• The message is then sent.
• When the recipient receives the message, the digest in the incoming message is saved.
• The recipient inserts zeros into the incoming message at the position where the digest previously had been.
• In the same manner as the sender, the recipient uses HMAC to compute a digest of the incoming message
(with padding instead of a digest) and the recipient’s notion of the shared secret key.
The recipient then compares:
• The digest computed over the incoming message,
• The digest that was saved from the incoming message.
If the shared secret key has not been compromised [2], and if the two digests above exactly match, then there is a
high degree of confidence [3] that the following statements about the message are true:
• The message origin is authentic. That is, the user that claims to have sent the message did in fact send it.
Otherwise, the digests would have been different.
• The message contents have not been altered in transit. Otherwise, the digests would have been different.
[2] SNMPv3 cannot protect against the threat of compromised keys. If an unauthorized user knows a shared secret key, then
that user can masquerade as another user, modify messages in transit, and modify the message stream.
[3] It is computationally infeasible to threaten a system by trying all possible keys, especially if the administration policy for
the system includes a periodic changing of the keys which are configured.
When an SNMP agent receives a message, it verifies that the received message is timely by comparing the time
value inside the packet with the current time. If the time value from the packet is within a “safe”window of the
actual current time, the packet is accepted. If the time value from the packet is not within the specified window,
a Report PDU containing the agent’s notion of current time is transmitted to the sender of the received packet,
and the agent discards the received packet.
If the original message was authentic, then the sender of the original message has the ability to resend the
request. The sender of the original message will update its notion of the SNMP agent’s time using the time value
from the Report PDU. Then, the HMAC calculations will be performed again to obtain the digest for the same
request packet containing an updated time value.
If the original message was the result of message stream modification, and if the shared secret key has not been
compromised, then the sender would not find the time value from the Report PDU to be useful. Without the
secret key, the packet digest cannot be correctly recalculated.
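The digest computation and the timeliness check from the two preceding sections, as an added Python example that is not code from this manual or from the product. hmac_md5_manual follows the HMAC expression above step by step (key xored with 0x36, inner MD5, key xored with 0x5C, outer MD5) and can be checked against the standard library's hmac module; build_message and verify_message carry out the sender and recipient procedures, including the Report PDU case. The message layout (4-byte time value, 12-byte digest field, payload), the truncation of the digest to 96 bits and the 150-second window are assumptions taken from RFC 3414, not from this page.

```python
import hashlib
import hmac
import struct

MD5_BLOCK = 64      # MD5 block size in bytes; a shorter key is zero-padded to this length
DIGEST_LEN = 12     # assumption from RFC 3414 (HMAC-MD5-96): only the first 96 bits are sent
TIME_WINDOW = 150   # assumption from RFC 3414: the "safe" window is 150 seconds


def hmac_md5_manual(key, text):
    """HMAC exactly as the manual spells it out:
    H((K xor opad) || H((K xor ipad) || text)), with ipad = 0x36 and opad = 0x5C."""
    if len(key) > MD5_BLOCK:
        key = hashlib.md5(key).digest()
    key = key.ljust(MD5_BLOCK, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    intermediate = hashlib.md5(k_ipad + text).digest()
    return hashlib.md5(k_opad + intermediate).digest()


# Constructed message layout (an assumption, not the real SNMPv3 encoding):
# 4-byte big-endian time value | 12-byte digest field | payload
def build_message(key, agent_time, payload):
    """Sender side: insert the sender's notion of the agent's time, pad the digest
    field with zeros, compute the HMAC over the whole message and put the digest
    where the padding was."""
    padded = struct.pack(">I", agent_time) + bytes(DIGEST_LEN) + payload
    digest = hmac_md5_manual(key, padded)[:DIGEST_LEN]
    return padded[:4] + digest + padded[4 + DIGEST_LEN:]


def verify_message(key, message, current_time, window=TIME_WINDOW):
    """Recipient side: save the incoming digest, zero its position, recompute with
    the recipient's key and compare in constant time; then check timeliness.

    Returns ("ok", None), ("bad_digest", None) or ("report", current_time); the
    last one stands in for the Report PDU carrying the agent's notion of time.
    """
    if len(message) < 4 + DIGEST_LEN:
        return ("bad_digest", None)
    saved = message[4:4 + DIGEST_LEN]
    zeroed = message[:4] + bytes(DIGEST_LEN) + message[4 + DIGEST_LEN:]
    expected = hmac_md5_manual(key, zeroed)[:DIGEST_LEN]
    if not hmac.compare_digest(saved, expected):
        return ("bad_digest", None)
    (msg_time,) = struct.unpack(">I", message[:4])
    if abs(msg_time - current_time) > window:
        return ("report", current_time)
    return ("ok", None)
```

The digest is checked before the time value, so a sender without the key learns nothing from the time window, which is the point made in the last paragraph above: the Report PDU's time value is only useful to a party that can recompute the digest.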
1.6.1.3 Local configuration datastore
SNMP configuration information must be stored locally on the gateway filesystem in a plain ASCII text file
named snmpd.cnf.
Such a file can be uploaded via an FTP session (using the FTP daemon facility available on the Residential Gateway)
or via the swupdate feature.
1.6.1.4 Configuration file format
Each line of the configuration file has the format <TAG> <VALUE> where <TAG> is a keyword and <VALUE>
is a valid configuration value.
Entries may be continued across multiple lines by using a backslash ( \). White space (tabs, spaces, line-feeds/
carriage-returns) and blank lines in the file are ignored. Values that are strings containing white space must be
delimited with quotation marks (").
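A parser for the <TAG> <VALUE> line format just described, as an added Python example that is not code from this manual or from the gateway firmware. It handles backslash continuation, blank lines and double-quoted values containing white space, and then builds the usmUserTable from the usmUserEntry lines using the seven-field layout documented in the next section. The sample file content, the field names used for the dictionary and the check that a usmNoAuthProtocol user carries a dash as AuthKey are constructed here.

```python
import shlex

# Constructed snmpd.cnf fragment (a sample only, not a file shipped with the product).
SAMPLE_CNF = r"""
usmUserEntry localSnmpID myV3AuthNoPrivUser usmHMACMD5AuthProtocol \
    usmNoPrivProtocol nonVolatile whereValidRequestsOriginate \
    myV3UserAuthPassword

usmUserEntry localSnmpID myV3NoAuthNoPrivUser usmNoAuthProtocol usmNoPrivProtocol \
    nonVolatile whereValidRequestsOriginate -
sysLocation "Rack 7, Room B"
"""

# Field names are an assumption for readability; the order is the documented one.
USM_FIELDS = ("engine_id", "name", "auth_protocol", "priv_protocol",
              "storage_type", "target_tag", "auth_key")


def parse_snmpd_cnf(text):
    """Return a list of (TAG, [VALUE, ...]) pairs.

    A backslash at the end of a physical line continues the entry on the next
    line, blank lines are skipped, and a double-quoted value may contain
    white space (shlex.split handles the quoting)."""
    entries = []
    pending = []                      # physical lines of the current logical line
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = " ".join(pending).strip()
        pending = []
        if not logical:
            continue
        tokens = shlex.split(logical)
        entries.append((tokens[0], tokens[1:]))
    if pending:
        raise ValueError("file ends inside a backslash continuation")
    return entries


def usm_users(entries):
    """Build the usmUserTable: user name -> field dict, with '-' mapped to None."""
    table = {}
    for tag, values in entries:
        if tag != "usmUserEntry":
            continue
        if len(values) != len(USM_FIELDS):
            raise ValueError(f"usmUserEntry needs {len(USM_FIELDS)} fields, got {len(values)}")
        row = {k: (None if v == "-" else v) for k, v in zip(USM_FIELDS, values)}
        if row["auth_protocol"] == "usmNoAuthProtocol" and row["auth_key"] is not None:
            raise ValueError(f"{row['name']}: AuthKey must be '-' with usmNoAuthProtocol")
        table[row["name"]] = row
    return table
```

Running usm_users over the parsed sample yields one row per SNMPv3 user, which is what the agent consults when it must authenticate a request or sign a Trap for that user.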
1.6.1.5 Configuration for all SNMPv3 entities
1.6.1.5.1 Configuring SNMPv3 users
Configuration for at least one SNMPv3 user must be provided for an SNMP engine to send or receive SNMPv3
messages on behalf of certain SNMP applications.
To configure an SNMPv3 user, add a usmUserEntry definition in the snmpd.cnf file according to the following syntax:
usmUserEntry <usmUserEngineID> <usmUserName> <usmUserAuthProtocol> <usmUserPrivProtocol>
<usmUserStorageType> <usmTargetTag> <AuthKey>
usmUserEngineID
is an OctetString which is the authoritative SNMP engine’s administratively-unique identifier. For a detailed
explanation of snmpEngineID, refer to the next section.
For Get, GetNext, GetBulk, and Set requests, the SNMP entity containing the command responder
application is authoritative. Therefore, the value of the usmUserEngineID field of the usmUserEntry in
the agent’s configuration file will be localSnmpID.
For Trap messages, the SNMP entity containing the notification generator application is authoritative. Therefore, the value of the usmUserEngineID field of the usmUserEntry in the agent’s configuration file will be
localSnmpID.
usmUserName
is a human readable string representing the name of the user. This is the user-based security model dependent
security ID.
usmUserAuthProtocol
is an OBJECT IDENTIFIER that indicates whether messages sent on behalf of this user to or from the SNMP
engine identified by usmUserEngineID can be authenticated, and if so, the type of authentication protocol
which is used. The value of usmUserAuthProtocol can be usmNoAuthProtocol or
usmHMACMD5AuthProtocol.
usmUserPrivProtocol
is an OBJECT IDENTIFIER that indicates whether messages sent on behalf of this user to or from the SNMP
engine identified by usmUserEngineID can be protected from disclosure, and if so, the type of privacy protocol which is used. The value of usmUserPrivProtocol must be usmNoPrivProtocol.
usmUserStorageType
is nonVolatile, permanent, or readOnly.
usmTargetTag
is a human readable string that is used to select a set of entries in the snmpTargetAddrTable for source
address checking. If the SNMP entity should not perform source address checking, then this field should contain
a dash (-).
AuthKey
is an OctetString represented as a sequence of hexadecimal numbers separated by colons. Each octet is
within the range 0x00 through 0xFF. If usmUserAuthProtocol is usmNoAuthProtocol, this user does
not have an AuthKey, and this field should contain a dash (-).
This field can also be set to a human readable string representing the user’s authentication password; the password will be converted to a key at run time.
It is possible to define more than one SNMPv3 user. The list of all the SNMPv3 user entries is named usmUserTable.
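The run-time conversion of a password into an AuthKey, as an added Python example that is not part of this manual or of the product. The manual only says that the password is converted to a key at run time; the procedure shown is the MD5 password-to-key and engine-ID key-localization algorithm of RFC 3414 (appendix A.2.1), checked against that RFC's published test vector, and the colon-separated hex rendering matches the AuthKey field format described above. That the gateway applies exactly this procedure is an assumption; the engine ID used in the test is the RFC's example value, not a value from this page.

```python
import hashlib

# Engine ID from the RFC 3414 appendix A.3.1 example (not one of the gateway OIDs above).
RFC3414_EXAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key_md5(password, engine_id):
    """RFC 3414 appendix A.2.1, assumed here to be the run-time conversion:
    Ku  = MD5(password repeated to 1,048,576 bytes)
    Kul = MD5(Ku || engineID || Ku)          (localized to the authoritative engine)
    Returns (Ku, Kul) as 16-byte strings."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    ku = hashlib.md5(expanded).digest()
    kul = hashlib.md5(ku + engine_id + ku).digest()
    return ku, kul


def to_colon_hex(key):
    """Render a key the way the AuthKey field expects it: hex octets separated by colons."""
    return ":".join(f"{b:02x}" for b in key)


def from_colon_hex(field):
    """Parse an AuthKey field: '-' means no key, otherwise colon-separated octets
    each within 0x00 through 0xFF."""
    if field == "-":
        return None
    octets = []
    for token in field.split(":"):
        if not 1 <= len(token) <= 2:
            raise ValueError(f"bad octet {token!r} in AuthKey")
        octets.append(int(token, 16))
    return bytes(octets)
```

Because the localized key depends on the engine ID, the same password produces a different AuthKey for every agent; an entry copied between gateways with a pre-computed hex key would therefore fail authentication, while a password string in the field is localized on each unit.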
1.6.1.5.2 Breakdown of an snmpEngineID
An snmpEngineID is a globally unique identifier for an SNMP entity. All SNMPv3 entities must possess an
snmpEngineID. The snmpEngineID of an SNMP agent can be retrieved by sending a Get request to the
agent for the MIB object snmpEngineID.
The following snmpEngineID values are registered for Allied Telesis gateway models:

Model             OID
AT-RG613          1.3.6.1.4.1.207.1.17.1
AT-RG623          1.3.6.1.4.1.207.1.17.4
AT-RG613TXJ       1.3.6.1.4.1.207.1.17.5
AT-RG656          1.3.6.1.4.1.207.1.17.6
AT-RG613LH        1.3.6.1.4.1.207.1.17.7
AT-RG613SH        1.3.6.1.4.1.207.1.17.8
AT-RG623LH        1.3.6.1.4.1.207.1.17.9
AT-RG623SH        1.3.6.1.4.1.207.1.17.10
AT-RG613BD        1.3.6.1.4.1.207.1.17.11
AT-RG623BD        1.3.6.1.4.1.207.1.17.12
AT-RG624A         1.3.6.1.4.1.207.1.17.13
AT-RG624B         1.3.6.1.4.1.207.1.17.14
AT-RG634A         1.3.6.1.4.1.207.1.17.15
AT-RG634B         1.3.6.1.4.1.207.1.17.16
AT-RG656LH        1.3.6.1.4.1.207.1.17.17
AT-RG656SH        1.3.6.1.4.1.207.1.17.18
AT-RG656TX        1.3.6.1.4.1.207.1.17.19
AT-RG644A         1.3.6.1.4.1.207.1.17.20
AT-RG644B         1.3.6.1.4.1.207.1.17.21
AT-RG646BD        1.3.6.1.4.1.207.1.17.24
AT-RG632SA        1.3.6.1.4.1.207.1.17.25
AT-RG632SB        1.3.6.1.4.1.207.1.17.26
AT-RG613RF        1.3.6.1.4.1.207.1.17.30
AT-iMG606TX       1.3.6.1.4.1.207.1.17.31
AT-iMG606BD       1.3.6.1.4.1.207.1.17.32
AT-iMG606LH       1.3.6.1.4.1.207.1.17.33
AT-iMG606SH       1.3.6.1.4.1.207.1.17.34
AT-iMG646BD-ON    1.3.6.1.4.1.207.1.17.35
AT-iMG646PX-ON    1.3.6.1.4.1.207.1.17.36
AT-iMG616RF       1.3.6.1.4.1.207.1.17.38
AT-iMG616BD       1.3.6.1.4.1.207.1.17.39
AT-iMG616LH       1.3.6.1.4.1.207.1.17.40
AT-iMG616SH       1.3.6.1.4.1.207.1.17.41
AT-iMG624A        1.3.6.1.4.1.207.1.17.42
AT-iMG624B        1.3.6.1.4.1.207.1.17.43
AT-iMG634A        1.3.6.1.4.1.207.1.17.44
AT-iMG634B        1.3.6.1.4.1.207.1.17.45
AT-iMG634WA       1.3.6.1.4.1.207.1.17.46
AT-iMG634WB       1.3.6.1.4.1.207.1.17.47
AT-iMG664A        1.3.6.1.4.1.207.1.17.48
AT-iMG664B        1.3.6.1.4.1.207.1.17.49
AT-iMG664WA       1.3.6.1.4.1.207.1.17.50
AT-iMG664WB       1.3.6.1.4.1.207.1.17.51
AT-iMG616RF+      1.3.6.1.4.1.207.1.17.54
AT-iMG646MOD      1.3.6.1.4.1.207.1.17.55
AT-iMG616SRF      1.3.6.1.4.1.207.1.17.62
AT-iMG616SRF+     1.3.6.1.4.1.207.1.17.63
AT-iMG626MOD      1.3.6.1.4.1.207.1.17.64
AT-iBG915FX       1.3.6.1.4.1.207.1.17.65
AT-iMG624A-R2     1.3.6.1.4.1.207.1.17.66
AT-iMG624B-R2     1.3.6.1.4.1.207.1.17.67
AT-iMG634A-R2     1.3.6.1.4.1.207.1.17.68
AT-iMG634B-R2     1.3.6.1.4.1.207.1.17.69
AT-iMG634WA-R2    1.3.6.1.4.1.207.1.17.70
AT-iMG634WB-R2    1.3.6.1.4.1.207.1.17.71
AT-iMG616W        1.3.6.1.4.1.207.1.17.72
AT-iMG616CRF      1.3.6.1.4.1.207.1.17.73
AT-iMG616CRFW     1.3.6.1.4.1.207.1.17.74
AT-iMG616TX       1.3.6.1.4.1.207.1.17.75
AT-iMG616TXW      1.3.6.1.4.1.207.1.17.76
AT-iMG616LHW      1.3.6.1.4.1.207.1.17.77
AT-iMG616BD-R2    1.3.6.1.4.1.207.1.17.78
AT-iMG616LH-R2    1.3.6.1.4.1.207.1.17.79
AT-iMG606W        1.3.6.1.4.1.207.1.17.80
AT-iMG606CRF      1.3.6.1.4.1.207.1.17.81
AT-iMG606TX-R2    1.3.6.1.4.1.207.1.17.82
AT-iMG606TXW      1.3.6.1.4.1.207.1.17.83
AT-iMG606LHW      1.3.6.1.4.1.207.1.17.84
AT-iMG606BD-R2    1.3.6.1.4.1.207.1.17.85
AT-iMG606LH-R2    1.3.6.1.4.1.207.1.17.86
AT-iMG746MOD      1.3.6.1.4.1.207.1.17.72
AT-iMG726MOD      1.3.6.1.4.1.207.1.17.73
1.6.1.5.3 Configuring an agent to receive requests and send traps
This section describes how to configure SNMPv3 user information only. Additional configuration is required for
an SNMP agent to actually receive SNMP requests and send SNMP Traps.
When an SNMP agent receives an SNMPv3 request from an SNMP manager, the user sending the message must
be known to the agent’s SNMP engine. If the request is sent in a secure packet, the agent must use the user’s
security key to authenticate the message. For this operation, the keys must be pre-configured in the
snmpd.cnf configuration file.
When an SNMP agent sends an SNMPv3 Trap to an SNMP manager, the recipient user must be known to the
agent’s SNMP engine. If the Trap is sent in a secure packet, the agent must use the user’s security key to compute an authentication digest for the message. For this operation, the keys must be pre-configured in the
snmpd.cnf configuration file.
Note:
For each the following examples, the snmpEngineID for the agent is used (localSnmpID),
because the receiving SNMP engine is authoritative for the security of SNMP request messages, and the
sending SNMP engine is authoritative for the security of SNMP Trap messages.
1.6.1.5.4 Configuration for authentication
The following usmUserEntry configures an SNMP agent engine with information about an SNMPv3 user
whose name is “myV3AuthNoPrivUser”. This entry contains the user’s authentication password. An SNMP
request message from this user (originating from another SNMP entity) can be received if the message was sent
using no security or using MD5 authentication. The SNMP agent can send Trap messages to this user using no
security or using MD5 authentication.
usmUserEntry localSnmpID myV3AuthNoPrivUser usmHMACMD5AuthProtocol
usmNoPrivProtocol nonVolatile whereValidRequestsOriginate
myV3UserAuthPassword
1.6.1.5.5 Configuration for no authentication
The following usmUserEntry configures an SNMP agent engine with information about an SNMPv3 user
whose name is “myV3NoAuthNoPrivUser”. This user does not have an authentication password, so the last
field contains a dash (-). An SNMP request message from this user (originating from another SNMP entity) can
be received if the message was sent using no security.
The SNMP agent can send Trap messages to this user using no security.
usmUserEntry localSnmpID myV3NoAuthNoPrivUser usmNoAuthProtocol usmNoPrivProtocol nonVolatile whereValidRequestsOriginate -
1.6.2 Additional configuration for SNMPv3 agent entities
Certain SNMP applications (which are normally associated with an SNMP entity acting in the "agent” role)
require more information in addition to the information about SNMPv3 users.
1.6.2.1 Configuring view-based access control
Configuration of view-based access control must be provided for the SNMP engine to correctly process
SNMPv1, SNMPv2c, or SNMPv3 messages. Configuring view-based access control is a process that requires
three steps:
• Define a family of view subtrees.
• Define a group and its associated access rights.
• Assign an SNMPv3 user (or SNMPv1 community string, etc.) to the group defined in step 2.
The following sections describe each step of this process in more detail.
1.6.2.2 Defining families of view subtrees
To configure a view tree family, add a vacmViewTreeFamilyEntry definition in the snmpd.cnf file according to the following syntax:
vacmViewTreeFamilyEntry <vacmViewTreeFamilyViewName> <vacmViewTreeFamilySubtree> <vacmViewTreeFamilyMask> <vacmViewTreeFamilyType> <vacmViewTreeFamilyStorageType>
vacmViewTreeFamilyViewName
is a human readable string representing the name of this family of view subtrees.
vacmViewTreeFamilySubtree
is an OBJECT IDENTIFIER that identifies a subtree of the MIB; e.g. enterprises.207. This value and vacmViewTreeFamilyMask are used to determine if an OBJECT IDENTIFIER is in this family of view subtrees.
vacmViewTreeFamilyMask
is an OctetString represented as a sequence of hexadecimal numbers separated by colons. Each octet is
within the range 0x00 through 0xFF. A zero length OctetString is represented with a dash (-).
vacmViewTreeFamilyType
is included or excluded and indicates if the vacmViewTreeFamilySubtree is explicitly accessible or not
accessible in this family of view subtrees.
vacmViewTreeFamilyStorageType
is nonVolatile, permanent, or readOnly.
It is possible to define more than one vacmViewTreeFamilyEntry. The list of all the vacmViewTreeFamily entries is named
vacmViewTreeFamilyTable.
Example:
vacmViewTreeFamilyEntry All iso - included nonVolatile
defines a subtree for the view named “All” that includes the entire set of MIB objects (iso is the root node of
the MIB tree).
The vacmViewTreeFamilyMask field allows restriction of the MIB view at a finer granularity than that of
the vacmViewTreeFamilySubtree and vacmViewTreeFamilyType pair. For instance, a view can be
restricted to one row of a table (see the example below).
The value - causes the corresponding vacmViewTreeFamilyMask to be a NULL string, which in turn
allows all entries ‘below’ the vacmViewTreeFamilySubtree entry to be visible, unless cancelled by
another vacmViewTreeFamilyEntry.
The vacmViewTreeFamilyMask is built using octets that correspond to the OID being restricted. For
example, one may wish to restrict a user’s view of the ifTable to only the second row, all columns. The OID
for ifEntry.0.2 is:
1.3.6.1.2.1.2.2.1.0.2
The vacmViewTreeFamilyMask is a series of ones and zeros used for masking out parts of the tree. A
zero indicates a WILD CARD (i.e, matches anything), and a one indicates an exact match must be made. So:
OID                      1 . 3 . 6 . 1 . 2 . 1 . 2 . 2 . 1 . 0 . 2
vacmViewTreeFamilyMask   1   1   1   1   1   1   1   1   1   0   1
FIGURE 1-16 vacmViewTreeFamilyMask
would require an exact match on all fields except the table column (i.e., the 0 in ifEntry.0.2).
Using the above example, the bits of the vacmViewTreeFamilyMask would be grouped into bytes, and
then the right end padded with ones if necessary to fill out the last byte:
                   byte 1      byte 2
original mask      1111 1111   1 0 1
padded with 1's    1111 1111   1011 1111
hex value          ff          bf
FIGURE 1-17 vacmViewTreeFamilyMask (continued)
So the vacmViewTreeFamilyMask entry would be:
ff:bf
1.6.2.3 Defining groups and access rights
To configure a group and its associated access rights, add a vacmAccessEntry definition in the
snmpd.cnf file according to the following syntax:
vacmAccessEntry <vacmGroupName> <vacmAccessContextPrefix> <vacmAccessSecurityModel> <vacmAccessSecurityLevel> <vacmAccessContextMatch> <vacmAccessReadViewName> <vacmAccessWriteViewName> <vacmAccessNotifyViewName> <vacmAccessStorageType>
vacmGroupName
is a human readable string which is the groupname.
vacmAccessContextPrefix
is a human readable string which is an entire or partial context name used to match the context name in (or
derived from) a management request. A dash (-) represents the default context.
vacmAccessSecurityModel
is snmpv1 for SNMPv1, snmpv2c for SNMPv2c, or usm for SNMPv3.
vacmAccessSecurityLevel
is noAuthNoPriv for no authentication and no privacy, or authNoPriv for MD5 authentication with
no privacy.
vacmAccessContextMatch
is exact or prefix to indicate how the context of a request must match vacmAccessContextPrefix.
For example, if an authenticated management request is sent in context “AT-iMG646MOD”, and if the values of
vacmAccessContextPrefix and vacmAccessContextMatch are “AT-iMG646MOD” and “prefix”,
then the context name in (or derived from) the request is determined to be a correct match to the values in
this vacmAccessEntry.
vacmAccessReadViewName
is a vacmViewTreeFamilyViewName (defined by at least one vacmViewTreeFamilyEntry) identifying the view subtrees accessible for Get, GetNext, and GetBulk requests.
vacmAccessWriteViewName
is a vacmViewTreeFamilyViewName (defined by at least one vacmViewTreeFamilyEntry) identifying the view subtrees accessible for Set requests.
vacmAccessNotifyViewName
is a vacmViewTreeFamilyViewName (defined by at least one vacmViewTreeFamilyEntry) identifying the view subtrees from which objects may be included as VarBinds in Trap messages and Inform requests.
vacmAccessStorageType
is nonVolatile, permanent, or readOnly.
1.6.2.4 Assigning principals to groups
A PRINCIPAL is a generic term that refers to an SNMPv3 user or an SNMPv2c or SNMPv1 community string (see
RFC2571).
To assign a principal to a group, add one or more vacmSecurityToGroupEntry definitions in the
snmpd.cnf file according to the following syntax:
vacmSecurityToGroupEntry <vacmSecurityModel> <vacmSecurityName> <vacmGroupName> <vacmSecurityToGroupStorageType>
vacmSecurityModel
is snmpv1 for SNMPv1, snmpv2c for SNMPv2c, or usm for SNMPv3.
vacmSecurityName
is a human readable string which is the principal.
vacmGroupName
is a human readable string which is the groupname. The groupname must be defined by at least one vacmAccessEntry.
vacmSecurityToGroupStorageType
is nonVolatile, permanent, or readOnly.
It is possible to define more than one vacmSecurityToGroupEntry. The list of all the vacmSecurityToGroupEntry entries is named vacmSecurityToGroupTable.
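As an added example (not part of this manual and not code from the Allied Telesis agent), the following Python script models the lookup chain that the three tables above define: a principal is mapped to a group by vacmSecurityToGroupEntry, the group's vacmAccessEntry selects a read, write or notify view, and the view's vacmViewTreeFamilyEntry subtrees and masks decide whether an OID is visible. The snmpd.cnf lines it parses are constructed for the example; the mask helpers reproduce the ff:bf computation shown above, and the selection rules follow RFC 3415 with the tie-break between several matching access entries simplified to "exact context match first, then highest security level".

```python
"""Toy evaluator for the SNMPv3 VACM lookup over snmpd.cnf-style entries.
Added example; not Allied Telesis code. The configuration below is constructed."""
from typing import Dict, List, Optional, Tuple

SAMPLE_CNF = """
vacmViewTreeFamilyEntry All iso - included nonVolatile
vacmViewTreeFamilyEntry ifRow2 1.3.6.1.2.1.2.2.1.0.2 ff:bf included nonVolatile
vacmAccessEntry rowGroup - usm authNoPriv exact ifRow2 - - nonVolatile
vacmAccessEntry fullGroup - usm noAuthNoPriv exact All All All nonVolatile
vacmSecurityToGroupEntry usm rowUser rowGroup nonVolatile
vacmSecurityToGroupEntry usm adminUser fullGroup nonVolatile
"""

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}
NAMES = {"iso": "1"}  # the only symbolic OID this toy resolves (the manual calls iso the root)
OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    return tuple(int(x) for x in NAMES.get(text, text).split("."))


def parse_mask(text: str) -> List[int]:
    """'ff:bf' -> list of bits, most significant bit first; '-' -> empty list."""
    if text == "-":
        return []
    bits: List[int] = []
    for octet in text.split(":"):
        bits.extend(int(b) for b in format(int(octet, 16), "08b"))
    return bits


def build_mask(bits: List[int]) -> str:
    """Inverse of parse_mask: pad the last octet with ones, emit colon-separated hex."""
    padded = bits + [1] * (-len(bits) % 8)
    octets = []
    for i in range(0, len(padded), 8):
        value = 0
        for b in padded[i:i + 8]:
            value = (value << 1) | b
        octets.append("%02x" % value)
    return ":".join(octets)


def in_family(oid: OID, subtree: OID, mask: List[int]) -> bool:
    """oid is in the family if every subtree sub-identifier whose mask bit is 1
    (bits beyond the mask length count as 1) equals the same position in oid."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        bit = mask[i] if i < len(mask) else 1
        if bit and oid[i] != sub:
            return False
    return True


def parse_cnf(text: str) -> Dict:
    cfg: Dict = {"views": [], "access": [], "s2g": {}}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "vacmViewTreeFamilyEntry":
            cfg["views"].append((f[1], parse_oid(f[2]), parse_mask(f[3]), f[4]))
        elif f[0] == "vacmAccessEntry":
            cfg["access"].append({"group": f[1], "prefix": "" if f[2] == "-" else f[2],
                                  "model": f[3], "level": f[4], "match": f[5],
                                  "read": f[6], "write": f[7], "notify": f[8]})
        elif f[0] == "vacmSecurityToGroupEntry":
            cfg["s2g"][(f[1], f[2])] = f[3]
    return cfg


def view_contains(cfg: Dict, view: str, oid: OID) -> bool:
    """The longest matching family of the view decides, via its included/excluded type."""
    best: Optional[Tuple[OID, str]] = None
    for name, subtree, mask, ftype in cfg["views"]:
        if name == view and in_family(oid, subtree, mask):
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, ftype)
    return best is not None and best[1] == "included"


def is_access_allowed(cfg: Dict, model: str, sec_name: str, level: str,
                      context: str, op: str, oid: OID) -> bool:
    group = cfg["s2g"].get((model, sec_name))
    if group is None:
        return False  # principal is not assigned to any group
    matches = [a for a in cfg["access"]
               if a["group"] == group and a["model"] == model
               and LEVELS[level] >= LEVELS[a["level"]]  # entry level is the minimum required
               and (context == a["prefix"] if a["match"] == "exact"
                    else context.startswith(a["prefix"]))]
    if not matches:
        return False
    # simplified preference: exact context match first, then the highest security level
    best = max(matches, key=lambda a: (a["match"] == "exact", LEVELS[a["level"]]))
    view = best[op]  # op is "read", "write" or "notify"
    return view != "-" and view_contains(cfg, view, oid)
```

With this configuration rowUser can read ifDescr.2 but not ifDescr.3 (the mask leaves the column wild and pins the row), cannot write at all because the write view is a dash, and is refused when the request arrives at noAuthNoPriv because the access entry requires authNoPriv.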
1.6.3 Configuring notifications
The SNMP agent is designed to support SNMPv1, SNMPv2c, or SNMPv3 Traps. To send Traps, it is necessary to perform some basic SNMP engine configuration as defined in the following sections.
Configuring notifications is a process that requires four steps:
• Define a notification.
• Define a set of network addresses to which a notification should be sent.
• Define parameters to use when sending notifications to each of the target addresses identified in step 2.
• Optionally, define notification filters to reduce the number of traps sent to the target addresses.
The following sections describe each step of this process in more detail.
1.6.3.1 Defining notifications
To configure a notification, add an snmpNotifyEntry definition in the snmpd.cnf file according to the following syntax:
snmpNotifyEntry <snmpNotifyName> <snmpNotifyTag> <snmpNotifyType> <snmpNotifyStorageType>
snmpNotifyName
is a human readable string representing the name of this notification.
snmpNotifyTag
is a human readable string that is used to select a set of entries in the snmpTargetAddrTable.
snmpNotifyType
is 1 (trap) or 2 (inform).
snmpNotifyStorageType
is nonVolatile, permanent or readOnly.
It is possible to define more than one notification. The list of all the notification entries is named snmpNotifyTable.
Example:
snmpNotifyEntry myFirstNotify myFirstNotifyTag 1 nonVolatile
snmpNotifyEntry mySecondNotify mySecondNotifyTag 1 nonVolatile
1.6.3.2 Defining target addresses
To configure a target address (to which a notification should be sent), add one or more snmpTargetAddrEntry definitions in the snmpd.cnf file according to the following syntax:
snmpTargetAddrEntry <snmpTargetAddrName> <snmpTargetAddrTDomain> <snmpTargetAddrTAddress> <snmpTargetAddrTimeout> <snmpTargetAddrRetryCount> <snmpTargetAddrTagList> <snmpTargetAddrParams> <snmpTargetAddrStorageType> <snmpTargetAddrTMask> <snmpTargetAddrMMS>
snmpTargetAddrName
is a human readable string representing the name of this target.
snmpTargetAddrTDomain
is an OID which indicates the network type (UDP/IP, IPX, etc.). For the UDP/IP transport type, the OID value (in
dotted format) is 1.3.6.1.6.1.1 or, equivalently (by English name), snmpUDPDomain.
snmpTargetAddrTAddress
is a valid address in the snmpTargetAddrTDomain. For snmpTargetAddrTDomain equal to snmpUDPDomain, a valid address would be 192.147.142.35:0, where the value after the colon is the UDP port
number. This address is used as the destination address for outgoing notifications.
Note:
If the port number is specified as zero, the actual destination port used for the outgoing notification
message is set to the default, 162.
snmpTargetAddrTimeout
is an integer which identifies the expected maximum round-trip time (in hundredths of seconds) for communicating with the snmpTargetAddrTAddress.
When an Inform is sent to this address, and a response is not received within this time period, the SNMP entity
will assume that the response will not be delivered. The default value of 1500 (15 seconds) is suggested by
RFC2573. If the outgoing message type is not Inform then this field is ignored.
snmpTargetAddrRetryCount
is an integer which identifies the number of times the SNMP entity will attempt to retransmit an Inform when a
response is not received. The default value of 3 is suggested by RFC2573. If the outgoing message type is not
Inform, then this field is ignored.
snmpTargetAddrTagList
is a quoted string containing one or more (space-separated) tags. These tags correspond to the value of snmpNotifyTag in the snmpNotifyTable. A notification defined in the snmpNotifyTable will be sent to
the address specified in snmpTargetAddrTDomain if the notification’s snmpNotifyTag appears in this
list of tags.
snmpTargetAddrParams
is a human readable string that is used to select a set of entries in the snmpTargetParamsTable.
snmpTargetAddrStorageType
is nonVolatile, permanent, or readOnly.
snmpTargetAddrTMask
is a bit field mask for the snmpTargetAddrTAddress and appears in the snmpd.cnf file in the same format as the snmpTargetAddrTAddress. For notifications, the value must be 255.255.255.255:0 to indicate
that the Trap or Inform message will be sent to a specific address.
Note:
SNMP does not allow for the broadcasting of notifications. However, a notification may be sent to more
than one specific address by configuring more than one snmpTargetAddrEntry with the same tag(s) in
the snmpTargetAddrTagList field.
snmpTargetAddrMMS
is an integer which is the maximum message size (in bytes) that can be transmitted between the local host and
the host with address snmpTargetAddrTAddress without risk of fragmentation. The default value is 2048.
1.6.3.3 Defining target parameters
To configure parameters to be used when sending notifications, add one or more snmpTargetParamsEntry definitions in the snmpd.cnf file according to the following syntax:
snmpTargetParamsEntry <snmpTargetParamsName> <snmpTargetParamsMPModel> <snmpTargetParamsSecurityModel> <snmpTargetParamsSecurityName> <snmpTargetParamsSecurityLevel> <snmpTargetParamsStorageType>
snmpTargetParamsName
is a human readable string representing the name of this parameter.
snmpTargetParamsMPModel
is 0 for SNMPv1, 1 for SNMPv2c, or 3 for SNMPv3. The value of this field together with the value of
snmpTargetParamsSecurityModel indicates which type of notification should be sent.
snmpTargetParamsSecurityModel
is snmpv1 for SNMPv1, snmpv2c for SNMPv2c, or usm for SNMPv3. The value of this field together with
the value of snmpTargetParamsMPModel indicates which type of notification should be sent.
snmpTargetParamsSecurityName
is a human readable string which is the principal (an SNMPv3 user, or an SNMPv2c or SNMPv1 community
string) to be used in the notification.
snmpTargetParamsSecurityLevel
identifies the security level of the notification to send. When an SNMPv1 or SNMPv2c notification is configured, the only valid value is noAuthNoPriv. When an SNMPv3 notification is configured, the value of this
field is noAuthNoPriv for no authentication and no privacy, or authNoPriv for authentication without
privacy.
snmpTargetParamsStorageType
is nonVolatile, permanent or readOnly.
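Added example (not from this manual and not code from the Allied Telesis agent): a Python script that reads snmpNotifyEntry, snmpTargetAddrEntry and snmpTargetParamsEntry lines in the syntax described in this section and lists, for one notification, which destinations receive it and with which protocol version, principal and security level. It applies the conventions stated above: a port of 0 means the default 162, the timeout and retry count matter only for Inform, and SNMPv1/SNMPv2c parameter sets must be noAuthNoPriv. The configuration lines are constructed; the script accepts both the numeric snmpNotifyType values of the syntax and the trap/inform keywords used in the examples later in this chapter.

```python
"""Resolve the destinations of a configured notification by joining the
snmpNotifyTable, snmpTargetAddrTable and snmpTargetParamsTable by tag and name.
Added example; not Allied Telesis code. The configuration below is constructed."""
import shlex
from typing import Dict, List

SAMPLE_CNF = """
snmpNotifyEntry myTrap whereMyNotificationsGo 1 nonVolatile
snmpNotifyEntry myInform whereMyInformsGo 2 nonVolatile
snmpTargetAddrEntry mgrA snmpUDPDomain 192.147.142.35:0 100 3 whereMyNotificationsGo v3Params nonVolatile 255.255.255.255:0 2048
snmpTargetAddrEntry mgrB snmpUDPDomain 192.147.142.111:1162 1500 3 "whereMyNotificationsGo whereMyInformsGo" v2cParams nonVolatile 255.255.255.255:0 2048
snmpTargetAddrEntry mgrC snmpUDPDomain 10.0.0.9:0 100 3 otherTag v2cParams nonVolatile 255.255.255.255:0 2048
snmpTargetParamsEntry v3Params 3 usm myV3AuthNoPrivUser authNoPriv nonVolatile
snmpTargetParamsEntry v2cParams 1 snmpv2c targetV2cCommunity noAuthNoPriv nonVolatile
snmpTargetParamsEntry badParams 1 snmpv2c targetV2cCommunity authNoPriv nonVolatile
"""

MP_MODEL = {"0": "SNMPv1", "1": "SNMPv2c", "3": "SNMPv3"}
NOTIFY_TYPE = {"1": "trap", "trap": "trap", "2": "inform", "inform": "inform"}
DEFAULT_NOTIFY_PORT = 162  # used when the port after the colon is 0


def parse_cnf(text: str) -> Dict:
    cfg: Dict = {"notify": {}, "targets": [], "params": {}}
    for line in text.splitlines():
        f = shlex.split(line)  # keeps a quoted, space-separated tag list as one field
        if not f:
            continue
        if f[0] == "snmpNotifyEntry":
            cfg["notify"][f[1]] = {"tag": f[2], "type": NOTIFY_TYPE[f[3]]}
        elif f[0] == "snmpTargetAddrEntry":
            host, port = f[3].rsplit(":", 1)
            cfg["targets"].append({"name": f[1], "host": host,
                                   "port": int(port) or DEFAULT_NOTIFY_PORT,
                                   "timeout": int(f[4]), "retries": int(f[5]),
                                   "tags": f[6].split(), "params": f[7]})
        elif f[0] == "snmpTargetParamsEntry":
            cfg["params"][f[1]] = {"version": MP_MODEL[f[2]], "model": f[3],
                                   "security_name": f[4], "level": f[5]}
    return cfg


def check_params(cfg: Dict) -> List[str]:
    """Flag parameter sets the manual rules out: v1/v2c notifications must be noAuthNoPriv."""
    problems = []
    for name, p in cfg["params"].items():
        if p["version"] != "SNMPv3" and p["level"] != "noAuthNoPriv":
            problems.append(f"{name}: {p['version']} notifications must use noAuthNoPriv")
    return problems


def resolve_targets(cfg: Dict, notify_name: str) -> List[Dict]:
    """One destination per snmpTargetAddrEntry whose tag list contains the
    notification's snmpNotifyTag, joined with the named snmpTargetParamsEntry."""
    n = cfg["notify"][notify_name]
    out = []
    for t in cfg["targets"]:
        if n["tag"] not in t["tags"]:
            continue
        p = cfg["params"][t["params"]]
        dest = {"target": t["name"], "host": t["host"], "port": t["port"],
                "type": n["type"], "version": p["version"],
                "security_name": p["security_name"], "level": p["level"]}
        if n["type"] == "inform":  # timeout and retries are only meaningful for Inform
            dest["timeout_cs"] = t["timeout"]
            dest["retries"] = t["retries"]
        out.append(dest)
    return out
```

For the constructed configuration, myTrap reaches mgrA (SNMPv3, authNoPriv, port 162 by default) and mgrB (SNMPv2c, port 1162) but not mgrC, whose tag list does not contain whereMyNotificationsGo; check_params reports badParams, which asks for authNoPriv on an SNMPv2c notification.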
1.6.4 Configuring notification filters
After the SNMP entity has been properly configured to send notifications, the SNMP engine will dutifully send
SNMPv1, SNMPv2c, and SNMPv3 notification messages on behalf of the notification generator application.
Depending upon the nature of the specific notification generator application, this may result in the sending of
few or many notifications.
A well-designed notification generator application will send enough notifications to be useful to a notification
receiver application, but not so many that it produces “noise”.
The SNMPv3 administration framework allows an SNMP entity which contains both a notification receiver application and a command generator application to “turn down the noise” by filtering notifications at the source.
In the SNMP entity containing the notification originator, there are two MIB tables which control notification filtering: the snmpNotifyFilterProfileTable and the snmpNotifyFilterTable. By sending SNMP
Set requests to create new rows in these tables, the SNMP entity with the notification receiver application can
specify what kinds of notifications should not be sent to it.
This section describes the snmpNotifyFilterProfileTable and the snmpNotifyFilterTable in
terms of the corresponding entries in the snmpd.cnf file. Using this information, some notification filters can
be pre-configured before the AGENT entity is launched.
Configuring a notification filter is a process that requires two steps:
• Create a notification filter.
• Associate the notification filter with one or more notification parameters.
1.6.4.1 Creating a notification filter
To create a notification filter, add one or more snmpNotifyFilterEntry definitions in the snmpd.cnf file
according to the following syntax:
snmpNotifyFilterEntry <snmpNotifyFilterProfileName> <snmpNotifyFilterSubtree> <snmpNotifyFilterMask> <snmpNotifyFilterType> <snmpNotifyFilterStorageType>
snmpNotifyFilterProfileName
is a human readable string representing the name of this notification filter.
snmpNotifyFilterSubtree
is an OID which specifies the MIB sub-tree containing notifications objects to be filtered. The value of this OID
may be specified in dotted-decimal format or by the English name.
snmpNotifyFilterMask
modifies the set of notifications and objects identified by snmpNotifyFilterSubtree (a detailed explanation follows). This object is an OctetString represented as a sequence of hexadecimal numbers separated by
colons. Each octet is within the range 0x00 through 0xff. A zero-length OctetString is represented with a
dash (-).
snmpNotifyFilterType
is included or excluded. This object indicates whether the family of filter sub-trees defined by this entry are
included in or excluded from a filter.
snmpNotifyFilterStorageType
is nonVolatile, permanent, or readOnly.
The snmpNotifyFilterMask field allows filtering of the MIB view at a finer granularity than that of the
snmpNotifyFilterSubtree and snmpNotifyFilterType pair alone. For instance, a filter can be
made to apply to one row of a table only (see the example below).
The value ‘-’ causes the corresponding snmpNotifyFilterMask to be a NULL string, which in turn allows all
objects ‘below’ the snmpNotifyFilterSubtree entry to be filtered.
The snmpNotifyFilterMask is built using octets that correspond to the OID being filtered.
For example, one may wish to restrict a filter of the ifTable to only the second row, all columns. The OID
for ifEntry.0.2 is: 1.3.6.1.2.1.2.2.1.0.2
The snmpNotifyFilterMask is a series of ones and zeros used for masking out parts of the filter.
A zero indicates a WILD CARD (i.e. matches anything), and a one indicates an exact match must be made. So:
OID                     1 . 3 . 6 . 1 . 2 . 1 . 2 . 2 . 1 . 0 . 2
snmpNotifyFilterMask    1   1   1   1   1   1   1   1   1   0   1
FIGURE 1-18 snmpNotifyFilterMask
would require an exact match on all fields except the table column (i.e. the 0 in ifEntry.0.2).
Using the above example, the bits of the snmpNotifyFilterMask would be grouped into bytes, and then
the right end padded with ones if necessary to fill out the last byte:
                   byte 1      byte 2
original mask      1111 1111   1 0 1
padded with 1's    1111 1111   1011 1111
hex value          ff          bf
FIGURE 1-19 snmpNotifyFilterMask (continued)
So the snmpNotifyFilterMask entry would be:
ff:bf
With this value for snmpNotifyFilterMask and all other appropriate entries in the configuration file, a
notification containing values from any of the following ifTable objects would match the filter and would not
be sent:
ifIndex.2
ifDescr.2
ifType.2
ifMtu.2
ifSpeed.2
ifPhysAddress.2
ifAdminStatus.2
ifOperStatus.2
ifLastChange.2
ifInUcastPkts.2
ifInErrors.2
ifOutUcastPkts.2
ifOutErrors.2
ifOutQLen.2
ifSpecific.2
1.6.4.2 Associating a filter with a notification parameter
To associate a notification filter with a notification parameter, add one or more snmpNotifyFilterProfileEntry definitions in the
snmpd.cnf file according to the following syntax:
snmpNotifyFilterProfileEntry <snmpTargetParamsName> <snmpNotifyFilterProfileName> <snmpNotifyFilterProfileStorageType>
snmpTargetParamsName
is a snmpTargetParamsName defined in the snmpTargetParamsTable.
snmpNotifyFilterProfileName
is a snmpNotifyFilterProfileName defined in the snmpNotifyFilterTable.
snmpNotifyFilterProfileStorageType
is nonVolatile, permanent, or readOnly.
1.6.5 Configuring source address checking
A feature of SNMP Research software allows the SNMP engine to perform additional authentication of an
incoming SNMPv1, SNMPv2c, or SNMPv3 message by checking the source address of the message.
To configure a source address (from which a message will be received), add one or more snmpTargetAddrEntry definitions in the snmpd.cnf file according to the following syntax:
snmpTargetAddrEntry <snmpTargetAddrName> <snmpTargetAddrTDomain> <snmpTargetAddrTAddress> <snmpTargetAddrTimeout> <snmpTargetAddrRetryCount> <snmpTargetAddrTagList> <snmpTargetAddrParams> <snmpTargetAddrStorageType> <snmpTargetAddrTMask> <snmpTargetAddrMMS>
snmpTargetAddrName
is a human readable string representing the name of this target.
snmpTargetAddrTDomain
is an OID which indicates the network type (UDP/IP, IPX, etc.). For UDP/IP transport type, the OID value (in
dotted format) is 1.3.6.1.6.1.1 or equivalent (in English name) snmpUDPDomain.
snmpTargetAddrTAddress
is a valid address in the snmpTargetAddrTDomain. For example, if the snmpTargetAddrTDomain is
snmpUDPDomain, a valid address would be 192.147.142.35:0. This address is compared to the source
address of an incoming message to determine if the message should be received or rejected. The scope of this
comparison is controlled by the value of snmpTargetAddrTMask (see below).
snmpTargetAddrTimeout
is an integer which must be present but is ignored by the SNMP engine. This field should be set to zero.
snmpTargetAddrRetryCount
is an integer which must be present but is ignored by the SNMP engine. This field should be set to zero.
snmpTargetAddrTagList
is a quoted string containing one or more (space-separated) tags. These tags correspond to the value of
usmTargetTag in the usmUserTable and to the value of snmpCommunityTransportTag in the
snmpCommunityTable.
An incoming SNMPv1 or SNMPv2c message will not be rejected if:
• The community string in the incoming message matches a configured snmpCommunityName, and
• The snmpCommunityEntry has a snmpCommunityTransportTag with one or more corresponding tag(s) in the snmpTargetAddrTable, and
• The source address of the incoming message is validated by the snmpTargetAddrTAddress (masked by
snmpTargetAddrTMask) of a corresponding snmpTargetAddrEntry.
An incoming SNMPv3 message will not be rejected if:
• The user identified by the incoming message matches a configured usmUserName, and
• The usmUserEntry has a usmTargetTag with one or more corresponding tag(s) in the snmpTargetAddrTable, and
• The source address of the incoming message is validated by the snmpTargetAddrTAddress (masked by snmpTargetAddrTMask) of a corresponding snmpTargetAddrEntry.
snmpTargetAddrParams
is a human readable string which must be present but is ignored by the SNMP engine. This field should be set to
a dash (-).
snmpTargetAddrStorageType
is nonVolatile, permanent, or readOnly.
snmpTargetAddrTMask
is a bit field mask for the snmpTargetAddrTAddress and appears in the snmpd.cnf file in the same format as the snmpTargetAddrTAddress. For example, if snmpTargetAddrTDomain is
‘snmpUDPDomain’, a valid mask would be 255.255.255.0:0. This mask is used in conjunction with the
snmpTargetAddrTAddress to determine if an incoming request has arrived from an authorized address.
Note:
The value trailing the colon should ALWAYS be zero.
The value of snmpTargetAddrTMask identifies which bits of the source address should be compared to the
value of snmpTargetAddrTAddress. A bit value of ‘1’ in the mask means that the corresponding bit in the
source address should be compared to the corresponding bit in the value of snmpTargetAddrTAddress. A
bit value of ‘0’ in the mask means that the corresponding bit in the source address is a “don’t care” case in the comparison.
snmpTargetAddrMMS
is an integer which is the maximum message size (in bytes) that can be transmitted between the local host and
the host with address snmpTargetAddrTAddress without risk of fragmentation. The default value is 2048.
1.6.5.1 Matching exactly one source address
If snmpTargetAddrTMask is 255.255.255.255:0, then all bits have ‘1’ as value:
           byte 1      byte 2      byte 3      byte 4
decimal    255         255         255         255
binary     1111 1111   1111 1111   1111 1111   1111 1111
FIGURE 1-20 snmpTargetAddrTMask
This indicates that the source address must exactly match the value of snmpTargetAddrTAddress, or the
incoming SNMP request will be rejected.
1.6.5.2 Matching any source address
If snmpTargetAddrTMask is 0.0.0.0:0, then all bits have ‘0’ as value:
           byte 1      byte 2      byte 3      byte 4
decimal    0           0           0           0
binary     0000 0000   0000 0000   0000 0000   0000 0000
FIGURE 1-21 snmpTargetAddrTMask (continued)
This indicates that none of the bits of the source address will be compared to the value of snmpTargetAddrTAddress, and consequently, an incoming SNMP request will not be rejected based on its source address.
1.6.5.3 Matching a source address in a subnet
If the high-order bits of snmpTargetAddrTMask are set to ‘1’ and the low-order bits are set to ‘0’, the
mask can be used to reject an SNMP request that does not come from a particular subnet. For example, if
snmpTargetAddrTMask is 255.255.255.128:0, then only the most significant 25 bits of the source
address must match the most significant 25 bits of the value of snmpTargetAddrTAddress.
           byte 1      byte 2      byte 3      byte 4
decimal    255         255         255         128
binary     1111 1111   1111 1111   1111 1111   1000 0000
FIGURE 1-22 snmpTargetAddrTMask (continued)
Consider the case where the value of snmpTargetAddrTAddress is 192.147.142.35:
           byte 1      byte 2      byte 3      byte 4
decimal    192         147         142         35
binary     1100 0000   1001 0011   1000 1110   0010 0011
FIGURE 1-23 snmpTargetAddrTMask (continued)
In order not to be rejected, the source address of an incoming SNMP request must begin with 192.147.142.
In the fourth byte, only the first bit will be compared to the same bit of the value of snmpTargetAddrTAddress. The remaining bits are “don’t care” cases (shown in Figure 1-24).
                                    byte 4
snmpTargetAddrTMask (binary)        1000 0000
snmpTargetAddrTAddress (binary)     0010 0011
source address of SNMP request      0??? ????
FIGURE 1-24 snmpTargetAddrTMask (continued)
Therefore, to not be rejected, the source address of an incoming SNMP request must be 192.147.142.xxx
where ‘xxx’ is a value between 0 (expressed as ‘00000000’ in binary) and 127 (expressed as ‘01111111’ in
binary).
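Added example, not part of this manual and not code from the agent software: a Python script that performs the masked comparison illustrated in Figures 1-20 to 1-24 and then applies the three acceptance conditions section 1.6.5 lists for SNMPv1/SNMPv2c messages (community string matches an snmpCommunityEntry, its snmpCommunityTransportTag selects snmpTargetAddrEntry lines by tag, and the source address matches snmpTargetAddrTAddress under snmpTargetAddrTMask). The snmpd.cnf lines are constructed, and the snmpCommunityEntry field order assumed is the one given in section 1.6.9.1.

```python
"""Source address checking for incoming SNMPv1/v2c messages over snmpd.cnf-style entries.
Added example; not Allied Telesis code. The configuration below is constructed."""
import ipaddress
import shlex
from typing import Dict, Tuple

SAMPLE_CNF = """
snmpCommunityEntry 61 targetV1Community targetV1Community localSnmpID - whereValidRequestsOriginate nonVolatile
snmpCommunityEntry 62 openCommunity openCommunity localSnmpID - - nonVolatile
snmpTargetAddrEntry mgrSubnet snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.128:0 2048
snmpTargetAddrEntry mgrExact snmpUDPDomain 10.1.2.3:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
"""


def split_taddress(text: str) -> Tuple[int, int]:
    """'192.147.142.35:0' -> (address as a 32-bit int, port)."""
    host, port = text.rsplit(":", 1)
    return int(ipaddress.IPv4Address(host)), int(port)


def source_matches(source: str, taddress: str, tmask: str) -> bool:
    """Compare only the address bits where the mask bit is 1; a 0 bit is 'don't care'."""
    addr, _ = split_taddress(taddress)
    mask, mask_port = split_taddress(tmask)
    if mask_port != 0:  # the manual: the value after the colon must always be zero
        raise ValueError("the port part of snmpTargetAddrTMask must be zero")
    src = int(ipaddress.IPv4Address(source))
    return (src & mask) == (addr & mask)


def parse_cnf(text: str) -> Dict:
    cfg: Dict = {"communities": {}, "targets": []}
    for line in text.splitlines():
        f = shlex.split(line)  # keeps a quoted, space-separated tag list as one field
        if not f:
            continue
        if f[0] == "snmpCommunityEntry":
            # index, name, securityName, contextEngineID, contextName, transportTag, storageType
            cfg["communities"][f[2]] = {"security_name": f[3], "transport_tag": f[6]}
        elif f[0] == "snmpTargetAddrEntry":
            cfg["targets"].append({"name": f[1], "taddress": f[3],
                                   "tags": f[6].split(), "tmask": f[9]})
    return cfg


def accept_v1v2c(cfg: Dict, community: str, source: str) -> bool:
    """Apply the three conditions listed in section 1.6.5 for SNMPv1/v2c messages."""
    entry = cfg["communities"].get(community)
    if entry is None:
        return False  # community string is not configured
    tag = entry["transport_tag"]
    if tag == "-":
        return True  # a dash disables source address checking for this community
    return any(tag in t["tags"] and source_matches(source, t["taddress"], t["tmask"])
               for t in cfg["targets"])
```

With the 255.255.255.128:0 mask, 192.147.142.127 is accepted and 192.147.142.128 is rejected, exactly the 0 to 127 range derived in Figure 1-24; openCommunity has a dash as its transport tag, so it is accepted from any address, which is the setting to avoid on a device reachable from an untrusted network.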
1.6.6 Examples
This section contains examples of SNMP configuration for SNMP agent entities.
1.6.6.1 noAuthNoPriv SNMPv3 users
To authorize the receipt of SNMPv3 noAuthNoPriv Get and Set requests (see note 4 below) from the user
“myV3NoAuthNoPrivUser” from exactly one manager station (one IP address), add the following lines to
the snmpd.cnf configuration file together with the usmUserEntry for the user
“myV3NoAuthNoPrivUser”.
vacmAccessEntry myV3NoAuthNoPrivGroup - usm noAuthNoPriv exact All All - nonVolatile
vacmSecurityToGroupEntry usm myV3NoAuthNoPrivUser myV3NoAuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpTargetAddrEntry myV3Manager_allRequests snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
To relax the agent configuration so that this user can access the MIB objects from additional hosts, change the
snmpTargetAddrTMask to perform wildcard matching of the source address of the incoming request message.
To relax the agent configuration so that this user can access the MIB objects from any host, change
“whereValidRequestsOriginate” in the usmUserEntry to a dash (-).
usmUserEntry localSnmpID myV3NoAuthNoPrivUser usmNoAuthProtocol usmNoPrivProtocol nonVolatile - -
4. To authorize Get requests without authorizing Set requests, the fields “All All -” in the vacmAccessEntry should be
changed to “All - -”.
To authorize the sending of SNMPv3 noAuthNoPriv Trap messages to a user at exactly one SNMP manager station (one IP address), add the following lines to the snmpd.cnf configuration file together with the
usmUserEntry for the user “myV3NoAuthNoPrivUser”.
vacmAccessEntry myV3NoAuthNoPrivGroup - usm noAuthNoPriv exact - - All nonVolatile
vacmSecurityToGroupEntry usm myV3NoAuthNoPrivUser myV3NoAuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpNotifyEntry myTrap whereMyNotificationsGo trap nonVolatile
snmpTargetAddrEntry myV3Manager_noAuthNoPrivNotifications snmpUDPDomain 192.147.142.35:0 100 3 whereMyNotificationsGo myV3NoAuthNoPrivParams nonVolatile 1.2.3.4:0 2048
snmpTargetParamsEntry myV3NoAuthNoPrivParams 3 usm myV3NoAuthNoPrivUser noAuthNoPriv nonVolatile
To configure additional Trap destinations (additional IP addresses where the user is authorized to operate a
management station), add additional snmpTargetAddrEntry entries to the snmpd.cnf configuration file.
For example, to authorize 192.147.142.111 as an additional Trap destination, add the following line to the
snmpd.cnf configuration file.
snmpTargetAddrEntry anotherV3Manager_noAuthNoPrivNotifications snmpUDPDomain 192.147.142.111:0 100 3 whereMyNotificationsGo myV3NoAuthNoPrivParams nonVolatile 1.2.3.4:0 2048
1.6.7 authNoPriv SNMPv3 users
To authorize the receipt of SNMPv3 authNoPriv Get and Set requests (see note 5 below) from the user
“myV3AuthNoPrivUser” from exactly one manager station (one IP address), add the following lines to the
snmpd.cnf configuration file together with the usmUserEntry for the user “myV3AuthNoPrivUser”.
vacmAccessEntry myV3AuthNoPrivGroup - usm authNoPriv exact All All - nonVolatile
vacmSecurityToGroupEntry usm myV3AuthNoPrivUser myV3AuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpTargetAddrEntry myV3Manager_allRequests snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
5. To authorize Get requests without authorizing Set requests, the fields “All All -” in the vacmAccessEntry should be
changed to “All - -”.
To relax the agent configuration so that this user can access the MIB objects from additional hosts, change the
snmpTargetAddrTMask to perform wildcard matching of the source address of the incoming request message.
To relax the agent configuration so that this user can access the MIB objects from any host, change
“whereValidRequestsOriginate” in the usmUserEntry to a dash (-).
To authorize the sending of SNMPv3 authNoPriv Trap messages to a user at exactly one SNMP manager
station (one IP address), add the following lines to the snmpd.cnf configuration file together with the
usmUserEntry for the user “myV3AuthNoPrivUser”.
vacmAccessEntry myV3AuthNoPrivGroup - usm authNoPriv exact - - All nonVolatile
vacmSecurityToGroupEntry usm myV3AuthNoPrivUser myV3AuthNoPrivGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpNotifyEntry myTrap whereMyNotificationsGo trap nonVolatile
snmpTargetAddrEntry myV3Manager_authNoPrivNotifications snmpUDPDomain 192.147.142.35:0 100 3 whereMyNotificationsGo myV3AuthNoPrivParams nonVolatile 1.2.3.4:0 2048
snmpTargetParamsEntry myV3AuthNoPrivParams 3 usm myV3AuthNoPrivUser authNoPriv nonVolatile
To configure additional Trap destinations (additional IP addresses where the user is authorized to operate a
management station), add additional snmpTargetAddrEntry entries to the snmpd.cnf configuration file. For
example, to authorize 192.147.142.111 as an additional Trap destination, add the following line to the
snmpd.cnf configuration file.
snmpTargetAddrEntry anotherV3Manager_authNoPrivNotifications snmpUDPDomain 192.147.142.111:0 100 3 whereMyNotificationsGo myV3AuthNoPrivParams nonVolatile 1.2.3.4:0 2048
1.6.8 Additional configuration for SNMPv3 agent entities
1.6.8.1 Configuring context names
A context is a collection MIB objects. An SNMP entity can potentially provide access to many contexts and a
particular MIB object instance can exist in multiple contexts. A context is often associated with a particular
physical or logical device, so a context name is an identifier to distinguish MIB object instances for one device
from MIB object instances for another device.
When a management request is sent to an SNMP agent, the context name which appears in the SNMPv3 message (or which is derived from the SNMPv1 or SNMPv2c message) must exist in the agent, or the command
responder application will return a noSuchContext error.
The configuration of context names is static and must be performed before the SNMP agent is launched for the
first time.
To configure a context name, add a vacmContextEntry line to the snmpd.cnf file according to the
following syntax:
vacmContextEntry <vacmContextName>
vacmContextName
is a human readable string representing the name of a context to be supported by this configuration.
Note:
The default context is always supported by an SNMPv3 agent.
1.6.9 Additional configuration for SNMPv1 and SNMPv2 agent entities
This section describes SNMP configuration that is required for SNMP entities that support SNMPv1 and/or
SNMPv2c in addition to SNMPv3.
1.6.9.1 Configuring communities
Configuration of at least one community string must be provided for an SNMP engine to send or receive
SNMPv1 or SNMPv2c messages. To configure an SNMPv1 or SNMPv2c community, add a snmpCommunityEntry line to the snmpd.cnf file according to the following syntax:
snmpCommunityEntry <snmpCommunityIndex> <snmpCommunityName> <snmpCommunitySecurityName> <snmpCommunityContextEngineID> <snmpCommunityContextName> <snmpCommunityTransportTag> <snmpCommunityStorageType>
snmpCommunityIndex
is a human readable string which is an arbitrary index. The value of this field is unimportant, other than that it must be
unique among the values of this field in other snmpCommunityEntry entries.
snmpCommunityName
is the community string, which may be a human readable string or a hexadecimal representation containing
unprintable characters.
For example, if the community string was the word “public” with an unprintable ‘bell' character (ASCII code 7)
at the end, then the value of this field would be 70:75:62:6c:69:63:07 (the ASCII codes for
‘p,’‘u,’‘b,’‘l,’‘i,’‘c,’ and ‘bell').
snmpCommunitySecurityName
is a human readable string which identifies the security name for this community string. This string should
appear in at least one vacmSecurityToGroupEntry to assign the community string (principal) to an
access control group.
snmpCommunityContextEngineID
is an OctetString, usually “localSnmpID”.
snmpCommunityContextName
is the SNMPv3 context implied by the community string. A dash (-) in this field represents the default context.
snmpCommunityTransportTag
is a human readable string that is used to select a set of entries in the snmpTargetAddrTable for source
address checking. Entries in the snmpTargetAddrTable are selected if the value of snmpCommunityTransportTag appears in the list of (space-separated) tags in snmpTargetAddrTagList. If the SNMP
entity should not perform source address checking, then this field should contain a dash (-).
snmpCommunityStorageType
is nonVolatile, permanent, or readOnly.
1.6.9.2 Examples
To receive SNMPv1 requests from exactly one SNMP manager station:
snmpCommunityEntry 61 targetV1Community targetV1Community localSnmpID - whereValidRequestsOriginate nonVolatile
vacmAccessEntry myV1Group - snmpv1 noAuthNoPriv exact All All All nonVolatile
vacmSecurityToGroupEntry snmpv1 targetV1Community myV1Group nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpTargetAddrEntry myV1Manager_allRequests snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
To send SNMPv1 Trap messages to exactly one SNMP manager station:
vacmAccessEntry myV1Group - snmpv1 noAuthNoPriv exact All All All nonVolatile
vacmSecurityToGroupEntry snmpv1 targetV1Community myV1Group nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpNotifyEntry myTrap whereMyNotificationsGo trap nonVolatile
snmpTargetAddrEntry myV1Manager_allNotifications snmpUDPDomain 192.147.142.35:0 100 3 whereMyNotificationsGo myV1ExampleParams nonVolatile 1.2.3.4:0 2048
snmpTargetParamsEntry myV1ExampleParams 0 snmpv1 targetV1Community noAuthNoPriv nonVolatile
To receive SNMPv2c requests from exactly one SNMP manager station:
snmpCommunityEntry 62 targetV2cCommunity targetV2cCommunity localSnmpID - whereValidRequestsOriginate nonVolatile
vacmAccessEntry myV2cGroup - snmpv2c noAuthNoPriv exact All All All nonVolatile
vacmSecurityToGroupEntry snmpv2c targetV2cCommunity myV2cGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpTargetAddrEntry myV2cManager_allRequests snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
To send SNMPv2c Trap messages to exactly one SNMP manager station:
vacmAccessEntry myV2cGroup - snmpv2c noAuthNoPriv exact All All All nonVolatile
vacmSecurityToGroupEntry snmpv2c targetV2cCommunity myV2cGroup nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpNotifyEntry myTrap whereMyNotificationsGo trap nonVolatile
snmpTargetAddrEntry myV2cManager_allNotifications snmpUDPDomain 192.147.142.35:0 100 3 whereMyNotificationsGo myV2cExampleParams nonVolatile 1.2.3.4:0 2048
snmpTargetParamsEntry myV2cExampleParams 1 snmpv2c targetV2cCommunity noAuthNoPriv nonVolatile
Note that the examples above grant the community a read view, a write view and a notify view of "All", which includes the whole iso tree, so the community string alone authorizes SET requests against every writable object the agent exposes, including the private enterprise objects described in 1.6.10.3. Use a narrower view, or an excluded vacmViewTreeFamilyEntry for the private subtree, for any v1/v2c community that does not need it.
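The entries above chain together (community, security name, group, access entry, view, transport tag, target address), and a mistake in any link either locks the manager out or opens the agent to everyone. The following script is an added example, not part of the manual or the gateway firmware: it parses snmpd.cnf-style lines in the field order given on this page, decodes the hexadecimal community form described above, and reports the checks a reviewer otherwise makes by hand: a community with no source-address checking (transport tag "-"), a tag that selects no snmpTargetAddrEntry, a security name bound to no group, a default community string, and a view that reaches the private subtree enterprise.207.8.44 (1.3.6.1.4.1.207.8.44, enterprise 207 being Allied Telesis) where the sysUsers passwords and the sysAdmin CLI object live. The sample configuration is constructed from the SNMPv1 example plus a deliberately weak second community; tag lists are assumed to hold a single tag.

```python
"""Offline lint for snmpd.cnf SNMPv1/v2c community and VACM entries (added example)."""
import re

OID_NAMES = {"iso": "1", "org": "1.3", "dod": "1.3.6", "internet": "1.3.6.1",
             "private": "1.3.6.1.4", "enterprises": "1.3.6.1.4.1"}
PRIVATE_SUBTREE = "1.3.6.1.4.1.207.8.44"      # enterprise.207.8.44 from the page
DEFAULT_COMMUNITIES = {b"public", b"private"}

# Constructed sample: the page's SNMPv1 example, plus a weak second community
# written in hex form ("public" + BEL) with no transport tag.
SAMPLE_CNF = """
snmpCommunityEntry 61 targetV1Community targetV1Community localSnmpID - whereValidRequestsOriginate nonVolatile
vacmAccessEntry myV1Group - snmpv1 noAuthNoPriv exact All All All nonVolatile
vacmSecurityToGroupEntry snmpv1 targetV1Community myV1Group nonVolatile
vacmViewTreeFamilyEntry All iso - included nonVolatile
snmpTargetAddrEntry myV1Manager_allRequests snmpUDPDomain 192.147.142.35:0 0 0 whereValidRequestsOriginate - nonVolatile 255.255.255.255:0 2048
snmpCommunityEntry 62 70:75:62:6c:69:63:07 anyoneRO localSnmpID - - nonVolatile
vacmSecurityToGroupEntry snmpv2c anyoneRO roGroup nonVolatile
vacmAccessEntry roGroup - snmpv2c noAuthNoPriv exact Public - - nonVolatile
vacmViewTreeFamilyEntry Public iso - included nonVolatile
vacmViewTreeFamilyEntry Public 1.3.6.1.4.1.207.8.44 - excluded nonVolatile
"""


def decode_community(field):
    """'70:75:62:6c:69:63:07' -> b'public\\x07'; plain strings are returned as bytes."""
    if re.fullmatch(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+", field):
        return bytes(int(h, 16) for h in field.split(":"))
    return field.encode("ascii")


def parse_cnf(text):
    """Group whitespace-separated entry lines by entry type (comments and blanks skipped)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, *fields = line.split()
            entries.setdefault(kind, []).append(fields)
    return entries


def numeric_oid(oid):
    head, _, rest = oid.partition(".")
    head = OID_NAMES.get(head, head)
    return head + ("." + rest if rest else "")


def covers(ancestor, oid):
    return oid == ancestor or oid.startswith(ancestor + ".")


def view_exposes(entries, view, subtree=PRIVATE_SUBTREE):
    """True if `view` includes an ancestor-or-self of `subtree` and does not exclude it.
    Exclusions of deeper descendants only narrow the hole and are ignored here."""
    included = excluded = False
    for name, tree, _mask, kind, *_ in entries.get("vacmViewTreeFamilyEntry", []):
        if name == view and covers(numeric_oid(tree), subtree):
            included |= kind == "included"
            excluded |= kind == "excluded"
    return included and not excluded


def audit(text):
    """Return (snmpCommunityIndex, finding) pairs for every community entry in `text`."""
    e = parse_cnf(text)
    groups = {(model, sec): grp for model, sec, grp, *_ in e.get("vacmSecurityToGroupEntry", [])}
    access = {}   # (group, securityModel) -> (readView, writeView)
    for grp, _pfx, model, _lvl, _match, rview, wview, *_ in e.get("vacmAccessEntry", []):
        access[(grp, model)] = (rview, wview)
    known_tags = {f[5] for f in e.get("snmpTargetAddrEntry", [])}   # snmpTargetAddrTagList
    findings = []
    for idx, name, sec, _engine, _ctx, tag, *_ in e.get("snmpCommunityEntry", []):
        if tag == "-":
            findings.append((idx, "no source-address check: any host knowing the string may query"))
        elif tag not in known_tags:
            findings.append((idx, f"transport tag {tag!r} selects no snmpTargetAddrEntry"))
        if decode_community(name).strip(bytes(range(32))) in DEFAULT_COMMUNITIES:
            findings.append((idx, "default community string (control-character padding does not help)"))
        bound = [(m, g) for (m, s), g in groups.items() if s == sec]
        if not bound:
            findings.append((idx, f"security name {sec!r} is in no vacmSecurityToGroupEntry"))
        for model, grp in bound:
            rview, wview = access.get((grp, model), ("-", "-"))
            if view_exposes(e, rview):
                findings.append((idx, f"read view {rview!r} reaches {PRIVATE_SUBTREE} (sysUsers passwords readable)"))
            if view_exposes(e, wview):
                findings.append((idx, f"write view {wview!r} reaches {PRIVATE_SUBTREE} (sysAdmin/sysUsers writable)"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_CNF):
        print(f"community {idx}: {msg}")
```

Run against the constructed sample, community 61 (the page's own example) is flagged twice, because its "All" views reach the private subtree for both reads and writes, while community 62 is flagged for the missing source check and the padded default string but not for its views, since the excluded entry for 1.3.6.1.4.1.207.8.44 closes that hole.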
1.6.10 MIB
Beginning with software release 2-0-0, the AT-RG600 Series supports SNMP v1, v2c and v3 for configuration
commands. Notification messages are restricted to SNMP v1.
1.6.10.1 Standard (public) MIB
The gateway supports the standard MIB defined in RFC 1213 (RFC1213-MIB) with the following limitations. The first access column is the maximum access defined by RFC 1213; the second is what the gateway implements.
OID                        RFC1213      Implementation
SYSDESCR                   Read-Only    Read-Only
SYSOBJECTID                Read-Only    Read-Only
SYSUPTIME                  Read-Only    Read-Only
SYSCONTACT                 Read-Write   Read-Write
SYSNAME                    Read-Write   Read-Write
SYSLOCATION                Read-Write   Read-Write
SYSSERVICES                Read-Only    Read-Only
IFDESCR                    Read-Only    Read-Only
IFTYPE                     Read-Only    Read-Only
IFMTU                      Read-Only    Read-Only
IFSPEED                    Read-Only    Read-Only
IFPHYSADDRESS              Read-Only    Read-Only
IFADMINSTATUS              Read-Write   Read-Write
IFOPERSTATUS               Read-Only    Read-Only
IFLASTCHANGE               Read-Only    Read-Only
IFINOCTETS                 Read-Only    Read-Only
IFINUCASTPKTS              Read-Only    Read-Only
IFINNUCASTPKTS             Read-Only    Read-Only
IFINDISCARDS               Read-Only    Read-Only
IFINERRORS                 Read-Only    Read-Only
IFINUNKNOWNPROTOS          Read-Only    Read-Only
IFOUTOCTETS                Read-Only    Read-Only
IFOUTUCASTPKTS             Read-Only    Read-Only
IFOUTNUCASTPKTS            Read-Only    Read-Only
IFOUTDISCARDS              Read-Only    Read-Only
IFOUTERRORS                Read-Only    Read-Only
IFOUTQLEN                  Read-Only    Read-Only
IFSPECIFIC                 Read-Only    Read-Only
ATPHYSADDRESS              Read-Write   Read-Only
ATNETADDRESS               Read-Write   Read-Only
IPFORWARDING               Read-Write   Read-Only
IPDEFAULTTTL               Read-Write   Read-Only
IPINRECEIVES               Read-Only    Read-Only
IPINHDRERRORS              Read-Only    Read-Only
IPINADDRERRORS             Read-Only    Read-Only
IPFORWDATAGRAMS            Read-Only    Read-Only
IPINUNKNOWNPROTOS          Read-Only    Read-Only
IPINDISCARDS               Read-Only    Read-Only
IPINDELIVERS               Read-Only    Read-Only
IPOUTREQUESTS              Read-Only    Read-Only
IPOUTDISCARDS              Read-Only    Read-Only
IPOUTNOROUTES              Read-Only    Read-Only
IPREASMTIMEOUT             Read-Only    Read-Only
IPREASMREQDS               Read-Only    Read-Only
IPREASMOKS                 Read-Only    Read-Only
IPREASMFAILS               Read-Only    Read-Only
IPFRAGOKS                  Read-Only    Read-Only
IPFRAGFAILS                Read-Only    Read-Only
IPFRAGCREATES              Read-Only    Read-Only
IPADENTADDR                Read-Only    Read-Only
IPADENTIFINDEX             Read-Only    Read-Only
IPADENTNETMASK             Read-Only    Read-Only
IPADENTBCASTADDR           Read-Only    Read-Only
IPADENTREASMMAXSIZE        Read-Only    Read-Only
IPROUTEDEST                Read-Write   Read-Only
IPROUTEIFINDEX             Read-Write   Read-Only
IPROUTEMETRIC1             Read-Write   Read-Only
IPROUTEMETRIC2             Read-Write   Read-Only
IPROUTEMETRIC3             Read-Write   Read-Only
IPROUTEMETRIC4             Read-Write   Read-Only
IPROUTENEXTHOP             Read-Write   Read-Only
IPROUTETYPE                Read-Write   Read-Only
IPROUTEPROTO               Read-Only    Read-Only
IPROUTEAGE                 Read-Write   Read-Only
IPROUTEMASK                Read-Write   Read-Only
IPROUTEMETRIC5             Read-Write   Read-Only
IPROUTEINFO                Read-Only    Read-Only
IPNETTOMEDIAIFINDEX        Read-Write   Read-Only
IPNETTOMEDIAPHYSADDRESS    Read-Write   Read-Only
IPNETTOMEDIANETADDRESS     Read-Write   Read-Only
IPNETTOMEDIATYPE           Read-Write   Read-Only
IPROUTINGDISCARDS          Read-Only    Read-Only
ICMPINMSGS                 Read-Only    Read-Only
ICMPINERRORS               Read-Only    Read-Only
ICMPINDESTUNREACHS         Read-Only    Read-Only
ICMPINTIMEEXCDS            Read-Only    Read-Only
ICMPINPARMPROBS            Read-Only    Read-Only
ICMPINSRCQUENCHS           Read-Only    Read-Only
ICMPINREDIRECTS            Read-Only    Read-Only
ICMPINECHOS                Read-Only    Read-Only
ICMPINECHOREPS             Read-Only    Read-Only
ICMPINTIMESTAMPS           Read-Only    Read-Only
ICMPINTIMESTAMPREPS        Read-Only    Read-Only
ICMPINADDRMASKS            Read-Only    Read-Only
ICMPINADDRMASKREPS         Read-Only    Read-Only
ICMPOUTMSGS                Read-Only    Read-Only
ICMPOUTERRORS              Read-Only    Read-Only
ICMPOUTDESTUNREACHS        Read-Only    Read-Only
ICMPOUTTIMEEXCDS           Read-Only    Read-Only
ICMPOUTPARMPROBS           Read-Only    Read-Only
ICMPOUTSRCQUENCHS          Read-Only    Read-Only
ICMPOUTREDIRECTS           Read-Only    Read-Only
ICMPOUTECHOS               Read-Only    Read-Only
ICMPOUTECHOREPS            Read-Only    Read-Only
ICMPOUTTIMESTAMPS          Read-Only    Read-Only
ICMPOUTTIMESTAMPREPS       Read-Only    Read-Only
ICMPOUTADDRMASKS           Read-Only    Read-Only
ICMPOUTADDRMASKREPS        Read-Only    Read-Only
TCPRTOALGORITHM            Read-Only    Read-Only
TCPRTOMIN                  Read-Only    Read-Only
TCPRTOMAX                  Read-Only    Read-Only
TCPMAXCONN                 Read-Only    Read-Only
TCPACTIVEOPENS             Read-Only    Read-Only
TCPPASSIVEOPENS            Read-Only    Read-Only
TCPATTEMPTFAILS            Read-Only    Read-Only
TCPESTABRESETS             Read-Only    Read-Only
TCPCURRESTAB               Read-Only    Read-Only
TCPINSEGS                  Read-Only    Read-Only
TCPOUTSEGS                 Read-Only    Read-Only
TCPRETRANSSEGS             Read-Only    Read-Only
TCPCONNSTATE               Read-Write   Read-Only
For TCPRTOMAX through TCPRETRANSSEGS the access cells were not legible in the source; these objects are read-only in RFC 1213 and the implementation column is assumed to match. IPROUTEINFO is read-only in RFC 1213 (the source listed it as Read-Write).
1.6.10.2 Standard traps
Only the standard ColdStart TRAP is supported.
Note:
The standard ColdStart TRAP can be sent only in SNMPv1 format. The snmpd.cnf file must therefore be configured to generate this trap using the SNMPv1 protocol (see the SNMPv1 trap example in 1.6.9.2).
1.6.10.3 Enterprise (private) MIB
The gateway implements private objects in order to give access to specific unit configuration parameters that
are not mapped in any standard MIB.
All the private MIB objects are located under the following OID: enterprise.207.8.44 (that is, 1.3.6.1.4.1.207.8.44).
The following private objects are available starting from software release 2-0-0:
sysInfo group
This group collects generic information about the unit.
OID              Max-Access   Description
SYSVENDOR        Read-Only    The vendor company name
SYSURL           Read-Only    The vendor company URL
SYSMAC           Read-Only    The unit MAC address
SYSHARDWARE      Read-Only    The unit hardware version
SYSSOFTWARE      Read-Only    The unit software version
sysUsers group
This group collects the list of the users defined in the system and the login/password for each user.
OID              Max-Access   Description
SYSUSERNAMER     Read-Only    The user name/login
SYSUSERCONFIG    Read-Write   The user may configure
SYSUSERACCESS    Read-Write   The user may configure
SYSUSERCOMMENT   Read-Write   Additional comment associated with this user
SYSUSERPASSWORD  Read-Write   The user password
sysAdmin group
This group collects basic objects used to force a unit restart, configuration saving, power status (only on AT-RG656 models) and a special object (sysAdminCLIEntry) that acts like a shell through which CLI-like commands can be sent.
OID                           Max-Access   Description
SYSRESTART                    Read-Write   If set to 1 (true), this object forces a system restart. The value returned by get requests is always 2 (false).
SYSCONFIGSAVE                 Read-Write   If set to 1 (true), this object forces a system configuration save. The value returned by get requests is always 2 (false).
SYSPOWERBACKUPSYSTEM          Read-Only    The object returns the value 1 if the backup battery system is present, otherwise it returns a value of 2.
SYSPOWERBACKUPBATTERYSTATUS   Read-Only    The object returns the value 1 if the battery is charged, otherwise it returns a value of 3.
SYSPOWERBACKUPPRIMARYSUPPLY   Read-Only    The object returns the value 1 if the backup battery system is correctly externally powered, otherwise it returns a value of 2.
Note:
Because SYSUSERPASSWORD is readable and writable and sysAdminCLIEntry accepts CLI commands, any SNMPv1/v2c community whose VACM views include this subtree (the examples in 1.6.9.2 use a view of the entire iso tree) can read account passwords and reconfigure the unit with nothing more than the community string, which travels in clear text. Restrict v1/v2c views so that enterprise.207.8.44 is excluded, keep source-address checking enabled through snmpCommunityTransportTag, and reserve access to this subtree for SNMPv3 users with authentication and privacy.
1.6.10.3.1 Private traps
The following private (enterprise specific) traps are generated:
OID                              Specific Trap Code   Description
POWERBACKPUPBATTERYON            1    This trap indicates that the external backup power supply is disconnected.
POWERBACKPUPBATTERYMISSING       2    This trap indicates that the battery backup system is disconnected.
POWERBACKPUPBATTERYLOW           3    This trap indicates that the battery is low or missing.
VOIPMGCPPROTOCOLENABLETRAP       4    This trap indicates that the MGCP protocol has been enabled.
VOIPMGCPPROTOCOLDISABLETRAP      5    This trap indicates that the MGCP protocol has been disabled.
VOIPMGCPPROTOCOLRESTARTTRAP      6    This trap indicates that the MGCP protocol has been restarted.
VOIPMGCPENDPOINTPH0RESTARTTRAP   7    This trap indicates that MGCP endpoint #1 has been restarted.
VOIPMGCPENDPOINTPH1RESTARTTRAP   8    This trap indicates that MGCP endpoint #2 has been restarted.
VOIPMGCPENDPOINTPH2RESTARTTRAP   9    This trap indicates that MGCP endpoint #3 has been restarted.
IGMPSNOOPINGVLANENABLETRAP       10   This trap indicates that IGMP snooping has been enabled on a VLAN. The VLAN VID is reported inside the variable-binding field.
IGMPSNOOPINGVLANDISABLETRAP      11   This trap indicates that IGMP snooping has been disabled on a VLAN. The VLAN VID is reported inside the variable-binding field.
IGMPSNOOPINGGROUPJOINTRAP        12   This trap indicates that a new multicast group has been joined. The multicast group address is reported inside the variable-binding field.
IGMPSNOOPINGGROUPLEAVETRAP       13   This trap indicates that a multicast group has been left. The multicast group address is reported inside the variable-binding field.
Note:
Private TRAPs can only be sent in SNMPv1 format. It is therefore necessary that the snmpd.cnf file is correctly configured to generate these traps using the SNMPv1 protocol.
2. Switching
2.1 Overview
2.1.1 Layer 2 Switching in the Network
The system consists of a Layer 2 switch coupled to a network processor. The aggregate is viewable as a single Layer 2 switch, but this functionality is spread across the two devices (the switch and the bridge), with interconnectivity provided by the CPU port.
Rate limiting, QoS and VLAN tag management are provided at the edge of the system, via port configuration.
By default all traffic flows in one single VLAN; an extension to this model is to use VLANs to segregate traffic flows to certain ports.
2.1.2 Documentation Structure
The Preface listed all of the iMG/RG/iBG devices and to which product category they belong. Keeping this in
mind, the user can better use the remainder of this section, which is organized as follows:
• An overview of an area and its main attributes.
• The functions within an area. These are explained in some detail, usually with accompanying figures.
• A table that lists these functions and to which product category they apply. Notes help the user understand
why a function may or may not be relevant.
• A table that lists the commands and to which product category they apply.
• A command reference for each command and its parameters.
Note:
The command reference subsection is generic for all product categories. The user should refer
to the the function and command tables to see how a command or parameter applies to a
specific product.
2.2 Switching
2.2.1 Overview
The iMG/RG/iBG product includes an integrated layer 2 managed switch providing Ethernet transceivers supporting 10Base-T, 100Base-TX and, on gigabit-capable models, 1000Base-T modes, high performance memory bandwidth (wire speed) and an extensive feature set including rate limiting, QoS priority, VLAN tagging and MIB counters.
The layer 2 switch uses one additional 100Mbps or 1000Mbps port as an internal port to communicate with the central processor in order to access layer 3 services such as routing, VoIP protocols, and the firewall and NAT security modules.
The following is the complete set of features available in the switch module:
• IEEE 802.1q tag based VLAN (up to 16 VLANs)
• VLAN ID tag/untag options, per port basis
• Programmable rate limiting, ingress port, egress port, per port basis
• IGMP v1/v2 snooping for multicast packet filtering
• QoS packet prioritization support: per port, IEEE 802.1p and DiffServ based
• Integrated look-up engine with dedicated 1K unicast MAC addresses
• Automatic address learning, address aging and address migration
• Full duplex IEEE 802.3x flow control
• Automatic MDI/MDI-X crossover for plug-and-play on all the ports
2.2.2 Layer 2 switch functional description
A summary of the general switch functions is included below.
2.2.2.1 Port Management
All ports on the switch are numbered sequentially from “lan1” up to the max number of Lan based 10/100
Ethernet ports. For the available number, please see the summary table in the preface. There can be special
function LAN interfaces - such as HPNA - that are addressed where that function is discussed. The admin status of the port can be set - as well as the Port Status and Counter value being displayed.
The port speed can also be set - as one of the following options: 100MFull, 100MHalf, 10MFull, 10MHalf, Auto,
Coax. The Coax mode is used when connecting an Ethernet to Coax Balun to the device.
2.2.2.2 Ingress Filtering
The infiltering parameter enables or disables Ingress Filtering of frames admitted on the ports.
If a port has only TAGGED VLANs associated with it - then when InFiltering is set to:
• ON - Only TAGGED packets with a VLAN ID matching VLANs associated with the port are admitted.
UNTAGGED Packets are not admitted.
• OFF - Both TAGGED packets with a VLAN ID Matching VLANS associated with the port are admitted - as
well as UNTAGGED packets. UNTAGGED Packets are tagged with the Default VLAN ID.
2.2.2.3 Address management
The primary function of the layer 2 switch is to receive good packets from the ports, process them and forward them to the appropriate ports for transmission. This frame processing involves the Ingress Policy, Queue Controller, Output Queues and Egress Policy.
The normal packet flow involves learning how to switch packets only to the correct ports. The switch learns which port an end station is connected to by remembering each packet's Source Address along with the port number on which the packet arrived and the VLAN it is on.
When a packet is directed to a new, unlearned MAC address, the packet is flooded out of all the ports that belong to the same VLAN, except for the one on which it arrived. Once a MAC address/port number pair is learned, all future packets directed to that end station's MAC address are sent to the learned port only. This ensures that the packet is sent to the correct end station. The table can be displayed via the CLI (SWITCH SHOW FDB).
The address database is stored in the embedded switch memory and has a default aging time of about 300 seconds (5 minutes). If no packets are received from a MAC address during that aging interval, the address is purged from the database. If a packet from that MAC address is received on a different port during this time, the address is learned on the new port and all traffic to it is then forwarded to that new port.
The number of MAC addresses that can be learned differs between devices (Kendin, BCM, Marvell, Marvell Gig); see Table 2-1.
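The learning, ageing, migration and flooding rules above are easiest to see on a small model. The script below is an added illustration written for this page, not the gateway's code: it keeps a per-VLAN forwarding database with the 300 second default ageing and a 1K-entry limit (the look-up engine size quoted earlier), and returns the egress port list for each received frame. Port names, the port-to-VLAN membership map, the station MAC addresses and the integer-second timestamps are all constructed for the example.

```python
"""Toy model of the layer 2 FDB: learning, ageing, migration, flooding (added example)."""

AGEING_SECONDS = 300          # default aging time quoted on the page
TABLE_SIZE = 1024             # "1 K unicast MAC addresses" look-up engine


class Fdb:
    def __init__(self, port_vlans, size=TABLE_SIZE, ageing=AGEING_SECONDS):
        self.port_vlans = port_vlans       # {"lan1": {1}, ...}: VLAN membership per port
        self.size, self.ageing = size, ageing
        self.entries = {}                  # (vlan, mac) -> [port, last_seen]
        self.learning = True               # SWITCH ENABLE/DISABLE LEARNING
        self.ageing_enabled = True         # SWITCH ENABLE/DISABLE AGEINGTIMER

    def _expire(self, now):
        if self.ageing_enabled:
            for key in [k for k, (_, seen) in self.entries.items() if now - seen >= self.ageing]:
                del self.entries[key]

    def receive(self, now, in_port, vlan, src, dst):
        """Learn src on in_port; return the egress ports for a frame addressed to dst."""
        self._expire(now)
        key = (vlan, src)
        if self.learning and (key in self.entries or len(self.entries) < self.size):
            self.entries[key] = [in_port, now]         # learn, refresh, or migrate to a new port
        # when the table is full a new station stays unlearned, so frames to it keep flooding
        hit = self.entries.get((vlan, dst))
        if hit is None:                                # unknown unicast (broadcast and multicast take this path too)
            return [p for p, vlans in self.port_vlans.items() if p != in_port and vlan in vlans]
        return [] if hit[0] == in_port else [hit[0]]   # same port as the sender: filtered, not forwarded


def demo():
    ports = {"lan1": {1}, "lan2": {1}, "lan3": {1, 2}, "cpu": {1, 2}}     # constructed
    fdb = Fdb(ports)
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"                     # constructed stations
    out = {}
    out["unknown_dst"] = fdb.receive(0, "lan1", 1, a, b)    # b unknown: flooded within VLAN 1
    out["learned"] = fdb.receive(1, "lan2", 1, b, a)        # a known on lan1: delivered there only
    fdb.receive(3, "lan3", 1, a, b)                         # a now seen on lan3: entry migrates
    out["migrated"] = fdb.receive(4, "lan2", 1, b, a)       # delivered to lan3 only
    out["aged"] = fdb.receive(400, "lan2", 1, b, a)         # a silent for > 300 s: flooded again
    for i in range(TABLE_SIZE):                             # 1K other stations behind lan2
        fdb.receive(401, "lan2", 1, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", b)
    c = "00:11:22:33:44:03"
    fdb.receive(402, "lan1", 1, c, b)                       # table full: c is not learned
    out["table_full"] = fdb.receive(403, "lan2", 1, b, c)   # so traffic to c is flooded
    out["entries"] = len(fdb.entries)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two steps show the practical consequence of the fixed table size: once a port has sourced enough distinct addresses to fill it, any new station on the VLAN is never learned and its traffic is flooded to every port in that VLAN, including the CPU port. The per-port ingress rate limiting described below bounds how quickly a single LAN port can drive the table to that state.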
2.2.2.4 Rate limiting support
The integrated layer 2 switch supports hardware rate limiting on receive and transmit independently on a per
port basis. The rate limiting applies to all the frame types: unicast, broadcast and multicast.
Some devices do provide the ability to rate limit the Multicast and Broadcast traffic. (BCM and Gig Marvell)
If the number of bytes exceeds the programmed limit, the switch will stop receiving or transmitting packets on
the port. In the transmit direction, extra packets are placed in one or more FIFO queues and sent as soon as
possible given the configured limit. Note that when multiple queues are configured, the highest priority queue is
emptied first.
In the receive direction, on some devices, there is an option provided for flow control to prevent packet loss. In
this case, if the configured limit is reached, and Flow Control is enabled, then a PAUSE frame will be sent to the
peer device. This will stop transmission of packets until the Gateway is ready to receive packets again.
2.2.2.5 Loop Detection
Loop detection is a feature available at layer 2 used to disable automatically one or more switch ports when a
loop is verified on one or more of these ports.
Ethernet loops are likely to happen when an Ethernet-to-Coax balun is used in installations where appliances connected to the coax cable need to reach the Ethernet ports. In this case, if the coax cable is not properly terminated, a signal reflection is generated on the coax cable segment and is reported to the Ethernet segment too, causing severe network degradation.
To detect a loop on ethernet ports, the Gateway periodically sends a “special” ping message. If the gateway
receives the same ping message back, it means that a loop is present. In this case the Gateway disables all the
traffic to/from the port (except the “special” ping) until the loop has been removed.
2.2.2.6 Layer 3 Routing Rate Limiting
The integrated layer 2 switch can limit traffic that goes to the Gateway network processor where routing tasks
need to be performed.
Limitation on the maximum routing rate is necessary to preserve system resources for high priority tasks like
VoIP and IGMP.
If the number of frames per seconds that need to be routed to the network processor are higher than the
selected maximum rate, the layer 2 switch discards packets addressed to the network processor in order to
force the average traffic rate to be below the target rate.
2.2.2.7 Quality of Service Classification
QoS switching policy is performed by the Queue Controller. The priority of a frame is determined, in order of precedence, by:
• The IEEE 802.3ac tag containing IEEE 802.1p priority information: this priority information is used in determining frame priority when IEEE 802.3ac tagging is enabled on the port.
• The IPv4 Type of Service (TOS)/DiffServ field when enabled on the port. IPv4 priority classification can be configured on a port basis to have a higher priority than the IEEE tag.
The user can enable these classifications individually or in combination.
All untagged frames entering a port have their priority set to the port's default priority. This priority is then used to manage the traffic from that port.
There are two different models in place:
1. A two queue scheme, whereby the user specifies which priority settings go into the high priority queue and which go into the low queue.
2. A four queue scheme, where the user maps the different priority values to one of the four queues.
Highest priority queues are emptied first, before the lower priority queues, and as such it is possible for the low priority traffic to get starved out.
The integrated layer 2 switch supports two Class of Service (CoS) mechanisms: IEEE 802.1p tagging (Layer 2)
and Differentiated Services (DS) as an advanced architecture of ToS (Layer 3).
2.2.2.7.1 802.1p traffic priority
The IEEE 802.1p signalling technique is an IEEE endorsed specification for prioritizing network traffic at the
data-link/MAC sub-layer (OSI Reference Model Layer 2).
IEEE 802.1p is a companion of the IEEE 802.1q (VLAN tagging) standard and they work in tandem (see Figure 2-1). The 802.1q standard specifies a VLAN tag that is inserted into a MAC frame. The VLAN tag carries VLAN information and has two parts of interest here: the VLAN ID (12-bit) and the User Priority (3-bit). 802.1q defines the field itself; 802.1p defines how its values map to traffic classes.
Switches, routers, servers, even desktop systems, can set these priority bits in the three-bit user priority field, which allows packets to be grouped into various traffic classes. If a packet is received that does not carry this tag, the switch adds it and uses the default priority associated with the port.
In the two queue systems, the user priority field in the tag header is compared with an internal value in the switch called the base priority: all values equal to or greater than this base priority are put into the high priority egress queue, while all others are put into the low priority queue.
In the four queue systems, the value in the user priority field is used to determine directly which queue to place the packet into. This mapping is configurable.
2.2.2.7.2 Differentiated services code point (DSCP)
Differentiated Services (DiffServ) is the IETF mechanism for prioritizing network traffic at the IP layer (OSI Reference Model Layer 3).
The DS octet in the IP header classifies the packet service level. The DS field replaces the ToS octet in the IPv4 header (see Figure 2-1).
Of its eight bits, the six high-order bits form the DSCP; the remaining two bits were originally reserved and are now used for ECN. This allows up to 64 different classifications for service levels.
In the two queue systems, the DSCP value is compared with an internal value in the switch called the base priority: all values equal to or greater than this base priority are put into the high priority egress queue, while all others are put into the low priority queue.
In the four queue systems, the DSCP value is used to determine directly which queue to place the packet into. This mapping is configurable.
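The classification and queueing rules of 2.2.2.7 through 2.2.2.7.2 combine into a small decision procedure: pick the 802.1p or DSCP value according to the port's settings and precedence, fall back to the port default, then select a queue under either the two-queue base-priority comparison or the four-queue map. The script below is an added illustration written for this page, not gateway code. The setting names (use_8021p, use_dscp, dscp_over_8021p, default_priority), the default base priorities, the default queue maps and the treatment of the DSCP-to-queue fold are assumptions chosen for the example; the egress rewrite of the priority bits to 0 when 802.1p is disabled follows note 23 of Table 2-1.

```python
"""Frame classification and queue selection for the two- and four-queue models (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PortQos:
    use_8021p: bool = True         # classify on the tag's 3-bit user priority
    use_dscp: bool = False         # classify on the IPv4 DS field
    dscp_over_8021p: bool = False  # page: DSCP may be configured to outrank the tag
    default_priority: int = 0      # applied to untagged / unclassifiable frames


@dataclass
class Frame:
    pcp: Optional[int] = None      # 802.1Q user priority (0..7); None if untagged
    tos: Optional[int] = None      # raw IPv4 TOS/DS octet; None if not IPv4


def dscp_of(tos: int) -> int:
    return tos >> 2                # DSCP is the high six bits; the low two are ECN


def classify(port: PortQos, frame: Frame) -> Tuple[str, int]:
    """Return (source, value): ("802.1p", pcp), ("dscp", dscp) or ("default", priority)."""
    tag = ("802.1p", frame.pcp) if port.use_8021p and frame.pcp is not None else None
    ip = ("dscp", dscp_of(frame.tos)) if port.use_dscp and frame.tos is not None else None
    if tag and ip:
        return ip if port.dscp_over_8021p else tag
    return tag or ip or ("default", port.default_priority)


@dataclass
class TwoQueue:
    """Two-queue model: values at or above the base priority go to the high queue."""
    base_8021p: int = 4            # assumed default threshold for user priority
    base_dscp: int = 32            # assumed default threshold for DSCP

    def queue(self, cls: Tuple[str, int]) -> str:
        src, val = cls
        base = self.base_dscp if src == "dscp" else self.base_8021p
        return "high" if val >= base else "low"


@dataclass
class FourQueue:
    """Four-queue model: each priority value maps directly to a queue 0..3."""
    pcp_map: tuple = (1, 0, 0, 1, 2, 2, 3, 3)           # IEEE 802.1Q four-class recommendation
    dscp_map: tuple = tuple(d >> 4 for d in range(64))  # assumed: 16 codepoints per queue

    def queue(self, cls: Tuple[str, int]) -> int:
        src, val = cls
        return self.dscp_map[val] if src == "dscp" else self.pcp_map[val]


def egress_pcp(port: PortQos, frame: Frame) -> int:
    """Priority bits carried out of the switch: untagged frames get the port default
    (2.2.2.7.1); with 802.1p disabled on the port the bits are rewritten to 0 (note 23)."""
    if not port.use_8021p:
        return 0
    return frame.pcp if frame.pcp is not None else port.default_priority


def demo():
    two, four = TwoQueue(), FourQueue()
    voice = Frame(pcp=5, tos=0xB8)                     # constructed: PCP 5, DSCP EF (46)
    trusted = PortQos(use_8021p=True, use_dscp=True)
    dscp_first = PortQos(use_8021p=True, use_dscp=True, dscp_over_8021p=True)
    tag_only = PortQos(use_8021p=True, use_dscp=False)
    no_tag_trust = PortQos(use_8021p=False, use_dscp=True)
    cases = {
        "tag_wins": classify(trusted, voice),          # both enabled, tag preferred
        "dscp_wins": classify(dscp_first, voice),      # both enabled, DSCP preferred
        "untagged": classify(tag_only, Frame(tos=0xB8)),           # falls back to port default
        "tag_ignored": classify(no_tag_trust, Frame(pcp=7, tos=0)),  # PCP 7 does not count
    }
    out = {name: (cls, two.queue(cls), four.queue(cls)) for name, cls in cases.items()}
    out["egress_pcp_rewritten"] = egress_pcp(no_tag_trust, Frame(pcp=7))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "tag_ignored" case is the one that matters for a LAN port: any host can mark its own frames with PCP 7 or DSCP EF, and because the queues are drained strictly by priority, a host whose marks are honoured can starve the low queue. Enable tag or DSCP classification only on ports whose marks you trust (the WAN and CPU ports), and leave untrusted LAN ports on the default priority.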
FIGURE 2-1 IP packet overview: an Ethernet frame (preamble, start frame delimiter, destination, source, length/type, tag control with user priority and VLAN ID, MAC client data, frame check sequence) carrying an IPv4 header (version, TOS/DS octet with precedence and D/T/R bits, total length, identification, flags, fragment offset, TTL, protocol, header checksum, source IP, destination IP). The figure itself is not reproduced in this text.
2.2.2.8 Power Conservation Mode
In order to provide longer back-up battery life during power failure situations, some devices support a mode in which, 30 minutes after an AC power failure is detected, all but the Lan1 interface are powered off. This enables the device to reduce battery consumption.
2.2.2.9 Port Diagnostics
On some devices, it is possible to perform diagnostics on the physical wiring that is connected to the Gateway’s
ethernet port. This is in effect a TDR mechanism - that can detect opens, shorts or good connections - and can
also determine the distance to the terminating point.
2.2.3 Functional Differences for Switching in Product Categories
The table below identifies what is common among the product families and highlights where there are differences. To determine which family your device belongs to, please refer to the preface.
TABLE 2-1
Functional Mapping for Switching
An X marks the option as available; a number refers to the notes below the table.
Option                            Fiber A   Fiber B    Fiber C    Fiber D    Fiber E   Modular          ADSL A   ADSL B   ADSL C
Port Management                   notes 12, 15, 16, 17, 18 and 21 apply by category (the per-category cells are not legible in the source)
Ingress Filtering                 13        X          X          X          X         X                13       X        X
Address management                1         3          3          3          2         2                1        2        2
Rate limiting support             10        7, 14, 19  11, 14, 19 7, 14, 19  8, 9      7, 8, 9, 14, 20, 22   10  8, 9     8, 9
Loop Detection                    available on three of the categories (not legible which in the source)
Layer 3 Routing Rate Limiting     -         -          -          -          -         6                -        -        -
Quality of Service Classification 4         5          5          5          5         5                4        5        5
802.1p traffic priority           X         X          X          X          X         23               X        X        X
Differentiated services code point (DSCP)   X  X       X          X          X         X                X        X        X
Power Conservation Mode           available on one category (not legible which in the source)
Port Diagnostics                  available on two categories (not legible which in the source)
1. Supports 1K MAC addresses.
2. Supports 2K MAC addresses.
3. Supports 4K MAC addresses.
4. Supports 2 queues.
5. Supports 4 queues.
6. Fixed value that is not provisionable; only supported on 7x6MOD.
7. Up to thirty different rate limits are supported: 128Kbps, 256Kbps, 512Kbps, 756Kbps, 1Mbps, 1.5Mbps, 2Mbps, 3Mbps, 4Mbps, 5Mbps, 6Mbps, 7Mbps, 8Mbps, 9Mbps, 10Mbps, 12Mbps, 14Mbps, 16Mbps, 18Mbps, 20Mbps, 25Mbps, 30Mbps, 35Mbps, 40Mbps, 45Mbps, 50Mbps, 60Mbps, 70Mbps, 80Mbps and 90Mbps, independently on each port and on the frame direction: Tx or Rx.
8. On non-gig capable versions, up to seven different rate limits are supported: 128Kbps, 256Kbps, 512Kbps, 1Mbps, 2Mbps, 4Mbps and 8Mbps, independently on each port and on the frame direction: Tx or Rx. If additional granularity or higher limits are needed, please see the section on Network Processor Based Rate Limiting.
9. On non-gig capable versions, if it is necessary to rate limit TCP traffic it is recommended to use the Network Processor Based Rate Limiting. Rate limiting in the Rx direction can result in packet loss, which results in lower throughput than configured for TCP sessions.
10. Rate limiting on these devices is based on 64Kbps granularity; the user is able to enter values between 0 and 100Mbps.
11. Rate limiting on these devices is based on 64Kbps granularity; the user is able to enter values between 0 and 100Mbps.
12. Coax mode is not supported.
13. When assigning VLANs, these ports can be defined as TAGGED or UNTAGGED; it is not possible to support both.
14. Supports broadcast rate limiting and multicast rate limiting.
15. Ports supported are from Lan1 up to a maximum of Lan6, depending on the number of Ethernet ports available.
16. Additional ports can be present depending on the module added: for example hpna if the HPNA LAN module is present; CESC and CESD if the T1/E1 circuit emulation module is present; Glan if the Gig WAN module is present. All these ports can be managed like a normal LAN port, but it is not recommended that any changes be made to the CESC port.
17. It is possible to use the LAN4 port as a WAN port.
18. It is possible to use the LAN6 port as a WAN port, if the Fiber port is not being used.
19. Supported rate limits for broadcast and multicast data are 3.5%, 5%, 10% and 20% of the total port capacity.
20. On Gig enabled devices, supported rate limits for broadcast and multicast data are 128Kbps, 256Kbps, 512Kbps, 756Kbps, 1Mbps, 1.5Mbps, 2Mbps, 3Mbps, 4Mbps, 5Mbps, 6Mbps, 7Mbps, 8Mbps, 9Mbps, 10Mbps, 12Mbps, 14Mbps, 16Mbps, 18Mbps, 20Mbps, 25Mbps, 30Mbps, 35Mbps, 40Mbps, 45Mbps, 50Mbps, 60Mbps, 70Mbps, 80Mbps, 90Mbps.
21. Supports the FLOW and JAMMING flow-control options.
22. On Gig ports the same rates are supported below 100Mbps. In addition the following rates are supported: 100Mbps, 150Mbps, 200Mbps, 250Mbps, 300Mbps, 350Mbps, 400Mbps, 450Mbps, 500Mbps, 600Mbps, 700Mbps, 800Mbps, 900Mbps.
23. For 6x6MOD and 7x6MOD devices, when 802.1P is disabled the P-bit setting on any received packet is converted to 0. So if a packet is received with a P-bit setting of 3, the P-bit of the packet when transmitted is 0. To assist in managing the implications of this, the default setting for the WAN and CPU port 802.1p port attributes is Enabled.
2.2.4 Switch command reference
This section describes the commands available to configure and manage switch ports and the address look-up table.
Throughout, references are made back to Section 2.2.3.
2.2.4.1 Switch CLI commands
The table below lists the switch commands provided by the CLI:
TABLE 2-2
Switch commands
The per-category availability marks (Fiber A to E, Modular, ADSL A to C) of the original table are not reproduced here; see Table 2-1 and the notes under each command for applicability.
SWITCH DIAGNOSE PORT
SWITCH DISABLE AGEINGTIMER
SWITCH DISABLE LEARNING
SWITCH DISABLE LOOPDETECTION
SWITCH DISABLE PORT
SWITCH ENABLE AGEINGTIMER
SWITCH ENABLE LEARNING
SWITCH ENABLE LOOPDETECTION
SWITCH ENABLE PORT
SWITCH LIST PORTS
SWITCH RESET
SWITCH RESET COUNTERS
SWITCH RESET PORT
SWITCH SET 802.1P PRIORITY
SWITCH SET AGE-TIMER
SWITCH SET AGING-TIME
SWITCH SET AGINGTIMER
SWITCH SET LEARNING
SWITCH SET LOOPDETECTION
SWITCH SET PORT 802.1P
SWITCH SET PORT BROADCASTLIMIT
SWITCH SET PORT DEFAULTPRIORITY
SWITCH SET PORT DEFAULTVID
SWITCH SET PORT DSCP
SWITCH SET PORT DSCP/NODSCP
SWITCH SET PORT FLOW
SWITCH SET PORT FLOWCONTROL
SWITCH SET PORT INFILTERING
SWITCH SET PORT MULTICASTLIMIT
SWITCH SET PORT QOS/NOQOS
SWITCH SET PORT RCVLIMIT
SWITCH SET PORT RCVLIMIT-HIGH
SWITCH SET PORT RCVLIMIT-LOW
SWITCH SET PORT SPEED
SWITCH SET PORT STATUS
SWITCH SET PORT TRSLIMIT
SWITCH SET PORT TRSLIMIT-HIGH
SWITCH SET PORT TRSLIMIT-LOW
SWITCH SET QOS 802.1P
SWITCH SET QOS DSCP
SWITCH SET QOS PRIORITY
SWITCH SET ROUTING-LIMIT
SWITCH SHOW
SWITCH SHOW 802.1P
SWITCH SHOW FDB (variant A or B depending on the product category)
SWITCH SHOW PORT
SWITCH SHOW QOS
SWITCH SHOW QOS 802.1P
SWITCH SHOW QOS DSCP
2.2.4.1.1 SWITCH DIAGNOSE PORT
Syntax
SWITCH DIAGNOSE PORT <port-name>
Description
This command executes the Time Domain Reflectometry (TDR) test used to determine whether or not the Ethernet cable connected to the port has a fault.
The result for each pair is "open", "short" or "good term". It also prints the distance to the fault if the result is not "good term". The accuracy is within approximately 10%.
Options
Option      Description                                     Default Value
Port-name   The name of the switch port to test.            N/A
Example
--> switch diagnose port lan6
Port 2 Tx: open [0ft] Rx: open [0ft]
2.2.4.1.2 SWITCH DISABLE AGEINGTIMER
Syntax
SWITCH DISABLE AGEINGTIMER
Description
This command stops the ageing timer used by the look-up engine to remove expired FDB entries.
If the ageing timer is disabled, the look-up entries in the FDB are kept permanently until the SWITCH ENABLE AGEINGTIMER command is entered or the switch is reset.
To show the current switch status, use the SWITCH SHOW command.
Example
switch disable ageingtimer
See also
SWITCH ENABLE AGEINGTIMER
SWITCH SHOW
2.2.4.1.3 SWITCH DISABLE LEARNING
Syntax
SWITCH DISABLE LEARNING
Description
This command stops the learning engine used to update the look-up table when frames
are received from new source addresses.
To restore the learning process, use the SWITCH ENABLE LEARNING command.
To show the current switch status, use the SWITCH SHOW command.
Example
switch disable learning
See also
SWITCH ENABLE LEARNING
SWITCH SHOW
2.2.4.1.4 SWITCH DISABLE LOOPDETECTION
Syntax
SWITCH DISABLE LOOPDETECTION
Description
This command stops the loop detection on the Ethernet ports. Special “ping” messages
used to detect loop are stopped.
Any port that was set to coax mode still remains configured in this mode, forcing the port
speed to 10M Full Duplex.
To show the current port status, use the SWITCH SHOW command.
Example
switch disable loopdetection
See also
SWITCH ENABLE LOOPDETECTION
SWITCH SHOW
2.2.4.1.5 SWITCH DISABLE PORT
Syntax
SWITCH DISABLE PORT <port-name> [FLOW JAMMING]
Description
This command disables the selected switch port, or disables a flow control mechanism
on the port.
If jamming is specified the jamming signal used for flow control on half duplex ports will
be disabled.
To show the current port status, use the SWITCH SHOW PORT command.
Please see notes under Port management for the applicability of the FLOW and JAMMING options.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
Port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
Example
switch disable port lan1
See also
SWITCH ENABLE PORT
SWITCH SHOW PORT
2.2.4.1.6 SWITCH ENABLE AGEINGTIMER
Syntax
SWITCH ENABLE AGEINGTIMER
Description
This command restarts the aging timer used by the look up engine to update the aging of
FDB entries.
To show the current switch status, use the SWITCH SHOW command.
Example
switch enable ageingtimer
See also
SWITCH DISABLE AGEINGTIMER
SWITCH SHOW
2.2.4.1.7 SWITCH ENABLE LEARNING
Syntax
SWITCH ENABLE LEARNING
Description
This command restarts the learning process used by the look up engine to update the
FDB when frames from new addresses are received.
To show the current switch status, use the SWITCH SHOW command.
Example
switch enable learning
See also
SWITCH DISABLE LEARNING
SWITCH SHOW
2.2.4.1.8 SWITCH ENABLE LOOPDETECTION
Syntax
SWITCH ENABLE LOOPDETECTION
Description
This command turns on the loop detection feature on the switch. The Residential Gateway will start sending special “ping” messages to all the switch ports configured as
“coax”.
All the switch ports having a speed valued different from “coax” will not be involved in
the loop detection process.
To add an Ethernet port to the list of ports where loop detection is controlled, use the
SWITCH SET PORT SPEED COAX command.
Example
switch enable loopdetection
See also
SWITCH DISABLE LOOPDETECTION
SWITCH SHOW
2.2.4.1.9 SWITCH ENABLE PORT
Syntax
SWITCH ENABLE PORT <port-name> [FLOW [JAMMING] ]
Description
This command enables the selected switch port.
If SWITCH ENABLE PORT FLOW is entered, pause flow control is enabled when the port
speed is configured to full duplex.
If SWITCH ENABLE PORT FLOW JAMMING is entered, jamming flow control is enabled when
the port speed is configured to half duplex.
To show the current port status, use the SWITCH SHOW PORT command.
Please see notes under Port management for the applicability of the FLOW and JAMMING options.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
Port-name
The name of the switch port to be configured. See
Section 2.3 for a list of possible port names.
N/A
2.2.4.1.10 SWITCH LIST PORTS
Syntax
SWITCH LIST PORTS
Description
This command displays the current status of all the Ethernet ports on the device.
The port ID and current state are also displayed; this allows the user to gather a broad
view of the state of the system.
Options
None.
Example
--> switch list ports
Switch Ports:
Name       | Port ID   | State     | Connected | Speed
-----------|-----------|-----------|-----------|----------
lan1       | 4         | Enabled   | false     | N/C
lan2       | 1         | Enabled   | false     | N/C
lan3       | 5         | Enabled   | false     | N/C
lan4       | 0         | Enabled   | false     | N/C
lan5       | 3         | Enabled   | false     | N/C
lan6       | 2         | Enabled   | false     | N/C
cpu        | 6         | Enabled   | true      | 100F
----------------------------------------------------------
2.2.4.1.11 SWITCH RESET
Syntax
SWITCH RESET [PORT <port-name> [COUNTERS]]
Description
This command resets the switch completely.
All internal switch counters are reset and FDB entries removed.
Options
None.
Example
--> switch reset
2.2.4.1.12 SWITCH RESET COUNTERS
Syntax
SWITCH RESET COUNTERS
Description
This command resets completely the switch counters.
Options
None
Example
switch reset counters
2.2.4.1.13 SWITCH RESET PORT
Syntax
SWITCH RESET PORT <port-name> COUNTERS
Description
This command resets the counters of the switch port if a port is specified.
Only the counters related to the selected port are reset without removing any FDB
entries.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
Port-name
The name of the switch port to be configured. See
Section 2.3 for a list of possible port names.
N/A
Example
switch reset port lan1 counters
See also
switch show
2.2.4.1.14 SWITCH SET 802.1P PRIORITY
Syntax
SWITCH SET 802.1P <802.1P_value> PRIORITY <queue>
Description
This command is used to map an incoming tagged frame with a specific 802.1p value in
the priority field of the tag header into one of the four egress queues available on the
switch. To show the current 802.1p value/queue mapping, use the SWITCH SHOW
802.1p command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
802.1P_value
The value of the 802.1p field used to map
incoming frames into a well defined outgoing
queue. Possible values are from 0 to 7.
N/A
queue
The name of the egress priority queue where
frames will be forwarded. Allowed values are:
low (lowest priority queue)
med-low
med-high
high (highest priority queue).
low for 802.1p values 0 to 3;
high for 802.1p values 4 to 7
Example
switch set 802.1P 0 PRIORITY
2.2.4.1.15 SWITCH SET AGE-TIMER
Syntax
SWITCH SET AGE-TIME <agetimer>
Description
This command sets the value of the ageing timer, after which an un-refreshed dynamic
entry in the Forwarding Database is automatically removed.
Acceptable values are from 16 secs to 4080 secs.
To show the current switch status, use the SWITCH SHOW command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
Agetimer
Number of seconds. (16 to 4080)
304 (secs)
Example
--> switch set ageingtimer 180
See also
SWITCH SHOW
SWITCH SHOW PORT
2.2.4.1.16 SWITCH SET AGING-TIME
Syntax
SWITCH SET AGING-TIME { Enabled | Disabled }
Description
This command enables or disables the aging time process. Once disabled all the FDB
entries already learned are kept until aging-time is re-enabled or a switch reset command
is entered.
To show the current switch status, use the SWITCH SHOW command.
Options
The following table gives the range of values for each option, which can be specified with
this command, and a default value (if applicable).
Option
Description
Default Value
Enabled | Disabled
When Enabled, the aging time process will flush
out any entry older than the age-timer value.
Enabled
When Disabled, the aging time process keeps all
the entries already learned. No additional entries
are learned in this status.
Example
--> switch set aging-time disabled
See also
switch show
2.2.4.1.17 SWITCH SET AGINGTIMER
Syntax
SWITCH SET AGINGTIMER [fast|normal|value] <agetimer>
Description
This command sets the value of the ageing timer, after which an un-refreshed dynamic
entry in the Forwarding Database is automatically removed.
FAST sets the aging timer to 800 µSec, while NORMAL sets the aging timer to 300 Sec.
Acceptable values are from 16 secs to 4080 secs.
To show the current switch status, use the SWITCH SHOW command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
Agetimer
Number of seconds. (16 to 4080)
none
Example
--> switch set ageingtimer 180
See also
switch show
2.2.4.1.18 SWITCH SET LEARNING
Syntax
SWITCH SET LEARNING { Enabled | Disabled }
Description
This command enables or disables the learning process on the switch.
When learning is disabled, any frame having a new source MAC address will not be stored
in the switch FDB. The existing FDB entries will instead be flushed out according to the
age-timer value.
To show the current switch status, use the SWITCH SHOW command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
Enabled | Disabled
When Enabled, the learning engine learns source
addresses of incoming frames.
Enabled
When Disabled, no learning process will take place.
Example
--> switch set learning disabled
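The following is an added example, not code from the Allied Telesis manual or the device firmware: a small Python model of the FDB behaviour described by SWITCH SET AGINGTIMER, SWITCH SET AGING-TIME and SWITCH SET LEARNING. The MAC addresses, port names and timestamps are constructed, and the refresh of an already known address while learning is disabled is this example's assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Range and default stated in the manual for the ageing timer (seconds).
AGETIMER_MIN, AGETIMER_MAX = 16, 4080
AGETIMER_DEFAULT = 304


def agetimer_is_valid(seconds: int) -> bool:
    """SWITCH SET AGINGTIMER accepts only 16..4080 seconds."""
    return AGETIMER_MIN <= seconds <= AGETIMER_MAX


@dataclass
class Fdb:
    """Constructed model of the Forwarding Database, not the device code."""
    agetimer: int = AGETIMER_DEFAULT
    aging_enabled: bool = True      # SWITCH SET AGING-TIME {Enabled|Disabled}
    learning_enabled: bool = True   # SWITCH SET LEARNING {Enabled|Disabled}
    # MAC address -> (port name, time of last refresh in seconds)
    entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def set_agingtimer(self, seconds: int) -> None:
        """switch set ageingtimer <agetimer>, with the range check."""
        if not agetimer_is_valid(seconds):
            raise ValueError(
                f"agetimer {seconds} outside {AGETIMER_MIN}..{AGETIMER_MAX} seconds")
        self.agetimer = seconds

    def receive(self, src_mac: str, port: str, now: int) -> bool:
        """A frame from src_mac enters on port at time now.

        A known source address is refreshed (assumption, see lead-in). A new
        one is stored only while learning is enabled and, as the manual states
        for AGING-TIME Disabled, only while the aging process is enabled.
        Returns True if the FDB now holds an entry for src_mac."""
        if src_mac in self.entries:
            self.entries[src_mac] = (port, now)
            return True
        if self.learning_enabled and self.aging_enabled:
            self.entries[src_mac] = (port, now)
            return True
        return False

    def age(self, now: int) -> List[str]:
        """Remove dynamic entries not refreshed within agetimer seconds and
        return their MACs. With aging disabled nothing expires until aging is
        re-enabled or the switch is reset."""
        if not self.aging_enabled:
            return []
        expired = [mac for mac, (_, last) in self.entries.items()
                   if now - last > self.agetimer]
        for mac in expired:
            del self.entries[mac]
        return expired

    def reset(self) -> None:
        """SWITCH RESET: all FDB entries are removed."""
        self.entries.clear()


def demo() -> dict:
    """Walk the FDB through the commands; MACs and times are constructed."""
    fdb = Fdb()
    fdb.set_agingtimer(180)                              # switch set ageingtimer 180
    fdb.receive("00:11:22:33:44:01", "lan1", now=0)
    fdb.receive("00:11:22:33:44:02", "lan2", now=0)
    fdb.receive("00:11:22:33:44:01", "lan1", now=150)    # lan1 host still talking
    expired = fdb.age(now=200)                           # lan2 host silent > 180 s
    fdb.learning_enabled = False                         # switch set learning disabled
    learned_new = fdb.receive("00:11:22:33:44:03", "lan3", now=210)
    fdb.aging_enabled = False                            # switch set aging-time disabled
    expired_while_off = fdb.age(now=9999)
    return {
        "expired_at_200": expired,
        "learned_new_while_disabled": learned_new,
        "expired_while_aging_off": expired_while_off,
        "entries": sorted(fdb.entries),
    }


if __name__ == "__main__":
    print(demo())
```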
2.2.4.1.19 SWITCH SET LOOPDETECTION
Syntax
SWITCH SET LOOPDETECTION POLLINGTIME <polling-time>
Description
This command changes the rate of the “special” ping messages used to detect loop conditions on one or more Ethernet ports.
If more than one port is configured for loop detection, each port will generate a “ping”
message rate equal to the polling time multiplied by the number of “coax” ports.
Options
The following table gives the range of values for each option, which can be specified with
this command, and a default value (if applicable).
Option
Description
Default Value
polling-time
The loop detection “ping” rate in milliseconds. Available values are between 50 msec and 5000 msec.
50
Example
switch set loopdetection pollingtime 100
See also
switch show
2.2.4.1.20 SWITCH SET PORT 802.1P
Syntax
SWITCH SET PORT <portname> 802.1P { Enabled | Disabled }
Description
This command enables the support of the 802.1p priority field on the incoming frames.
This command is usually used in conjunction with the switch set qos 802.1p command to
specify on which egress queue incoming tagged frames having a specific value in the
priority field will be forwarded.
When 802.1p is disabled, no specific forwarding policy is applied on incoming tagged
frames except the normal forwarding process.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
Option
Description
Default Value
Enabled | Disabled
When Enabled, the incoming packets are placed in
the appropriate priority queue based on the P-Bit
setting.
Disabled
When Disabled, there is no prioritization based on
P-Bit.
default_vlanid
The VLAN identifier to be associated to untagged
frames that arrive to this port. This valid range is
from 1 to 4095.
Example
--> switch set port lan1 802.1p Enabled
See also
SWITCH SHOW PORT
2.2.4.1.21 SWITCH SET PORT BROADCASTLIMIT
Syntax
SWITCH SET PORT <portname> BROADCASTLIMIT <bcastlimit>
Description
This command specifies the ingress data rate limit for broadcast traffic. These limits apply
only to broadcast frame types entering on the selected switch port.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
bcastlimit
The maximum bit rate for broadcast traffic that is
allowed on a switch port in the receive direction.
See Section 2.3 for a list of possible values depending on product family.
None
Example
--> switch set port lan8 broadcastlimit 4Mbps
2.2.4.1.22 SWITCH SET PORT DEFAULTPRIORITY
Syntax
SWITCH SET PORT <portname> DEFAULTPRIORITY <priority>
Description
This command sets the priority value on the 802.1p priority field for all the frames that
arrive on the switch port as untagged frames.
This command works only if the 802.1p support has been previously enabled via the
switch set port 802.1p enable command.
When an untagged frame arrives at a port where the default priority value has not been
specified, and the egress port is tagged, the 802.1p priority field of the outgoing frame
will be set to 0.
This command can be used to set the port priority, with the priority queue for the specified port depending on the queue that the port is associated with. This association is
shown using the SWITCH SHOW 802.1p command. Refer to the example below, where
using the example command switch set port lan1 defaultpriority 5, the
port priority for lan1 will be set to 5. To know the priority queue for lan1, use the command SWITCH SHOW 802.1p. This shows that the queue associated to the value 5 is H
(high priority), so lan1 port outgoing packets will be put in the high priority queue.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
defaultpriority
The default priority value to be set when untagged
frames are forwarded to a tagged egress port.
Valid range is 0 to 7.
0
Example
--> switch set port lan1 defaultpriority 5
--> switch show 802.1p
802.1p Queue Map
------------------------------------------------------------------
PID   | 0 1 2 3 4 5 6 7
------------------------------------------------------------------
QUEUE | . . . . H H H H
------------------------------------------------------------------
See also
SWITCH SHOW PORT
2.2.4.1.23 SWITCH SET PORT DEFAULTVID
Syntax
SWITCH SET PORT <portname> DEFAULTVID { default_vlanid }
Description
This command specifies the VLAN identifier used as the IEEE tagged VID added during egress
to untagged frames that arrived at this port. Such frames will then be processed as tagged frames.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
default_vlanid
The VLAN identifier to be associated to untagged
frames that arrive to this port. This valid range is
from 1 to 4095.
N/A
Example
--> switch set port lan1 defaultvid 100
See also
SWITCH SHOW PORT
2.2.4.1.24 SWITCH SET PORT DSCP
Syntax
SWITCH SET PORT <portname> DSCP { Enabled | Disabled }
Description
This command enables the support of the DSCP IP field on the incoming frames.
This command is usually used in conjunction with the switch set qos dscp command to
specify on which egress queue incoming frames having a specific value in the DSCP
field will be forwarded.
When DSCP support is disabled, no specific forwarding policy is applied on incoming
frames except the normal forwarding process.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
Enabled | Disabled
When Enabled, the support of DSCP IP field management is active.
Disabled
When Disabled, any QoS policy based on DSCP
field is disabled.
Example
--> switch set port lan1 DSCP Enabled
2.2.4.1.25 SWITCH SET PORT DSCP/NODSCP
Syntax
SWITCH SET PORT <portname> { dscp | nodscp }
Description
This command enables/disables the DSCP based priority on the selected switch port.
When DSCP based priority is enabled, the DSCP value of each incoming frame is searched
in the switch DSCP table to check if the frame must be forwarded to the High or Low Priority egress queue. If the switch DSCP table reports that for a specific DSCP value the
frame must be managed as a high priority frame, then the switch will forward the frame to
the high priority queue; otherwise the frame will be forwarded to the low priority queue.
To change the switch DSCP table use the SWITCH SET QOS PRIORITY command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
dscp | nodscp
When dscp, the support of DSCP IP field management is active.
nodscp
When nodscp, any QoS policy based on DSCP field
is disabled.
Example
switch set port wan dscp
See also
SWITCH SHOW PORT
SWITCH SET QOS PRIORITY
2.2.4.1.26 SWITCH SET PORT FLOW
Syntax
SWITCH SET PORT <portname> FLOW { Enabled | Disabled }
Description
This command enables/disables full duplex flow control on the selected switch port.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
Enabled | Disabled
When Enabled, the flow control support is active.
Enabled
When Disabled, the flow control support is deactivated.
Example
--> switch set port wan flow Enabled
See also
SWITCH SHOW PORT
2.2.4.1.27 SWITCH SET PORT FLOWCONTROL
Syntax
SWITCH SET PORT <portname> FLOWCONTROL { Enabled | Disabled }
Description
This command enables/disables full duplex flow control on the selected switch port.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
Enabled | Disabled
When Enabled, the flow control support is active.
Enabled
When Disabled, the flow control support is deactivated.
Example
--> switch set port wan flowcontrol enabled
See also
SWITCH SHOW PORT
2.2.4.1.28 SWITCH SET PORT INFILTERING
Syntax
SWITCH SET PORT <portname> INFILTERING { Enabled | Disabled }
Description
This command enables/disables the infiltering process on incoming tagged frames.
When infiltering is enabled, an incoming tagged frame having a VLAN identifier different
from the vlan where the switch port is configured will be dropped.
When infiltering is disabled, an incoming tagged frame having a VLAN identifier different
from the vlan where the switch port is configured is accepted and will be processed
according to the standard forwarding process.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
Enabled | Disabled
When Enabled, ingress filtering support is active.
Enabled
When Disabled, ingress filtering is deactivated.
Example
--> switch set port lan1 infiltering disabled
See also
SWITCH SHOW PORT
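An added example, not part of the manual or the device firmware: a Python model of what one switch port does with an incoming frame under SWITCH SET PORT DEFAULTVID and SWITCH SET PORT INFILTERING. Port names, VLAN memberships and VLAN numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

VID_MIN, VID_MAX = 1, 4095   # valid range for default_vlanid stated in the manual


@dataclass(frozen=True)
class PortVlanConfig:
    """Constructed per-port VLAN settings (not the device's data model)."""
    name: str
    member_vlans: FrozenSet[int]   # VLANs the port is configured in
    default_vid: int               # SWITCH SET PORT <port> DEFAULTVID <vid>
    infiltering: bool = True       # SWITCH SET PORT <port> INFILTERING Enabled

    def __post_init__(self) -> None:
        if not VID_MIN <= self.default_vid <= VID_MAX:
            raise ValueError(
                f"default_vlanid {self.default_vid} outside {VID_MIN}..{VID_MAX}")


def classify_ingress(port: PortVlanConfig,
                     tagged_vid: Optional[int]) -> Tuple[str, Optional[int]]:
    """Decide what happens to a frame entering `port`.

    tagged_vid is None for an untagged frame. Returns ("accept", vid) with the
    VLAN the frame is processed in, or ("drop", None)."""
    if tagged_vid is None:
        # Untagged: associated with the port's default VID, which is also the
        # VID written into the tag when the frame leaves a tagged port.
        return "accept", port.default_vid
    if tagged_vid in port.member_vlans:
        return "accept", tagged_vid
    # Tagged with a VLAN the port is not configured for.
    if port.infiltering:
        return "drop", None          # INFILTERING Enabled: dropped
    # INFILTERING Disabled: accepted and handed to the standard forwarding
    # process, so a host behind this port can submit frames for VLANs the port
    # is not a member of. Keep ingress filtering enabled on customer ports
    # unless there is a reason not to.
    return "accept", tagged_vid


def demo() -> dict:
    """Constructed ports: lan1 keeps ingress filtering, lan2 has it disabled."""
    lan1 = PortVlanConfig("lan1", frozenset({100}), default_vid=100)
    lan2 = PortVlanConfig("lan2", frozenset({100}), default_vid=100,
                          infiltering=False)
    return {
        "lan1_untagged": classify_ingress(lan1, None),
        "lan1_vid100": classify_ingress(lan1, 100),
        "lan1_vid200": classify_ingress(lan1, 200),
        "lan2_vid200": classify_ingress(lan2, 200),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```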
2.2.4.1.29 SWITCH SET PORT MULTICASTLIMIT
Syntax
SWITCH SET PORT <portname> MULTICASTLIMIT < mcastlimit >
Description
This command specifies the ingress data rate limit for multicast traffic. These limits apply
only to multicast frame types entering on the selected switch port.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
mcastlimit
The maximum rate of ingress multicast traffic that will
be accepted on the switch port.
See Section 2.3 for a list of possible values, depending on product family.
None
2.2.4.1.30 SWITCH SET PORT QOS/NOQOS
Syntax
SWITCH SET PORT <portname> {QOS | NOQOS}
Description
This command enables/disables the 802.1p scheme priority on the selected switch port.
When 802.1p scheme priority is enabled, the 802.1p priority field value of each incoming
frame is compared with the switch base priority. If it is higher, the switch will forward the
frame to the high priority queue otherwise the frame will be forwarded to the low priority queue.
To change the switch base priority use the SWITCH SET PRIORITY command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
qos | noqos
When qos, the support of 802.1p priority field management is active.
noqos
When noqos, any QoS policy based on 802.1p field
is disabled.
Example
--> switch set port wan qos
See also
SWITCH SHOW PORT
SWITCH SET PRIORITY
2.2.4.1.31 SWITCH SET PORT RCVLIMIT
Syntax
SWITCH SET PORT <portname> RCVLIMIT <rcvlimit>
Description
This command specifies the ingress data rate limit. These limits apply to all frame types
entering on the selected switch port.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
rcvlimit
The maximum bit rate allowed on a switch port in
the receive direction. See Section 2.3 for a list of
possible values, depending on product family.
None
Example
--> switch set port lan8 rcvlimit 4Mbps
2.2.4.1.32 SWITCH SET PORT RCVLIMIT-HIGH
Syntax
SWITCH SET PORT <portname> RCVLIMIT-HIGH < rcvlimit >
Description
This command specifies the ingress data rate limit for high priority traffic. These limits
apply to all frame types entering on the selected switch port that are high priority.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
rcvlimit
The maximum bit rate allowed on a switch port in
the receive direction. See Section 2.3 for a list of
possible values, depending on product family.
None
Example
--> switch set port lan8 rcvlimit-high 4Mbps
2.2.4.1.33 SWITCH SET PORT RCVLIMIT-LOW
Syntax
SWITCH SET PORT <portname> RCVLIMIT-LOW < rcvlimit >
Description
This command specifies the ingress data rate limit for the low priority traffic. These limits
apply to all frame types entering on the selected switch port that are categorized as low
priority.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
port-name
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
rcvlimit
The maximum bit rate allowed on a switch port in
the receive direction. See Section 2.3 for a list of
possible values, depending on product family.
None
Example
--> switch set port lan8 rcvlimit-low 4Mbps
2.2.4.1.34 SWITCH SET PORT SPEED
Syntax
SWITCH SET PORT <portname> SPEED <port-speed>
Description
This command sets the speed value and mode on the selected switch port.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
Port-name
The name of the switch port to be configured. See
Section 2.3 for a list of possible port names.
N/A
port-speed
The port speed and mode. Allowed values are:
AUTO
AUTO (Autonegotiate)
COAX (10Mbps Half Duplex)
10H (10Mbps Half Duplex)
10F (10Mbps Full Duplex)
100H (100Mbps Half Duplex)
100F (100Mbps Full Duplex)
1000H (1000Mbps Half Duplex)
1000F (1000Mbps Full Duplex)
Example
--> switch set port lan1 speed 10F
See also
SWITCH SHOW PORT
2.2.4.1.35 SWITCH SET PORT STATUS
Syntax
SWITCH SET PORT <portname> STATUS { Enabled | Disabled }
Description
This command disables or enables the switch port.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
portname
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
Enabled | Disabled
When Enabled, the link is up and traffic can be sent
or received to/from the switch port.
Enabled
When Disabled, the link is forced to be down.
Example
--> switch set port lan1 status Disabled
2.2.4.1.36 SWITCH SET PORT TRSLIMIT
Syntax
SWITCH SET PORT <portname> TRSLIMIT < trslimit >
Description
This command specifies the ingress data rate limit. These limits apply to all frame types
entering on the selected switch port.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
portname
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
trslimit
The maximum bit rate allowed on a switch port in
the transmit direction. See Section 2.3 for a list of
possible values, depending on product family.
None
Example
--> switch set port lan1 trslimit 8Mbps
2.2.4.1.37 SWITCH SET PORT TRSLIMIT-HIGH
Syntax
SWITCH SET PORT <portname> TRSLIMIT-HIGH < trslimit >
Description
This command specifies the ingress data rate limit for high priority packets. These limits
apply to all frame types entering on the selected switch port that are high priority.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
portname
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
trslimit
The maximum bit rate allowed on a switch port in
the transmit direction. See Section 2.3 for a list of
possible values, depending on product family.
None
Example
--> switch set port lan1 trslimit-high 8Mbps
2.2.4.1.38 SWITCH SET PORT TRSLIMIT-LOW
Syntax
SWITCH SET PORT <portname> TRSLIMIT-LOW < trslimit >
Description
This command specifies the ingress data rate limit for low priority packets. These limits
apply to all frame types entering on the selected switch port that are low priority.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
portname
The name of the switch port to be configured.
See Section 2.3 for a list of possible port names.
N/A
trslimit
The maximum bit rate allowed on a switch port in
the transmit direction. See Section 2.3 for a list of
possible values, depending on product family.
None
Example
--> switch set port lan1 trslimit-low 8Mbps
2.2.4.1.39 SWITCH SET PRIORITY
Syntax
SWITCH SET PRIORITY <802.1p_base_priority>
Description
This command sets the switch base priority. If an 802.1p bit value is higher than or equal
to this value - then it goes into the high priority queue. Otherwise - it goes into the low
priority queue.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option
Description
Default Value
802.1p_base_priority
The system priority value. Available values are in
the range 0 to 7.
4
Example
--> switch set priority 7
2.2.4.1.40 SWITCH SET QOS 802.1P
Syntax
SWITCH SET QOS 802.1P <802.1p_value> PRIORITY <queue>
Description
This command maps an incoming tagged frame with a specific 802.1p value in the priority field of the tag header into one of the four egress queues available on the switch.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
802.1p_value | The value of the 802.1p field used to map incoming frames into a well defined outgoing queue. Possible values are from 0 to 7. | N/A
queue | The name of the egress priority queue to which the frame will be forwarded. Allowed values are P0 (lowest priority queue), P1, P2 and P3 (highest priority queue). | P0
Example
--> switch set qos 802.1p 5 priority P3
2.2.4.1.41 SWITCH SET QOS DSCP
Syntax
SWITCH SET QOS DSCP <dscp_value> PRIORITY <queue>
Description
This command maps an incoming frame with a specific TOS/DiffServ/Traffic class value in the IP header into one of the four egress queues available on the switch.
To show the current port status, use the SWITCH SHOW PORT command.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
dscp_value | The value of the TOS/DiffServ/Traffic class field used to map incoming frames into a well defined outgoing queue. Possible values are from 0 to 6. | N/A
queue | The name of the egress priority queue to which the frame will be forwarded. Allowed values are P0 (lowest priority queue), P1, P2 and P3 (highest priority queue). | P0
2.2.4.1.42 SWITCH SET QOS PRIORITY
Syntax
SWITCH SET QOS <dscpcode> PRIORITY {HIGH | LOW}
Description
This command maps DSCP values to the two Quality of Service priority levels. The six-bit TOS field in the IP header is decoded as 64 entries, and the priority can be specified for each one.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
dscpcode | A comma-separated list of numbers in the range 0-63 representing the DSCP (Differentiated Services Code Point) value carried in the six most significant bits of the TOS field of the IPv4 header. | N/A
Example
To set the high priority for DSCP values 24 and 37, use the command:
--> switch set qos 24,37 priority high
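The four QoS commands above (SWITCH SET PRIORITY, SWITCH SET QOS 802.1P, SWITCH SET QOS DSCP and SWITCH SET QOS <dscpcode> PRIORITY) can be modelled to check, before a configuration is pushed, which tag or DSCP markings a host on a LAN port could use to reach the high priority queues. The following is an added example, not code from the Allied Telesis product; the class and method names are assumptions, as is the rule that a tagged frame is classified by its 802.1p value and an untagged IP frame by its DSCP value.

```python
"""In-memory model of the switch QoS classification commands documented above.

Added example, not Allied Telesis code.  CLI lines are parsed as documented,
range-checked and applied; the model then reports the queue a frame lands in.
Assumption: tagged frames are classified by 802.1p, untagged IP frames by DSCP.
"""

QUEUES = ("P0", "P1", "P2", "P3")   # four-queue model: P0 lowest, P3 highest


def _int_in_range(text, low, high):
    """Parse a decimal CLI argument and enforce the documented range."""
    value = int(text)
    if not low <= value <= high:
        raise ValueError(f"{value} is outside the allowed range {low}..{high}")
    return value


def _queue(text):
    queue = text.upper()
    if queue not in QUEUES:
        raise ValueError(f"unknown queue {text!r}, expected one of {QUEUES}")
    return queue


def _keyword(words, index, expected):
    if words[index].lower() != expected:
        raise ValueError(f"expected {expected!r}, got {words[index]!r}")


class SwitchQos:
    def __init__(self):
        self.base_priority = 4                                     # SWITCH SET PRIORITY default
        self.pcp_queue = {p: QUEUES[p // 2] for p in range(8)}     # as shown by SWITCH SHOW QOS 802.1P
        self.dscp_queue = {d: QUEUES[d // 16] for d in range(64)}  # as shown by SWITCH SHOW QOS DSCP
        # HIGH/LOW view of DSCP values, taken from the SWITCH SHOW QOS sample
        # output in the manual (40-63 marked 'H'); assumed as the starting state.
        self.dscp_high = set(range(40, 64))

    def apply(self, line):
        """Apply one CLI line from the manual, e.g. '--> switch set priority 7'."""
        words = line.replace("-->", "").split()
        key = [w.lower() for w in words[:4]]
        try:
            if key[:3] == ["switch", "set", "priority"]:
                self.base_priority = _int_in_range(words[3], 0, 7)
            elif key == ["switch", "set", "qos", "802.1p"]:
                _keyword(words, 5, "priority")
                self.pcp_queue[_int_in_range(words[4], 0, 7)] = _queue(words[6])
            elif key == ["switch", "set", "qos", "dscp"]:
                _keyword(words, 5, "priority")
                self.dscp_queue[_int_in_range(words[4], 0, 63)] = _queue(words[6])
            elif key[:3] == ["switch", "set", "qos"]:
                _keyword(words, 4, "priority")
                # the whole list is validated before any value is changed
                codes = [_int_in_range(c, 0, 63) for c in words[3].split(",")]
                level = words[5].lower()
                if level not in ("high", "low"):
                    raise ValueError(f"priority must be HIGH or LOW, got {words[5]!r}")
                for code in codes:
                    (self.dscp_high.add if level == "high" else self.dscp_high.discard)(code)
            else:
                raise ValueError(f"unsupported command: {line!r}")
        except IndexError:
            raise ValueError(f"incomplete command: {line!r}") from None

    def two_queue(self, pcp=None, dscp=None):
        """HIGH/LOW queue: 802.1p base priority threshold for tagged frames, DSCP list otherwise."""
        if pcp is not None:
            return "HIGH" if pcp >= self.base_priority else "LOW"
        if dscp is not None:
            return "HIGH" if dscp in self.dscp_high else "LOW"
        return "LOW"                          # untagged non-IP frame: no marking to honour

    def four_queue(self, pcp=None, dscp=None):
        """P0..P3 egress queue for the same frame."""
        if pcp is not None:
            return self.pcp_queue[pcp]
        if dscp is not None:
            return self.dscp_queue[dscp]
        return "P0"

    def show_8021p(self):
        """Render the QUEUE line of 'switch show 802.1p' ('.' = low queue, 'H' = high queue)."""
        return "QUEUE | " + " ".join(
            "H" if self.two_queue(pcp=p) == "HIGH" else "." for p in range(8))

    def high_priority_tags(self):
        """802.1p values a LAN host could set itself to reach the high queue;
        worth reviewing before trusting client-set tags on an access port."""
        return [p for p in range(8) if self.two_queue(pcp=p) == "HIGH"]
```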
2.2.4.1.43 SWITCH SET ROUTING-LIMIT
Syntax
SWITCH SET ROUTING-LIMIT <limit>
Description
This command sets the maximum number of frames per second that the layer 2 switch forwards to the Residential Gateway network processor for routing purposes.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
limit | The maximum traffic rate (frames per second) sent to the network processor. Available values are: none, 1.0Kfps, 1.5Kfps, 2.0Kfps, 2.5Kfps, 3.0Kfps, 3.5Kfps, 4.0Kfps, 4.5Kfps, 5.0Kfps, 5.5Kfps, 6.0Kfps. | None (disables the routing limit)
2.2.4.1.44 SWITCH SHOW
Syntax
SWITCH SHOW
Description
This command shows a summary of the switch parameters.
Example
--> switch show
Actual configuration:
Switch MAC:       00:0d:da:08:78:d4
Status:           Enabled
Aging Time:       Enabled
Age Timer:        304
Learning Status:  Enabled
Status summary:
Max Ports:        10
Max VLANS:        16
Max Queues:       4
See also
SWITCH SHOW PORT
2.2.4.1.45 SWITCH SHOW 802.1P
Syntax
SWITCH SHOW 802.1P
Description
This command displays the current mapping of the switch egress queues with respect to the 802.1p priority field value in the tag header of an incoming tagged frame. Please note that the four queues are shown in the following way:
• low queue --> .
• med-low queue --> L
• med-high queue --> M
• high queue --> H
Example
--> switch show 802.1p
802.1p Queue Map
-----------------------------------------------------------------
PID   | 0 1 2 3 4 5 6 7
-----------------------------------------------------------------
QUEUE | . . . . H H H H
-----------------------------------------------------------------
2.2.4.1.46 SWITCH SHOW FDB
Syntax
(A) SWITCH SHOW FDB [ADDRESS <mac-address> | PORT <port-name> | VLAN <vlan-id>]
(B) SWITCH SHOW FDB
Description
This command displays the whole contents of the Forwarding Database (ordered by VLAN identifier).
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
mac-address | The MAC address of the device whose FDB entry is of interest. | N/A
port-name | The name of the switch port whose entries are to be displayed. | N/A
vlan-id | The VLAN identifier for which all the FDB entries are to be shown. | N/A
Example
To display the FDB content:
--> switch show fdb
VLAN  MAC                Port  Status
204   00:0d:da:00:79:0f  lan8  Dynamic
204   00:0d:da:01:2c:68  lan8  Dynamic
204   00:0d:da:02:33:d2  lan8  Dynamic
204   00:0d:da:05:51:94  lan8  Dynamic
202   00:0d:da:01:2c:68  lan8  Dynamic
202   00:0d:da:06:f4:23  lan8  Dynamic
202   00:0d:da:08:6c:b6  cpu   Dynamic
202   00:30:84:ee:40:7e  lan8  Dynamic
1     00:30:84:ee:40:80  lan8  Dynamic
2.2.4.1.47 SWITCH SHOW PORT
Syntax
SWITCH SHOW PORT <port-name> [COUNTERS]
Description
This command displays the status of the selected switch port and, if COUNTERS is given, the values of the associated counters.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
port-name | The name of the switch port. See Section 2.3 for a list of possible port names. | N/A
Example
--> switch show port lan6
2.2.4.1.48 SWITCH SHOW QOS
Syntax
SWITCH SHOW QOS
Description
This command displays the current mapping of user priority level to QOS egress queue for the switch.
Example
--> switch show qos
Switch Quality Of Service configuration
--------------------------------------------------------------------
Priority Map:
Addr | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
----------------------------------------------
00   | . . . . . . . . . . . . . . . . . . . .
20   | . . . . . . . . . . . . . . . . . . . .
40   | H H H H H H H H H H H H H H H H H H H H
60   | H H H H
--------------------------------------------------------------------
2.2.4.1.49 SWITCH SHOW QOS 802.1P
Syntax
SWITCH SHOW QOS 802.1P
Description
This command displays the current mapping of the switch egress queues with respect to the 802.1p priority field value in the tag header of an incoming tagged frame.
Example
--> switch show qos 802.1p
Tag Que Map:
Queue Range: 0-3
PID   | 0 1 2 3 4 5 6 7
---------------------------------------
QUEUE | 0 0 1 1 2 2 3 3
2.2.4.1.50 SWITCH SHOW QOS DSCP
Syntax
SWITCH SHOW QOS DSCP
Description
This command displays the current mapping of the switch egress queues with respect to the TOS/DiffServ/Traffic class value in the IP header of an incoming frame.
Example
--> switch show qos dscp
DSCPQue Map:
Queue Range: 0-3
DSCP  | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
--------------------------------------------------------------------------------
00    | 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1
20    | 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2
40    | 2 2 2 2 2 2 2 2 3 3 3 3 3 3 3 3 3 3 3 3
60    | 3 3 3 3
2.3 BRIDGE
2.3.1 Overview
The Bridge module acts as an extension to the existing Layer 2 switch, providing connectivity between the applications and services provided in the CPU and the devices connected to the LAN ports. It also provides support for virtual LANs in order to create multiple domains within which packets are forwarded. The Bridge module also provides standard interfaces for attachment to the system TCP/IP stack, allowing IP frames belonging to a specific VLAN to be terminated on a well defined IP interface.
A key point of interest here is that the port associated with the Bridge is not the Ethernet port from the switch: there is a single interface between the switch and the bridge, and then additional connections to the different functions, such as the ADSL interface or the IP interface.
2.3.2 Bridge Functional Description
2.3.2.1 Source MAC based forwarding
Source based MAC forwarding entries are unicast entries configured to forward packets on the port specified for the MAC address whenever that MAC address matches the destination MAC address of the packet. They are also used to restrict forwarding of packets to the ports specified in the entry when the entry's MAC address and source port match the source MAC address of the packet and the port on which the packet is received.
Source based MAC entries (also called source based static unicast entries) can be created and deleted by the user. These entries have higher priority than dynamic entries, meaning that a learned entry does not overwrite a static unicast entry with the same MAC address.
A static unicast entry serves the following purpose in packet forwarding:
• For a packet whose source MAC address and receiving port match the static unicast entry's MAC address and source port respectively, the packet is forwarded to the ports specified by the entry's destination mask;
• For a packet whose source MAC address matches but which is received on a different source port, the packet is discarded;
• For a packet whose destination MAC address matches a static unicast entry, the packet is forwarded to the source port of the entry.
2.3.2.2 Destination MAC based forwarding
Destination based MAC forwarding entries are configured to forward packets to the ports specified in the entry whose MAC address matches the destination MAC address of the packet. In the absence of a static unicast entry or a dynamic entry, they provide the capability to forward unicast packets to the ports on which the particular destination might be present. They are also used to create multicast entries and forward multicast packets to all ports listening for that particular multicast address.
Destination based MAC entries (also called destination based static unicast entries) can be created and deleted by the user.
For a specific MAC address, there can exist either a source based static unicast entry or a destination based static unicast entry, not both. However, a destination based MAC entry is updated to be of type static + dynamic if a packet is received whose source MAC address matches the destination based MAC entry's MAC address. In that case, the source port field, which is unused for the destination based MAC entry type, is updated to the source port on which the MAC address is learnt.
A destination based MAC entry serves the following purpose in packet forwarding:
• For a packet whose destination MAC address matches a destination based MAC entry's MAC address, the packet is forwarded to the ports specified by the entry's destination mask;
• For a packet whose destination MAC address matches a destination based + dynamic entry's MAC address, the packet is forwarded to the source port specified in the entry.
2.3.2.3 Port based forwarding
Port based forwarding is an additional mechanism to forward packets based on the port on which they are received. This forwarding applies to all received packets, irrespective of their source and destination MAC addresses.
Port based forwarding is the first level of forwarding applied to received packets. The destination mask is set to the forwarding mask of the port on which the packets are received. It serves the following purpose in packet forwarding:
• If a source based MAC entry or a dynamic MAC entry matching the destination MAC address is found, the packet is forwarded to the specified source port only if that port exists in the port forwarding mask of the port on which the packet is received.
• If a source based MAC entry matching the source MAC address is found, the packet is forwarded to all the ports that exist both in the destination mask of the entry and in the port forwarding mask of the port on which the packet is received.
• If a destination based MAC entry matching the destination MAC address is found, the packet is forwarded to all the ports that exist both in the destination mask of the entry and in the port forwarding mask of the port on which the packet is received.
2.3.2.4 Traffic Prioritization
The bridge module provides support for traffic prioritization in conformance with the IEEE 802.1p specification.
Priority regeneration can be configured for each port such that, whenever a tagged packet is received with a given priority in the tag header, it is mapped to the corresponding regenerated priority and the tag header is rewritten with the new priority.
Additionally, the bridge can be configured to prioritize traffic based on traffic classes defined for each outgoing port. Based on these mappings, the regenerated priority is mapped to the corresponding traffic class priority, which is set as the system buffer priority so that transmitted packets are appropriately prioritized by the lower layers. The actual prioritized transmission of packets is performed by the scheduler device, which transmits the highest priority packets first, followed by lower priority packets and finally the lowest priority packets.
Priority handling has the following effect on the forwarding path:
• If the received packet is untagged, assign the default priority of the port on which it is received; otherwise obtain the user priority from the tag header.
• Map the user priority to the regenerated priority based on the configuration of the receiving port.
• If the packet is forwarded as tagged, set the regenerated priority in the tag header.
• If traffic class mapping is enabled, obtain the traffic class based on the configuration of the outgoing port and set the priority in the system buffer.
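The four steps above can be walked through for one frame to see how a per-port regeneration table on an ingress LAN port bounds the priority that a host can claim for itself on the upstream link. This is an added example, not Allied Telesis code: the PortPriority fields stand in for the BRIDGE SET INTERFACE DEFAULTUSERPRIORITY, REGENPRIORITY and TRAFFICCLASSTATUS settings listed in Table 2-4, and the class layout, the cap_regen_map helper and the sample traffic class table are assumptions.

```python
"""Per-port 802.1p priority handling of the bridge, following the four steps above.

Added example, not Allied Telesis code.  Field names mirror the BRIDGE SET
INTERFACE commands only loosely; the structures below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# IEEE 802.1D recommended user priority -> traffic class mapping for a port
# with four traffic classes; used here as sample data, not the device default.
IEEE_8021D_FOUR_CLASSES: Dict[int, int] = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def identity_regen_map() -> Dict[int, int]:
    """Regeneration table that leaves every user priority unchanged."""
    return {p: p for p in range(8)}


def cap_regen_map(max_priority: int) -> Dict[int, int]:
    """Regeneration table that clamps every received user priority to max_priority.
    Applied to an ingress LAN port, it keeps a host from tagging its own traffic
    into the higher queues of the upstream link (assumed helper, not a CLI command)."""
    if not 0 <= max_priority <= 7:
        raise ValueError("802.1p priority must be 0..7")
    return {p: min(p, max_priority) for p in range(8)}


@dataclass
class PortPriority:
    default_user_priority: int = 0                          # used for untagged frames
    regen: Dict[int, int] = field(default_factory=identity_regen_map)
    traffic_class_enabled: bool = False                     # traffic class mapping on/off
    traffic_class_map: Dict[int, int] = field(default_factory=dict)


def prioritize(tag_priority: Optional[int], ingress: PortPriority,
               egress: PortPriority, forward_tagged: bool) -> Tuple[Optional[int], Optional[int]]:
    """Return (priority written into the egress tag, or None if sent untagged;
    system buffer priority, or None when traffic class mapping is disabled)."""
    # Step 1: untagged frames take the ingress port default, tagged ones their tag value.
    user_priority = ingress.default_user_priority if tag_priority is None else tag_priority
    if not 0 <= user_priority <= 7:
        raise ValueError("802.1p priority must be 0..7")
    # Step 2: regenerate according to the receiving port's table.
    regenerated = ingress.regen[user_priority]
    # Step 3: a tagged egress frame carries the regenerated value.
    tag_out = regenerated if forward_tagged else None
    # Step 4: the outgoing port's traffic class mapping sets the buffer priority.
    buffer_priority = egress.traffic_class_map[regenerated] if egress.traffic_class_enabled else None
    return tag_out, buffer_priority
```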
2.3.2.5 Multicast Traffic
The system supports configuration and handling of multicast MAC forwarding entries, forward all entries and forward unregistered entries. Forwarding of multicast packets is done based on these entries. By default, multicast traffic is forwarded to all ports. With the addition of support for IGMP snooping in the Bridge, multicast forwarding is further optimized by intelligent forwarding of multicast traffic in the network.
Additionally, the system provides configuration of forward all and forward unregistered ports. Forward all ports are the ports to which all multicast data will always be forwarded. Forward unregistered ports are the ports to which multicast data is forwarded when no multicast filtering entry exists for it.
2.3.2.6 Learning
Learning is carried out for each unicast packet received by the bridge. Based on the source MAC address and the source port on which the packet is received, the bridge updates its forwarding database so that whenever a packet with the learnt MAC address as its destination is received, it is sent to the port on which that MAC address was learnt.
Entries are aged out with the periodicity of the filter age time configured by the user.
Entries are learnt only on those ports that are in either learning or forwarding state.
Learning is carried out in the following manner:
• If a dynamic entry with a MAC address matching the source MAC address already exists, its last seen time and source port are updated.
• If a static entry with a MAC address matching the source MAC address exists, the entry's source port field is updated with the receiving port.
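The forwarding rules of sections 2.3.2.1 to 2.3.2.3 and the learning rules of 2.3.2.6 interact, and the interaction is easiest to see in a small model: a source based entry pins a MAC to a port so that the same MAC arriving elsewhere is discarded, learning never overwrites it, and a destination based entry turns into static + dynamic once the MAC is seen as a source. The following is an added example, not code from the Allied Telesis product; class and method names are assumptions, as is flooding unknown unicast and multicast to the port forwarding mask and discarding frames received on a port that is not forwarding.

```python
"""Model of the bridge forwarding decision (2.3.2.1 to 2.3.2.3) and learning (2.3.2.6).

Added example, not Allied Telesis code.  Names and the handling of cases the
text leaves open (unknown unicast, non-forwarding ports) are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple


def is_multicast(mac: str) -> bool:
    """Group bit of the first octet; bridges do not learn from such sources."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class SrcEntry:                         # static unicast entry, source based
    src_port: str
    dest_mask: FrozenSet[str]


@dataclass
class DestEntry:                        # static unicast entry, destination based
    dest_mask: FrozenSet[str]
    learnt_port: Optional[str] = None   # set once the MAC is seen as a source ("static + dynamic")


@dataclass
class Bridge:
    fwd_mask: Dict[str, FrozenSet[str]]                       # port -> ports it may forward to
    filter_age: float = 300.0                                 # seconds, cf. BRIDGE SET FILTERAGE
    port_state: Dict[str, str] = field(default_factory=dict)  # "forwarding" unless listed otherwise
    src_entries: Dict[str, SrcEntry] = field(default_factory=dict)
    dest_entries: Dict[str, DestEntry] = field(default_factory=dict)
    dynamic: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # mac -> (port, last seen)

    def _state(self, port: str) -> str:
        return self.port_state.get(port, "forwarding")

    def add_src_entry(self, mac: str, src_port: str, dest_mask) -> None:
        if mac in self.dest_entries:
            raise ValueError("a MAC has either a source based or a destination based entry, not both")
        self.src_entries[mac] = SrcEntry(src_port, frozenset(dest_mask))
        self.dynamic.pop(mac, None)     # static entries take precedence over learnt ones

    def add_dest_entry(self, mac: str, dest_mask) -> None:
        if mac in self.src_entries:
            raise ValueError("a MAC has either a source based or a destination based entry, not both")
        self.dest_entries[mac] = DestEntry(frozenset(dest_mask))
        self.dynamic.pop(mac, None)

    def learn(self, src_mac: str, in_port: str, now: float) -> None:
        if is_multicast(src_mac) or self._state(in_port) not in ("learning", "forwarding"):
            return
        if src_mac in self.src_entries:
            return                                  # never overwritten by learning
        if src_mac in self.dest_entries:
            self.dest_entries[src_mac].learnt_port = in_port   # becomes static + dynamic
            return
        self.dynamic[src_mac] = (in_port, now)      # new entry, or refresh port and last seen time

    def age(self, now: float) -> None:
        """Drop dynamic entries not refreshed within filter_age."""
        for mac, (_port, seen) in list(self.dynamic.items()):
            if now - seen > self.filter_age:
                del self.dynamic[mac]

    def forward(self, src_mac: str, dst_mac: str, in_port: str, now: float) -> Set[str]:
        """Return the egress port set for one frame; an empty set means discard."""
        if self._state(in_port) != "forwarding":
            return set()
        self.learn(src_mac, in_port, now)
        mask = self.fwd_mask[in_port]               # port based forwarding is applied first
        src = self.src_entries.get(src_mac)
        if src is not None:                         # source based entry for this source MAC
            if src.src_port != in_port:
                return set()                        # known MAC on the wrong port: discard
            return set(src.dest_mask & mask)
        if dst_mac in self.src_entries:             # destination pinned by a source based entry
            return {self.src_entries[dst_mac].src_port} & mask
        if dst_mac in self.dynamic:                 # learnt destination
            return {self.dynamic[dst_mac][0]} & mask
        dest = self.dest_entries.get(dst_mac)
        if dest is not None:
            if dest.learnt_port is not None:        # static + dynamic: use the learnt port
                return {dest.learnt_port} & mask
            return set(dest.dest_mask & mask)
        return set(mask) - {in_port}                # unknown unicast or multicast: flood (assumption)
```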
2.3.3 Functional Differences in Product Categories
A key difference between the different models is the incorporation of a VLAN Aware Bridge implementation. As part of this enhancement, additional flexibility was added to support MAC filtering. Note that some commands described here presume support for multiple VLANs within the Bridge. For more information on the VLAN specific functions, please see the VLAN section.
It is not often that a user would need to manipulate the forwarding databases. The capability is there, but it is not anticipated to be widely utilized.
TABLE 2-3 Functional Mapping for Bridge
Commands | Fiber A | Fiber B | Fiber C | Fiber D | Fiber E | Modular | ADSL A | ADSL B | ADSL C
Port based forwarding | X | X | X | X | X | X
Traffic Prioritization | X | X | X | X | X | X
Multicast Traffic | 1 | X | 1 | X | X | X | 1 | X | X
Learning | X | X | X | X | X | X | X | X | X
Note 1) On these devices, multicast traffic is forwarded to all ports with no options for filtering or restriction.
Note 2) For these devices there is only one Forwarding Database, the DefaultFDB; for other devices it is possible to create multiple Forwarding Databases via the Bridge Add VLAN command.
Note 3) Dynamic destination MAC based forwarding is the only mechanism supported here. The Bridge learns which MAC addresses come from which ports and forwards packets with that MAC as destination MAC to those ports. There is no support for static configuration of MAC addresses.
2.3.4 Bridge command reference
This section describes the commands available for Bridge.
2.3.4.1 Bridge commands
The table below lists the Bridge commands provided by the CLI:
TABLE 2-4 Bridge commands
Product categories: Fiber A, Fiber B, Fiber C, Fiber D, Fiber E, Modular, ADSL A, ADSL B, ADSL C
Commands
BRIDGE ADD FWDALLINTERFACE SHARED
BRIDGE ADD FWDUNREGINTERFACE SHARED
BRIDGE ADD INTERFACE
BRIDGE ADD MCASTENTRY SHARED
BRIDGE ADD MCASTINTERFACE SHARED
BRIDGE ADD UCASTENTRY DEST
BRIDGE ADD UCASTENTRY SRC
BRIDGE ADD UCASTINTERFACE
BRIDGE ATTACH
BRIDGE CLEAR FWDALLINTERFACES SHARED
BRIDGE CLEAR INTERFACE STATS
BRIDGE CLEAR INTERFACES
BRIDGE CLEAR FWDUNREGINTERFACES SHARED
BRIDGE CLEAR MCASTENTRIES SHARED
BRIDGE CLEAR MCASTINTERFACES SHARED
BRIDGE CLEAR UCASTENTRIES
BRIDGE CLEAR UCASTINTERFACES
BRIDGE DELETE FWDALLINTERFACE SHARED
BRIDGE DELETE FWDUNREGINTERFACE SHARED
BRIDGE DELETE INTERFACE
BRIDGE DELETE MCASTENTRY SHARED
BRIDGE DELETE MCASTINTERFACE SHARED
BRIDGE DELETE UCASTENTRY
BRIDGE DELETE UCASTINTERFACE
BRIDGE DETACH
BRIDGE FLUSH
BRIDGE LIST FDBS
BRIDGE LIST FWDALL SHARED
BRIDGE LIST FWDUNREG SHARED
BRIDGE LIST INTERFACE STATS
BRIDGE LIST INTERFACES
BRIDGE LIST STATIC MCASTENTRIES SHARED
BRIDGE LIST STATIC UCASTENTRIES
BRIDGE LIST MCASTENTRIES SHARED
BRIDGE LIST STATIC FWDALL SHARED
BRIDGE LIST STATIC FWDUNREG SHARED
BRIDGE LIST UCASTENTRIES
BRIDGE SET FILTERAGE
BRIDGE SET INTERFACE ACCEPTFRAMETYPE
BRIDGE SET INTERFACE DEFAULTUSERPRIORITY
BRIDGE SET INTERFACE FILTETYPE
BRIDGE SET INTERFACE INGRESSFILTERING
BRIDGE SET INTERFACE NUMTRAFFICCLASSES
BRIDGE SET INTERFACE PVID
BRIDGE SET INTERFACE REGENPRIORITY
BRIDGE SET INTERFACE TRAFFICCLASSTATUS
BRIDGE SET WANTOWANFORWARDING
BRIDGE SHOW
BRIDGE SHOW FDB
BRIDGE SHOW INTERFACE
BRIDGE SHOW INTERFACE REGENPRIORITY
BRIDGE SHOW INTERFACE TRAFFICCLASSMAP
BRIDGE SHOW INTERFACESTATS
BRIDGE SHOW MCASTENTRY SHARED
BRIDGE SHOW UCASTENTRY
2.3.4.1.1 BRIDGE ADD FWDALLINTERFACE SHARED
Syntax
BRIDGE ADD FWDALLINTERFACE SHARED { <fdbname> | <fdbnumber> } <interfacename>
Description
This command adds an interface to the egress interface list of the Forward All Group of the named Forwarding Database. The Forward All Group represents the set of interfaces to which all multicast frames are forwarded.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database. | N/A
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. | N/A
interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively. | N/A
Example
--> bridge add fwdallinterface shared FDB_1 bridge1
See also
BRIDGE DELETE FWDALLINTERFACE SHARED
BRIDGE LIST FWDALL SHARED
2.3.4.1.2 BRIDGE ADD FWDUNREGINTERFACE SHARED
Syntax
BRIDGE ADD FWDUNREGINTERFACE SHARED { <fdbname> | <fdbnumber> } <interfacename>
Description
This command adds an interface to the egress interface list of the Forward Unregistered Group of the named Forwarding Database. The Forward Unregistered Group represents the set of interfaces to which all multicast frames are forwarded whose destination MAC addresses have no other forwarding information available.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database. | N/A
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. | N/A
interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively. | N/A
Example
--> bridge add fwdunreginterface shared FDB_1 bridge1
See also
BRIDGE ADD FWDALLINTERFACE SHARED
BRIDGE LIST FWDALL SHARED
2.3.4.1.3 BRIDGE ADD INTERFACE
Syntax
BRIDGE ADD INTERFACE <name>
Description
This command adds a named interface to the bridge.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies an object. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
Example
--> bridge add interface bridge1
See also
BRIDGE LIST INTERFACES
BRIDGE ATTACH
2.3.4.1.4 BRIDGE ADD MCASTENTRY SHARED
Syntax
BRIDGE ADD MCASTENTRY SHARED <name> { <fdbname> | <fdbnumber> } <mac>
Description
This command adds a multicast forwarding entry to a Forwarding Database. On receiving a multicast frame, if the multicast MAC address matches the address given in this command, that frame is forwarded to all the interfaces in the egress interface list of this entry. See bridge add mcastinterface shared to add an egress interface to a multicast entry.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies the entry. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database. | N/A
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. | N/A
mac | A valid multicast Ethernet MAC address in the format ##:##:##:##:##:## | N/A
Example
--> bridge add mcastentry shared MCAST_1 DefaultFdb 01:00:00:00:00:00
See also
BRIDGE DELETE MCASTENTRY SHARED
2.3.4.1.5 BRIDGE ADD MCASTINTERFACE SHARED
Syntax
BRIDGE ADD MCASTINTERFACE SHARED { <entryname> | <entrynumber> } { <fdbname> | <fdbnumber> } EGRESS <interfacename>
Description
This command adds an interface to the egress interface list of the named multicast forwarding entry for the given Forwarding Database.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
entryname | Name of an existing multicast forwarding entry. To display the list of all statically configured multicast entries that the user can delete, use bridge list static mcastentries. This command also displays the entire egress interface list for that entry. | N/A
entrynumber | A number that identifies an existing multicast forwarding entry. To display the list of statically configured multicast entries, use bridge list static mcastentries. The number appears in the first column under the heading ID. | N/A
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database. | N/A
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. | N/A
interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively. | N/A
Example
--> bridge add mcastinterface shared MCAST_1 FDB_1 egress bridge1
See also
BRIDGE CLEAR MCASTENTRIES SHARED
BRIDGE ADD MCASTENTRY SHARED
BRIDGE DELETE MCASTENTRY SHARED
2.3.4.1.6 BRIDGE ADD UCASTENTRY DEST
Syntax
BRIDGE ADD UCASTENTRY DEST <name> { <fdbname> | <fdbnumber> } <macaddress>
Description
This command creates a destination MAC address based unicast forwarding entry in the named Forwarding Database.
When the system receives an Ethernet frame, it examines the destination MAC address of the frame. If the destination MAC address matches the address specified in this command, the system forwards the frame to the egress interfaces configured for this entry.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies the entry. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. The name has to be unique among all unicast entries (source MAC and destination MAC based) in a Forwarding Database. | N/A
fdbname | The name of an existing Forwarding Database to which the entry will be added. | N/A
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. | N/A
macaddress | A valid unicast Ethernet MAC address in the format ##:##:##:##:##:## | N/A
Example
--> bridge add ucastentry dest UCAST_2 DefaultFdb 00:00:00:00:00:02
See also
BRIDGE ADD UCASTENTRY SRC
BRIDGE LIST UCASTENTRIES
2.3.4.1.7 BRIDGE ADD UCASTENTRY SRC
Syntax
BRIDGE ADD UCASTENTRY SRC <name> { <fdbname> | <fdbnumber> } <macaddress> <recvinterface>
Description
This command creates a source MAC address based unicast filtering entry in the named Forwarding Database.
When the system receives an Ethernet frame, it examines the source MAC address of the frame. If both the source MAC address and the receiving interface match the <macaddress> and <recvinterface> specified in this command, the system forwards the frame to the egress interfaces configured for this entry.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies the entry. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. The name has to be unique among all unicast entries (source MAC and destination MAC based) in a Forwarding Database. | N/A
fdbname | The name of an existing Forwarding Database to which the entry will be added. | N/A
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. | N/A
macaddress | A valid unicast Ethernet MAC address in the format ##:##:##:##:##:## | N/A
recvinterface | The name of the existing bridge interface on which the Ethernet frames are received. The interface must be attached to a valid transport. To display interface names and their transport attachment details, use the bridge list interfaces command. | N/A
Example
--> bridge add ucastentry src UCAST_1 FDB_1 00:00:00:00:00:01 bridge1
See also
BRIDGE ADD UCASTENTRY DEST
BRIDGE LIST STATIC UCASTENTRIES
2.3.4.1.8 BRIDGE ADD UCASTINTERFACE
Syntax
BRIDGE ADD UCASTINTERFACE { <entryname> | <entrynumber> } { <fdbname> | <fdbnumber> } <interfacename>
Description
This command adds an interface to the egress interface list of a statically configured unicast forwarding entry. It can be invoked multiple times to add more interfaces to the egress interface list of the entry.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
entryname | Name of an existing unicast forwarding entry. To display the list of statically configured unicast entries, use bridge list static ucastentries. | N/A
entrynumber | A number that identifies an existing unicast forwarding entry. To display the list of statically configured unicast entries, use bridge list static ucastentries. The number appears in the first column under the heading ID. | N/A
fdbname | The name of the existing Forwarding Database to which the entry belongs. | N/A
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. | N/A
interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively. | N/A
Example
--> bridge add ucastinterface UCAST_1 DefaultFdb bridge
See also
BRIDGE ADD UCASTENTRY SRC
BRIDGE ADD UCASTENTRY DEST
BRIDGE LIST UCASTENTRIES
2.3.4.1.9 BRIDGE ATTACH
Syntax
BRIDGE ATTACH { <name> | <number> } <transport>
Description
This command attaches an existing transport to an existing bridge interface to allow data
to be bridged via the transport. Only one transport can be attached to an interface. If
you use this command when there is already a transport attached to the interface, the
previous transport is replaced by the new one.
This command implicitly enables the transport being attached. This command also adds
the interface to the untagged port list of the default VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
name | The name manually assigned to the object when it was created. | N/A
number | The numerical identifier automatically assigned to the object when it was created. | N/A
transport | A name that identifies an existing transport. To display transport names, use the <transport type> list transports command. | N/A
Example
--> bridge attach bridge1 my1483
See also
BRIDGE LIST INTERFACES
2.3.4.1.10 BRIDGE CLEAR FWDALLINTERFACES SHARED
Syntax
BRIDGE CLEAR FWDALLINTERFACES SHARED {<fdbname> | <fdbnumber>}
Description
This command removes all the interfaces from the egress interface list of the Forward All Group of the named Forwarding Database. The Forward All Group represents the set of interfaces to which all the multicast frames would be forwarded.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge clear fwdallinterfaces shared FDB_1
See also
BRIDGE DELETE FWDALLINTERFACE SHARED
BRIDGE LIST FWDALL SHARED
2.3.4.1.11 BRIDGE CLEAR FWDUNREGINTERFACES SHARED
Syntax
BRIDGE CLEAR FWDUNREGINTERFACES SHARED { <fdbname> | <fdbnumber> }
Description
This command removes all of the interfaces from the egress interface list of the Forward Unregistered Group of the named Forwarding Database (previously added using the bridge add fwdunreginterface shared CLI command). The Forward Unregistered Group represents the set of interfaces
to which all the multicast frames would be forwarded, whose respective destination MAC addresses
have no other forwarding information available.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge clear fwdunreginterfaces shared FDB_1
See also
BRIDGE ADD FWDALLINTERFACE
BRIDGE LIST FWDALL SHARED
2.3.4.1.12 BRIDGE CLEAR INTERFACE STATS
Syntax
BRIDGE CLEAR INTERFACE STATS [<name> | <number>]
Description
This command clears either the interface statistics for all interfaces or the interface statistics for a single specified interface. It resets to zero all of the statistical information displayed by the bridge list interface stats CLI command.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
name | The name manually assigned to the object when it was created. | N/A
Example
--> bridge clear interface stats
See also
BRIDGE ADD INTERFACE
BRIDGE ATTACH
BRIDGE LIST INTERFACE STATS
2.3.4.1.13 BRIDGE CLEAR INTERFACES
Syntax
BRIDGE CLEAR INTERFACES
Description
This command deletes all bridge interfaces previously created using the bridge add interface command.
All source/destination MAC address based unicast forwarding entries associated with the interfaces are also deleted by this command. The interfaces are also deleted from the egress interface list of all VLANs, multicast filtering entries and Forward All/Unregistered group entries.
Example
--> bridge clear interfaces
See also
BRIDGE ADD INTERFACE
BRIDGE DELETE INTERFACE
2.3.4.1.14 BRIDGE CLEAR MCASTENTRIES SHARED
Syntax
BRIDGE CLEAR MCASTENTRIES SHARED {<fdbname> | <fdbnumber>}
Description
This command deletes all the statically configured multicast forwarding entries in the named Forwarding Database that were added by the bridge add mcastentry shared CLI command. All the interfaces in the egress interface lists of those entries (added by the bridge add mcastinterface shared CLI command) are deleted as well.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Filtering Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge clear mcastentries DefaultFdb
See also
BRIDGE ADD MCASTENTRY SHARED
BRIDGE DELETE MCASTENTRY SHARED
2.3.4.1.15 BRIDGE CLEAR MCASTINTERFACES SHARED
Syntax
BRIDGE CLEAR MCASTINTERFACES SHARED {<entryname> | <entrynumber>} {<fdbname> | <fdbnumber>}
Description
This command deletes all the interfaces from the egress interface list of the named multicast forwarding entry in the given Forwarding Database.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
entryname | Name of an existing Multicast Forwarding Entry. To display the list of all statically configured multicast entries that the user can delete, use bridge list static mcastentries. This command also displays the entire egress interface list for that entry.
entrynumber | A number that identifies an existing Multicast Forwarding Entry. To display the list of statically configured multicast entries, use bridge list static mcastentries. The number appears in the first column under the heading ID.
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Filtering Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge clear mcastinterfaces shared MCAST_1 DefaultFDB
See also
BRIDGE ADD MCASTENTRY SHARED
BRIDGE DELETE MCASTENTRY SHARED
2.3.4.1.16 BRIDGE CLEAR UCASTENTRIES
Syntax
BRIDGE CLEAR UCASTENTRIES {<fdbname> | <fdbnumber>}
Description
This command deletes all the statically configured unicast forwarding entries in the named forwarding database, together with the egress interface list of each entry.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing forwarding database to which the entry will be added.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge clear ucastentries DefaultFdb
See also
BRIDGE ADD UCASTENTRY SRC
BRIDGE ADD UCASTENTRY DEST
2.3.4.1.17 BRIDGE CLEAR UCASTINTERFACES
Syntax
BRIDGE CLEAR UCASTINTERFACES {<entryname> | <entrynumber>} {<fdbname> | <fdbnumber>}
Description
This command removes all the interfaces from the egress interface list of the named unicast forwarding entry.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
entryname | Name of an existing unicast filtering entry. To display the list of statically configured unicast entries, use bridge list static ucastentries.
entrynumber | A number that identifies an existing unicast filtering entry. To display the list of statically configured unicast entries, use bridge list static ucastentries. The number appears in the first column under the heading ID.
fdbname | The name of an existing filtering database to which the filtering entry will be added. See Note on filtering database in this command.
fdbnumber | A number that identifies an existing Filtering Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge clear ucastinterfaces DefaultFdb
See also
BRIDGE ADD UCASTENTRY SRC
BRIDGE ADD UCASTENTRY DEST
BRIDGE LIST UCASTENTRIES
2.3.4.1.18 BRIDGE DELETE FWDALLINTERFACE SHARED
Syntax
BRIDGE DELETE FWDALLINTERFACE SHARED {<fdbname> | <fdbnumber>} <interfacename>
Description
This command removes an interface from the egress interface list of the Forward All Group of the named Forwarding Database (previously added using the bridge add fwdallinterface shared CLI command). The Forward All Group represents the set of interfaces to which all the multicast frames would be forwarded.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively.
Example
bridge delete fwdallinterface shared FDB_1 bridge1
See also
BRIDGE ADD FWDALLINTERFACE SHARED
BRIDGE LIST FWDALL SHARED
2.3.4.1.19 BRIDGE DELETE FWDUNREGINTERFACE SHARED
Syntax
BRIDGE DELETE FWDUNREGINTERFACE SHARED {<fdbname> | <fdbnumber>} <interfacename>
Description
This command removes an interface from the egress interface list of the Forward Unregistered Group of the named Forwarding Database which was added by bridge add fwdunreginterface shared CLI command. The Forward Unregistered Group represents the set of
interfaces to which all the multicast frames would be forwarded whose respective destination MAC
addresses have no other forwarding information available.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively.
Example
bridge delete fwdunreginterface shared FDB_1 bridge1
See also
BRIDGE ADD FWDALLINTERFACE
BRIDGE LIST FWDALL SHARED
2.3.4.1.20 BRIDGE DELETE INTERFACE
Syntax
BRIDGE DELETE INTERFACE {<name> | <number>}
Description
This command deletes a single interface from the bridge.
All source/ destination MAC address based unicast filtering entries associated with the
interfaces are also deleted by this command. The interface is also deleted from the egress
interface list of all VLANs, multicast filtering entries and Forward All/Unregistered group
entries.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
name | The name manually assigned to the object when it was created. | N/A
number | The numerical identifier automatically assigned to the object when it was created. | N/A
Example
--> bridge delete interface qbridge1
See also
BRIDGE LIST INTERFACES
2.3.4.1.21 BRIDGE DELETE MCASTENTRY SHARED
Syntax
BRIDGE DELETE MCASTENTRY SHARED {<entryname> | <entrynumber>} {<fdbname> | <fdbnumber>}
Description
This command deletes a single multicast forwarding entry created using the bridge add mcastentry shared CLI command. This command also deletes all of the interfaces in the egress interface list of the entry (previously added using the bridge add mcastinterface shared CLI command).
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
entryname | Name of an existing Multicast Forwarding Entry. To display the list of all statically configured multicast entries that the user can delete, use bridge list static mcastentries. This command also displays the entire egress interface list for that entry.
entrynumber | A number that identifies an existing Multicast Forwarding Entry. To display the list of statically configured multicast entries, use bridge list static mcastentries. The number appears in the first column under the heading ID.
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Filtering Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge delete mcastentry shared MCAST_1 DefaultFDB
See also
BRIDGE CLEAR MCASTENTRIES SHARED
BRIDGE DELETE MCASTENTRY SHARED
2.3.4.1.22 BRIDGE DELETE MCASTINTERFACE SHARED
Syntax
BRIDGE DELETE MCASTINTERFACE SHARED {<entryname> | <entrynumber>} {<fdbname> | <fdbnumber>} <interfacename>
Description
This command removes an interface from the egress interface list of a multicast Forwarding entry.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
entryname | Name of an existing Multicast Forwarding Entry. To display the list of all statically configured multicast entries that the user can delete, use bridge list static mcastentries. This command also displays the entire egress interface list for that entry.
entrynumber | A number that identifies an existing Multicast Forwarding Entry. To display the list of statically configured multicast entries, use bridge list static mcastentries. The number appears in the first column under the heading ID.
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Filtering Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively.
Example
bridge delete mcastinterface shared MCAST_1 FDB_1 bridge1
See also
BRIDGE ADD MCASTENTRY SHARED
BRIDGE CLEAR MCASTENTRY SHARED
2.3.4.1.23 BRIDGE DELETE UCASTENTRY
Syntax
BRIDGE DELETE UCASTENTRY {<entryname> | <entrynumber>} {<fdbname> | <fdbnumber>}
Description
This command deletes a statically configured unicast forwarding entry. All the egress interfaces of the unicast entry are also deleted by this command.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
entryname | A name that identifies an existing unicast forwarding entry. To display the list of statically configured unicast entries, use bridge list static ucastentries. This command also displays the egress interface list for each unicast entry.
entrynumber | A number that identifies an existing unicast forwarding entry. To display the list of statically configured unicast entries, use bridge list static ucastentries. The number appears in the first column under the heading ID.
fdbname | The name of an existing forwarding database to which the entry will be added.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge delete ucastentry UCAST_1 DefaultFdb
See also
BRIDGE ADD UCASTENTRY DEST
BRIDGE LIST STATIC UCASTENTRIES
2.3.4.1.24 BRIDGE DELETE UCASTINTERFACE
Syntax
BRIDGE DELETE UCASTINTERFACE {<entryname> | <entrynumber>} {<fdbname> | <fdbnumber>} <interfacename>
Description
This command removes an interface from the egress interface list of the named unicast
forwarding entry.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
entryname | Name of an existing unicast forwarding entry. To display the list of statically configured unicast entries, use bridge list static ucastentries.
entrynumber | A number that identifies an existing unicast forwarding entry. To display the list of statically configured unicast entries, use bridge list static ucastentries. The number appears in the first column under the heading ID.
fdbname | The name of an existing forwarding database to which the entry will be added.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively.
Example
bridge delete ucastinterface UCAST_1 FDB_1 bridge1
See also
BRIDGE ADD UCASTENTRY
BRIDGE ADD UCASTENTRY DEST
BRIDGE ADD UCASTINTERFACE
BRIDGE LIST STATIC UCASTENTRIES
BRIDGE LIST UCASTENTRIES
2.3.4.1.25 BRIDGE DETACH
Syntax
BRIDGE DETACH INTERFACE { <name> | <number> }
Description
This command detaches the transport that was attached to the bridge interface using the
bridge attach interface command.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
name | The name manually assigned to the object when it was created. | N/A
number | The numerical identifier automatically assigned to the object when it was created. | N/A
Example
--> bridge detach interface bridge1
See also
BRIDGE LIST INTERFACES
2.3.4.1.26 BRIDGE FLUSH
Syntax
BRIDGE FLUSH <portname>
Description
This command deletes all the dynamic unicast filtering entries across all filtering databases
for the given bridge interface.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
portname | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively. | N/A
Example
--> bridge flush bridge1
See also
BRIDGE ADD INTERFACE
BRIDGE ATTACH
BRIDGE LIST INTERFACE STATS
2.3.4.1.27 BRIDGE LIST FDBS
Syntax
BRIDGE LIST FDBS
Description
This command displays statistical information on all the filtering databases in the bridge. It displays the following information about each filtering database:
• Filtering database ID (FID)
• Number of dynamic unicast entries within it
• Number of VLANs associated with it
• Number of frames discarded due to filtering database overflow
• Type, indicating whether the filtering database is statically configured or dynamically created (by default, FDBs are created statically using the bridge add vlan command)
See also
BRIDGE ADD VLAN
2.3.4.1.28 BRIDGE LIST FWDALL SHARED
Syntax
BRIDGE LIST FWDALL SHARED {<fdbname>|<fdbnumber>}
Description
This command lists the statically added interfaces (See bridge add fwdallinterface shared CLI command) and dynamically learnt interfaces in the egress interface list of the Forward All Group for
the named Forwarding Database. The Forward All Group represents the set of interfaces to
which all the multicast frames would be forwarded.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Filtering Database. See the bridge add vlan CLI command to configure a new Filtering Database.
fdbnumber | A number that identifies an existing Filtering Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge list fwdall shared FDB_1
Forward All Egress Interfaces for : FDB_1
Egress Interfaces:bridge1
See also
BRIDGE ADD FWDALLINTERFACE
BRIDGE LIST FWDALL SHARED
2.3.4.1.29 BRIDGE LIST FWDUNREG SHARED
Syntax
BRIDGE LIST FWDUNREG SHARED {<fdbname>| <fdbnumber>}
Description
This command lists the statically added interfaces (see the bridge add fwdunreginterface shared CLI command) and the dynamically learnt interfaces in the egress interface list of the Forward Unregistered Group for the named Filtering Database. The Forward Unregistered Group represents the set of interfaces to which all the multicast frames would be forwarded whose respective destination MAC addresses have no other forwarding information available.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge list fwdunreg shared FDB_1
See also
BRIDGE ADD FWDALLINTERFACE
BRIDGE LIST FWDALL SHARED
2.3.4.1.30 BRIDGE LIST INTERFACE STATS
Syntax
BRIDGE LIST INTERFACE STATS
Description
This command displays the statistical information of all the configured bridge interfaces.
• ID: The numerical identifier automatically assigned to the object when it was created.
• Name: The name manually assigned to the object when it was created.
• Rx Frames: Number of frames received on the interface.
• Tx Frames: Number of frames transmitted from the interface.
• Transmit Delay Discards: Number of frames discarded due to transmit delay.
• Buffer O/F Discards: Number of frames discarded due to buffer overflow.
• Unknown VLAN Discards: Number of frames discarded due to an unknown VLAN Id in the frames.
• Ingress Discards: Number of frames discarded due to ingress filtering.
• Frame Type Discards: Number of frames discarded due to the acceptable frame type setting on the interface.
Example
--> bridge list interface stats
ID | Name | Rx Frames | Tx Frames | Transmit Delay Discards | Unknown VLAN Discards | Buffer O/F Discards | Ingress Discards | Frame Type Discards
1 | eth | 3686117 | 3236443 | 0 | 0 | 0 | 0 | 0
2 | usb | 0 | 3236399 | 0 | 0 | 0 | 0 | 0
See also
BRIDGE ADD INTERFACE
BRIDGE ATTACH
BRIDGE SHOW INTERFACESTATS
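The discard columns of bridge list interface stats are the counters a defender watches: a rising Unknown VLAN, Ingress or Frame Type discard count on a subscriber-facing interface means frames are arriving with tags the bridge was not configured to accept. The following Python example is added here (it is not code from the manual or from Allied Telesis); it parses the device's multi-line column layout from a constructed sample and reports every non-zero discard counter. The usb row's discard values are constructed, not the manual's figures.

```python
"""Parse the table printed by `bridge list interface stats` and flag discard counters.

Added example, not code from Allied Telesis or the iMG/RG manual. The sample input
is constructed to match the documented layout of `bridge list interface stats`:
a header whose column titles are split over three lines, a "--|----|..." separator,
one row per interface and a closing dashed rule. An echoed "--> " prompt line is skipped.
"""
from typing import Dict, List, Tuple

# Constructed sample (the usb discard counts are invented to exercise the alerting).
SAMPLE_OUTPUT = """\
--> bridge list interface stats
ID|Name| Rx     | Tx     | Transmit | Unknown |Buffer  |Ingress |Frame Type
  |    | Frames | Frames | Delay    | VLAN    | O/F    |Discards|Discards
  |    |        |        | Discards | Discards|Discards|        |
--|----|--------|--------|----------|---------|--------|--------|----------
1 |eth |3686117 |3236443 |0         |0        |0       |0       |0
2 |usb |0       |3236399 |0         |17       |0       |3       |0
-------------------------------------------------------------------------
"""

# The manual's five "Discards" columns; any non-zero value here means the bridge
# dropped frames on that interface, and the column tells you why.
DISCARD_COLUMNS = (
    "Transmit Delay Discards",
    "Unknown VLAN Discards",
    "Buffer O/F Discards",
    "Ingress Discards",
    "Frame Type Discards",
)


def _split_row(line: str, ncols: int) -> List[str]:
    """Split a pipe-delimited row into exactly ncols stripped cells."""
    cells = [c.strip() for c in line.split("|")][:ncols]
    return cells + [""] * (ncols - len(cells))


def parse_interface_stats(text: str) -> List[Dict[str, object]]:
    """Return one dict per interface row; every column except Name becomes an int."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    lines = [l for l in lines if not l.startswith("-->")]   # drop echoed prompt
    # Header fragments run until the first "--|" separator line.
    sep_index = next(i for i, l in enumerate(lines) if l.startswith("--|"))
    header_lines = lines[:sep_index]
    ncols = len(header_lines[0].split("|"))
    # Rebuild each column title from its fragments, top line to bottom line.
    fragments: List[List[str]] = [[] for _ in range(ncols)]
    for hl in header_lines:
        for col, frag in enumerate(_split_row(hl, ncols)):
            if frag:
                fragments[col].append(frag)
    columns = [" ".join(frags) for frags in fragments]

    rows: List[Dict[str, object]] = []
    for line in lines[sep_index + 1:]:
        if line.startswith("---"):          # closing rule: end of table
            break
        row: Dict[str, object] = {}
        for name, cell in zip(columns, _split_row(line, ncols)):
            row[name] = cell if name == "Name" else int(cell)
        rows.append(row)
    return rows


def discard_alerts(rows: List[Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """List (interface, counter, value) for every non-zero discard counter."""
    alerts: List[Tuple[str, str, int]] = []
    for row in rows:
        for col in DISCARD_COLUMNS:
            value = int(row[col])
            if value:
                alerts.append((str(row["Name"]), col, value))
    return alerts


if __name__ == "__main__":
    for iface, counter, value in discard_alerts(parse_interface_stats(SAMPLE_OUTPUT)):
        print(f"{iface}: {counter} = {value}")
```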
2.3.4.1.31 BRIDGE LIST INTERFACES
Syntax
BRIDGE LIST INTERFACES
Description
This command lists information about all of the bridge interfaces created using the bridge
add interface command.
Example
--> bridge list interfaces
ID: 1
Name: defaulti
Filter Type | PVID | Accept FrameType | Ingress Filtering | User Prio | Transport
All | 1 | ALL | disabled | 0 | default
See also
BRIDGE SET INTERFACE FILTERTYPE
BRIDGE SET INTERFACE PORTFILTER
BRIDGE SET INTERFACE PVID
BRIDGE SET INTERFACE INGRESSFILTERING
BRIDGE SET INTERFACE ACCEPTFRAMETYPE
BRIDGE SET INTERFACE DEFAULTUSERPRIORITY
BRIDGE SET INTERFACE NUMTRAFFICCLASSES
BRIDGE SET INTERFACE REGENPRIORITY
2.3.4.1.32 BRIDGE LIST MCASTENTRIES SHARED
Syntax
BRIDGE LIST MCASTENTRIES SHARED {<fdbname>| <fdbnumber>}
Description
This command displays all the statically configured and dynamically learnt multicast forwarding entries for the named Forwarding Database.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Filtering Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge list mcastentries DefaultFdb
ID | Type | MAC Address | Egress Interfaces
1 | static | 1:0:0:0:0:1 | br1
See also
BRIDGE CLEAR MCASTENTRIES SHARED
BRIDGE ADD MCASTENTRY SHARED
BRIDGE DELETE MCASTENTRY SHARED
2.3.4.1.33 BRIDGE LIST STATIC FWDALL SHARED
Syntax
BRIDGE LIST STATIC FWDALL SHARED {<fdbname>|<fdbnumber>}
Description
This command lists the interfaces added statically (See bridge add fwdallinterface shared CLI
command to add an egress interface) in the egress interface list of the Forward All Group for
the named Forwarding Database. The Forward All Group represents the set of interfaces to
which all the multicast frames would be forwarded.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Filtering Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge list static fwdall shared FDB_1
See also
BRIDGE ADD FWDALLINTERFACE
BRIDGE LIST FWDALL SHARED
2.3.4.1.34 BRIDGE LIST STATIC FWDUNREG SHARED
Syntax
BRIDGE LIST STATIC FWDUNREG SHARED {<fdbname>| <fdbnumber>}
Description
This command lists the statically added interfaces (See bridge add fwdunreginterface shared CLI
command to add an egress interface) in the egress interface list of the Forward Unregistered
Group for the named Forwarding Database. The Forward Unregistered Group represents the
set of interfaces to which all the multicast frames would be forwarded whose respective destination MAC addresses have no other forwarding information available.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge list static fwdunreg shared FDB_1
See also
BRIDGE ADD FWDALLINTERFACE
BRIDGE LIST FWDALL SHARED
2.3.4.1.35 BRIDGE LIST STATIC MCASTENTRIES SHARED
Syntax
BRIDGE LIST STATIC MCASTENTRIES SHARED {<fdbname>|<fdbnumber>}
Description
This command displays all the statically configured multicast forwarding entries along with
the forward all and forward unregistered groups in the named Filtering Database.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Forwarding Database.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge list static mcastentries shared DefaultFdb
Multicast Entries for : DefaultFdb1
ID | Name | MAC Address
1 | FWDALLMCAST | 00:00:00:00:00:FE
Egress Interfaces:
2 | FWDUNREGMCAST | 00:00:00:00:00:FC
BRIDGE CLEAR MCASTENTRIES SHARED
BRIDGE ADD MCASTENTRY SHARED
BRIDGE DELETE MCASTENTRY SHARED
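Which ports a multicast frame is copied to follows from the static multicast entries together with the two special entries listed above, FWDALLMCAST (the Forward All Group) and FWDUNREGMCAST (the Forward Unregistered Group), as described under bridge clear fwdallinterfaces shared and bridge clear fwdunreginterfaces shared. The following Python model is added here (it is not Allied Telesis code) and implements the egress decision as those descriptions state it, then walks through the effect of the clear and delete commands on one FDB. The FDB and interface names, the IPTV group address, and leaving the ingress interface out of the result are assumptions.

```python
"""Model of the iMG/RG multicast egress decision for one Forwarding Database.

Added example, not code from Allied Telesis or the iMG/RG manual. It follows the
manual's descriptions: every multicast frame is forwarded to the Forward All Group;
a frame whose destination MAC has a static multicast entry also goes to that entry's
egress interface list; a frame whose MAC has no entry (an unregistered group) instead
goes to the Forward Unregistered Group. Dropping the ingress interface from the result
is an assumption (ordinary bridge behaviour), as are all names and addresses used.
"""
from typing import Dict, FrozenSet, Set


def is_multicast(mac: str) -> bool:
    """True when the I/G bit (LSB of the first octet) of a colon-separated MAC is set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


class ForwardingDatabase:
    """One FDB: static multicast entries plus the two special groups."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.static_mcast: Dict[str, Set[str]] = {}   # MAC -> egress interface list
        self.forward_all: Set[str] = set()            # FWDALLMCAST group
        self.forward_unreg: Set[str] = set()          # FWDUNREGMCAST group

    # The manual's configuration commands, modelled as methods.
    def add_mcastentry(self, mac: str) -> None:
        self.static_mcast.setdefault(mac.lower(), set())

    def add_mcastinterface(self, mac: str, iface: str) -> None:
        self.static_mcast[mac.lower()].add(iface)

    def clear_mcastinterfaces(self, mac: str) -> None:
        self.static_mcast[mac.lower()].clear()

    def delete_mcastentry(self, mac: str) -> None:
        del self.static_mcast[mac.lower()]            # entry and its egress list go together

    def add_fwdallinterface(self, iface: str) -> None:
        self.forward_all.add(iface)

    def add_fwdunreginterface(self, iface: str) -> None:
        self.forward_unreg.add(iface)

    def clear_fwdallinterfaces(self) -> None:
        self.forward_all.clear()

    def clear_fwdunreginterfaces(self) -> None:
        self.forward_unreg.clear()

    def delete_interface(self, iface: str) -> None:
        """bridge delete interface: the port leaves every egress list it was in."""
        for egress in self.static_mcast.values():
            egress.discard(iface)
        self.forward_all.discard(iface)
        self.forward_unreg.discard(iface)

    def egress_for(self, dst_mac: str, ingress: str) -> FrozenSet[str]:
        """Interfaces a multicast frame to dst_mac, received on `ingress`, is copied to."""
        if not is_multicast(dst_mac):
            raise ValueError(f"{dst_mac} is not a multicast address")
        entry = self.static_mcast.get(dst_mac.lower())
        if entry is not None:                        # registered group
            targets = self.forward_all | entry
        else:                                        # unregistered group
            targets = self.forward_all | self.forward_unreg
        return frozenset(targets - {ingress})


def build_example_fdb() -> ForwardingDatabase:
    """Constructed configuration: one IPTV group pinned to bridge1, bridge2 always on."""
    fdb = ForwardingDatabase("FDB_1")
    fdb.add_mcastentry("01:00:5E:01:01:01")                 # assumed IPTV group MAC
    fdb.add_mcastinterface("01:00:5E:01:01:01", "bridge1")
    fdb.add_fwdallinterface("bridge2")                       # receives all multicast
    fdb.add_fwdunreginterface("bridge1")
    fdb.add_fwdunreginterface("bridge3")
    return fdb


def walk_through() -> Dict[str, FrozenSet[str]]:
    """Egress sets before and after the clear/delete commands, keyed by step."""
    fdb = build_example_fdb()
    iptv, unreg = "01:00:5E:01:01:01", "01:00:5E:7F:FF:FA"   # unreg has no entry
    steps = {
        "registered from wan": fdb.egress_for(iptv, "wan"),
        "unregistered from wan": fdb.egress_for(unreg, "wan"),
        "registered from bridge1": fdb.egress_for(iptv, "bridge1"),
    }
    fdb.clear_fwdunreginterfaces()       # bridge clear fwdunreginterfaces shared FDB_1
    steps["unregistered after clear"] = fdb.egress_for(unreg, "wan")
    fdb.delete_interface("bridge2")      # bridge delete interface bridge2
    steps["registered after delete"] = fdb.egress_for(iptv, "bridge1")
    return steps


if __name__ == "__main__":
    for step, ports in walk_through().items():
        print(f"{step}: {sorted(ports)}")
```

Clearing the Forward Unregistered Group is what stops an unregistered group from reaching every subscriber port; the walk-through shows the unregistered frame shrinking to the Forward All port alone once that group is emptied.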
2.3.4.1.36 BRIDGE LIST STATIC UCASTENTRIES
Syntax
BRIDGE LIST STATIC UCASTENTRIES {<fdbname>|<fdbnumber>}
Description
This command displays information about the statically configured unicast forwarding entries for the named Forwarding Database. The fields are listed below:
• ID: A number that identifies an existing unicast forwarding entry.
• Name: A name that identifies an existing unicast forwarding entry.
• Type: Indicates whether the entry is a source MAC address or destination MAC address based forwarding entry.
• MAC Address: Ethernet MAC address associated with the entry.
• Receive Port: Receive interface for source MAC address based entries. See the bridge add ucastentry src command for more information.
• Egress Interfaces: Egress interface list.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description
fdbname | The name of an existing forwarding database to which the entry will be added.
fdbnumber | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID.
Example
bridge list static ucastentries DefaultFdb
ID | Name | Type | MAC Address | Receive Port
1 | x | Dest Static | 00:00:00:00:00:00 |
Egress Interfaces: bridge1
See also
BRIDGE ADD UCASTENTRY SRC
BRIDGE ADD UCASTENTRY DEST
BRIDGE LIST UCASTENTRIES
2.3.4.1.37 BRIDGE LIST UCASTENTRIES
Syntax
BRIDGE LIST UCASTENTRIES <fdbname>
Description
This command displays all of the statically configured and dynamically learnt unicast filtering entries in the named filtering database.
• ID: The numerical identifier automatically assigned to the object when it was created.
• Type: One of the following types:
  • source MAC address-based
  • destination MAC address-based, statically configured
  • destination MAC address-based, dynamically learnt
  • Special Entry
  • destination MAC address-based, statically configured and dynamically learnt.
• MAC Address: Ethernet MAC address associated with the entry.
• Receive Port: Receive port for source MAC address-based entries. See the bridge add ucastentry src CLI command for more information.
• Egress Interface: Egress interface list.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name    | Description                                 | Default Value
--------|---------------------------------------------|--------------
fdbname | The name of an existing filtering database. | N/A
Example
--> bridge list ucastentries bridge1
Filtering entries for the FDB: FDB_1
ID | Type        | MAC Address | Receive Port
---|-------------|-------------|-------------
1  | Dest Static | 0:0:0:0:0:0 |
Egress Interfaces: bridge1
See also
BRIDGE ADD UCASTENTRY SRC
BRIDGE ADD UCASTENTRY DEST
BRIDGE LIST STATIC UCASTENTRIES
BRIDGE ADD VLAN
2.3.4.1.38 BRIDGE SET FILTERAGE
Syntax
BRIDGE SET FILTERAGE <filterage>
Description
This command specifies the maximum age of filter table entries for the bridge. The filter
age for the bridge is displayed by the bridge show command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name      | Description | Default Value
----------|-------------|--------------
filterage | The time (in seconds) after which MAC addresses are removed from the filter table when there has been no activity. The time may be an integer value between 10 and 100,000 seconds. | 300
Example
--> bridge set filterage 1000
See also
BRIDGE SHOW
2.3.4.1.39 BRIDGE SET INTERFACE ACCEPTFRAMETYPE
Syntax
BRIDGE SET INTERFACE {<name>|<number>} ACCEPTFRAMETYPE {acceptall | accepttaggedonly}
Description
This command specifies whether the bridge interface accepts only VLAN tagged frames
or accepts all incoming frames. If the interface accepts all incoming frames, it
assigns its PVID to untagged and priority-tagged frames.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name             | Description | Default Value
-----------------|-------------|--------------
name             | A name that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. | N/A
number           | A number that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. The number appears in the first column under the heading ID. | N/A
acceptall        | Accepts all the incoming frames. | acceptall
accepttaggedonly | Accepts only VLAN tagged frames. See the bridge show interfacestats command for the number of incoming frames discarded due to acceptable frame type filtering. |
Example
--> bridge set interface bridge1 acceptframetype acceptall
See also
BRIDGE SET INTERFACE PVID
BRIDGE LIST INTERFACES
2.3.4.1.40 BRIDGE SET INTERFACE DEFAULTUSERPRIORITY
Syntax
BRIDGE SET INTERFACE {<name>|<number>} DEFAULTUSERPRIORITY <defaultpriority>
Description
This command specifies the user priority that is assigned to untagged frames received
on the interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name            | Description | Default Value
----------------|-------------|--------------
name            | An arbitrary name that identifies an object. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
number          | Number that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. The number appears in the first column under the heading ID. | N/A
defaultpriority | A value that assigns priority to untagged frames received on the interface. | 0
Example
--> bridge set interface bridge1 defaultuserpriority 4
See also
BRIDGE LIST INTERFACES
2.3.4.1.41 BRIDGE SET INTERFACE FILTERTYPE
Syntax
BRIDGE SET INTERFACE {<name> | <number>} FILTERTYPE {all | ip | pppoe}
Description
This command specifies the type of Ethernet filtering performed by the named bridge
interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | The name manually assigned to the object when it was created. | N/A
number | The numerical identifier automatically assigned to the object when it was created. | N/A
all    | Allows all types of Ethernet packets through the port. | all
ip     | Allows only IP/ARP types of Ethernet packets through the port. |
pppoe  | Allows only PPPoE type of Ethernet packets through the port. |
Example
--> bridge set interface bridge1 filtertype ip
See also
BRIDGE LIST INTERFACES
2.3.4.1.42 BRIDGE SET INTERFACE INGRESSFILTERING
Syntax
BRIDGE SET INTERFACE {<name>|<number>} INGRESSFILTERING {disable|enable}
Description
This command enables or disables ingress filtering on a named bridge interface. With ingress filtering enabled, a VLAN tagged frame is accepted only if the interface is in the egress interface list of the VLAN identified by the frame's VLAN Id.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name    | Description | Default Value
--------|-------------|--------------
name    | An arbitrary name that identifies an object. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
number  | A number that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. The number appears in the first column under the heading ID. | N/A
disable | Accepts all incoming frames. | disable
enable  | Accepts VLAN tagged frames only if the VLAN Id in the frame has this interface in its egress interface list. See bridge show interfacestats for the number of incoming frames discarded due to ingress filtering. |
Example
--> bridge set interface bridge1 ingressfiltering disable
See also
BRIDGE LIST INTERFACES
BRIDGE SHOW INTERFACESTATS
2.3.4.1.43 BRIDGE SET INTERFACE NUMTRAFFICCLASSES
Syntax
BRIDGE SET INTERFACE {<name>|<number>} NUMTRAFFICCLASSES <numtrafficclasses>
Description
This command specifies the number of traffic classes supported by the bridge interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | A name that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. | N/A
number | A number that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. The number appears in the first column under the heading ID. | N/A
pri0   | The traffic class to which the regenerated priority of value 0 is mapped. | 0
pri1   | The traffic class to which the regenerated priority of value 1 is mapped. | 1
pri2   | The traffic class to which the regenerated priority of value 2 is mapped. | 2
pri3   | The traffic class to which the regenerated priority of value 3 is mapped. | 3
pri4   | The traffic class to which the regenerated priority of value 4 is mapped. | 4
pri5   | The traffic class to which the regenerated priority of value 5 is mapped. | 5
pri6   | The traffic class to which the regenerated priority of value 6 is mapped. | 6
pri7   | The traffic class to which the regenerated priority of value 7 is mapped. | 7
Example
--> bridge set interface bridge1 trafficclassmap 7 6 5 4 3 2 1 0
See also
BRIDGE SHOW INTERFACE TRAFFICCLASSMAP
BRIDGE LIST INTERFACES
2.3.4.1.44 BRIDGE SET INTERFACE PORTFILTER
Syntax
BRIDGE SET INTERFACE {<name> | <number>} PORTFILTER {all | <port>}
Description
This command controls the bridge’s forwarding and broadcasting behavior. It allows you
to set a portfilter on a bridge interface to determine which port or ports unknown packets should be forwarded to. This command sets one destination port at a time. If you
want to forward packets to several ports, enter a bridge set interface portfilter <port>
command for each port. If you want to forward packets to all ports, enter the command
and specify the all value.
If a unicast packet is received by an interface with a portfilter set to all, the portfilter rule
is ignored. The unicast packet is still only sent to one port. If the bridge itself is attached
to the router, the bridge itself will always forward to all ports and will always be forwarded to by all ports. Port Filter is not restored by the system config save command. If
LAN to LAN forwarding is disabled, then no packet received on a LAN-side bridge
interface will be bridged to any other LAN-side bridge interface irrespective of the portfilter. If WAN to WAN forwarding is disabled, then no packet received on a WAN-side
bridge interface will be bridged to any other WAN-side bridge interface irrespective of the
portfilter.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | The name manually assigned to the object when it was created. | N/A
number | The numerical identifier automatically assigned to the object when it was created. | N/A
port   | The name of the existing port that you want packets, received on a specified bridge interface, to be forwarded to. To display port names, use the bridge list interfaces CLI command. | all
all    | Forwards packets received on the bridge interface to all ports. |
Example
--> bridge set interface bridge1 portfilter ethernet
See also
BRIDGE LIST INTERFACES
BRIDGE SET LANTOLANFORWARDING ENABLE/DISABLE
BRIDGE SET WANTOWANFORWARDING ENABLE/DISABLE
2.3.4.1.45 BRIDGE SET INTERFACE PVID
Syntax
BRIDGE SET INTERFACE {<name>|<number>} PVID <pvid>
Description
This command specifies the VLAN Id that is assigned to untagged or priority-tagged frames received on this interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | An arbitrary name that identifies an object. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
number | A number that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. The number appears in the first column under the heading ID. | N/A
pvid   | The Id of the VLAN to which the user wants to associate the untagged/priority-tagged frames received on the given interface. See the bridge list vlans CLI command to find the VLAN Ids for all the statically configured and dynamic VLANs. | 1
Example
--> bridge set interface bridge1 pvid 2
See also
BRIDGE LIST INTERFACES
BRIDGE ADD VLAN
2.3.4.1.46 BRIDGE SET INTERFACE REGENPRIORITY
Syntax
BRIDGE SET INTERFACE {<name>|<number>} REGENPRIORITY <pri0> <pri1> <pri2> <pri3> <pri4> <pri5> <pri6> <pri7>
Description
This command specifies, for each user priority value 0 to 7 carried in incoming frames, the regenerated user priority to which frames with that user priority are mapped on the named bridge interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | A name that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. | N/A
number | A number that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. The number appears in the first column under the heading ID. | N/A
pri0   | The regenerated user-priority to which the user priority with value 0 in the incoming frame should be mapped. | 0
pri1   | The regenerated user-priority to which the user priority with value 1 in the incoming frame should be mapped. | 1
pri2   | The regenerated user-priority to which the user priority with value 2 in the incoming frame should be mapped. | 2
pri3   | The regenerated user-priority to which the user priority with value 3 in the incoming frame should be mapped. | 3
pri4   | The regenerated user-priority to which the user priority with value 4 in the incoming frame should be mapped. | 4
pri5   | The regenerated user-priority to which the user priority with value 5 in the incoming frame should be mapped. | 5
pri6   | The regenerated user-priority to which the user priority with value 6 in the incoming frame should be mapped. | 6
pri7   | The regenerated user-priority to which the user priority with value 7 in the incoming frame should be mapped. | 7
Example
--> bridge set interface bridge1 regenpriority 3 2 4 0 0 0 0 0
See also
BRIDGE SHOW INTERFACE REGENPRIORITY
BRIDGE LIST INTERFACES
2.3.4.1.47 BRIDGE SET INTERFACE TRAFFICCLASSSTATUS
Syntax
BRIDGE SET TRAFFICCLASSSTATUS { enable | disable | prioritybased }
Description
This command specifies the mapping of regenerated priority to their traffic class values.
See bridge show interface trafficclassmap to see the traffic class mapping.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name          | Description | Default Value
--------------|-------------|--------------
enable        | Enable the mapping of regenerated priority to its traffic class. | disable
disable       | Disable the mapping of regenerated priority to its traffic class. |
prioritybased | Traffic class mapping would happen only if traffic class has not been already set. |
Example
--> bridge set trafficclassstatus enable
See also
BRIDGE SET INTERFACE NUMTRAFFICCLASSES
BRIDGE SET INTERFACE TRAFFICCLASSMAP
BRIDGE SET INTERFACE REGENPRIORITY
2.3.4.1.48 BRIDGE SET LANTOLANFORWARDING
Syntax
BRIDGE SET LANTOLANFORWARDING ENABLE/DISABLE
Description
This command is used to enable/disable LAN to LAN forwarding (where data received on
a LAN-side bridge interface is forwarded to other LAN-side bridge interfaces).
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name    | Description | Default Value
--------|-------------|--------------
enable  | Enables LAN to LAN forwarding on the bridge. | N/A
disable | Disables LAN to LAN forwarding on the bridge. | N/A
Example
--> bridge set lantolanforwarding enable
See also
BRIDGE SET WANTOWANFORWARDING ENABLE/DISABLE
2.3.4.1.49 BRIDGE SET WANTOWANFORWARDING
Syntax
BRIDGE SET WANTOWANFORWARDING ENABLE/DISABLE
Description
This command is used to enable/disable WAN to WAN forwarding (where data received
on a WAN-side bridge interface is forwarded to other WAN-side bridge interfaces).
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name    | Description | Default Value
--------|-------------|--------------
enable  | Enables WAN to WAN forwarding on the bridge. | N/A
disable | Disables WAN to WAN forwarding on the bridge. | N/A
Example
--> bridge set wantowanforwarding enable
See also
BRIDGE SET LANTOLANFORWARDING ENABLE/DISABLE
2.3.4.1.50 BRIDGE SHOW
Syntax
BRIDGE SHOW
Description
This command displays the global configuration settings for the bridge.
Example
--> bridge show
See also
BRIDGE LIST INTERFACES
2.3.4.1.51 BRIDGE SHOW FDB
Syntax
BRIDGE SHOW FDB {<fdbname>|<fdbnumber>}
Description
This command displays the statistical information of a single user-configured filtering
database.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name      | Description | Default Value
----------|-------------|--------------
fdbname   | The name of an existing Filtering Database. See the bridge add vlan CLI command to configure a new filtering database. | N/A
fdbnumber | A number that identifies an existing filtering database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. | N/A
Example
--> bridge show fdb FDB_1
Filtering Database Statistics:
ID | FDB Name | FID | Num VLANs | Num Entries | Num Discards | Type
---|----------|-----|-----------|-------------|--------------|-------
1  | FDB1     | 1   | 1         | 0           | 0            | static
See also
BRIDGE ADD VLAN
BRIDGE LIST FDBS
2.3.4.1.52 BRIDGE SHOW INTERFACE
Syntax
BRIDGE SHOW INTERFACE {<name>|<number>}
Description
This command displays configuration settings of a named bridge interface.
This command does not show the current contents of the bridge’s filter table; see the
CLI command bridge list ucastentries. If LAN to LAN forwarding is disabled, then no
packet received on a LAN-side bridge interface will be bridged to any other LAN-side bridge
interface irrespective of the port-filter. If WAN to WAN forwarding is disabled, then
no packet received on a WAN-side bridge interface will be bridged to any other WAN-side
bridge interface irrespective of the port-filter. Hence the Port Filter field should be interpreted
accordingly.
• Filter Type: The type of Ethernet filtering performed by the named bridge interface; by default it is set to All.
• Port Filter: The list of bridge interfaces that frames received on this bridge interface can go through.
• Transport: The name of the transport attached to the bridge using the bridge attach CLI command.
• PVID: Port VLAN ID associated with the interface.
• Acceptable Frame Type: Acceptable Frame Type setting, which is non-configurable and always enabled, i.e. each bridge interface can be configured to accept all frames or only tagged frames.
• User Priority: Default User Priority.
• Leave Mode: IGMP Snoop Leave Processing mode.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | The name manually assigned to the object when it was created. | N/A
number | The numerical identifier automatically assigned to the object when it was created. | N/A
Example
--> bridge show interface bridge1
Filtering entries for the FDB: FDB_1
ID | Type        | MAC Address | Receive Port
---|-------------|-------------|-------------
1  | Dest Static | 0:0:0:0:0:0 |
Egress Interfaces: bridge1
See also
BRIDGE ADD UCASTENTRY SRC
BRIDGE ADD UCASTENTRY DEST
BRIDGE LIST STATIC UCASTENTRIES
BRIDGE ADD VLAN
2.3.4.1.53 BRIDGE SHOW INTERFACE REGENPRIORITY
Syntax
BRIDGE SHOW INTERFACE {<name>|<number>} REGENPRIORITY
Description
This command displays the mapping from incoming user priority to regenerated priority for a named bridge interface, as configured with bridge set interface regenpriority.
• User Priority: The priority carried in VLAN tagged or priority tagged incoming packets, as per 802.1p.
• Regenerated priority: The priority to which that user priority is mapped on this interface (see bridge set interface regenpriority).
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | A name that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. | N/A
number | A number that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. The number appears in the first column under the heading ID. | N/A
Example
--> bridge show interface bridge1 regenpriority
Bridge Interface: bridge1
-------------------------
User     | Regenerated
Priority | Priority
---------|------------
0        | 0
1        | 1
2        | 2
3        | 3
4        | 4
5        | 5
6        | 6
7        | 7
See also
BRIDGE LIST INTERFACES
BRIDGE ATTACH
2.3.4.1.54 BRIDGE SHOW INTERFACE TRAFFICCLASSMAP
Syntax
BRIDGE SHOW INTERFACE {<name>|<number>} TRAFFICCLASSMAP
Description
This command displays the regenerated priority to traffic class mapping. It also displays
the number of traffic classes supported by the interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | A name that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. | N/A
number | A number that identifies an existing bridge interface. To display interface names, use the bridge list interfaces command. The number appears in the first column under the heading ID. | N/A
Example
--> bridge show interface bridge1 trafficclassmap
Bridge Interface: bridge1
Number of Traffic Classes: 8
-------------------------
Regenerated | Traffic
Priority    | Class
------------|--------
0           | 0
1           | 1
2           | 2
3           | 3
4           | 4
5           | 5
6           | 6
7           | 7
See also
BRIDGE SET INTERFACE ACCEPTFRAMETYPE
BRIDGE SET INTERFACE DEFAULTUSERPRIORITY
BRIDGE SET INTERFACE NUMTRAFFICCLASSES
BRIDGE SET INTERFACE REGENPRIORITY
BRIDGE LIST INTERFACES
2.3.4.1.55 BRIDGE SHOW INTERFACESTATS
Syntax
BRIDGE SHOW INTERFACESTATS {<name>|<number>}
Description
This command displays the statistical information of one bridge interface configured by
the user.
• Rx Frames: Number of frames received on the interface.
• Tx Frames: Number of frames transmitted from the interface.
• Transmit Delay Discards: Number of frames discarded due to transmit delay.
• Unknown VLAN Discards: Number of frames discarded due to unknown VLAN.
• Buffer O/F Discards: Number of frames discarded due to buffer overflow.
• Ingress Discards: Number of frames discarded due to ingress filtering.
• Frame Type Discards: Number of frames discarded due to the acceptable frame type setting on the interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name   | Description | Default Value
-------|-------------|--------------
name   | The name manually assigned to the object when it was created. | N/A
number | The numerical identifier automatically assigned to the object when it was created. | N/A
Example
--> bridge show interfacestats 1
Bridge Interface: ethernet0
Rx Frames | Tx Frames | Transmit Delay Discards | Unknown VLAN Discards | Buffer O/F Discards | Ingress Discards | Frame Type Discards
----------|-----------|-------------------------|-----------------------|---------------------|------------------|--------------------
3686117   | 3236443   | 0                       | 0                     | 0                   | 0                | 0
See also
BRIDGE ADD INTERFACE
BRIDGE ATTACH
BRIDGE LIST INTERFACE STATS
2.3.4.1.56 BRIDGE SHOW MCASTENTRY SHARED
Syntax
BRIDGE SHOW MCASTENTRY SHARED {<entryname>|<entrynumber>} {<fdbname>|<fdbnumber>}
Description
This command displays a statically configured multicast Forwarding entry with the given
name in the named Forwarding Database.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name        | Description | Default Value
------------|-------------|--------------
entryname   | Name of an existing Multicast Forwarding Entry. To display the list of all statically configured multicast entries that the user can delete, use bridge list static mcastentries. This command also displays the entire egress interface list for that entry. |
entrynumber | A number that identifies an existing Multicast Forwarding Entry. To display the list of statically configured multicast entries, use bridge list static mcastentries. The number appears in the first column under the heading ID. |
fdbname     | The name of an existing Forwarding Database. See the bridge add vlan CLI command to configure a new Filtering Database. |
fdbnumber   | A number that identifies an existing Forwarding Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. |
Example
bridge show mcastentry shared MCAST_1 DefaultFdb
Mcast Entry Name:MCAST_1
MAC Address:01:00:00:00:00:00
Egress Interfaces:bridge1
See also
BRIDGE CLEAR MCASTENTRIES SHARED
BRIDGE ADD MCASTENTRY SHARED
BRIDGE DELETE MCASTENTRY SHARED
2.3.4.1.57 BRIDGE SHOW UCASTENTRY
Syntax
BRIDGE SHOW UCASTENTRY {<entryname>|<entrynumber>} {<fdbname>|<fdbnumber>}
Description
This command displays information about a statically configured unicast filtering entry for
a given filtering database. The fields are listed below:
• User Entry Name: User-configured filtering entry name.
• Type: Indicates whether it is a source MAC address or destination MAC address based filtering entry.
• MAC Address: Ethernet MAC address associated with the entry.
• Receive Interface: Receive interface for source MAC address based entries. See the bridge add ucastentry src command for more information.
• Egress Interfaces: Egress interface list.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name        | Description | Default Value
------------|-------------|--------------
entryname   | A name that identifies an existing unicast forwarding entry. To display the list of statically configured unicast entries, use bridge list static ucastentries. This command also displays the egress interface list for each unicast entry. |
entrynumber | A number that identifies an existing unicast forwarding entry. To display the list of statically configured unicast entries, use bridge list static ucastentries. The number appears in the first column under the heading ID. |
fdbname     | The name of an existing filtering database to which the filtering entry will be added. See Note on filtering database in this command. |
fdbnumber   | A number that identifies an existing Filtering Database. To display the list of FDBs, use the bridge list fdbs command. The number appears in the first column under the heading ID. |
Example
bridge show ucastentry UCAST_1 FDB_1
Ucast Entry Name: UCAST_1
Type: Dest Static
MAC Address:00:00:00:00:00:01
Receive Interface:
Egress Interfaces:
See also
BRIDGE ADD UCASTENTRY SRC
BRIDGE ADD UCASTENTRY DEST
2.4 VLAN
2.4.1 Overview
VLAN is a networking technology that allows networks to be segmented logically without having to be physically rewired.
Many Ethernet switches support virtual LAN (VLAN) technologies. By replacing hubs with VLAN switches, the
network administrator can create a virtual network within an existing network. With VLANs, the logical network
topology is independent of the physical topology of the wiring. Each computer can be assigned a VLAN identification number (ID), and computers with the same VLAN ID can act and function as though they were all on the
same physical network.
Traffic on a VLAN is therefore isolated, and all communications remain within the VLAN. The assignment of
VLAN IDs is done by the switches and can be managed remotely using network management software.
VLAN switches can function in different ways. They can switch at the data-link layer (layer 2 of the Open
Systems Interconnection reference model) or the network layer (layer 3), depending on the type of switching
technology used. The main advantage of using VLAN technologies is that users can be grouped together according to their need for network communication, regardless of their actual physical locations. This isolation
helps to reduce unnecessary traffic and so improves network performance. The disadvantage is that additional configuration is required to set up and establish the VLANs when implementing these switches.
2.4.1.1 VLAN tagging
VLAN technology introduces the following three basic types of frame:
• Untagged frames
• Priority-tagged frames
• VLAN-tagged frames
An untagged frame or a priority-tagged frame does not carry any identification of the VLAN to which it belongs.
Such frames are classified as belonging to a particular VLAN based on parameters associated with the receiving
port.
This classification mechanism requires the association of a specific VLAN ID, the Port VLAN Identifier, or PVID,
with each of the switch ports.
The PVID for a given port provides the VID for untagged and priority-tagged frames received through that port.
The PVID for each port shall contain a valid VID value, and shall not contain the value of the null VLAN ID (see
Table 8)
A VLAN-tagged frame carries an explicit identification of the VLAN to which it belongs; i.e., it carries a non-null
VID. Such a frame is classified as belonging to a particular VLAN based on the value of the VID that is included
in the tag header. The presence of a tag header carrying a non-null VID means that some other device, either
the originator of the frame or a VLAN-aware switch, has mapped this frame into a VLAN and has inserted the
appropriate VID.
Tagging of frames is performed for the following purposes:
• To allow user priority information to be added to frames carried on IEEE 802 LAN MAC types that have no
inherent ability to signal priority information at the MAC protocol level;
• To allow a frame to carry a VID;
• To allow the frame to indicate the format of MAC Address information carried in MAC user data;
• To allow VLANs to be supported across different MAC types.
Tagging a frame requires:
• The addition of a tag header to the frame. This header is inserted immediately following the destination
MAC Address and source MAC Address fields of the frame to be transmitted;
• Recomputation of the Frame Check Sequence (FCS).
When relaying a tagged frame between 802.3/Ethernet MACs, a switch may adjust the PAD field such that the
minimum size of a transmitted tagged frame is 68 octets.
FIGURE 2-2 Tagged frame format according to IEEE 802.3ac standard
[Figure: Preamble (7 octets) | Start frame delimiter (1 octet) | Destination address (6 octets) | Source address (6 octets) | Length/type = 802.1QTagType (2 octets, bit pattern 1000 0001 0000 0000) | Tag control information (2 octets: user priority, CFI, 12-bit VLAN identifier VID) | MAC client length/type (2 octets) | MAC client data (42-1500 octets) | Pad | Frame check sequence (4 octets)]
The tag header carries the following information (see Figure 2-2):
• The Tag Protocol Identifier (TPID) carrying an Ethernet Type value (802.1QTagType), which identifies the
frame as a tagged frame. The value of 802.1QTagType is 81-00
• Tag Control Information (TCI). The TCI field is two octets in length, and contains user priority, CFI and VID
(VLAN Identifier) fields. Figure ... illustrates the structure of the TCI field:
• User priority. The user priority field is three bits in length, interpreted as a binary number. The user priority
is therefore capable of representing eight priority levels, 0 through 7. This field allows the tagged frame to
carry user priority information across Bridged LANs in which individual LAN segments may be unable to signal priority.
• Canonical Format Indicator (CFI). The Canonical Format Indicator (CFI) is a single bit flag value. CFI reset
indicates that all MAC Address information that may be present in the MAC data carried by the frame is in
Canonical format.
• The meaning of the CFI when set depends upon the variant of the tag header in which it appears.
• In an Ethernet-encoded tag header, transmitted using 802.3/Ethernet MAC methods, CFI has the following
meanings:
• When set, indicates that the E-RIF field is present in the tag header, and that the NCFI bit in the RIF
determines whether MAC Address information that may be present in the MAC data carried by the
frame is in Canonical (C) or Non-canonical (N) format;
• When reset, indicates that the E-RIF field is not present in the tag header, and that all MAC Address
information that may be present in the MAC data carried by the frame is in Canonical format (C).
• VLAN Identifier (VID). The twelve-bit VLAN Identifier field uniquely identifies the VLAN to which the frame
belongs. The VID is encoded as an unsigned binary number. Table 8 describes the values of the VID field that
have specific meanings or uses; the remaining values of VID are available for general use as VLAN identifiers.
A priority-tagged frame is a tagged frame whose tag header contains a VID value equal to the null VLAN ID.
TABLE 2-5 Reserved VID Values
VID Value (Hexadecimal) | Meaning/Use
0 | The null VLAN ID. Indicates that the tag header contains only user priority information; no VLAN identifier is present in the frame. This VID value shall not be configured as a PVID, configured in any Filtering Database entry, or used in any Management operation.
1 | The default PVID value used for classifying frames on ingress through a switch port. The PVID value can be changed by management on a per-port basis.
FFF | Reserved for implementation use. This VID value shall not be configured as a PVID, configured in any Filtering Database entry, used in any Management operation, or transmitted in a tag header.
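The tag header layout and the reserved VID values above, as an added example (this is not code from the Allied Telesis manual): a small Python parser that locates the 802.1Q tag after the destination and source MAC addresses, splits the TCI into user priority, CFI and VID, and classifies the VID according to Table 2-5. The function names and the sample frames (MAC addresses and payload) are constructed for illustration; the preamble, SFD and FCS are not part of the bytes handled here.

```python
"""Parse an IEEE 802.1Q tag header out of a raw Ethernet frame (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100   # 802.1QTagType, "81-00" in the manual
NULL_VID = 0x000      # priority-tagged frame: only user priority, no VLAN identifier
DEFAULT_PVID = 0x001  # default PVID used for ingress classification
RESERVED_VID = 0xFFF  # reserved for implementation use, never transmitted


@dataclass
class TagHeader:
    user_priority: int  # 3 bits, 0..7
    cfi: int            # 1 bit
    vid: int            # 12 bits
    ethertype: int      # MAC client length/type that follows the tag


def parse_tag_header(frame: bytes) -> Optional[TagHeader]:
    """Return the tag header of a tagged frame, or None if the frame is untagged.

    The tag sits immediately after the 6-octet destination and source addresses,
    so the TPID is read at offset 12 and the TCI at offset 14.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated tag header")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return TagHeader(
        user_priority=(tci >> 13) & 0x7,
        cfi=(tci >> 12) & 0x1,
        vid=tci & 0x0FFF,
        ethertype=ethertype,
    )


def classify_vid(vid: int) -> str:
    """Map a VID to its meaning per Table 2-5."""
    if vid == NULL_VID:
        return "priority-tagged (null VLAN ID)"
    if vid == DEFAULT_PVID:
        return "default PVID"
    if vid == RESERVED_VID:
        return "reserved (must not be transmitted)"
    return "general-use VLAN identifier"


def build_tagged_frame(dst: bytes, src: bytes, priority: int, cfi: int,
                       vid: int, ethertype: int, payload: bytes) -> bytes:
    """Construct a tagged frame (without preamble/SFD/FCS) for the examples."""
    tci = ((priority & 0x7) << 13) | ((cfi & 0x1) << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Constructed sample frames; the addresses and payload are made up.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200000000aa")
SAMPLE_TAGGED = build_tagged_frame(DST, SRC, 5, 0, 100, 0x0800, b"\x00" * 46)
SAMPLE_PRIORITY_ONLY = build_tagged_frame(DST, SRC, 7, 0, 0, 0x0800, b"\x00" * 46)
SAMPLE_UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x00" * 46


def describe(frame: bytes) -> str:
    """Human-readable summary used when the script is run directly."""
    tag = parse_tag_header(frame)
    if tag is None:
        return "untagged"
    return f"vid={tag.vid} prio={tag.user_priority} cfi={tag.cfi}: {classify_vid(tag.vid)}"


if __name__ == "__main__":
    for f in (SAMPLE_TAGGED, SAMPLE_PRIORITY_ONLY, SAMPLE_UNTAGGED):
        print(describe(f))
```

The parser reads the TPID before trusting any tag fields, so an untagged frame is never misread as tagged; an operator checking captures from a port that should carry only one VLAN can run `describe` over each frame and spot stray VIDs or priority-only tags.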
2.4.2 VLAN Functional Description
2.4.2.1 VLAN support on Ethernet interfaces
The Gateway supports up to 16 VLANs (irrespective of whether they are carrying tagged or untagged frames)
from VID=1 up to VID=4094.
If a non-tagged or null-VID tagged packet is received, the ingress port VID is used for look up.
The look up process starts with a VLAN table look up to determine whether the VID is valid.
If the VID is not valid the packet will be dropped and its address will not be learned.
If the VID is valid, FID is retrieved for further look up.
FID + DA is used to determine the destination port. FID + SA is used for learning purposes.
2.4.2.1.1 VLAN definition and port tagging
By default the Gateway starts with only one VLAN defined with name default and VID=1.
All the system ports are members of the default VLAN.
Creating and configuring a new VLAN is a two-step process:
• A VLAN is created by specifying a name for the VLAN and its VID value.
• The ports are added to the VLAN. When a port is added it's necessary to specify the frame format in which
packets associated with that VLAN will be transmitted from that port: untagged or tagged.
Note that a physical port can be a member of one or more VLANs.
• A port can be a member of two or more VLANs only if it is tagged on all of them, or if it is untagged on one
VLAN only and tagged on all the others. A port cannot be an untagged member of two or more VLANs.
To change the tagged/untagged frame format of a port for a specific VLAN, it is necessary to remove the port from
the VLAN and then re-add the port to the VLAN, specifying the required frame format.
When a port is removed from a VLAN and the same port is not a member of any other VLAN, the port is automatically added to the default VLAN with the untagged attribute.
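The membership rules of section 2.4.2.1 (at most 16 VLANs, VIDs 1 to 4094, a port untagged in at most one VLAN, remove and re-add to change the frame format, and fallback to the default VLAN when a port loses its last membership), as an added example rather than the gateway's own code: a Python model that rejects configurations the text forbids. Port names follow those used later in this chapter. One assumption is labelled in the code: when a port that is still only an automatic untagged member of the default VLAN is added untagged to another VLAN, the model moves it rather than rejecting it, since the text does not say how the gateway resolves that case.

```python
"""Model of the VLAN membership rules stated in section 2.4.2.1 (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_VLANS = 16
DEFAULT_VLAN_NAME = "default"
DEFAULT_VID = 1


@dataclass
class Vlan:
    name: str
    vid: int
    tagged: Set[str] = field(default_factory=set)
    untagged: Set[str] = field(default_factory=set)


class VlanTable:
    def __init__(self, ports):
        self.ports = set(ports)
        # Factory state: only the default VLAN exists, every port is an untagged member.
        self.vlans: Dict[str, Vlan] = {
            DEFAULT_VLAN_NAME: Vlan(DEFAULT_VLAN_NAME, DEFAULT_VID, untagged=set(ports))
        }

    def create(self, name: str, vid: int) -> None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be in 1..4094")
        if len(self.vlans) >= MAX_VLANS:
            raise ValueError("gateway supports at most 16 VLANs")
        if name in self.vlans or any(v.vid == vid for v in self.vlans.values()):
            raise ValueError("VLAN name or VID already in use")
        self.vlans[name] = Vlan(name, vid)

    def untagged_vlan_of(self, port: str) -> Optional[str]:
        for name, v in self.vlans.items():
            if port in v.untagged:
                return name
        return None

    def add_port(self, name: str, port: str, tagged: bool) -> None:
        vlan = self.vlans[name]
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        if port in vlan.tagged or port in vlan.untagged:
            # Changing tagged/untagged requires remove and re-add (section 2.4.2.1.1).
            raise ValueError("port already a member; remove it first to change the frame format")
        if not tagged:
            other = self.untagged_vlan_of(port)
            if other is not None and other != DEFAULT_VLAN_NAME:
                raise ValueError("a port may be untagged in only one VLAN")
            if other == DEFAULT_VLAN_NAME:
                # ASSUMPTION: an explicit untagged membership supersedes the
                # default VLAN's automatic one; the manual does not state this.
                self.vlans[DEFAULT_VLAN_NAME].untagged.discard(port)
        (vlan.tagged if tagged else vlan.untagged).add(port)

    def _fallback_to_default(self, port: str) -> None:
        # A port with no remaining membership returns to the default VLAN, untagged.
        if not any(port in v.tagged or port in v.untagged for v in self.vlans.values()):
            self.vlans[DEFAULT_VLAN_NAME].untagged.add(port)

    def remove_port(self, name: str, port: str) -> None:
        vlan = self.vlans[name]
        vlan.tagged.discard(port)
        vlan.untagged.discard(port)
        self._fallback_to_default(port)

    def delete_vlan(self, name: str) -> None:
        if name == DEFAULT_VLAN_NAME:
            raise ValueError("the default VLAN cannot be removed")
        vlan = self.vlans.pop(name)
        for port in vlan.tagged | vlan.untagged:
            self._fallback_to_default(port)

    def memberships(self, port: str) -> Dict[str, str]:
        """Return {vlan name: 'tagged'|'untagged'} for the given port."""
        result: Dict[str, str] = {}
        for name, v in self.vlans.items():
            if port in v.tagged:
                result[name] = "tagged"
            elif port in v.untagged:
                result[name] = "untagged"
        return result


def rejects(fn, *args) -> bool:
    """True if the operation is refused by the model (helper for checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Running a planned change through this model before typing it into the CLI catches the two mistakes the text warns about: giving a port a second untagged membership, and expecting a re-add to change a port's frame format without removing it first.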
2.4.2.2 VLAN support on ADSL interface
The ADSL Residential Gateways extend the support on tagged frames from the Ethernet ports to the ADSL
port.
Specifically, only on ADSL connections that use the RFC1483 encapsulation method, it is possible to assign a connection to manage tagged traffic for one or more VLANs and, at the same time, untagged frames for one
VLAN only.
2.4.2.2.1 Untagged RFC1483 connections
To assign an RFC1483 transport to manage untagged frames for one VLAN, use the command RFC1483 SET TRANSPORT FRAME UNTAGGED.
• All the untagged frames that arrive from the ADSL port on the PVC channel specific to the RFC1483 transport
are forwarded internally to the bridge software as tagged frames, with the VLAN identifier equal to the VID
value of the specified VLAN.
• If the same RFC1483 transport has not also been assigned to manage tagged frames, any incoming tagged
frames are silently discarded.
• All the outgoing tagged frames that the bridge software must send out on the ADSL port are filtered to discard invalid tagged frames:
if the VID value in the frame's 802.1Q header equals the VID value of the specified VLAN, the 802.1Q header is
removed and the frame is sent as an untagged frame; otherwise the frame is silently discarded.
2.4.2.2.2 Tagged RFC1483 connections
To assign an RFC1483 transport to manage tagged frames for one VLAN, use the command RFC1483 SET TRANSPORT FRAME TAGGED.
All the tagged frames that arrive from the ADSL port on the PVC channel specific to the RFC1483 transport and
whose VID value equals the VID value of the specified VLAN are forwarded internally to the bridge software as tagged frames, keeping the same VLAN identifier.
All the tagged frames that arrive from the ADSL port on the PVC channel specific to the RFC1483 transport and
whose VID value differs from the VID value of the specified VLAN are silently discarded.
Note that it is possible to assign the same RFC1483 transport to manage tagged frames for more than one VLAN
by entering the command RFC1483 SET TRANSPORT FRAME TAGGED once for each VLAN to be configured.
All the untagged frames that arrive from the ADSL port on the PVC channel specific to the RFC1483 transport are silently discarded if the RFC1483 transport has not been assigned
any VLAN as untagged transport.
All the outgoing tagged frames that the bridge software must send out on the ADSL port are filtered to discard
invalid tagged frames: if the VID value in the frame's 802.1Q header equals the VID value of the specified VLAN, the frame is sent as a tagged
frame keeping the same VLAN identifier; otherwise the frame is silently discarded.
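The ingress and egress rules of sections 2.4.2.2.1 and 2.4.2.2.2 together, as an added example that is not the gateway's code: a Python model of one RFC1483 transport holding at most one untagged VLAN and any number of tagged VLANs. Frames are represented only by their VID (None meaning untagged), so no frame parsing is needed; the class and method names and the VIDs in the trace are constructed for illustration.

```python
"""Model of the RFC1483 transport tagged/untagged forwarding rules (added example)."""
from typing import Dict, List, Optional, Set, Tuple

Egress = Optional[Tuple[str, Optional[int]]]  # ("untagged", None) | ("tagged", vid) | None


class Rfc1483Transport:
    def __init__(self, name: str):
        self.name = name
        self.untagged_vid: Optional[int] = None  # RFC1483 SET TRANSPORT FRAME UNTAGGED
        self.tagged_vids: Set[int] = set()       # RFC1483 SET TRANSPORT FRAME TAGGED

    def set_frame_untagged(self, vid: int) -> None:
        # Only one VLAN can be carried untagged on a transport.
        self.untagged_vid = vid

    def set_frame_tagged(self, vid: int) -> None:
        # The command may be entered once per VLAN, so this accumulates.
        self.tagged_vids.add(vid)

    def ingress(self, frame_vid: Optional[int]) -> Optional[int]:
        """ADSL -> bridge. Return the VID handed to the bridge, or None if discarded."""
        if frame_vid is None:
            # Untagged frame: forwarded as tagged with the untagged VLAN's VID,
            # or silently discarded when no untagged VLAN is assigned.
            return self.untagged_vid
        if frame_vid in self.tagged_vids:
            return frame_vid  # forwarded unchanged
        return None           # tagged frame for an unassigned VLAN: discarded

    def egress(self, bridge_vid: int) -> Egress:
        """bridge -> ADSL. Strip, keep or discard the tag according to the assignment."""
        if bridge_vid == self.untagged_vid:
            return ("untagged", None)       # 802.1Q header removed
        if bridge_vid in self.tagged_vids:
            return ("tagged", bridge_vid)   # header kept, same VID
        return None                         # not a VLAN of this transport: discarded


def trace(transport: Rfc1483Transport, ingress_frames: List[Optional[int]],
          egress_vids: List[int]) -> Dict[str, list]:
    """Run constructed traffic through the transport and record each decision."""
    return {
        "ingress": [(f, transport.ingress(f)) for f in ingress_frames],
        "egress": [(v, transport.egress(v)) for v in egress_vids],
    }


if __name__ == "__main__":
    t = Rfc1483Transport("rfc1483-0")
    t.set_frame_untagged(10)
    t.set_frame_tagged(20)
    t.set_frame_tagged(30)
    print(trace(t, [None, 20, 99], [10, 30, 99]))
```

The model makes the filtering behaviour explicit: a tagged frame whose VID was never assigned to the transport is dropped in both directions, so a misconfigured VLAN shows up as silent loss rather than as leakage onto another VLAN.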
2.4.2.3 VLAN versus IP interface
One of the major constraints when using VLANs is that packets exchanged between hosts that are members of
the same VLAN cannot be received by hosts that are members of a different VLAN.
The Gateway solves this limitation by offering a packet routing service between different VLANs.
The routing of packets between VLANs is based on the classical layer 3 routing method as, for example, a typical router performs between IP interfaces.
Based on this approach, there is the requirement that each VLAN that you wish to be involved in the routing of
packets must have an associated IP interface.
In this way, the Layer 3 routing process is able to treat VLAN IP interfaces as though they were distinct Ethernet ports, and route rules apply as they would for a multi-port router.
Each primary IP interface uses the VLAN data transport services (frame tagging and untagging and related layer
2 forwarding) as though it were an Ethernet port.
From the system's point of view, when a VLAN is used to support an IP interface, the VLAN becomes a transport
device supporting Ethernet traffic (see Figure 2-3).
FIGURE 2-3 IP interface over LAN - first steps (flow diagram: from the Default Configuration, one track runs VLAN Creation -> VLAN Port Adding -> VLAN Ethernet Transport Adding and the other IP Interface Creation -> IP Interface Configuration; the two join at IP and VLAN Attach, giving the IP Interface on VLAN)
The maximum number of primary IP interfaces that can be defined is 16 and is equal to the maximum number of
VLANs that it is possible to create on the residential gateway.
When more than one IP interface is defined, routing between these interfaces is immediately enabled without
requiring any route to be explicitly defined.
By default, the Gateway starts with one IP interface attached to the default VLAN in order to provide remote
access to the system via telnet.
The default VLAN and the IP interface attached to it cannot be removed. It's possible to remove all the ports
from the default VLAN if one or more other VLANs exist.
2.4.2.4 VLAN Translations
An additional feature that can be of use when trying to match network-specified VLAN IDs to a customer's
network is VLAN translation. This mechanism allows the user to take all traffic received from the WAN interface
on a given VLAN and convert the VLAN tag to an internal VID for transfer to the LAN interfaces.
2.4.3 Functional Differences in Product Categories
There are a number of options available to manage VLANs in the newer devices; however, the basic steps for
creating and configuring a VLAN are simplified into a small subset of commands, described below. More
sophisticated users can obtain additional flexibility through the BRIDGE VLAN commands.
TABLE 2-6 VLAN functions available per product category (columns: Fiber A, Fiber B, Fiber C, Fiber D, Fiber E, Modular, ADSL A, ADSL B, ADSL C; X = supported, 1 = see Note 1, 2 = see Note 2)
Functions: VLAN tagging; VLAN support on Ethernet interfaces; VLAN support on ADSL interface; VLAN versus IP interface; VLAN Translations
Note 1:
To create a primary IP interface and connect it to a VLAN, the following steps must be performed.
• Create a VLAN using the VLAN ADD VID command
• Add ports to the VLAN using the VLAN ADD PORT command
• Add the VLAN to the Ethernet transports list using the ETHERNET ADD TRANSPORT command. This
command instructs the system that a new (virtual) transport device has been added to the system.
• Create an IP interface with the IP ADD INTERFACE command. This command constructs a new IP
interface with the specified IP address and net mask but doesn't bind the IP interface to any port.
• Bind the IP interface to the VLAN using the IP ATTACH TRANSPORT command.
***** It is not necessary to add the VLAN to the CPU port - when the VLAN is attached to the bridge,
it is automatically added to the CPU port.
Note 2:
To create a primary IP interface and connect it to a VLAN, the following steps must be performed.
• Create a VLAN using the VLAN CREATE command - the VLAN is automatically created on the Bridge.
• Add switch ports to the VLAN using the VLAN ADD command
• Create an IP interface with the IP ADD INTERFACE command. This command constructs a new IP
interface with the specified IP address and net mask but doesn't bind the IP interface to any port.
• Bind the IP interface to the VLAN using the IP ATTACH command.
***** If it is desired that the CPU receive traffic in a particular VLAN, it is necessary to add the VLAN to
the CPU port, in tagged mode, using the VLAN ADD command.
2.4.4 VLAN command reference
This section describes the commands available to create, configure and manage VLANs.
2.4.4.1 VLAN CLI commands
The table below lists the VLAN commands provided by the CLI:
Commands (availability per product category: Fiber A, Fiber B, Fiber C, Fiber D, Fiber E, Modular, ADSL A, ADSL B, ADSL C; X = available):
BRIDGE ADD VLAN
BRIDGE CLEAR VLANS
BRIDGE DELETE VLAN
BRIDGE LIST STATIC VLANS
BRIDGE LIST VLANS
BRIDGE SHOW VLAN
BRIDGE CLEAR INTERFACEVLANSTATS
BRIDGE LIST INTERFACEVLANSTATS
BRIDGE SHOW INTERFACEVLANSTATS
BRIDGE ADD VLANINTERFACE
BRIDGE CLEAR VLANINTERFACES
BRIDGE DELETE VLANINTERFACE
BRIDGEVLAN ADD TRANSPORT
BRIDGEVLAN CLEAR TRANSPORTS
BRIDGEVLAN DELETE TRANSPORT
BRIDGEVLAN LIST TRANSPORTS
VLAN ADD
VLAN ADD PORT
VLAN ADD VID
VLAN CREATE
VLAN DELETE
VLAN LIST
VLAN SHOW
VLAN TRANSLATE
2.4.4.1.1 BRIDGE ADD VLAN
Syntax
BRIDGE ADD VLAN <name> <vlanid> <fdb>
Description
This command adds a named VLAN (either the default VLAN or a user-defined VLAN) to the bridge. By default, all of the bridge interfaces are added to the untagged interface list of the default VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
Name | An arbitrary name that identifies the VLAN. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. Set to 'DefaultVlan' to add the default VLAN. | N/A
Vlanid | The VLAN Id that the user wants to assign to the named VLAN. The valid values for the VLAN Id range between 1 and 4094. Set to 1 to add the default VLAN. (VLAN Id 1 is used only for the default VLAN.) |
Fdb | The name of an existing Filtering Database with which the user wants the VLAN to be associated. If the FDB already exists, the VLAN becomes associated with that FDB. If the FDB does not exist, it is created and the VLAN becomes associated with it. See the bridge list fdbs CLI command to display all the existing filtering databases configured in the bridge and their corresponding statistics. Set to 'DefaultFdb' to add the default VLAN. |
Example
--> bridge add vlan VLAN_1 2 FDB_1
See also
BRIDGE DELETE VLAN
BRIDGE LIST STATIC VLANS
BRIDGE LIST VLANS
2.4.4.1.2 BRIDGE CLEAR VLANS
Syntax
BRIDGE CLEAR VLANS
Description
This command deletes the statically configured VLANs from the bridge. The egress interfaces and multicast filtering entries (for an IVM configuration) associated with the VLANs
are also deleted by this command. If a VLAN is the last VLAN associated with its FDB,
the FDB along with the unicast and multicast filtering entries and forward all/unregistered
group entries are also deleted from the bridge.
Example
--> bridge clear vlans
See also
BRIDGE ADD VLAN
BRIDGE DELETE VLAN
2.4.4.1.3 BRIDGE DELETE VLAN
Syntax
BRIDGE DELETE VLAN {<name>|<number>}
Description
This command deletes a single statically configured VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
Name | A name that identifies an existing VLAN. To display the list of statically configured VLANs, use bridge list static vlans. To display the list of all the static and dynamic VLANs in the bridge, use the bridge list vlans CLI command. | N/A
Number | A number that identifies an existing VLAN. To display the list of statically configured VLANs, use the bridge list static vlans command. The number appears in the first column under the heading ID. | N/A
Example
--> bridge delete vlan VLAN_1
See also
BRIDGE ADD VLAN
BRIDGE LIST STATIC VLANS
BRIDGE LIST VLANS
2.4.4.1.4 BRIDGE LIST STATIC VLANS
Syntax
BRIDGE LIST STATIC VLANS
Description
This command displays all of the statically configured VLANs. See the bridge add vlan CLI command to statically configure a VLAN. For each of the VLANs, the command displays all of the statically added egress interfaces. See the bridge add vlaninterface CLI command to add an interface to the named VLAN.
• ID: The sequence number given by the CLI system for the VLAN in the CLI listing.
• VLAN ID: A number that identifies an existing statically-configured VLAN.
• VLAN Name: A name that identifies an existing statically-configured VLAN.
• FDB Name: The name of an existing filtering database to which the filtering entry will be added. See Note on filtering database in this command.
• Tagged Interfaces: Tagged egress interface list.
• Untagged Interfaces: Untagged egress interface list.
Example
--> bridge list static vlans
..ID..|...VLAN ID....|......VLAN Name.......|...FDB Name
------|--------------|----------------------|---------------
...1..|......2.......|.......VLAN_1.........|....FDB_1
Tagged Interfaces: bridge1
Untagged Interfaces: bridge2
------------------------------------------------------------
See also
BRIDGE LIST INTERFACES
BRIDGE ATTACH
2.4.4.1.5 BRIDGE LIST VLANS
Syntax
BRIDGE LIST VLANS
Description
This command displays all of the VLANs in the bridge, both statically configured and dynamically learnt, together with their egress interfaces. The following fields are displayed:
• ID: The sequence number given by the CLI system for the VLAN in the CLI listing.
• VLAN ID: A number that identifies an existing VLAN.
• VLAN Name: A name that identifies an existing VLAN.
• FDB Name: The name of an existing filtering database to which the filtering entry will be added. See Note on filtering database in this command.
• Type: Indicates whether the VLAN is either statically configured or dynamically learnt.
• Tagged Interfaces: Tagged egress interface list.
• Untagged Interfaces: Untagged egress interface list.
Example
--> bridge list vlans
.ID.|.VLAN ID.|.VLAN Name..|.FDB Name..|.Type....|
---------------------------------------------------------
..1.|.2.......|.VLAN_1.....|.FDB_1.....|.static..|
Tagged Interfaces: bridge1
Untagged Interfaces: bridge2
------------------------------------------------------------
See also
BRIDGE ADD VLAN
BRIDGE ADD VLANINTERFACE
BRIDGE LIST STATIC VLANS
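The listing format shown in the BRIDGE LIST VLANS and BRIDGE LIST STATIC VLANS examples, as an added example that is not part of the manual: a Python parser that turns the dotted, pipe-separated output into records and then reviews them against the rules stated in this chapter (VID range, VID 1 reserved for the default VLAN, interfaces listed as both tagged and untagged). The sample output below is constructed to match the manual's layout; the second VLAN, its name and its "dynamic" type are made up to exercise the review.

```python
"""Parse `bridge list vlans` output and review the VLAN configuration (added example)."""
from typing import Dict, List

# Constructed sample, laid out like the manual's example output (dots are CLI padding).
SAMPLE_OUTPUT = """\
.ID.|.VLAN ID.|.VLAN Name..|.FDB Name..|.Type....|
---------------------------------------------------------
..1.|.2.......|.VLAN_1.....|.FDB_1.....|.static..|
Tagged Interfaces: bridge1
Untagged Interfaces: bridge2
------------------------------------------------------------
..2.|.3.......|.VLAN_2.....|.FDB_1.....|.dynamic.|
Tagged Interfaces: bridge1
Untagged Interfaces:
------------------------------------------------------------
"""


def _cells(line: str) -> List[str]:
    """Split a table row on '|' and strip the CLI's dot padding."""
    return [c.strip(". ") for c in line.strip().strip("|").split("|")]


def parse_vlan_list(text: str) -> List[Dict]:
    """Return one record per VLAN: the header columns plus tagged/untagged lists."""
    records: List[Dict] = []
    header = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank or separator line
        if stripped.startswith(("Tagged Interfaces:", "Untagged Interfaces:")):
            if not records:
                raise ValueError("interface line before any VLAN row")
            key, _, value = stripped.partition(":")
            records[-1][key.split()[0].lower()] = value.split()
            continue
        cells = _cells(line)
        if header is None:
            header = cells  # first row is the column heading
            continue
        rec = dict(zip(header, cells))
        rec["VLAN ID"] = int(rec["VLAN ID"])
        rec["tagged"] = []
        rec["untagged"] = []
        records.append(rec)
    return records


def review(records: List[Dict]) -> List[str]:
    """Points an operator would want to look at, per the rules in this chapter."""
    issues: List[str] = []
    for r in records:
        name, vid = r["VLAN Name"], r["VLAN ID"]
        if not 1 <= vid <= 4094:
            issues.append(f"{name}: VID {vid} outside 1..4094")
        if vid == 1 and name != "DefaultVlan":
            issues.append(f"{name}: VID 1 is used only for the default VLAN")
        if r.get("Type") != "static":
            issues.append(f"{name}: not statically configured (type {r.get('Type')})")
        for iface in sorted(set(r["tagged"]) & set(r["untagged"])):
            issues.append(f"{name}: {iface} listed as both tagged and untagged")
    return issues


if __name__ == "__main__":
    for issue in review(parse_vlan_list(SAMPLE_OUTPUT)):
        print(issue)
```

Feeding a saved `bridge list vlans` capture to `parse_vlan_list` gives a structured view that can be diffed against the intended configuration; `review` flags VLANs that appeared without being in the static configuration, which is the kind of drift worth checking on a gateway that bridges customer and provider VLANs.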
2.4.4.1.6 BRIDGE SHOW VLAN
Syntax
BRIDGE SHOW VLAN {<name>|<number>}
Description
This command displays a single statically configured VLAN. See the bridge add vlan CLI command to statically configure a VLAN. The command displays all the statically added egress interfaces of the VLAN. See the bridge add vlaninterface CLI command to add an interface to a VLAN.
• VLAN: A name that identifies an existing statically-configured VLAN.
• VLAN ID: A number that identifies an existing statically-configured VLAN.
• Filtering Database: The name of an existing filtering database to which the filtering entry will be added. See Note on filtering database in this command.
• Tagged Interfaces: Tagged egress interface list.
• Untagged Interfaces: Untagged egress interface list.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
Name | A name that identifies an existing VLAN. To display the list of statically configured VLANs, use bridge list static vlans. To display the list of all the static and dynamic VLANs in the bridge, use the bridge list vlans CLI command. This command also displays the egress interface list for each VLAN. | N/A
Number | A number that identifies an existing VLAN. To display the list of statically configured VLANs, use the bridge list static vlans command. The number appears in the first column under the heading ID. | N/A
Example
--> bridge show vlan VLAN_1
VLAN: VLAN_1
VLAN Id: 2
Filtering Database: FDB_1
Tagged Interfaces: bridge1
Untagged Interfaces: bridge2
See also
BRIDGE ADD VLAN
BRIDGE ADD VLANINTERFACE
BRIDGE LIST STATIC VLANS
BRIDGE LIST VLANS
2.4.4.1.7 BRIDGE CLEAR INTERFACEVLANSTATS
Syntax
BRIDGE CLEAR INTERFACEVLANSTATS [{<vlanname>|<vlannumber>} [<interfacename>]]
Description
This command clears the statistics for:
• All the egress interfaces across all the VLANs.
• All the egress interfaces for the named VLAN.
• A particular egress interface for the named VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
Vlanname | The name of an existing VLAN. See the bridge add vlan CLI command to configure a new VLAN. | N/A
Vlannumber | A number that identifies an existing VLAN. To display the list of statically configured VLANs, use the bridge list static vlans command. The number appears in the first column under the heading ID. | N/A
Interfacename | The name of an egress interface of the VLAN. | N/A
Example
--> bridge clear interfacevlanstats
--> bridge clear interfacevlanstats VLAN_1
--> bridge clear interfacevlanstats VLAN_1 bridge1
See also
BRIDGE ADD VLAN
BRIDGE ADD VLANINTERFACE
BRIDGE LIST INTERFACEVLANSTATS
2.4.4.1.8 BRIDGE LIST INTERFACEVLANSTATS
Syntax
BRIDGE LIST INTERFACEVLANSTATS {<vlanname>|<vlannumber>}
Description
This command displays the statistical information of the egress interfaces of the named VLAN.
• Name: The name of an existing VLAN. See the bridge add vlan CLI command to configure a new VLAN.
• Rx Frames: The number of frames received on the interface for the named VLAN.
• Tx Frames: The number of frames transmitted from the interface for the named VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
Vlanname | The name of an existing VLAN. See the bridge add vlan CLI command to configure a new VLAN. | N/A
Vlannumber | A number that identifies an existing VLAN. To display the list of statically configured VLANs, use the bridge list static vlans command. The number appears in the first column under the heading ID. | N/A
Example
--> bridge list interfacevlanstats VLAN_1
Interfaces Stats for the VLAN: VLAN_1
Name | Rx Frames | Tx Frames
---------|-----------|------------
bridge1 | 56 | 72
----------------------------------
See also
BRIDGE ADD VLAN
BRIDGE ADD VLANINTERFACE
BRIDGE CLEAR INTERFACEVLANSTATS
2.4.4.1.9 BRIDGE SHOW INTERFACEVLANSTATS
Syntax
BRIDGE SHOW INTERFACEVLANSTATS {<vlanname>|<vlannumber>} <interfacename>
Description
This command displays the statistical information (received and transmitted frames) of a single egress interface of the named VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Option | Description | Default Value
Vlanname | The name of an existing VLAN. See the bridge add vlan CLI command to configure a new VLAN. | N/A
Vlannumber | A number that identifies an existing VLAN. To display the list of statically configured VLANs, use the bridge list static vlans command. The number appears in the first column under the heading ID. | N/A
Interfacename | The name of an egress interface of the VLAN. | N/A
Example
--> bridge show interfacevlanstats VLAN_1 bridge1
VLAN Interface Name: ethernet
Rx Frames | Tx Frames
--------------------|-----------------
22 | 1056
-------------------------------------
See also
BRIDGE ADD VLAN
BRIDGE ADD VLANINTERFACE
BRIDGE LIST INTERFACEVLANSTATS
2.4.4.1.10 BRIDGE ADD VLANINTERFACE
Syntax
BRIDGE ADD VLANINTERFACE {<name>|<number>} {tagged|untagged}
<interfacename>
Description
This command adds an interface to the egress interface list of the named VLAN. The egress interface list for a VLAN is the union of the tagged interfaces and the untagged interfaces. For the default VLAN, all the bridge interfaces are automatically configured as its untagged egress interfaces. The user need not explicitly add untagged interfaces for the DefaultVlan. See bridge add vlan to add a default or a new VLAN. However, the user is free to add/delete the interfaces from the default VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
Name | A name that identifies an existing VLAN. To display the list of statically configured VLANs, use bridge list static vlans. To display the list of all the static and dynamic VLANs in the bridge, use the bridge list vlans CLI command. | N/A
Number | A number that identifies an existing VLAN. To display the list of statically configured VLANs, use the bridge list static vlans command. The number appears in the first column under the heading ID. | N/A
Tagged | To add a port in the tagged port list of the named VLAN. | N/A
Untagged | To add a port in the untagged port list of the named VLAN. | N/A
Interfacename | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands, respectively. | N/A
Example
--> bridge add vlaninterface VLAN_1 tagged bridge1
See also
BRIDGE ADD INTERFACE
BRIDGE ATTACH
BRIDGE ADD VLAN
2.4.4.1.11 BRIDGE CLEAR VLANINTERFACES
Syntax
BRIDGE CLEAR VLANINTERFACES {<name>|<number>} [{tagged|untagged}]
Description
This command provides three different options to delete:
• All tagged interfaces.
• All untagged interfaces.
• All the egress interfaces, i.e., all tagged and untagged interfaces of the named VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
Name | A name that identifies an existing VLAN. To display the list of statically configured VLANs, use bridge list static vlans. To display the list of all the static and dynamic VLANs in the bridge, use the bridge list vlans CLI command. This command also displays the egress interface list for each VLAN. | N/A
Number | A number that identifies an existing VLAN. To display the list of statically configured VLANs, use the bridge list static vlans command. The number appears in the first column under the heading ID. | N/A
Tagged | Removes all the tagged interfaces from the egress interface list of the VLAN. If no tagged / untagged option is given in this command, all the egress interfaces are removed from the VLAN. | N/A
Untagged | Removes all the untagged interfaces from the egress interface list of the VLAN. If no tagged / untagged option is given in this command, all the egress interfaces are removed from the VLAN. | N/A
Example
--> bridge clear vlaninterfaces VLAN_1
See also
BRIDGE ADD VLAN
BRIDGE ADD VLANINTERFACE
BRIDGE LIST STATIC VLANS
BRIDGE LIST VLANS
2.4.4.1.12 BRIDGE DELETE VLANINTERFACE
Syntax
BRIDGE DELETE VLANINTERFACE {<name>|<number>} <interfacename>
Description
This command removes an interface from the egress interface list of the named VLAN.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
Name | A name that identifies an existing VLAN. To display the list of statically configured VLANs, use bridge list static vlans. To display the list of all the static and dynamic VLANs in the bridge, use the bridge list vlans CLI command. | N/A
Number | A number that identifies an existing VLAN. To display the list of statically configured VLANs, use the bridge list static vlans command. The number appears in the first column under the heading ID. | N/A
Interfacename | The name of a bridge interface which belongs to the egress interface list of the VLAN. | N/A
Example
--> bridge delete vlaninterface VLAN_1 bridge1
See also
BRIDGE ADD VLAN
BRIDGE ADD VLANINTERFACE
BRIDGE LIST STATIC VLANS
BRIDGE LIST VLANS
2.4.4.1.13 BRIDGEVLAN ADD TRANSPORT
Syntax
BRIDGEVLAN ADD TRANSPORT <name> <vlanid>
Description
This command adds a named VLAN transport corresponding to a VLAN Id. By attaching an IP interface to this transport, the IP interface will be able to send and receive traffic on the VLAN with Id <vlanid>. Section 23.5 describes the CLI command to attach an IP interface to a VLAN transport.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
name | A name that identifies a VLAN transport. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. |
vlanid | VLAN Id on which the transport is created. A VLAN corresponding to the vlanid should already have been created for this command to be successful. Use the bridge add vlan CLI command to add a VLAN. |
Example
bridgevlan add transport vt1 2
See also
bridgevlan delete transport
bridgevlan list transports
2.4.4.1.14 BRIDGEVLAN CLEAR TRANSPORTS
Syntax
BRIDGEVLAN CLEAR TRANSPORTS
Description
This command deletes all the configured VLAN transports from the system.
Options
None
Example
bridgevlan clear transports
See also
bridgevlan add transport
bridgevlan list transports
2.4.4.1.15 BRIDGEVLAN DELETE TRANSPORT
Syntax
BRIDGEVLAN DELETE TRANSPORT {<name> | <number>}
Description
This command deletes a single configured VLAN transport.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
name | A name that identifies an existing VLAN transport. To display the list of configured VLAN transports, use the bridgevlan list transports CLI command. |
number | A number that identifies an existing VLAN transport. To display the list of configured VLAN transports, use bridgevlan list transports. The number appears in the first column under the heading ID. |
Example
bridgevlan delete transport vt1
See also
bridgevlan add transport
bridgevlan list transports
2.4.4.1.16 BRIDGEVLAN LIST TRANSPORTS
Syntax
BRIDGEVLAN LIST TRANSPORTS
Description
This command displays information about all of the configured VLAN transports. See bridgevlan add transport on page 62. The following fields are displayed:
• ID: The numerical identifier automatically assigned to the object when it was created.
• Name: The name that identifies an existing VLAN transport.
• VLAN ID: The numerical identifier automatically assigned to the VLAN object when it was created.
• IP Interface: IP interface associated with the transport, if any.
Options
None
Example
bridgevlan list transports
See also
bridgevlan add transport
ip interface attachbridgevlan
2.4.4.1.17 VLAN ADD
Syntax
VLAN ADD <vlanname> <portname> FRAME {TAGGED|UNTAGGED}
Description
This command adds an Ethernet port to an existing named VLAN that has been created with the command VLAN ADD VID.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).
Name | Description | Default Value
Vlanname | An existing VLAN. To display the existing VLANs, use the VLAN LIST command. | N/A
Portname | The name of the switch port to be configured. Available ports are: lan1, lan2, lan3, lan4, lan5, lan6, cpu | N/A
TAGGED/UNTAGGED | Specify if the switch port must be set as tagged or untagged port for the selected VLAN. | N/A
Example
--> vlan add voip lan1 frame tagged
See also
VLAN LIST
2.4.4.1.18 VLAN ADD PORT
Syntax
UNTAGGED}
VLAN ADD <vlanname> PORT <portname> FRAME {TAGGED |
Description
This command adds an Ethernet port to an existing named VLAN that has been created
with the command VLAN ADD VID.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name | Description | Default Value
vlanname | An existing VLAN. To display the existing VLANs, use the VLAN SHOW command. | N/A
portname | A name that identifies an Ethernet port. Valid port names (case insensitive) are lan1, lan2, lan3 and lan4. | N/A
FRAME | The FRAME parameter specifies whether a VLAN tag header is included in each frame transmitted on the specified ports. If tagged is specified, a VLAN tag is added to frames prior to transmission. The port is then called a tagged port for this VLAN. If untagged is specified, the frame is transmitted without a VLAN tag. The port is then called an untagged port for this VLAN. | N/A
Example
vlan add voip port lan1 frame untagged
See also
VLAN SHOW
2.4.4.1.19 VLAN ADD VID
Syntax
VLAN ADD <vlanname> VID <vlanID> [802.1p_priority <priority>]
Description
This command defines a new VLAN that has the specified VID value.
The VLAN name can be up to 16 characters long; it cannot start with a digit and cannot contain dots '.' or slashes '/'.
This command also specifies the priority value of the tagged packets that are sent from the network processor to the layer 2 switch and then to the network.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name | Description | Default Value
vlanname | An arbitrary name that identifies the VLAN. The name must not be already in use for another VLAN. The VLAN name can be at most 16 chars long. | N/A
vlanID | The VLANID parameter specifies a unique VLAN Identifier (VID) for the VLAN. If tagged ports are added to this VLAN, the specified VID is used in the VID field of the tag in outgoing frames. If untagged ports are added to this VLAN, the specified VID only acts as an identifier for the VLAN in the Forwarding Database. The default port based VLAN has a VID of 1. | N/A
priority | The priority value, as defined in 802.1p, of the tagged packets that are sent from the Residential Gateway network processor to the switch and then out to the network. Available values are in the range 0 to 7. | 0
Example
vlan add voip vid 10 802.1p_priority 7
See also
VLAN SHOW
2.4.4.1.20 VLAN CLEAR
Syntax
VLAN CLEAR < vlanname >
Description
This command removes an existing VLAN from the VLAN database.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name | Description | Default Value
vlanname | An existing VLAN. To display the existing VLANs, use the VLAN LIST command. | N/A
Example
--> vlan clear voip
See also
VLAN LIST
2.4.4.1.21 VLAN CREATE
Syntax
VLAN CREATE < vlanname > < vlanid >
Description
This command defines a new VLAN and specifies the corresponding VLAN identifier
(VID).
The VLAN name can be up to 16 characters long; it cannot start with a digit and cannot contain dots '.' or slashes '/'.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
vlanname | An arbitrary name that identifies the VLAN. The name must not be already in use for another VLAN. The VLAN name can be at most 16 chars long. | N/A
vlanid | The VLANID parameter specifies a unique VLAN Identifier (VID) for the VLAN. If tagged ports are added to this VLAN, the specified VID is used in the VID field of the tag in outgoing frames. If untagged ports are added to this VLAN, the specified VID only acts as an identifier for the VLAN in the Forwarding Database. The default port based VLAN has a VID of 1. | N/A
Example
--> vlan create voip vid 10
--> vlan create wan_net 20
--> vlan create lan_net 20
--> vlan add interface wan_net wan frame tagged
--> vlan add interface lan_net lan1 frame untagged
--> vlan add interface wan_net cpu frame tagged
--> vlan add interface lan_net cpu frame tagged
--> vlan translate lan_net 20
--> vlan translate wan_net 10
See also
VLAN LIST
2.4.4.1.22 VLAN DELETE
Syntax
VLAN DELETE <vlanname> <portname>
Description
This command removes a switch port from membership of an existing VLAN.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name | Description | Default Value
vlanname | An existing VLAN. To display the existing VLANs, use the VLAN LIST command. | N/A
portname | The name of the switch port to be configured. Available ports are: lan1, lan2, lan3, lan4, lan5, lan6, cpu, wan, cesc, cesd. | N/A
Example
--> vlan delete voip lan1
See also
VLAN ADD PORT
VLAN ADD VID
VLAN SHOW
2.4.4.1.23 VLAN LIST
Syntax
VLAN LIST
Description
This command displays the following information about all the VLANs defined in the system:
• VLAN Name: The name of the VLAN.
• VLAN ID: The numerical VLAN identifier of the VLAN (VID).
• Untagged port(s): A list of untagged ports that belong to the VLAN.
• Tagged port(s): A list of tagged ports that belong to the VLAN.
Example
--> vlan list
VLANs:
  ID | VLAN ID | VLAN Name       |
-----|---------|-----------------|
   1 | 1       | DefaultVlan     |
       Tagged Ports: cpu
       Untagged Ports:
----------------------------------
   2 | 200     | vlan_int        |
       Tagged Ports: cpu
       Untagged Ports: lan1 lan2 lan3 lan4
----------------------------------
   3 | 1200    | vlan_dmz        |
       Tagged Ports: cpu
       Untagged Ports: lan5 lan6
----------------------------------
See also
VLAN ADD PORT
VLAN ADD VID
2.4.4.1.24 VLAN SHOW
Syntax
VLAN SHOW
Description
This command displays the following information about all the VLANs defined in the system:
• Name: The name of the VLAN.
• Identifier: The numerical VLAN identifier of the VLAN (VID).
• Status: The status of the VLAN (only static VLANs are supported).
• Untagged port(s): A list of untagged ports that belong to the VLAN.
• Tagged port(s): A list of tagged ports that belong to the VLAN.
• 802.1p priority: The value of the 802.1p priority assigned to packets sent from the Residential Gateway processor.
Example
vlan show
VLAN information
--------------------------------------------
Name: default
  Identifier         1
  Status             static
  802.1p Priority    7
  Untagged port(s)   lan3, lan2
  Tagged port(s)     cpu
Name: voip
  Identifier         10
  Status             static
  802.1p Priority    7
  Untagged port(s)   lan2
  Tagged port(s)     lan1
--------------------------------------------
See also
VLAN ADD PORT
VLAN ADD VID
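As an added example (not part of this manual or of the gateway software), the following Python script parses `vlan show` output in the layout shown above and audits it against the limits the chapter documents for VLAN names and 802.1p priority. The sample output is constructed from the manual's example; the 802.1Q VID range check and the "port untagged in more than one VLAN" heuristic are assumptions of the example, not rules stated by the manual.

```python
"""Parse and audit the output of the gateway's `vlan show` command.

Added example, not part of the Allied Telesis manual or product software. The
sample output is constructed from the layout shown in the manual; the VLAN name
rules are the ones the manual states for VLAN ADD VID / VLAN CREATE.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, laid out like the manual's `vlan show` example.
SAMPLE_VLAN_SHOW = """\
VLAN information
--------------------------------------------
Name: default
  Identifier         1
  Status             static
  802.1p Priority    7
  Untagged port(s)   lan3, lan2
  Tagged port(s)     cpu
Name: voip
  Identifier         10
  Status             static
  802.1p Priority    7
  Untagged port(s)   lan2
  Tagged port(s)     lan1
--------------------------------------------
"""


@dataclass
class Vlan:
    name: str
    vid: int = 0
    status: str = ""
    priority: int = 0
    untagged: list = field(default_factory=list)
    tagged: list = field(default_factory=list)


_FIELD = re.compile(
    r"^\s*(Identifier|Status|802\.1p Priority|Untagged port\(s\)|Tagged port\(s\))\s*(.*)$"
)


def _ports(text):
    """'lan3, lan2' -> ['lan3', 'lan2'] (port names are case insensitive)."""
    return [p.strip().lower() for p in text.split(",") if p.strip()]


def parse_vlan_show(text):
    """Turn `vlan show` output into a list of Vlan records."""
    vlans, cur = [], None
    for line in text.splitlines():
        if line.startswith("Name:"):
            cur = Vlan(name=line.split(":", 1)[1].strip())
            vlans.append(cur)
            continue
        m = _FIELD.match(line)
        if cur is None or not m:
            continue  # banner, separator or unknown field
        key, val = m.group(1), m.group(2).strip()
        if key == "Identifier":
            cur.vid = int(val)
        elif key == "Status":
            cur.status = val
        elif key == "802.1p Priority":
            cur.priority = int(val)
        elif key == "Untagged port(s)":
            cur.untagged = _ports(val)
        else:
            cur.tagged = _ports(val)
    return vlans


def vlan_name_problems(name):
    """Rules stated in the manual: at most 16 chars, no leading digit, no '.' or '/'."""
    problems = []
    if len(name) > 16:
        problems.append("name longer than 16 characters")
    if name[:1].isdigit():
        problems.append("name starts with a digit")
    if "." in name or "/" in name:
        problems.append("name contains '.' or '/'")
    return problems


def audit(vlans):
    """Flag records that violate the documented limits or look misconfigured."""
    problems = []
    untagged_in = {}  # port -> VLAN names in which it is an untagged member
    for v in vlans:
        problems += [f"{v.name}: {p}" for p in vlan_name_problems(v.name)]
        if not 0 <= v.priority <= 7:  # 802.1p range given for VLAN ADD VID
            problems.append(f"{v.name}: 802.1p priority {v.priority} out of range 0-7")
        if not 1 <= v.vid <= 4094:  # 802.1Q VID range (assumption, not stated in the manual)
            problems.append(f"{v.name}: VID {v.vid} outside 1-4094")
        for port in v.untagged:
            untagged_in.setdefault(port, []).append(v.name)
    # A port that is an untagged member of two VLANs cannot classify untagged
    # ingress unambiguously; worth a look when reviewing VLAN-based segmentation.
    for port, names in sorted(untagged_in.items()):
        if len(names) > 1:
            problems.append(f"port {port} is untagged in more than one VLAN: {', '.join(names)}")
    return problems


if __name__ == "__main__":
    for finding in audit(parse_vlan_show(SAMPLE_VLAN_SHOW)):
        print(finding)
```

Run against the manual's own example output, the audit reports only that lan2 appears as an untagged port in both the default VLAN and the voip VLAN.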
2.4.4.1.25 VLAN TRANSLATE
Syntax
VLAN TRANSLATE <vlanname> <vlanid>
Description
This command creates a software-based VLAN translation. This process can be CPU
intensive and should not be used for video.
Example
--> vlan create wan_net 20
--> vlan create lan_net 20
--> vlan add interface wan_net wan frame tagged
--> vlan add interface lan_net lan1 frame untagged
--> vlan add interface wan_net cpu frame tagged
--> vlan add interface lan_net cpu frame tagged
--> vlan translate lan_net 20
--> vlan translate wan_net 10
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Name | Description | Default Value
vlanname | An arbitrary name that identifies the VLAN. The name must not be already in use for another VLAN. The VLAN name can be at most 16 chars long. | N/A
vlanid | The VLANID parameter specifies a unique VLAN Identifier (VID) for the VLAN. If tagged ports are added to this VLAN, the specified VID is used in the VID field of the tag in outgoing frames. If untagged ports are added to this VLAN, the specified VID only acts as an identifier for the VLAN in the Forwarding Database. The default port based VLAN has a VID of 1. | N/A
3. IGMP
3.1 IGMP snooping
3.1.1 Multicasting overview
Multicasting is a technique developed to send packets from one location in the Internet to many other locations,
without any unnecessary packet duplication. In multicasting, one packet is sent from a source and is replicated as
needed in the network to reach as many end-users as necessary.
The concept of a group is crucial to multicasting. Every multicast stream requires a multicast group; the sender
(or source) transmits to the group address, and only members of the group can receive the multicast data. A
group is defined by a Class D address.
Multicasting is useful because it conserves bandwidth by replicating packets as needed within the network,
thereby not transmitting unnecessary packets. Multicasting is the most economical technique for sending a
packet stream (which could be audio, video, or data) from one location to many other locations on the Internet
simultaneously.
Of course, multicasting has to be a connectionless process. The server simply sends out its multicast UDP packets, with no idea of who will be receiving them, or whether they get received. It would be quite impossible
for the server to have to wait for ACKs from all the recipients, and remember to retransmit to those recipients
from whom it does not receive ACKs. Apart from anything else, the server does not know who the recipients
are, or how many there are.
3.1.1.1 Multicast Group addresses
A multicast stream is a stream of data whose destination address is a multicast address – i.e. an IP address with
the first byte having a value of 224 to 240. The destination address used by a stream is referred to as its Group
address. These Group Addresses, like all IP addresses, are a limited resource, and there are all sorts of rules
about who may use addresses from which address ranges.
A server sends out a multicast stream to a group multicast address but the way it is routed to the hosts that
actually want to receive it is a very different process to routing unicast packets. With unicast packets, the destination address of the packet uniquely identifies the host who should receive the packet and all the routers along
the path just need to look in their routing tables to work out which is the correct route to send the packet
down.
However, in the case of multicast, the stream is simply being sent out, with no particular knowledge of who
wants to receive it, or where the recipients are. One approach would be for every router that receives a multicast stream on one interface to just retransmit that stream out ALL its other interfaces. In that way it would
be guaranteed to eventually reach every host that might be interested in receiving it. However, that would be an
inefficient use of bandwidth, as a lot of the time the routers would be sending the streams out along paths that do
not contain any hosts that want to receive them. Given that the main reason for having multicasting is to make
efficient use of bandwidth, this would not be a good approach.
So, a more efficient approach is needed. This is where IGMP comes in.
3.1.1.2 IGMP protocol
IGMP (Internet Group Management Protocol) is the protocol whereby hosts indicate that they are interested in
receiving a particular multicast stream. When a host wants to receive a stream (in multicast jargon, this is called
‘joining a group’) it sends to its local router an IGMP packet containing the address of the group it wants to join
– this is called an IGMP Membership report (sometimes called a Join packet).
Now, the local router is generally going to be a long way from the server that is generating the stream. So, having received the IGMP join packet, the router then knows that it has to forward the multicast stream onto its
LAN (if it is not doing so already). However, if the router is not already receiving the multicast stream from the
server (probably many hops away) what does the router do next in order to ensure that the multicast stream
gets to it? This is achieved by an elaborate process involving multicast routing protocols like PIM, DVMRP, and
MOSPF.
The IGMP packet exchange works as described in the following paragraphs.
At a certain period (default is 125 seconds), the router sends an IGMP query message onto the local LAN. The
destination address of the query message is a special ‘all multicast groups’ address. The purpose of this query is
to ask, “Are there any hosts on the LAN that wish to remain members of Multicast Groups?”
Hosts on the LAN receive the query; if any given host wishes to remain in a multicast group, it sends a new
IGMP Membership report (Join message) for that group (of course some hosts may be members of more than
one group, so they will send join messages for all the groups that they are members of).
The router looks at the responses it receives to its query, and compares these to the list of Multicast streams
that it has currently registered to receive. If there are any items in that list for which it has not received query
responses, it will send a message upstream, asking to no longer receive that stream – i.e. to be ‘pruned’ from
the tree through which that stream is flowing.
In IGMP version 2, the IGMP Leave message was added, so a host can now explicitly inform its router that it
wants to leave a particular multicast group. The router keeps a table of how many hosts have joined particular groups, and removes hosts from the table when it receives Leave messages; it can then know straight away
when there are no hosts on its LAN that are still members of a given group, and can ask to be pruned from
that tree immediately, rather than having to wait until the next query interval.
3.1.1.3 Multicast MAC addresses
Multicast IP addresses are Class D IP addresses. So, all IP addresses from 224.0.0.0 to 239.255.255.255 are multicast IP addresses. They are also referred to as Group Destination Addresses (GDA).
For each GDA there is an associated MAC address. This MAC address is formed by 01-00-5e, followed by the
last 23 bits of the GDA written in hex. Therefore:
230.20.20.20 corresponds to MAC 01-00-5e-14-14-14
224.10.10.10 corresponds to MAC 01-00-5e-0a-0a-0a
Consequently, this is not a one-to-one mapping, but a one-to-many mapping:
224.10.10.10 corresponds to MAC 01-00-5e-0a-0a-0a
226.10.10.10 corresponds to MAC 01-00-5e-0a-0a-0a, as well.
It is required that when an IP multicast packet is sent onto an Ethernet, the destination MAC address of the
packet must be the MAC address that corresponds to the packet's GDA. So, it is possible, from the destination
MAC address of a multicast packet, to know the set of values that its GDA must fall within.
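The mapping just described, carried out in both directions, as an added example that is not part of the manual: `gda_to_mac` applies the 01-00-5e plus low-23-bits rule, and `mac_to_gdas` enumerates the 32 Class D addresses that share one MAC. The last helper makes the practical consequence explicit: a layer 2 filter keyed only on the destination MAC cannot tell those groups apart, so group membership checks must look at the IP GDA. Function names are the example's own.

```python
"""IPv4 multicast group address (GDA) <-> Ethernet MAC mapping.

Added example, not from the manual: it implements the rule described above
(01-00-5e followed by the low 23 bits of the GDA) and the reverse lookup that
shows why one MAC address covers 32 different groups.
"""
import ipaddress

MCAST_MAC_PREFIX = 0x01005E  # the 01-00-5e multicast prefix, 24 bits
LOW_23_BITS = 0x7FFFFF       # the part of the GDA that survives in the MAC


def gda_to_mac(gda):
    """Return the dashed MAC address an IP multicast packet for `gda` must carry."""
    addr = ipaddress.IPv4Address(gda)
    if not addr.is_multicast:
        raise ValueError(f"{gda} is not a Class D (224.0.0.0/4) address")
    mac_int = (MCAST_MAC_PREFIX << 24) | (int(addr) & LOW_23_BITS)
    return "-".join(f"{(mac_int >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_to_gdas(mac):
    """All 32 Class D addresses that map to `mac` (4 + 1 high bits are not carried)."""
    mac_int = int(mac.replace("-", "").replace(":", ""), 16)
    if (mac_int >> 24) != MCAST_MAC_PREFIX or (mac_int >> 23) & 1:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC address")
    low23 = mac_int & LOW_23_BITS
    return [
        str(ipaddress.IPv4Address((first_octet << 24) | (bit23 << 23) | low23))
        for first_octet in range(224, 240)  # 1110xxxx: every Class D first octet
        for bit23 in (0, 1)                 # high bit of the 2nd octet, lost in the MAC
    ]


def mac_filter_is_ambiguous(wanted_gda, seen_gda):
    """True when a filter keyed only on MAC would pass `seen_gda` for `wanted_gda`."""
    return wanted_gda != seen_gda and gda_to_mac(wanted_gda) == gda_to_mac(seen_gda)


if __name__ == "__main__":
    for gda in ("230.20.20.20", "224.10.10.10", "226.10.10.10"):
        print(f"{gda:16} -> {gda_to_mac(gda)}")
    print("groups sharing 01-00-5e-0a-0a-0a:", ", ".join(mac_to_gdas("01-00-5e-0a-0a-0a")))
```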
3.1.2 IGMP snooping Functional Overview (Includes New Functionality)
IGMP snooping is a filtering process performed at layer 2 to reduce the amount of multicast traffic on a LAN.
It is designed to solve the problem of multicast traffic being flooded by a layer 2 switch to all of its ports as a result of join requests
performed by hosts connected to some of the switch ports.
If individual hosts on the LAN (i.e. hosts connected to ports on the switches) wish to receive multicast streams,
then they will send out IGMP joins, which will get up to the multicast router; and the router will join into the
appropriate multicast trees; and the multicast flows will then reach the router, and it will forward them into the
LAN.
By default, when a switch receives a multicast packet, it must forward it out all its ports (except the port upon
which it was received). So, considering the example where only host number 1 actually requests to join a particular multicast group, what will happen is that all the hosts on the LAN will start receiving the multicast packets,
as all the switches will forward the multicast packets to all their ports.
This is rather a waste of bandwidth, and the purpose of multicasting is to make efficient use of bandwidth.
The solution to this problem is to make the layer-2 switch aware of the IGMP packets that are being passed
around. That is, although the IGMP packets are destined for the router, the layer-2 switch needs to ‘snoop’ them
as they go past. Then the layer-2 switch can know which hosts have asked to join which multicast groups, and
only forward the multicast data to the places where it really needs to go.
Because the uplink interface can be connected to the network through an ADSL port, the IGMP snooping feature is extended to also cover the ADSL port when it is used on RFC1483 (bridged) connections.
IGMP snooping is designed to work in a network environment where both multicast router(s) and multicast
host(s) are present.
Note:
Multicast packets whose destination IP falls in the ranges 224.0.0.[0-255] and 224.0.1.[0-255] will
NOT be blocked in the upstream direction, since they belong to reserved traffic (OSPF, RIPv2, PIM, etc.).
The goal is to construct an internal view of the multicast network based on the IGMP messages received both
from multicast router(s) and multicast host(s).
The following sections describe the IGMP snooping functionality for iMG models belonging to group Fiber-B,
Fiber-D, Fiber-E, Modular and ADSL-B, ADSL-C.
3.1.2.1 Multicast router port discovery
The system listens for IGMP General Query messages and records the port(s) where any such message has
been received.
In this way the Gateway knows where multicast routers are located in order to forward IGMP report and leave
messages only to the correct uplink port(s).
Once the Residential Gateway has detected where the multicast router is located, it keeps the entry for a
period of time defined by the Bridge Multicast Interface Aging Time attribute.
If a new IGMP General Query is received, the multicast router timer is refreshed and the corresponding uplink
port is updated if needed.
If the multicast entry expires before any IGMP General Query is received, forwarding of any multicast stream
to internal hosts is stopped.
It is therefore recommended that the multicast uplink interface timer be longer than the query interval configured on the multicast router (at least two times the query interval).
The forwarding of IGMP queries from the multicast router and the forwarding of IGMP report/leave messages
from internal multicast hosts then follow different schemes, depending on whether the IGMP process on the
Residential Gateway is working in Snoop-Only mode or is configured to work in Proxy mode.
Regardless of the operational mode, the IGMP process on the Residential Gateway always keeps a view of
the multicast network by updating the local multicast group database.
3.1.2.2 Snoop-Only Operation Mode
Snoop-Only mode is the default operational mode for IGMP snooping. It's possible to force the IGMP snooping
to work in Snoop-Only mode via the bridge set igmp snooping mode snooponly command.
Before changing the igmp operational mode it's always recommended to disable the IGMP process via the
bridge set igmpsnooping disable command and then re-enable it after the configuration changes have been
entered.
When operating in Snoop-Only mode, the IGMP process does not make any change to IGMP messages. IGMP
source IP and MAC addresses are left unchanged and the messages are forwarded through the Residential Gateway as
they arrive at the CPE.
The IGMP process only checks whether there are hosts that have joined or left multicast streams, in order to update the
local multicast group database.
The following picture shows an example of IGMP messages flow when Snoop-Only mode is active.
FIGURE 3-1: IGMP messages flow when Snoop-Only mode is active
3.1.2.2.1 Joining a Multicast Group
The Residential Gateway detects unsolicited IGMP Report messages that hosts send to join a multicast channel.
The Residential Gateway updates the local multicast group database storing the information about the
requested stream and the requesting port.
The IGMP process then forwards immediately the IGMP Report message to the multicast router.
Local igmp entries can be displayed via the bridge list igmpsnooping groupinfo command.
As soon as the multicast router opens the multicast stream towards the Residential Gateway, the port that
requested that stream starts to receive it.
3.1.2.2.2 Leaving a multicast group
Periodically the multicast router sends Generic Queries to check whether there are multicast hosts that are
still active.
If one or more hosts are still interested in receiving multicast streams, they will reply with IGMP Report messages and the corresponding entries in the local multicast group database will be refreshed.
When a host wants to leave a group, it sends an IGMP Leave message specific to the group it wants to leave.
The IGMP Leave message is then forwarded to the upstream multicast router, and a timer equal to the Last
Member Query Interval (in seconds) is started for the corresponding local IGMP entry.
When this timer expires, the IGMP process stops forwarding the multicast stream on the port that
received the IGMP Leave message.
This mechanism is used to reduce the flooding of unsolicited multicast streams in case the upstream multicast
router takes a long time before closing the multicast stream towards the Residential Gateway.
The upstream multicast router can decide to keep the multicast stream towards the Residential Gateway open if it
has detected that there are other hosts interested in receiving the multicast stream.
The upstream multicast router usually does this, upon reception of an IGMP Leave message, by sending one
or more group-specific queries for the multicast stream that was just left.
3.1.2.3 Proxy Operational Mode
Proxy Mode is an operational mode where the Residential Gateway takes a more active role in the management
of the IGMP messages.
IGMP messages received from the upper multicast router or from the internal hosts are always terminated into
the Residential Gateway.
IGMP messages sent by the Residential Gateway to the internal hosts or to the upper multicast router will use
the CPE source IP and MAC addresses creating in this way a demarcation point between the access and the
user network.
3.1.2.3.1 Joining a Multicast Group
As for IGMP Snoop-Only mode, the system listens for unsolicited IGMP Report messages that hosts send to
join a multicast group.
The Residential Gateway updates the local multicast group database storing the information about the
requested stream and the requesting port.
If the received IGMP report message is the first one (i.e. no other hosts have requested the same multicast
stream), then the IGMP process forwards immediately the IGMP Report message to the upper multicast router
(replacing the source IP and MAC addresses).
If instead the received IGMP Report message refers to a multicast channel that is already registered in the local
database, the IGMP process will drop it without forwarding it to the multicast router, and will update the local
database if needed.
Periodically the multicast router sends Generic Queries to check for the presence of active multicast hosts.
The IGMP process then answers each IGMP query by reporting all the multicast streams registered in the local
multicast group database, without querying the internal hosts.
The upstream multicast router therefore has no knowledge of the internal LAN configuration. IGMP
Report (and Leave) messages are always sent by the CPE IGMP process using the Residential Gateway IP and
MAC source addresses.
In order to keep the local multicast group database up to date, the IGMP process periodically sends IGMP
Generic Queries to the internal hosts. The period at which IGMP queries are sent is called the Query Interval. Each host still
interested in receiving multicast streams must respond with one or more IGMP Report messages within a timeframe called the Query Response Interval.
The picture here below shows an example scenario where two hosts join two different multicast channels.
FIGURE 3-2: Two Hosts Join Two Different Multicast Channels
3.1.2.3.2 Leaving a Multicast Stream
Under Proxy operational mode, when a host wants to leave a multicast group and sends an IGMP Leave message, the IGMP process takes different actions depending on whether the Fast Leave feature is enabled or disabled.
• Fast Leave Disabled
Upon reception of an IGMP Leave message, the IGMP process starts sending IGMP Specific Queries to the
port that received the Leave message, to double-check whether there are other hosts still interested in
receiving the multicast stream.
The number of IGMP Specific Queries sent by the Residential Gateway is defined by the Robustness attribute.
The maximum response time that the IGMP process waits for an answer is defined by the Last Member Query Interval
value.
If no host answers the Residential Gateway within a timeframe of Last Member Query Interval times the
Robustness value, the Residential Gateway will purge from the local IGMP database the entry that matches the
multicast stream and the corresponding port.
Then, if there are no other hosts on the other ports listening to the same multicast stream, the IGMP process will send an IGMP Leave message to the multicast router to inform it that it can close the multicast stream
towards the Residential Gateway.
The picture here below shows an example scenario where two hosts join two different multicast channels.
FIGURE 3-3: Two Hosts Join Two Different Multicast Channels
In case a multicast host is disconnected from the network, the IGMP process is able to detect this condition by
checking for the absence of IGMP Reports on the port where the host was connected.
This process takes longer than the case where the host leaves the network gracefully:
the IGMP process has to wait for a number of unanswered internal Generic Queries equal to
the Robustness attribute value.
The picture here below shows an example where a host disconnects from the network without sending any
IGMP Leave message.
FIGURE 3-4: Host Disconnects - No Leave Message
• Fast Leave Enabled
When Fast Leave support is enabled, upon reception of an IGMP Leave message the IGMP process
immediately stops forwarding the multicast stream towards the internal host.
The IGMP process does not send any Specific Query to check whether there are other hosts still interested in
receiving the multicast stream.
When the IGMP process receives the IGMP Leave message, if there are no other hosts receiving the same
stream on other ports, it immediately sends an IGMP Leave message to the multicast router.
In case other hosts have joined the same multicast stream, the IGMP process purges only the entry matching
the corresponding LAN port and drops the IGMP Leave message.
The picture here below shows two example scenarios: one where a host leaves a multicast stream and one
where two hosts leave the same multicast stream.
FIGURE 3-5: One and Two Hosts Leave the Same Multicast Stream
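The Proxy-mode join and leave behaviour described in 3.1.2.3 (and the report/leave exchange of 3.1.1.2 it builds on), as an added example that is not the gateway's own code: a small Python model of the local multicast group database. It forwards only the first Report for a group upstream, answers a General Query from its own database, applies Robustness group-specific queries and a purge after Robustness times Last Member Query Interval when Fast Leave is disabled, purges at once when Fast Leave is enabled, and sends an upstream Leave only when the last port is gone. The clock is simulated explicitly, the attribute and method names are the example's own, and the reserved-range helper encodes the note in 3.1.2 about 224.0.0.x and 224.0.1.x.

```python
"""Model of the Proxy-mode IGMP group database described in this chapter.

Added example, not the gateway's own code. Time is an explicit simulated clock;
attribute names (robustness, last_member_query_interval, fast_leave) are the
example's own names for the manual's Robustness, Last Member Query Interval and
Fast Leave settings.
"""
import ipaddress

# Ranges the manual says are never blocked upstream (reserved control traffic).
RESERVED_RANGES = (ipaddress.IPv4Network("224.0.0.0/24"), ipaddress.IPv4Network("224.0.1.0/24"))


def is_reserved_group(group):
    """True for 224.0.0.[0-255] and 224.0.1.[0-255], which snooping must not filter."""
    addr = ipaddress.IPv4Address(group)
    return any(addr in net for net in RESERVED_RANGES)


class IgmpProxy:
    def __init__(self, robustness=2, last_member_query_interval=1.0, fast_leave=False):
        self.robustness = robustness
        self.lmqi = last_member_query_interval   # seconds
        self.fast_leave = fast_leave
        self.groups = {}      # group -> {port: purge deadline, or None if no Leave pending}
        self.upstream = []    # messages sent to the multicast router (CPE source addresses)
        self.downstream = []  # group-specific queries sent to LAN ports
        self.now = 0.0

    def report(self, port, group):
        """IGMP Report from a LAN host: register the port; forward upstream only if first."""
        first = group not in self.groups
        self.groups.setdefault(group, {})[port] = None  # also cancels a pending Leave timer
        if first:
            self.upstream.append(("report", group))
        # A Report for an already registered group is dropped, not forwarded.

    def leave(self, port, group):
        """IGMP Leave from a LAN host on `port`."""
        members = self.groups.get(group)
        if not members or port not in members:
            return
        if self.fast_leave:
            self._purge(port, group)
            return
        for _ in range(self.robustness):  # ask the port again before dropping it
            self.downstream.append(("specific_query", port, group))
        members[port] = self.now + self.robustness * self.lmqi

    def _purge(self, port, group):
        members = self.groups[group]
        members.pop(port, None)
        if not members:  # last listener gone: tell the router it can close the stream
            del self.groups[group]
            self.upstream.append(("leave", group))

    def tick(self, now):
        """Advance the clock and purge ports whose specific queries went unanswered."""
        self.now = now
        for group in list(self.groups):
            for port, deadline in list(self.groups[group].items()):
                if deadline is not None and deadline <= now:
                    self._purge(port, group)

    def answer_general_query(self):
        """Proxy reply to the router's General Query: one Report per registered group."""
        return sorted(("report", g) for g in self.groups)

    def forwards_to(self, group):
        """LAN ports that should currently receive the stream for `group`."""
        return sorted(self.groups.get(group, {}))


if __name__ == "__main__":
    for fast in (False, True):
        proxy = IgmpProxy(fast_leave=fast)
        proxy.report("lan1", "239.1.1.1")
        proxy.report("lan2", "239.1.1.1")
        proxy.leave("lan1", "239.1.1.1")
        proxy.tick(2.0)  # Robustness (2) x Last Member Query Interval (1.0 s) elapsed
        print(f"fast_leave={fast}: forwards to {proxy.forwards_to('239.1.1.1')}, "
              f"upstream={proxy.upstream}, queries sent={len(proxy.downstream)}")
```

With Fast Leave disabled the stream keeps flowing to lan1 until the two unanswered specific queries time out; with it enabled lan1 is dropped immediately and no query is sent. In both cases only one Report reaches the router and the Leave goes upstream only when lan2 leaves too.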
3.1.3 Old IGMP Snooping Functionality
The following sections describe the IGMP snooping functionality for iMG models belonging to group Fiber-A,
Fiber-C, and ADSL-A.
3.1.3.1 Multicast router port discovery
IGMP snooping is activated using the IGMP SNOOPING ENABLE command.
The system listens for IGMP Membership General Query packets sent to the address 01-00-5e-00-00-01 and
records the port(s) where any such message has been received.
In this way the Residential Gateway knows where multicast routers are located in order to forward report and
leave messages only to the correct port(s).
Note that even if multiple VLANs can be present in the system, the IGMP snooping feature can be turned on
only on one VLAN at a time.
3.1.3.2 Snoop-Only Operation Mode
3.1.3.2.1 Joining a Multicast Group
The system listens for unsolicited IGMP Report messages that hosts send to join a multicast group and records
the port where each message has been received. What happens next depends on the circumstances in which
the packet is received. To understand this, let us consider two possible scenarios:
• First Scenario:
Host A is the first host in an Ethernet segment to join a group.
Host A sends an unsolicited IGMP Membership report.
The Residential Gateway intercepts the IGMP Membership report sent by Host A and creates a multicast entry for
the group that Host A was requesting. It then links this entry to the port on which it received the report.
It also sets, for this port and this multicast group, a local Timeout timer to the Timeout Interval value. This
timer is used to refresh the multicast membership table periodically.
The system then forwards the IGMP report on to the multicast router. In this way the router will also receive
the IGMP report and will update its multicast routing table accordingly. If no Multicast router has been detected,
then it does nothing.
Immediately multicast traffic for the requested group address is forwarded only to the port where the report
from Host A has been received.
• Second Scenario:
Another host B, on the same Ethernet segment as host A joins the same multicast group as host A.
Host B sends an unsolicited IGMP Membership report.
The Gateway intercepts the IGMP membership report sent by Host B.
As a multicast entry for this group already exists, the Gateway simply adds the port to the already existing
entry for that multicast group. It also adds another Timeout timer specific for this port to the multicast group.
If another host joins another multicast group or the same multicast group, the same procedures described in
the first and second scenarios are performed, respectively. A new Group entry will be added whenever a new
group has been joined.
Note:
In order to maintain group membership, the multicast router sends IGMP queries periodically. This query
is intercepted and forwarded to all ports on the switch. All hosts that are members of the group will
answer that query. The IGMP protocol was designed in such a way that only one member of any group
on any VLAN would have to respond to any given query. But, because the reports are intercepted, the
hosts do not see each other's reports, and thus, all hosts send a report (instead of one per group). These
reports are then forwarded to the router; one report per group from among all received responses.
3.1.3.2.2 Leaving a multicast group
When a host wants to leave a group, it sends an IGMP Leave message specific to the group it wants to leave.
The IGMP Leave message is captured and, if no other devices are known to be joined to that multicast group on
that port, the multicast stream is removed from that port. If no other ports have hosts joined to the same
multicast group, the Leave message is forwarded to the multicast router. In this way the router is asked to
stop sending the multicast stream.
If more than one port has hosts that have joined the multicast group, then the host that sent the IGMP Leave
message is removed from the multicast membership record without forwarding the Leave message to the multicast
router.
• Time-out interval expiring
When the Time-out Interval expires, the Residential Gateway removes that entry from the multicast membership
records and, if it is the last entry registered against that port, removes that multicast stream from the
associated port.
3.1.3.3 Proxy Operation Mode
Proxy mode is the default operational mode of the old IGMP snooping implementation. It is possible to force the
IGMP snooping to work in proxy mode via the igmp snooping set mode proxy command.
The Gateway responds to the IGMP Group Specific Query from the multicast router based on its internal
multicast records, replying with an IGMP Membership Report for each multicast stream that the hosts it is
managing are subscribed to.
It also periodically sends IGMP Group Specific Query messages to all ports that are not known multicast router
ports, in order to learn which multicast streams are subscribed to on which ports. The frequency with which
this happens is based upon the Query Interval that is configured on the device.
Upon receiving an IGMP Leave message, the system can either process it immediately, as described above (this
is known as FastLeave), or, if configured to do so, send an IGMP Group Specific Query to the port from which
the IGMP Leave message was received. The Leave Time value is used in the query message to request a fast
response from other hosts that may be present on the same Ethernet segment. This can be used to ensure that
when one host asks for a multicast stream to be stopped, it does not adversely impact another host on the
same port that is subscribed to that multicast stream.
If no answer is received to the IGMP Group Specific Query and no other ports have hosts joined to the same
multicast group, then an IGMP Leave message is sent to the multicast router. In this way the router is asked
to stop sending any multicast data for that particular group.
The IGMP Leave message forwarded by the Gateway has the Gateway's MAC address as source MAC address and,
as source IP address, the IP address of the IP interface associated with the VLAN that is associated with
the IGMP service.
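The join, leave, time-out and proxy leave handling described in 3.1.3.2 through 3.1.3.3 above, modelled as an added Python example. This is not code from the manual or from the Allied Telesis firmware; the class, method and port names and the caller-driven clock (time is a number of seconds passed in by the caller) are assumptions made here.

```python
"""Event-driven model of the IGMP snooping membership table: joining (first and
second scenario), leaving, time-out expiry, and the proxy-mode choice between
FastLeave and a group-specific query with a Leave Time.

Added example, not Allied Telesis code. Names and the simplified event model
are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SnoopTable:
    timeout_interval: float = 270.0  # Timeout Interval per (group, port) entry, seconds
    leave_time: float = 10.0         # Leave Time carried in the group-specific query
    fast_leave: bool = False         # True: a Leave is processed immediately (FastLeave)
    router_detected: bool = True     # a multicast router port is known
    members: dict = field(default_factory=dict)          # group -> {port: expiry}
    pending_queries: dict = field(default_factory=dict)  # (group, port) -> deadline
    upstream_log: list = field(default_factory=list)     # IGMP sent towards the router
    port_log: list = field(default_factory=list)         # queries sent to host ports

    def report(self, now, group, port):
        """A host on `port` sends a Membership Report for `group`."""
        new_group = group not in self.members
        # create the group entry or add the port to it, and (re)start its timer
        self.members.setdefault(group, {})[port] = now + self.timeout_interval
        # a report also answers any outstanding group-specific query on that port
        self.pending_queries.pop((group, port), None)
        # assumption: one report per group is relayed upstream, which is all the
        # router needs to add the group to its routing table
        if new_group and self.router_detected:
            self.upstream_log.append(("report", group))
        return new_group

    def leave(self, now, group, port):
        """A host on `port` sends a Leave for `group`."""
        if port not in self.members.get(group, {}):
            return
        if self.fast_leave:
            self._remove_port(group, port)
        else:
            # ask any other host on that port to re-report within leave_time
            self.port_log.append(("group_specific_query", group, port))
            self.pending_queries[(group, port)] = now + self.leave_time

    def tick(self, now):
        """Expire unanswered group-specific queries and stale membership timers."""
        for key, deadline in list(self.pending_queries.items()):
            if now >= deadline:
                del self.pending_queries[key]
                self._remove_port(*key)
        for group, ports in list(self.members.items()):
            for port, expiry in list(ports.items()):
                if now >= expiry:
                    self._remove_port(group, port)

    def _remove_port(self, group, port):
        ports = self.members.get(group)
        if ports is None or port not in ports:
            return
        del ports[port]
        if not ports:
            # last port for the group: ask the router to stop the stream as well
            del self.members[group]
            if self.router_detected:
                self.upstream_log.append(("leave", group))

    def egress_ports(self, group):
        """Ports that currently receive traffic for `group`."""
        return sorted(self.members.get(group, {}))


def leave_scenario(fast_leave):
    """Hosts A and B share port1, host C is on port2; A leaves while B stays."""
    g = "239.1.1.1"
    t = SnoopTable(timeout_interval=270, leave_time=10, fast_leave=fast_leave)
    t.report(0, g, "port1")      # host A
    t.report(1, g, "port1")      # host B, same Ethernet segment as A
    t.report(2, g, "port2")      # host C on another port
    t.leave(3, g, "port1")       # host A leaves
    t.tick(4)
    after_leave = t.egress_ports(g)
    if not fast_leave:
        t.report(5, g, "port1")  # host B answers the group-specific query
    t.tick(20)                   # past the Leave Time deadline
    after_query = t.egress_ports(g)
    t.leave(21, g, "port1")
    t.leave(21, g, "port2")
    t.tick(40)
    return {"after_leave": after_leave, "after_query": after_query,
            "final": t.egress_ports(g), "upstream": t.upstream_log}


def timeout_scenario():
    """A single member that never refreshes is aged out after the Timeout Interval."""
    g = "239.2.2.2"
    t = SnoopTable(timeout_interval=270)
    t.report(0, g, "port3")
    t.tick(269)
    before = t.egress_ports(g)
    t.tick(270)
    return before, t.egress_ports(g), t.upstream_log
```

leave_scenario(True) reproduces the side effect the text warns about: with FastLeave, host A's Leave on port1 also cuts off host B on the same port, whereas with fast leave disabled B's answer to the group-specific query keeps port1 in the table, and the Leave reaches the router only once the last port has gone.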
3.1.3.4 IP source address masking – Secondary IP Interface
If the IP interface associated with the VLAN on which the IGMP module operates does not have an IP address,
the IP address of any other existing IP interface can be used as the source IP address for upstream IGMP
signalling messages. That interface is not required to be attached to the VLAN where IGMP snooping has been
enabled.
3.1.3.5 IGMP snooping security
This feature allows the iBG/iMG/RG to limit accepted IGMP signalling to that from designated STBs, identified by
their MAC addresses. These MAC addresses are learned automatically by the software, up to a configured
number, and saved in non-volatile memory. They are specifically named in the configuration, and the maximum
number of STB MAC addresses supported is 10. It is also possible to configure the allowed MAC addresses
manually, so that the security of the video network is maintained through a provisioning action.
3.1.3.6 Routed IGMP proxy
An alternative to bridged IGMP snooping is routed IGMP.
This is a layer-3 feature that allows multicast traffic to be routed between multiple IP interfaces.
IGMP traffic is normally limited to the VLAN where it is received. If a host joins a multicast group but the
multicast traffic is received on another VLAN to which the host is not connected, the multicast traffic never
reaches the host.
Routed IGMP removes this limitation, with the single constraint that multicast traffic must be received on only
one IP interface, called the upstream interface.
In this case, when a host joins a multicast group, the IP interface attached to the transport (VLAN) where the
host is located becomes a downstream interface. It receives all the multicast traffic for the group that the
host has joined.
It is possible to statically define the upstream IP interface.
3.1.4 Functional Differences in Product Categories
There are two different implementations of IGMP in these ATI Gateways. The original implementation is
configured using the IGMP SNOOPING and IGMP PROXY commands. It is a separate application to which IGMP packets
are sent; it is not integrated with the Bridge, which is an integral part of the packet processing on the CPU.
The newer implementation is configured using the BRIDGE IGMPSNOOP and IGMP commands. It is integrated into the
CPU-based Bridge, which supports VLAN segregation of traffic flows.
In addition, the IGMP PROXY commands have been superseded by the IGMP commands that are now available to
manage Routed IGMP Proxy. The IGMP PROXY commands are retained in older devices for backward compatibility,
but are not recommended.
TABLE 3-1 Functional Mapping for Bridge

Functions                                          | Fiber A | Fiber B | Fiber C | Fiber D | Fiber E | ADSL A | ADSL B | ADSL C | Modular
---------------------------------------------------|---------|---------|---------|---------|---------|--------|--------|--------|--------
Multicast router port discovery                    |    1    |    2    |    1    |    2    |    2    |   2    |   1    |   2    |    2
Joining a Multicast Group                          |    1    |    2    |    1    |    2    |    2    |   2    |   1    |   2    |    2
Leaving a multicast group                          |    1    |    2    |    1    |    2    |    2    |   2    |   1    |   2    |    2
Proxy Operation Mode                               |    1    |    2    |    1    |    2    |    2    |   2    |   1    |   2    |    2
IP source address masking – Secondary IP Interface |    1    |    2    |    1    |    2    |    2    |   2    |   1    |   2    |    2
IGMP snooping security                             |    1    |    2    |    1    |    2    |    2    |   2    |   1    |   2    |    2
Routed IGMP proxy                                  |    1    |    2    |    1    |    2    |    2    |   2    |   1    |   2    |    2

1) Utilizes the IGMP SNOOPING command set. The IGMP command set is recommended in place of the IGMP PROXY
command set.
2) Utilizes the integrated BRIDGE IGMPSNOOP and IGMP command sets.
3.1.5 IGMP Snooping command reference
This section describes the commands available to enable, configure and manage the IGMP snooping feature.
3.1.5.1 IGMP snooping CLI commands
The table below lists the IGMP snooping commands provided by the CLI:
TABLE 3-2 Bridge IGMP Snooping Commands

Functions                                      | Fiber A | Fiber B | Fiber C | Fiber D | Fiber E | ADSL A | ADSL B | ADSL C | Modular
-----------------------------------------------|---------|---------|---------|---------|---------|--------|--------|--------|--------
BRIDGE ADD IGMPSNOOP MCASTROUTERINTF           |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE ADD IGMPSNOOP SECURITY                  |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE DELETE IGMPSNOOP MCASTROUTERINTF        |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE DELETE IGMPSNOOP SECURITY               |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE LIST IGMPSNOOP GROUPINFO                |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE LIST IGMPSNOOP INTERFACESTATS           |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE LIST IGMPSNOOP STATIC MCASTROUTERINTFS  |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE LIST IGMPSNOOP SECURITY                 |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP                           |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP DEFAULTFASTLEAVE          |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP LASTMBERQUERYINTVL        |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP MCASTROUTERTIMEOUT        |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP MODE                      |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP NETINTERFACE              |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP QUERYINTVL                |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP QUERYRESPONSEINTVL        |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP ROBUSTNESSVAR             |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP SECURITY                  |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP AUTOLEARNING              |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP SECURITY MAXMACNUMBER     |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP VLAN                      |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
BRIDGE SET IGMPSNOOP V1TIMER                   |         |    X    |         |    X    |    X    |   X    |        |   X    |    X
IGMP SET FORWARDALL                            |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SET LASTMBERQUERYINTVL                    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SET QUERYINTVL                            |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SET QUERYRESPONSEINTVL                    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SET ROBUSTNESS                            |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SET UPSTREAMINTERFACE                     |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SHOW FORWARDALL                           |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SHOW STATUS                               |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SHOW TIMERCONFIGURATION                   |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SHOW UPSTREAMINTERFACE                    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X    |    X
IGMP SNOOPING DISABLE                          |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING ENABLE                           |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SET SECONDARY-NETINTERFACE       |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SET MODE                         |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SET LEAVETIME                    |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SET TIMEOUT                      |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SHOW                             |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SECURITY                         |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SECURITY SET MAXMACNUMBER        |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SECURITY LEARNING                |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SECURITY ADD                     |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SECURITY DELETE                  |    X    |         |    X    |         |         |        |   X    |        |
IGMP SNOOPING SECURITY SHOW                    |    X    |         |    X    |         |         |        |   X    |        |

The BRIDGE IGMPSNOOP commands apply to the product categories marked 2 in Table 3-1, the IGMP SNOOPING
commands to the categories marked 1, and the IGMP SET/SHOW commands to all categories. IGMP PROXY SET
UPSTREAMINTERFACE, IGMP PROXY SHOW UPSTREAMINTERFACE and IGMP PROXY SHOW STATUS are supported on two of the
three categories marked 1 (Fiber A, Fiber C, ADSL B).
3.1.5.1.1 BRIDGE ADD IGMPSNOOP MCASTROUTERINTF
Syntax
BRIDGE ADD IGMPSNOOP MCASTROUTERINTF <interface name>
Description
This command allows the user to add a static multicast router interface. A multicast
router interface is also called an upstream interface and a multicast router is connected
to this interface. The upstream interface implements the Host portion of the IGMP protocol. The IGMP membership reports and leave group messages are forwarded on the
upstream interfaces.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option         | Description                                                                                                                                  | Default value
---------------|----------------------------------------------------------------------------------------------------------------------------------------------|--------------
interface_name | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands. | N/A
Example
--> bridge add igmpsnoop mcastrouterintf eth0
See also
BRIDGE SHOW
3.1.5.1.2 BRIDGE ADD IGMPSNOOP SECURITY
Syntax
BRIDGE ADD IGMPSNOOP SECURITY <mac_name> MAC <mac_address>
Description
This command allows the user to add a static MAC address to the list of MAC addresses
that are authorized to be provided video service via IGMP. When an IGMP packet is
received, the source MAC address is validated against this list of MAC addresses; if a
match is found, the packet is processed as normal, otherwise it is dropped.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option      | Description                                                                                              | Default value
------------|----------------------------------------------------------------------------------------------------------|--------------
mac_name    | The name of this particular entry in the MAC table                                                       | N/A
mac_address | The MAC address of the Set Top Box that is authorized to receive video. It is of the format: <XX:XX:XX:XX:XX:XX> | N/A
Example
--> bridge add igmpsnoop security firstSTB mac 00:01:02:03:04:05
See also
BRIDGE LIST IGMPSNOOP SECURITY
3.1.5.1.3 BRIDGE DELETE IGMPSNOOP MCASTROUTERINTF
Syntax
BRIDGE DELETE IGMPSNOOP MCASTROUTERINTF <interface name>
Description
This command allows the user to delete a previously added static multicast router interface. The interface reverts to a downstream interface after deletion.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option         | Description                                                                                                                                  | Default value
---------------|----------------------------------------------------------------------------------------------------------------------------------------------|--------------
interface_name | The name of a bridge interface that has previously been added and attached to a transport using the bridge add interface and bridge attach CLI commands. | N/A

Example
--> bridge delete igmpsnoop mcastrouterintf eth0
3.1.5.1.4 BRIDGE DELETE IGMPSNOOP SECURITY
Syntax
BRIDGE DELETE IGMPSNOOP SECURITY <mac_name|mac_number|ALL>
Description
This command allows the user to delete one or all static MAC addresses from the list of
MAC addresses that are authorized to be provided video service via IGMP.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option     | Description                                         | Default value
-----------|-----------------------------------------------------|--------------
mac_name   | The name of this particular entry in the MAC table  | N/A
mac_number | The number of the particular entry in the MAC table | N/A
ALL        | All entries                                         |
Example
--> bridge delete igmpsnoop security All
See also
BRIDGE LIST IGMPSNOOP SECURITY
3.1.5.1.5 BRIDGE LIST IGMPSNOOP GROUPINFO
Syntax
BRIDGE LIST IGMPSNOOP GROUPINFO
Description
This command displays all of the multicast groups in the IGMP database.
Example
--> bridge list igmpsnoop groupinfo
3.1.5.1.6 BRIDGE LIST IGMPSNOOP INTERFACESTATS
Syntax
BRIDGE LIST IGMPSNOOP INTERFACESTATS
Description
This command displays IGMP packet statistics collected for each interface on the bridge.
3.1.5.1.7 BRIDGE LIST IGMPSNOOP STATIC MCASTROUTERINTFS
Syntax
BRIDGE LIST IGMPSNOOP STATIC MCASTROUTERINTFS
Description
This command allows the user to list all previously added static multicast router interfaces and the manner
in which they were added.
Example
--> bridge list igmpsnoop static mcastrouterintfs
Bridge Interfaces:
Name  | Type
---------------
ethe0 | static
---------------
3.1.5.1.8 BRIDGE LIST IGMPSNOOP SECURITY
Syntax
BRIDGE LIST IGMPSNOOP SECURITY
Description
This command allows the user to display the IGMP information associated with IGMP
Security, including the configuration (enabled or disabled), the maximum number of
MAC addresses allowed and whether or not MAC addresses can be learned. Learned
MACs are sticky: once one is learned, a system restart or a provisioning action is
required to remove it.
Example
--> bridge list igmpsnoop security
IGMP Snoop Configuration:
IGMP Snoop:                    Disable
IGMP Net Interface:            ip0
IGMP Enabled Vlan:             -1
Default Fast Leave:            Enable
Last Member Query Interval:    0
Query Interval:                41
Robustness Variable:           2
Query Response Interval:       3
V1 Timer Value:                133
Multicast Intf Aging Time:     133
IGMP Snoop Mode:               snooponly
IGMP MAC Security:             Disable
IGMP MAC Security Learning:    Disable
IGMP MAC Security Max Number:  5
MAC Address 1:                 Empty
MAC Address 2:                 Empty
MAC Address 3:                 Empty
MAC Address 4:                 Empty
MAC Address 5:                 Empty
MAC Address 6:                 Empty
MAC Address 7:                 Empty
MAC Address 8:                 Empty
MAC Address 9:                 Empty
3.1.5.1.9 BRIDGE SET IGMPSNOOP
Syntax
BRIDGE SET IGMPSNOOP { Enable | Disable | Drop }
Description
This command turns on/off the IGMP snooping processes.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option   | Description                                                                                                                          | Default value
---------|--------------------------------------------------------------------------------------------------------------------------------------|--------------
Enabled  | When Enabled, the IGMP process intercepts all IGMP frames on the bridge and performs multicast trunking by adding static multicast entries to the FDB. | Disabled
Disabled | When Disabled, the IGMP process removes all static entries from the FDB and floods all multicast frames.                            |
Drop     | When Drop, the IGMP process intercepts all IGMP frames on the bridge and does not forward the packets.                               |
Example
--> bridge set igmpsnoop enabled
See also
BRIDGE SHOW
3.1.5.1.10 BRIDGE SET IGMPSNOOP DEFAULTFASTLEAVE
Syntax
BRIDGE SET IGMPSNOOP DEFAULTFASTLEAVE { defaultfastleave }
Description
Sets the default fast leave state used when enabling IGMP. Fast leave (proxy mode only)
forces a Leave out of the WAN-facing network upon receipt of a Leave on the LAN-facing
network. If DEFAULTFASTLEAVE is disabled, then in proxy mode the system sends an IGMP
Query down the LAN side to make sure that no other device is receiving the specific
multicast stream before sending the IGMP Leave message out of the WAN interface.
Note:
You must disable and re-enable IGMP before this command will take effect.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option           | Description    | Default value
-----------------|----------------|--------------
Defaultfastleave | Enable/disable | Enabled
3.1.5.1.11 BRIDGE SET IGMPSNOOP LASTMBERQUERYINTVL
Syntax
BRIDGE SET IGMPSNOOP LASTMBERQUERYINTVL <lastmberqueryintvl>
Description
This command sets the value for the last member query interval. When the Gateway
receives what it believes is an IGMP Leave from the last device in a multicast group
on a particular port, the Last Member Query Interval specifies the time the Gateway
waits for an IGMP Report after sending an IGMP Query message for that multicast stream
down that port. If the Gateway does not receive an IGMP Report in that interval, it
sends an IGMP Leave to the multicast router.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option             | Description                                                                                   | Default value
-------------------|-----------------------------------------------------------------------------------------------|--------------
lastmberqueryintvl | The last member query interval value in seconds. Valid range is 0 to 255. 0 is a special case, 333 ms. | 1
Example
--> bridge set igmpsnoop lastmberqueryintvl 5
See also
BRIDGE LIST IGMPSNOOP
3.1.5.1.12 BRIDGE SET IGMPSNOOP MCASTROUTERTIMEOUT
Syntax
BRIDGE SET IGMPSNOOP MCASTROUTERTIMEOUT <mcastroutertimeout>
Description
This command sets the value for the multicast router time out interval which is the time
a dynamic multicast router interface remains an upstream interface after receiving an
IGMP Query with a non-zero source IP address. If an IGMP Query with a non-zero
source IP address is not received on the dynamic multicast router interface during this
time interval, the dynamic multicast router interface is reverted back to a downstream
interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option             | Description                                                                 | Default value
-------------------|-----------------------------------------------------------------------------|--------------
mcastroutertimeout | The aging time for multicast router interfaces in seconds. Valid range is 1 to 65535. | 400
Example
--> bridge set igmpsnoop mcastroutertimeout 500
See also
BRIDGE LIST IGMPSNOOP
3.1.5.1.13 BRIDGE SET IGMPSNOOP MODE
Syntax
BRIDGE SET IGMPSNOOP MODE { Proxy | Snooponly }
Description
This command specifies the mode of operation for the IGMP process.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option    | Description                                                                                                                     | Default value
----------|---------------------------------------------------------------------------------------------------------------------------------|--------------
Snooponly | When in snooponly mode, the IGMP process samples IGMP packets without interference, using the data to trunk multicast streams.  | Snooponly
Proxy     | When in proxy mode, the IGMP process intercepts all IGMP packets and re-sources and times the reports and queries based on the IGMP configuration. |
Example
--> bridge set igmpsnoop mode proxy
See also
BRIDGE SHOW
3.1.5.1.14 BRIDGE SET IGMPSNOOP NETINTERFACE
Syntax
BRIDGE SET IGMPSNOOP NETINTERFACE <ip interface name>
Description
This command specifies the IP interface from which IGMP proxy messages should be
sourced. Uses IP address 0.0.0.0 if not specified.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option | Description                                                                      | Default value
-------|----------------------------------------------------------------------------------|--------------
Name   | A name that identifies an existing IP interface, as seen with ip list interfaces | ip0
Example
--> bridge set igmpsnoop netinterface ip0
See also
IP LIST INTERFACES
3.1.5.1.15 BRIDGE SET IGMPSNOOP QUERYINTVL
Syntax
BRIDGE SET IGMPSNOOP QUERYINTVL <queryintvl>
Description
This command sets the value for the query interval. The Query Interval is the time
between General Queries sent by the proxy Querier.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option     | Description                                                                                                                 | Default value
-----------|-----------------------------------------------------------------------------------------------------------------------------|--------------
Queryintvl | The query interval value in seconds. Query interval cannot be less than or equal to the query response interval. Valid range is 2 to 255. | 125
Example
--> bridge set igmpsnoop queryintvl 200
See also
BRIDGE SHOW
BRIDGE SET IGMPSNOOP QUERYRESPONSEINTVL
3.1.5.1.16 BRIDGE SET IGMPSNOOP QUERYRESPONSEINTVL
Syntax
BRIDGE SET IGMPSNOOP QUERYRESPONSEINTVL <queryresponseintvl>
Description
This command sets the value for the query response interval. This is the Max Response Time
inserted into the periodic General Queries.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option             | Description                                                                                                                            | Default value
-------------------|----------------------------------------------------------------------------------------------------------------------------------------|--------------
queryresponseintvl | The query response interval value in seconds. Query response interval cannot be greater than or equal to the query interval. Valid range is 1 to 254. | 3
Example
--> bridge set igmpsnoop queryresponseintvl 20
See also
BRIDGE SET IGMPSNOOP QUERYINTVL
3.1.5.1.17 BRIDGE SET IGMPSNOOP ROBUSTNESSVAR
Syntax
BRIDGE SET IGMPSNOOP ROBUSTNESSVAR <robustnessvar>
Description
This command sets the value for the network robustness, allowing tuning based upon
expected packet loss on the network. In proxy mode only, this value determines the time
between the Leave received on the LAN-facing network and the Leave sent on the WAN-facing
network, which is robustness times the lastmemberqueryintvl. It functions by forcing
multiple IGMP packet transmissions.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option        | Description                                                                                     | Default value
--------------|-------------------------------------------------------------------------------------------------|--------------
robustnessvar | The robustness variable value is a retry count for IGMP packet transmissions. Valid range is 2 to 255. | 2

Example
--> bridge set igmpsnoop robustnessvar 3
3.1.5.1.18 BRIDGE SET IGMPSNOOP SECURITY
Syntax
BRIDGE SET IGMPSNOOP SECURITY <enable|disable>
Description
This command enables or disables IGMP Security for the device. When enabled, all
IGMP messaging is validated against the MAC addresses in the IGMP Security table to
ensure that the senders are authorized to receive video service.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option         | Description                         | Default value
---------------|-------------------------------------|--------------
enable/disable | Activates or deactivates the service | disable
Example
--> bridge set igmpsnoop security enable
See also
BRIDGE LIST IGMPSNOOP SECURITY
3.1.5.1.19 BRIDGE SET IGMPSNOOP AUTOLEARNING
Syntax
BRIDGE SET IGMPSNOOP SECURITY AUTOLEARNING <enable|disable>
Description
This command activates or deactivates the ability of the security mechanism to learn
MAC addresses. When the system starts, only configured MAC addresses are populated
in the list of allowed MAC addresses. If AutoLearning is enabled, new MAC addresses
are added to the list of valid MAC addresses as they are encountered, until the table has
reached the maximum size allowed. Once in the table, they cannot be removed unless
the system is restarted; once in the table and saved in the configuration, they cannot be
removed except by a manual action.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option         | Description                                       | Default value
---------------|---------------------------------------------------|--------------
enable/disable | Activates or deactivates the autolearning feature | disable
Example
--> bridge set igmpsnoop security autolearning enable
See also
BRIDGE LIST IGMPSNOOP SECURITY
3.1.5.1.20 BRIDGE SET IGMPSNOOP SECURITY MAXMACNUMBER
Syntax
BRIDGE SET IGMPSNOOP SECURITY MAXMACNUMBER <num_macs>
Description
This command sets the limit on the number of MAC addresses that the IGMP Security
feature allows to be populated in its internal table, and thus the number of devices
that can get video service.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option   | Description                                                                          | Default value
---------|--------------------------------------------------------------------------------------|--------------
num_macs | The maximum number of MACs that IGMP Security is allowed to be configured with or learn. | 5
Example
--> bridge set igmpsnoop security maxmacnumber 3
See also
BRIDGE LIST IGMPSNOOP SECURITY
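How the MAC allowlist of 3.1.3.5 and the BRIDGE ... IGMPSNOOP SECURITY commands above (3.1.5.1.2, 3.1.5.1.4 and 3.1.5.1.18 to 3.1.5.1.20) interact: static entries, auto-learning up to MAXMACNUMBER, sticky learned entries, and deletion by name, number or ALL. This is an added Python example, not Allied Telesis code; the class and method names and the "learnedN" naming of auto-learned entries are assumptions made here.

```python
"""Model of the IGMP snooping security MAC allowlist.

Added example, not Allied Telesis code. Class/method names and the "learnedN"
entry names are assumptions; the behaviour follows the command descriptions.
"""
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")  # XX:XX:XX:XX:XX:XX


class IgmpSecurity:
    def __init__(self, enabled=False, autolearning=False, max_macs=5):
        self.enabled = enabled            # BRIDGE SET IGMPSNOOP SECURITY enable|disable
        self.autolearning = autolearning  # BRIDGE SET IGMPSNOOP SECURITY AUTOLEARNING
        self.max_macs = max_macs          # BRIDGE SET IGMPSNOOP SECURITY MAXMACNUMBER
        self.entries = {}                 # entry name -> MAC, static and learned alike
        self.learned = set()              # names of entries that were auto-learned
        self._next_learned = 1

    @staticmethod
    def normalise(mac):
        if not MAC_RE.match(mac):
            raise ValueError(f"MAC must be XX:XX:XX:XX:XX:XX, got {mac!r}")
        return mac.lower()

    def add_static(self, name, mac):
        """BRIDGE ADD IGMPSNOOP SECURITY <mac_name> MAC <mac_address>"""
        mac = self.normalise(mac)
        if name not in self.entries and len(self.entries) >= self.max_macs:
            raise ValueError(f"table already holds {self.max_macs} MAC addresses")
        self.entries[name] = mac

    def delete(self, selector):
        """BRIDGE DELETE IGMPSNOOP SECURITY <mac_name|mac_number|ALL>"""
        if selector.upper() == "ALL":
            self.entries.clear()
            self.learned.clear()
            return
        if selector.isdigit():  # entry number, counted from 1 in table order
            names = list(self.entries)
            index = int(selector) - 1
            if not 0 <= index < len(names):
                raise KeyError(selector)
            selector = names[index]
        del self.entries[selector]  # KeyError if the name does not exist
        self.learned.discard(selector)

    def accept_igmp(self, src_mac):
        """True if an IGMP frame from src_mac is processed, False if it is dropped."""
        if not self.enabled:
            return True
        mac = self.normalise(src_mac)
        if mac in self.entries.values():
            return True
        if self.autolearning and len(self.entries) < self.max_macs:
            # unknown sender and a free slot: learn it; the entry is sticky until
            # a restart or an explicit delete
            name = f"learned{self._next_learned}"
            self._next_learned += 1
            self.entries[name] = mac
            self.learned.add(name)
            return True
        return False


def demo():
    """One provisioned STB plus auto-learning capped at three entries."""
    sec = IgmpSecurity(enabled=True, autolearning=True, max_macs=3)
    sec.add_static("firstSTB", "00:01:02:03:04:05")  # constructed sample MACs
    results = [
        sec.accept_igmp("00:01:02:03:04:05"),  # provisioned STB
        sec.accept_igmp("00:11:22:33:44:55"),  # learned into slot 2
        sec.accept_igmp("00:AA:BB:CC:DD:EE"),  # learned into slot 3, table now full
        sec.accept_igmp("00:DE:AD:BE:EF:00"),  # no free slot: dropped
        sec.accept_igmp("00:11:22:33:44:55"),  # already learned: still accepted
    ]
    sec.delete("2")                            # free slot 2 by entry number
    results.append(sec.accept_igmp("00:DE:AD:BE:EF:00"))  # now learned
    return results, sorted(sec.entries)
```

With auto-learning enabled, whichever devices send IGMP first occupy the free slots until the limit is reached, which is why 3.1.3.5 recommends provisioning the STB MAC addresses so that the table is filled by configuration rather than by whatever is seen on the segment.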
3.1.5.1.21 BRIDGE SET IGMPSNOOP VLAN
Syntax
BRIDGE SET IGMPSNOOP VLAN <vlan_id>
Description
This command restricts all IGMP messaging to the specified VLAN. If IGMP messages are
received on a different VLAN then they are forwarded as normal messages.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option  | Description                                     | Default value
--------|-------------------------------------------------|---------------------
vlan_id | The integer number of the VLAN, from 1 to 4094. | No restrictions (-1)
Example
--> bridge set igmpsnoop vlan 313
See also
BRIDGE LIST IGMPSNOOP
3.1.5.1.22 BRIDGE SET IGMPSNOOP V1TIMER
Syntax
BRIDGE SET IGMPSNOOP V1TIMER <v1timer>
Description
This command sets the value for the v1 timer. The Version 1 Router Present Timeout is
how long a host must wait after hearing a Version 1 Query before it may send any IGMP
version 2 messages.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option  | Description                                                      | Default value
--------|------------------------------------------------------------------|--------------
v1timer | The v1timer variable value in seconds. Valid range is 1 to 65535. | 400
Example
--> bridge set igmpsnoop v1timer 200
See also
BRIDGE SHOW
3.1.5.1.23 IGMP SET FORWARDALL
Syntax
IGMP SET FORWARDALL <enabled|disabled>
Description
This command allows you to enable/disable your router’s ability to forward multicast traffic to ALL
interfaces. By default, multicast traffic is only forwarded to interfaces on which there is IGMP Proxy
group membership.
Setting forward all is an alternative to IGMP Proxy. If you set forwardall enabled, it unsets
the upstream interface and disables IGMP proxy.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option           | Description                                                                                                            | Default value
-----------------|------------------------------------------------------------------------------------------------------------------------|--------------
enabled/disabled | Enabled forwards multicast traffic to all interfaces. Disabled forwards multicast traffic only to interfaces on which there are IGMP Proxy group members. | disabled
Example
--> igmp set forwardall enabled
See also
IGMP SHOW FORWARDALL
3.1.5.1.24 IGMP SET LASTMBERQUERYINTVL
Syntax
IGMP SET LASTMBERQUERYINTVL <lastmberqueryintvl>
Description
This command sets the value for the last member query interval. When the Gateway
receives what it believes is an IGMP Leave from the last device in a multicast group
on a particular port, the Last Member Query Interval specifies the time the Gateway
waits for an IGMP Report after sending an IGMP Query message for that multicast stream
down that port. If the Gateway does not receive an IGMP Report in that interval, it
sends an IGMP Leave to the multicast router.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option             | Description                                                                  | Default value
-------------------|------------------------------------------------------------------------------|--------------
lastmberqueryintvl | The last member query interval value in seconds. Valid range is 1 to 255.   | 1
Example
--> igmp set lastmberqueryintvl 5
See also
IGMP SHOW STATUS
3.1.5.1.25 IGMP SET QUERYINTVL
Syntax
IGMP SET QUERYINTVL <queryintvl>
Description
This command sets the value for the query interval. The Query Interval is the time
between General Queries sent by the proxy Querier.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option     | Description                                                                                                                 | Default value
-----------|-----------------------------------------------------------------------------------------------------------------------------|--------------
Queryintvl | The query interval value in seconds. Query interval cannot be less than or equal to the query response interval. Valid range is 2 to 255. | 125
Example
--> igmp set queryintvl 200
See also
IGMP SET QUERYRESPONSEINTVL
3.1.5.1.26 IGMP SET QUERYRESPONSEINTVL
Syntax
IGMP SET QUERYRESPONSEINTVL <queryresponseintvl>
Description
This command sets the value for the query response interval. This is the Max Response Time
inserted into the periodic General Queries.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option             | Description                                                                                                                            | Default value
-------------------|----------------------------------------------------------------------------------------------------------------------------------------|--------------
queryresponseintvl | The query response interval value in seconds. Query response interval cannot be greater than or equal to the query interval. Valid range is 1 to 254. | 10
Example
--> igmp set queryresponseintvl 20
See also
IGMP SET QUERYINTVL
3.1.5.1.27 IGMP SET ROBUSTNESS
Syntax
IGMP SET ROBUSTNESS <robustness>
Description
This command sets the value for the network robustness, allowing tuning based upon
expected packet loss on the network. In proxy mode only, this value determines the time
between the Leave received on the LAN-facing network and the Leave sent on the WAN-facing
network, which is robustness times the lastmemberqueryintvl.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option     | Description                                                                                     | Default value
-----------|-------------------------------------------------------------------------------------------------|--------------
robustness | The robustness variable value is a retry count for IGMP packet transmissions. Valid range is 2 to 255. | 2

Example
--> igmp set robustness 3
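A consistency checker for the timer options documented in 3.1.5.1.11 to 3.1.5.1.17 (BRIDGE SET IGMPSNOOP ...) and 3.1.5.1.24 to 3.1.5.1.27 (IGMP SET ...) above, as an added Python example. It is not Allied Telesis code: the function names and the settings dictionary are assumptions made here, while the ranges, defaults, the query interval versus query response interval rule and the robustness x last member query interval leave delay are those the option tables state.

```python
"""Range and cross-option checks for the IGMP snooping / proxy timer commands.

Added example, not Allied Telesis code. Function names and the settings
dictionary are assumptions; ranges, defaults and the leave-delay formula are
taken from the manual's option tables.
"""

# option name -> (minimum, maximum, default) for BRIDGE SET IGMPSNOOP ...
BRIDGE_TIMERS = {
    "lastmberqueryintvl": (0, 255, 1),      # 0 is a special case meaning 333 ms
    "mcastroutertimeout": (1, 65535, 400),
    "queryintvl":         (2, 255, 125),
    "queryresponseintvl": (1, 254, 3),
    "robustnessvar":      (2, 255, 2),
    "v1timer":            (1, 65535, 400),
}

# the same for IGMP SET ... (routed proxy); note the different names and defaults
PROXY_TIMERS = {
    "lastmberqueryintvl": (1, 255, 1),
    "queryintvl":         (2, 255, 125),
    "queryresponseintvl": (1, 254, 10),
    "robustness":         (2, 255, 2),
}


def validate_timers(settings, table):
    """Return a list of problems; an empty list means the settings are consistent.

    `settings` holds the options being set; unset options take the table default,
    which is what the device would be running with.
    """
    problems = [f"unknown option {key}" for key in settings if key not in table]
    cfg = {key: settings.get(key, default) for key, (_, _, default) in table.items()}
    for key, (lo, hi, _) in table.items():
        value = cfg[key]
        if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
            problems.append(f"{key}={value!r} is outside {lo}..{hi}")
    # the option tables state the rule from both sides: the query interval must be
    # strictly greater than the query response interval
    if cfg["queryintvl"] <= cfg["queryresponseintvl"]:
        problems.append("queryintvl must be greater than queryresponseintvl")
    return problems


def validate_vlan(vlan_id):
    """BRIDGE SET IGMPSNOOP VLAN accepts 1..4094, or -1 for no restriction."""
    return vlan_id == -1 or 1 <= vlan_id <= 4094


def proxy_leave_delay(robustness, lastmberqueryintvl):
    """Seconds between a LAN-side Leave and the WAN-side Leave in proxy mode:
    robustness x last member query interval (0 means 333 ms)."""
    interval = 0.333 if lastmberqueryintvl == 0 else float(lastmberqueryintvl)
    return robustness * interval
```

validate_timers({"queryresponseintvl": 20}, BRIDGE_TIMERS) passes because the default query interval of 125 is still larger, whereas setting queryintvl to 10 alongside it is reported; proxy_leave_delay(3, 0) shows how the 0 special case keeps the leave delay around one second even with a raised robustness value.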
3.1.5.1.28 IGMP SET UPSTREAMINTERFACE
Syntax
IGMP SET UPSTREAMINTERFACE <ip_interface|none>
Description
This command enables the router’s IGMP Proxy and sets one of the router’s existing IP
interfaces as the upstream interface; all other router interfaces are designated downstream
interfaces. The upstream interface implements the Host portion of the IGMP protocol, and
the downstream interfaces implement the Router portion of the IGMP protocol. The IGMP
Proxy may be disabled by setting the upstream interface to none.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option       | Description                                                                             | Default value
-------------|-----------------------------------------------------------------------------------------|--------------
ip_interface | The name of an existing router interface that you want to set as the upstream interface | N/A
none         | Disables IGMP proxy                                                                     | N/A
Example
--> igmp set upstreaminterface ip1
See also
IGMP SHOW
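The upstream/downstream forwarding rule of 3.1.3.6 together with IGMP SET UPSTREAMINTERFACE and IGMP SET FORWARDALL above, as an added Python example (not Allied Telesis code; the class, method and interface names are assumptions made here):

```python
"""Model of the routed IGMP proxy forwarding decision.

Added example, not Allied Telesis code. Class/method names and the interface
names used in demo() are assumptions; the rules follow 3.1.3.6 and the
IGMP SET UPSTREAMINTERFACE / IGMP SET FORWARDALL descriptions.
"""


class RoutedIgmpProxy:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)  # existing IP interfaces on the router
        self.upstream = None                # None: IGMP proxy disabled
        self.forward_all = False
        self.groups = {}                    # interface -> set of groups with members

    def set_upstream(self, name):
        """IGMP SET UPSTREAMINTERFACE <ip_interface|none>"""
        if name == "none":
            self.upstream = None
            return
        if name not in self.interfaces:
            raise ValueError(f"no such IP interface: {name}")
        self.upstream = name

    def set_forward_all(self, enabled):
        """IGMP SET FORWARDALL <enabled|disabled>: enabling it unsets the upstream
        interface and so disables the proxy, as the command description states."""
        self.forward_all = enabled
        if enabled:
            self.upstream = None

    def join(self, interface, group):
        """A host on `interface` reports membership; the interface becomes downstream."""
        if interface == self.upstream:
            raise ValueError("hosts are not expected on the upstream interface")
        self.groups.setdefault(interface, set()).add(group)

    def leave(self, interface, group):
        self.groups.get(interface, set()).discard(group)

    def route(self, ingress, group):
        """Interfaces to which a multicast packet for `group` that arrived on
        `ingress` is forwarded."""
        if self.forward_all:
            return sorted(i for i in self.interfaces if i != ingress)
        if self.upstream is None or ingress != self.upstream:
            return []  # proxy off, or the traffic did not arrive on the upstream interface
        return sorted(i for i in self.interfaces
                      if i != self.upstream and group in self.groups.get(i, set()))

    def status(self):
        """Rows like IGMP SHOW STATUS: (interface, querier, groups). Downstream
        interfaces run the Router part of IGMP and therefore act as querier."""
        return [(i, self.upstream is not None and i != self.upstream,
                 sorted(self.groups.get(i, set())))
                for i in self.interfaces]


def demo():
    g = "239.255.255.250"
    p = RoutedIgmpProxy(["ip0", "ip_video", "ip_data"])
    p.set_upstream("ip0")                 # igmp set upstreaminterface ip0
    p.join("ip_video", g)                 # STB on the video VLAN joins
    steps = {
        "from_upstream": p.route("ip0", g),        # reaches the video interface
        "from_other_vlan": p.route("ip_data", g),  # only the upstream feeds groups
        "status": p.status(),
    }
    p.join("ip_data", g)
    steps["two_downstream"] = p.route("ip0", g)
    p.leave("ip_data", g)
    p.set_forward_all(True)               # igmp set forwardall enabled
    steps["forward_all"] = p.route("ip0", g)       # every other interface, members or not
    steps["upstream_after_forward_all"] = p.upstream
    return steps
```

route("ip_data", g) returning nothing is the constraint the text states: with routed IGMP the multicast traffic must arrive on the one upstream interface, while forward-all replaces the membership-driven decision with flooding and clears the upstream interface.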
3.1.5.1.29 IGMP SHOW FORWARDALL
Syntax
IGMP SHOW FORWARDALL
Description
This command displays the status of the ForwardAll configuration.
Example
--> igmp show forwardall
IGMP Forwarder:
Forward All : false
See also
IGMP SET FORWARDALL
3.1.5.1.30 IGMP SHOW STATUS
Syntax
IGMP SHOW STATUS
Description
This command displays the following information about the status of IGMP proxy:
• IGMP Proxy group membership per interface details
• Interface name and querier status
• Group address
Example
--> igmp show status
Multicast group membership:
Interface (querier) | Group address
---------------------|-----------------
ip_video (yes)       | 239.255.255.250
---------------------------------------
3.1.5.1.31 IGMP SHOW TIMERCONFIGURATION
Syntax
3-32
IGMP SHOW TIMERCONFIGURATION
iMG/RG Software Reference Manual (IGMP)
IGMP Snooping command reference
IGMP snooping
Description
This command displays the All the timer settings for the IGMP Proxy. This includes the
Robustness setting, Query Interval, Query response interval and the last member query
interval.
Example
--> igmp proxy show status
IGMP Proxy configuration:
Robustness
Query Int
Query Rsp Int
Last Member Query Int
See also
IGMP
IGMP
IGMP
IGMP
SET
SET
SET
SET
:
:
:
:
2
125
10
1
LASTMEMBERQUERYINT
QUERYINTERVAL|
QUERYRSPINTERVAL
ROBUSTNESS
3.1.5.1.32 IGMP SHOW UPSTREAMINTERFACE
Syntax
IGMP SHOW UPSTREAMINTERFACE
Description
This command displays the status of the upstream interface. If an upstream interface has
been set using the IGMP SET UPSTREAMINTERFACE command, this command displays
the current setting.
Example
--> igmp show upstreaminterface
IGMP Proxy configuration
Upstream If : ip0
See also
IGMP SET UPSTREAMINTERFACE
3.1.5.1.33 IGMP SNOOPING DISABLE
Syntax
IGMP SNOOPING DISABLE <vlan_name>
Description
This command disables the layer-2 IGMP snooping feature previously enabled with the
IGMP SNOOPING ENABLE command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option      Description                                                   Default value
vlan_name   The name of an existing vlan where igmp snooping has been     N/A
            previously enabled.

Example
--> igmp snooping disable vlan_video
See also
IGMP SNOOPING ENABLE
3.1.5.1.34 IGMP SNOOPING ENABLE
Syntax
IGMP SNOOPING ENABLE <vlan_name>
Description
This command enables the layer-2 IGMP snooping feature.
Default timeout values are used:
• leavetime 10 secs
• timeout 270 secs
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option      Description                                                   Default value
vlan_name   The name of an existing vlan where igmp snooping has been     N/A
            previously enabled.

Example
--> igmp snooping enable vlan_video
See also
IGMP SNOOPING DISABLE
IGMP SNOOPING SET
3.1.5.1.35 IGMP SNOOPING SET SECONDARY-NETINTERFACE
Syntax
IGMP SNOOPING SET SECONDARY-NETINTERFACE <secondary_net_interface>
Description
This command sets the IP interface used as the reference for the IP address value to be
substituted into upstream IGMP signalling messages. The IGMP module uses this secondary IP
interface ONLY if the IP interface attached to the vlan where IGMP snooping has been enabled
has a null address (0.0.0.0). Otherwise, all upstream IGMP signalling messages use the IP
address of the IP interface directly attached to the multicast vlan.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option                    Description                                          Default value
secondary_net_interface   The name of an existing IP interface to be used      N/A
                          as the reference source IP address.

Example
--> igmp snooping set secondary-netinterface ip_mgmt
See also
IGMP SNOOPING SHOW
3.1.5.1.36 IGMP SNOOPING SET MODE
Syntax
IGMP SNOOPING SET MODE <mode>
Description
This command sets the mode used to forward IGMP packets. When mode is set to “proxy”,
the original Source MAC address and the original Source IP address are substituted with
the gateway’s own MAC and IP addresses. When mode is set to “snooping”, the IGMP
packets are forwarded with no changes.
When IGMP snooping is enabled, this parameter is set to “snooping” by default.
Options
The following table gives the range of values for each option which can be specified with
this command and a default value (if applicable).

Option   Description                                                        Default value
mode     The IGMP snooping mode to use:                                     snooping
         proxy: substitutes the Source MAC address and Source IP address
         with the gateway’s own addresses when forwarding received IGMP
         packets.
         snooping: forwards received IGMP packets with no changes.

Example
--> igmp snooping set mode proxy
See also
IGMP SNOOPING ENABLE
3.1.5.1.37 IGMP SNOOPING SET LEAVETIME
Syntax
IGMP SNOOPING SET LEAVETIME <leavetime>
Description
This command sets the duration of the Leave Period timer for the IGMP snooping process. The timer controls the maximum time allowed for hosts to send a response
to a Query message issued by the Gateway.
When IGMP snooping is enabled, this value is set to 10 sec by default.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option      Description                                                   Default value
leavetime   The leavetime value expressed in seconds. Valid values are    10
            between 0 and 65535.

Example
--> igmp snooping set leavetime 50
See also
IGMP SNOOPING ENABLE
3.1.5.1.38 IGMP SNOOPING SET TIMEOUT
Syntax
IGMP SNOOPING SET TIMEOUT <timeout>
Description
This command sets the longest interval, in seconds, for which a group will remain in the
local multicast group database without the Residential Gateway receiving a Host Membership Report for this multicast group.
When IGMP snooping is enabled, by default this value is set to 270 sec.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option    Description                                                     Default value
timeout   The timeout interval value expressed in seconds. Valid values   270
          are from 1 to 65535.

Example
--> igmp snooping set timeout 125
See also
IGMP SNOOPING ENABLE
3.1.5.1.39 IGMP SNOOPING SHOW
Syntax
IGMP SNOOPING SHOW
Description
This command shows IGMP snooping status.
The following information is reported:
• Timeout Interval: interval after which entries will be removed from the group database
• Interface Name: VLAN reference
• Multicast Router: recognized multicast route
• Group List: membership list for this VLAN
• Group: the group multicast address. Multicast Filter highlights members useful to stop
• Port: port where the member is attached
• Last Adv: the last host to advertise the membership report or query
• Refresh time: the time interval (in seconds) before the membership group is deleted
See also
IGMP SNOOPING ENABLE
3.1.5.1.40 IGMP SNOOPING SECURITY
Syntax
IGMP SNOOPING SECURITY <enable/disable>
Description
This command enables or disables the security feature.
3.1.5.1.41 IGMP SNOOPING SECURITY SET MAXMACNUMBER
Syntax
IGMP SNOOPING SECURITY SET MAXMACNUMBER <max_mac_number>
Description
This command sets the maximum number of MAC addresses that can be statically (via the
“add” command) or dynamically (via auto-learning) managed by the CPE. Range is 1-10,
default 5. If some MAC addresses have already been learned or set, a new value of this parameter is accepted only if it is equal to or greater than the number of registered MAC addresses.
3.1.5.1.42 IGMP SNOOPING SECURITY LEARNING
Syntax
IGMP SNOOPING SECURITY LEARNING <enable/disable>
Description
This command enables or disables the auto-learning option.
3.1.5.1.43 IGMP SNOOPING SECURITY ADD
Syntax
IGMP SNOOPING SECURITY ADD <name> max <mac_address>
Description
This command statically adds a new MAC address.
3.1.5.1.44 IGMP SNOOPING SECURITY DELETE
Syntax
IGMP SNOOPING SECURITY DELETE {<name> | ALL }
Description
This command deletes a MAC entry, whether statically or dynamically added.
3.1.5.1.45 IGMP SNOOPING SECURITY SHOW
Syntax
IGMP SNOOPING SECURITY SHOW
Description
This command shows the security information: the MAC list and the status.
3.1.5.1.46 IGMP PROXY SET UPSTREAMINTERFACE
Syntax
IGMP PROXY SET UPSTREAMINTERFACE {<ip_interface> | NONE}
Description
This command enables the gateway's IGMP Proxy Routing function, and sets one of the
existing IP interfaces as the upstream interface; all other interfaces are designated downstream interfaces. The upstream interface implements the Host portion of the IGMP protocol, and the downstream interfaces implement the Router portion of the IGMP
protocol. Setting upstream interface to none may disable the IGMP Proxy.
Options
The following table gives the range of values for each option, which can be specified with
this command, and a default value (if applicable).
Option         Description                                                    Default value
ip_interface   The name of an existing interface that you want to set as      N/A
               the upstream interface.
none           Disables IGMP proxy                                            N/A

Example
--> igmp proxy set upstreaminterface ip0
See also
IGMP PROXY SHOW STATUS
3.1.5.1.47 IGMP PROXY SHOW UPSTREAMINTERFACE
Syntax
IGMP PROXY SHOW UPSTREAMINTERFACE
Description
This command displays the status of the upstream interface. If an upstream interface has
been set using the IGMP PROXY SET UPSTREAMINTERFACE command, this command
displays the current setting.
Example
--> igmp proxy show upstreaminterface
IGMP Proxy configuration
Upstream If : ip0
See also
IGMP PROXY SET UPSTREAMINTERFACE
3.1.5.1.48 IGMP PROXY SHOW STATUS
Syntax
IGMP PROXY SHOW STATUS
Description
This command displays the following information about the status of IGMP proxy:
• IGMP Proxy group membership per interface details
• Interface name and querier status
• Group address
Example
--> igmp proxy show status
Multicast group membership:
Interface (querier) | Group address
---------------------|----------------
ip_video (yes)       | 239.255.255.250
--------------------------------------
See also
IGMP PROXY SHOW UPSTREAMINTERFACE
4. IPNetwork Functions
4.1 IP
4.1.1 Overview
This chapter describes the main features of the Internet Protocol (IPv4) and how to configure and operate the
IP interface of the AT-iMG models.
Before you start configuring the IP Stack for your own network requirements, it is essential that you are familiar
with the basic functionality of the IP Stack.
The IP Stack allows you to configure basic connectivity for your network to provide IP routing between interfaces and to support local applications, such as Telnet, web server, DHCP and so on.
The dual IP Stack implements the following IPv4 protocols:
• Internet Protocol (IP), including RFC 791.
• Support for Fragmentation and Reassembly (RFC 0791 and RFC 1812 (section 4.2.2.7)).
• Support for Subnetting and Classless Interdomain Routing.
• Internet Control Message Protocol (ICMP) (RFC 0792); see ICMP (RFC 972).
• User Datagram Protocol (UDP) - RFC 768.
• Transmission Control Protocol (TCP) - RFC 793, also featuring TCP MSS Clamp.
• Address Resolution Protocol (ARP) for Ethernet - RFC 826 and RFC 894.
• Internet Group Management Protocol (IGMP), Version 2 - RFC 2236. Multicast forwarding and IGMP Proxy (RFC 2236).
• Routing Information Protocol (RIP), Version 2 - RFC 1723; see RIP v2 (for IPv4).
4.1.2 IP Interfaces
In order to use the IP stack, one or more interfaces must be added to the IP stack and attached to a transport.
For IPv4 interfaces, each interface must be configured with an IP address and a subnet mask. Together, these
define the range of addresses which can be reached via the interface without passing through any other routers.
Each interface (real and virtual) must have a unique subnet; the range of addresses on each interface must not
overlap with any other interface. The only exception to this is unnumbered interfaces, which may be configured
on point-to-point links when there is no local subnet associated with the interface.
iMG/RG Software Reference Manual (IPNetwork Functions)
4.1.3 IP support on AT-iMG Models
In order to use the IP stack, one or more interfaces must be added to the IP stack and attached to a transport.
Each interface must be configured with an IP address and a subnet mask. Together, these define the range of
addresses that can be reached via the interface without passing through any other routers.
Each interface (real and virtual) must have a unique subnet; the range of addresses on each interface must not
overlap with any other interface. In situations where there is no local subnet associated with an interface,
unnumbered interfaces may be used.
4.1.3.1 Adding and attaching IP interfaces
IP interfaces are added and attached using the commands provided by the IP and Ethernet modules respectively.
IP interfaces typically use the services provided by Ethernet transports. An Ethernet transport is an abstraction
layer used to classify the format of the IP packets that will be transferred through the network. Another type of
transport is, for example, PPPoE. Packets transmitted through a PPPoE connection or an Ethernet connection
have different frame formats even if they convey the same type of information to the IP layer.
Because the system supports VLANs, the same Ethernet port can be shared between different VLANs. Therefore it is not possible to map an Ethernet transport directly to a physical Ethernet port.
Instead, Ethernet transports are mapped to VLANs, which from a logical point of view act like an Ethernet
segment, as an Ethernet port would in a simple system without VLANs.
The way a transport is attached to the gateway depends on the core switching type.
On FIBER A/C and ADSL A devices the steps are as follows:
• Create an Ethernet transport using the command:
ethernet add transport eth1 myvlan
• Create an interface in the IP stack using, for example, the command:
ip add interface ip1 192.168.101.2 255.255.255.0
• Attach the transport to the interface using the command:
ip attach ip1 eth1
Things are slightly different on the remaining models. A VLAN is handled as a bridgeport. Each bridgeport is a
transport of type Qbridge; therefore step 1) is not necessary.
• Create an interface in the IP stack using, for example, the command:
ip add interface ip1 192.168.101.2 255.255.255.0
• Attach the transport to the interface using the command:
ip attach ip1 myvlan
The maximum number of IP interfaces is set to 16, which means that there are up to 16 IP interfaces
internally numbered one to 16. Since one interface is reserved for use as a loopback interface, this means up to
15 IP interfaces can be added by the user.
When a packet arrives on an IP interface, the IP stack determines what to do with the packet. There are two
options:
• Receive the packet locally;
• Forward the packet to another interface
4.1.3.2 IP stack and incoming packets
When a packet arrives on an IP interface, the IP stack determines whether:
• The packet should be received locally
• The packet should be forwarded to another interface
4.1.3.3 Locally received packets
A packet will be received locally if:
• The destination address of the packet matches any of the IP stack interface addresses (real or virtual interface, primary or secondary addresses)
• The packet is a broadcast
• The packet is a multicast to a group that the IP stack belongs to
• The packet has the Router Alert option set
The packet is either processed internally within the IP stack (for example, ICMP or IGMP control messages), or
passed up to an application via the appropriate protocol processing (for example, TCP or UDP data).
For a local application to successfully send a packet back to another host, the IP stack must be able to find a
suitable route to that host.
4.1.3.4 Forwarding packets
If the IP stack determines that a packet should not be received locally, it will try to forward the packet. The
packet will be forwarded if:
• The destination of the packet can be reached directly via any of the IP stack’s interfaces
• A route has been added, either manually or by a routing protocol, specifying a suitable gateway via which
that destination may be reached
Several address tests are applied before forwarding a packet, for example to prevent broadcast packets from
being forwarded. For more information about these tests, see RFC1122: Requirements for Internet - Hosts.
If the packet cannot be forwarded, an ICMP Destination Unreachable error will be returned to the sender.
By default, the checksum of forwarded IP packets is not checked. This is for reasons of efficiency, because calculating the checksum on all packets adds significantly to the forwarding time and reduces throughput. This default
setting is common in most IP routers. Locally terminated packets always have their checksum checked.
4.1.4 Unconfigured interfaces
An interface with an IP address of 0.0.0.0 is unconfigured. An interface is added as unconfigured when it is to be
configured at a later time, for example, by IPCP or DHCP.
No traffic will be forwarded from an unconfigured interface. However, an unconfigured interface may still
receive certain types of traffic, such as responses to DHCP requests.
An unconfigured interface should not be confused with an unnumbered interface.
4.1.5 Unnumbered interfaces
In a routed network, consider two routers that are joining two different subnets via a point-to-point link. It
would usually be necessary to allocate a whole subnet just for the link between the routers, in addition to the
other two subnets.
An unnumbered interface does not have a subnet associated with it and simply serves as one end of a point-to-point link. An unnumbered link does not have an IP address, but a router ID that is the IP address of one of
the router’s other interfaces.
You can have multiple unnumbered interfaces as long as you have at least one normal (numbered) IP interface in
your router so that you can use its IP address as the router ID. The unnumbered interfaces can either use different router ID values, or use the same router ID value. Whatever their value, the router ID(s) must match
the address of a normal interface.
Note:
Unnumbered interfaces can only be used on point-to-point links. This includes PPP. You cannot use
unnumbered interfaces with Ethernet.
4.1.5.1 Unconfigured interfaces vs unnumbered interfaces
An unnumbered interface is not the same as an unconfigured interface.
An unconfigured interface is created by adding an interface without specifying an IP address (ip add interface
myinterface), or by specifying an IP address of 0.0.0.0 (ip add interface myinterface 0.0.0.0).
You would add an unconfigured interface if the interface address were to be set automatically later, for example, by IPCP or DHCP. It cannot be used for normal traffic.
An unnumbered interface is different - it is used for normal traffic but does not have its own IP address or a
local subnet associated with it.
4.1.5.2 Configuring unnumbered interfaces
Unnumbered interfaces are created using the following CLI command:
IP ADD INTERFACE <name> <ipaddress> 255.255.255.255
For example:
ip add interface myinterface 192.168.101.3 255.255.255.255
In this command:
• myinterface is the unnumbered interface name.
• 192.168.101.3 is the router id. The router ID must be set to the IP address of one of the router’s normal
interfaces. The main use of the router ID is as the source address for packets sent on an unnumbered interface from local applications or routing protocols. Router IDs are described in RFC1812 Requirements for
IP v4 Routers.
• 255.255.255.255 is a special subnet mask that identifies an unnumbered interface and distinguishes it from
any other type of interface.
You must also add a route before your unnumbered interface can send packets.
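The interface rules stated in 4.1.2 through 4.1.5.2 (unique, non-overlapping subnets; 0.0.0.0 for an unconfigured interface; mask 255.255.255.255 plus a router ID for an unnumbered one; 16 slots with one reserved) as a small validator. This is an added example, not Allied Telesis code: it takes (name, address, mask) tuples mirroring the ip add interface arguments, and the function names are its own.

```python
import ipaddress

# 16 interfaces internally, one reserved for loopback (from the text above)
MAX_USER_INTERFACES = 15


def classify(address, mask):
    """Interface kind according to the manual's conventions."""
    if address == "0.0.0.0":
        return "unconfigured"        # address to be set later by DHCP/IPCP
    if mask == "255.255.255.255":
        return "unnumbered"          # address is a router ID, no local subnet
    return "numbered"


def validate_interfaces(interfaces):
    """interfaces: list of (name, address, mask) as given to 'ip add interface'.
    Returns a list of problem descriptions; empty means the set is consistent."""
    problems = []
    if len(interfaces) > MAX_USER_INTERFACES:
        problems.append(
            f"too many interfaces: {len(interfaces)} > {MAX_USER_INTERFACES}")
    numbered = {}            # name -> IPv4Network of numbered interfaces
    numbered_addrs = set()   # addresses usable as router IDs
    unnumbered = []          # (name, router_id)
    seen = set()
    for name, address, mask in interfaces:
        if name in seen:
            problems.append(f"{name}: duplicate interface name")
        seen.add(name)
        kind = classify(address, mask)
        if kind == "unconfigured":
            continue         # nothing to check until an address is assigned
        if kind == "unnumbered":
            unnumbered.append((name, address))
            continue
        try:
            net = ipaddress.IPv4Interface(f"{address}/{mask}").network
        except ValueError as exc:
            problems.append(f"{name}: invalid address/mask ({exc})")
            continue
        # Real and virtual interfaces alike must not overlap any other subnet.
        for other, other_net in numbered.items():
            if net.overlaps(other_net):
                problems.append(
                    f"{name}: subnet {net} overlaps {other} ({other_net})")
        numbered[name] = net
        numbered_addrs.add(address)
    # A router ID must be the address of one of the normal interfaces.
    for name, router_id in unnumbered:
        if router_id not in numbered_addrs:
            problems.append(
                f"{name}: router ID {router_id} is not a numbered interface address")
    return problems


if __name__ == "__main__":
    # Constructed sample built from the manual's own example values.
    sample = [
        ("ip1", "192.168.101.2", "255.255.255.0"),
        ("myinterface", "192.168.101.2", "255.255.255.255"),   # unnumbered
        ("ip_wan", "0.0.0.0", "0.0.0.0"),                       # unconfigured
    ]
    for line in validate_interfaces(sample) or ["configuration OK"]:
        print(line)
```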
4.1.5.3 Creating a route
Because an unnumbered interface does not have a local subnet associated with it, no packets can be routed to
an unnumbered interface until a route is added. Let us just consider how this is done.
Usually, for Ethernet interfaces, routes are added with a gateway to be used for a particular destination.
For example:
ip add route myroute 10.0.0.0 255.0.0.0 gateway 192.168.101.10
This means that all packets for the 10.0.0.0 subnet will be sent to the address 192.168.101.10 as their next hop.
The gateway must be reachable directly, so 192.168.101.10 must be on a subnet served by one of the local interfaces.
But, for point-to-point links, you can add a route through the interface, without specifying a gateway address,
for example:
ip add route myroute 10.0.0.0 255.0.0.0 interface myinterface
All packets for the specified destination will be sent via the unnumbered interface called myinterface. This type
of route can be used for all interfaces with point-to-point links, not just for unnumbered interfaces.
On devices of the type FIBER B/D/E, MODULAR and ADSL B/C, routes can be disabled and
enabled. Unless explicitly set otherwise, routes are created enabled.
4.1.6 Virtual interfaces
Usually, each transport only has one router interface associated with it, and each router interface has only one
IP address and local subnet associated with it.
Virtual interfaces allow you to attach more than one IP interface to the same transport. Secondary IP addresses
allow you to associate more than one IP address with the same IP interface. Together, these features allow
many configurations that would not otherwise be possible.
Virtual interfaces allow you to create multiple router interfaces on the same transport, for example, on the
same Ethernet port. This allows the IP stack to communicate with and route between multiple subnets existing
on the same LAN.
4.1.6.1 Configuring virtual interfaces
To configure a virtual interface you need to create an IP interface, but instead of attaching it to a transport, you
need to attach it to a second IP interface that already has a transport attached to it.
In this way, the two interfaces share the transport that is only attached to one of the interfaces.
The original interface attached directly to a transport is called the real interface, and the interface that is
attached to the real interface is called the virtual interface.
To configure a virtual interface using the CLI:
• Create the real interface, then create an Ethernet transport and attach the IP interface to the transport:
ip add interface real_ip 192.168.101.2 255.255.255.0
On FIBER A/C and ADSL A devices:
ethernet add transport eth1 myvlan
ip attach real_ip eth1
On the remaining models it’s enough to:
ip attach real_ip myvlan
• Create the virtual interface:
ip add interface virtual_ip 192.168.50.10 255.255.255.0
• Attach the virtual interface to the real interface:
ip attachvirtual virtual_ip real_ip
You can add more than one virtual interface to the same real interface.
Virtual interfaces are created by attaching them to a real interface instead of directly to a transport. If the real interface is deleted, then all associated virtual interfaces are detached automatically.
4.1.6.2 Similarities between virtual interfaces and real interfaces
A virtual interface is similar to a real interface:
• Virtual interfaces may be manipulated in the same way as real interfaces using the CLI.
• The IP stack will route between virtual interfaces and real interfaces in the same way that it routes between
real interfaces.
Note:
Like real interfaces, virtual interfaces must have a unique subnet that does not overlap with other
interfaces. In order to have the router respond to more than one IP address on the same subnet,
secondary addresses must be used instead of virtual interfaces.
4.1.6.3 Differences between virtual interfaces and real interfaces
When the IP stack receives a packet from a transport that has associated virtual interfaces, the IP stack must
decide which interface the packet arrived on.
The source address of the incoming packet is compared with the subnet of each virtual interface on that transport. If there is no match, the IP stack assumes that the packet arrived on the real interface.
The interface that the packet arrived on is important in two scenarios:
• When the Firewall is in use - different rules (such as policies, portfilters and validators) are configured
between different interfaces, so you need to know which interfaces the packet passes between.
• Some applications are written to only respond to traffic received on a specific interface. For example, DHCP
server.
Because the traffic for all virtual interfaces is received in the same way as the real interface, the only reasonable
way of selecting an interface is based on source address as described above. This means that:
• A virtual interface only receives packets with a source address matching its interface subnet, providing packets arrive via the real interface that the virtual interface is attached to.
• Packets that arrive with a source address that does not match a local subnet are deemed to have been
received on the real interface, even if the next hop would be reached through the virtual interface when
sending to that destination.
• Any packets from an unconfigured host, for example DHCP or BOOTP requests, are deemed to be received
on the real interface.
Note:
Remember that the sender can spoof the source address of the packet; therefore security-related
decisions should not be based on the ability to distinguish between virtual interfaces on the same
transport.
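The ingress-interface rule from 4.1.6.3 as an added example (not Allied Telesis code): the stack keys on the packet's source address, a virtual subnet match wins, and 0.0.0.0 or an unmatched source falls to the real interface. policy_interface then collapses a virtual interface back to its real interface, the one thing the stack can verify, which is how this example applies the note above. Interface names mirror 4.1.6.1; the functions are this example's own.

```python
import ipaddress


class Iface:
    """An IP interface. A virtual interface carries a reference to the real
    interface whose transport it shares (what 'ip attachvirtual' sets up)."""

    def __init__(self, name, address, mask, real=None):
        self.name = name
        self.network = ipaddress.IPv4Interface(f"{address}/{mask}").network
        self.real = real  # None for a real interface


def ingress_interface(src_ip, real, virtuals):
    """Interface the IP stack attributes a received packet to.
    Only the source address is available as a selector, as the text explains."""
    if src_ip == "0.0.0.0":
        return real.name              # unconfigured host (DHCP/BOOTP request)
    src = ipaddress.IPv4Address(src_ip)
    for v in virtuals:
        if src in v.network:
            return v.name             # source matches a virtual subnet
    return real.name                  # no match: assumed to be the real interface


def policy_interface(iface_name, ifaces):
    """Interface name to key firewall rules on. A virtual interface collapses
    to its real interface: the source-address test above is all that separates
    them, and the sender chooses the source address, so a rule that trusts
    'virtual_ip' more than 'real_ip' trusts a value the sender picks."""
    iface = ifaces[iface_name]
    return iface.real.name if iface.real else iface.name


def demo():
    """Constructed sample: real_ip and virtual_ip from section 4.1.6.1."""
    real_ip = Iface("real_ip", "192.168.101.2", "255.255.255.0")
    virtual_ip = Iface("virtual_ip", "192.168.50.10", "255.255.255.0", real=real_ip)
    ifaces = {i.name: i for i in (real_ip, virtual_ip)}
    results = {}
    for src in ("192.168.101.50",   # host on the real subnet
                "192.168.50.77",    # virtual subnet, or a spoofed source on the same LAN
                "0.0.0.0",          # DHCP/BOOTP client with no address yet
                "10.9.8.7"):        # no local subnet matches
        arrived = ingress_interface(src, real_ip, [virtual_ip])
        results[src] = (arrived, policy_interface(arrived, ifaces))
    return results


if __name__ == "__main__":
    for src, (arrived, policy) in demo().items():
        print(f"{src:15} arrived on {arrived:10} firewall keys on {policy}")
```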
4.1.7 Secondary IP addresses
Secondary IP addresses differ from virtual interfaces because there is no concept of a separate local subnet
associated with a secondary address.
The secondary addresses share the same subnet with the interface.
Secondary addresses therefore allow the IP stack to have more than one address on the same subnet. After
setting the main interface address, one or more additional addresses on the same subnet can be added to the
interface.
4.1.7.1 Configuring secondary IP addresses
You can create and configure secondary IP addresses using the CLI.
The following CLI commands allow you to create and configure secondary IP addresses:
ip interface add secondaryipaddress
ip interface clear secondaryipaddresses
ip interface delete secondaryipaddress
ip interface list secondaryipaddresses
Note:
The ability to specify a subnet mask with a secondary address is superseded by the functionality of
virtual interfaces. You should use virtual interfaces instead.
Support for adding secondary IP addresses including subnet mask specification will be withdrawn in a future
software release.
4.1.7.2 Functionality of secondary IP addresses
On Ethernet interfaces, secondary IP addresses must be on the same subnet as the interface. Secondary
addresses may be added to virtual interfaces, as well as real interfaces.
On Point-to-Point links, secondary addresses may be added on a different subnet to the main interface address.
This will provide an additional address that the IP stack will respond to for traffic arriving on that interface, but
with no associated local subnet.
This is similar to configuring a virtual interface as an unnumbered interface. This is not a common configuration.
4.1.8 TCP/IP command reference
This section describes the commands available on AT-iMG models to manage the TCP/IP module.
4.1.8.1 IP Tracing commands
You can carry out tracing in the IP stack using the following system commands:
• SYSTEM LOG ENABLE|DISABLE; enables/disables the tracing support output for a specific module and category.
• SYSTEM LOG LIST; displays the tracing options for the modules available in the current image
4.1.8.2 IP CLI commands
The table below lists the IP commands provided by the CLI:
TABLE 4-1 IP CLI commands
Models: Fiber A, Fiber B, Fiber C, Fiber D, Fiber E, ADSL A, ADSL B, ADSL C, Modular.
Every command listed below is marked X (available) for all nine models.
IP ATTACH
IP ATTACHBRIDGE
IP ATTACHVIRTUAL
IP CLEAR ARPENTRIES
IP CLEAR INTERFACES
IP CLEAR RIPROUTES
IP CLEAR ROUTES
IP DELETE INTERFACE
IP DELETE ROUTE
IP DETACH INTERFACE
IP INTERFACE ADD PROXYARPENTRY
IP INTERFACE ADD PROXYARPEXCLUSION
IP INTERFACE ADD SECONDARYIPADDRESS
IP INTERFACE ADD STATICARPENTRY
IP INTERFACE CLEAR PROXYARPENTRIES
IP INTERFACE CLEAR SECONDARYIPADDRESSES
IP INTERFACE CLEAR STATICARPENTRIES
IP INTERFACE DELETE PROXYARPENTRIES
IP INTERFACE DELETE PROXYARPEXCLUSION
IP INTERFACE DELETE SECONDARYIPADDRESSES
IP INTERFACE DELETE STATICARPENTRY
IP INTERFACE LIST PROXYARPENTRIES
IP INTERFACE LIST SECONDARYIPADDRESSES
IP INTERFACE LIST STATICARPENTRIES
IP LIST APPSERVICES
IP LIST ARPENTRIES
IP LIST CONNECTIONS
IP LIST INTERFACES
IP LIST RIPROUTES
IP LIST ROUTES
STOP PING
IP PING
IP SET APPSERVICE
IP SET INTERFACE IPADDRESS
IP SET INTERFACE NETMASK
IP SET INTERFACE MTU
IP SET INTERFACE DHCP
IP SET INTERFACE GATEWAY
IP SET INTERFACE RIP ACCEPT
IP SET INTERFACE RIP MULTICAST
IP SET INTERFACE RIP SEND
IP SET INTERFACE TCPMSSCLAMP
IP SET RIP ADVERTISEDEFAULT
IP SET RIP AUTHENTICATION
IP SET RIP DEFAULTROUTECOST
IP SET RIP HOSTROUTES
IP SET RIP PASSWORD
IP SET RIP POISON
IP SET ROUTE
IP SET ROUTE
IP SET ROUTE
IP SET ROUTE ADVERTISE
IP SET ROUTE DESTINATION
IP SET ROUTE GATEWAY
IP SET ROUTE COST
IP SET ROUTE INTERFACE
IP SET TTL
IP SHOW
IP SHOW APPSERVICE
IP SHOW INTERFACE
IP SHOW ROUTE
(*) These commands are available on FIBER B,D,E, MODULAR and ADSL B,C devices.
4.1.8.2.1 IP ADD DEFAULTROUTE GATEWAY
Syntax
IP ADD DEFAULTROUTE GATEWAY <gateway_ip>
Description
This command creates a default route. It acts as a shortcut command that you can use
instead of typing the following:
ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.103.3
Note:
You can only create one default route. A default route will not be created if you have already created a
default route using the IP ADD ROUTE command or the IP ADD DEFAULTROUTE INTERFACE command.
If you want RIP to advertise a default route with a default cost metric, see the IP SET RIP
ADVERTISEDEFAULT and IP SET RIP DEFAULTROUTECOST commands.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                                                    | Default Value
gateway_ip | The IP address of the gateway that this route will use by default, in the format: 192.168.103.3 | gateway_ip
Example
--> ip add defaultroute gateway 192.168.103.3
See also
ip add route
ip add defaultroute interface
ip set rip advertisedefault
ip set rip defaultroutecost
4.1.8.2.2 IP ADD DEFAULTROUTE GATEWAY DISABLED
Syntax
IP ADD DEFAULTROUTE GATEWAY <gateway_ip> DISABLED
Description
This command creates a default route but prevents its activation. It acts as a shortcut
command that you can use instead of typing the following:
ip add route default 0.0.0.0 0.0.0.0 gateway 192.168.103.3 DISABLED
Note:
You can only create one default route. A default route will not be created if you have already created a
default route using the IP ADD ROUTE command or the IP ADD DEFAULTROUTE INTERFACE command.
If you want RIP to advertise a default route with a default cost metric, see the IP SET RIP
ADVERTISEDEFAULT and IP SET RIP DEFAULTROUTECOST commands.
Note:
This command is available on FIBER B, D, E, MODULAR and ADSL B, C models only.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                                                    | Default Value
gateway_ip | The IP address of the gateway that this route will use by default, in the format: 192.168.103.3 | gateway_ip
Example
--> ip add defaultroute gateway 192.168.103.3 disabled
See also
ip add route disabled, ip add route, ip set route enabled
ip add defaultroute interface, ip add default route interface disabled
ip set rip advertisedefault
ip set rip defaultroutecost
4.1.8.2.3 IP ADD DEFAULTROUTE INTERFACE
Syntax
IP ADD DEFAULTROUTE INTERFACE <interface>
Description
This command creates a default route. It acts as a shortcut command that you can use
instead of typing the following:
ip add route default 0.0.0.0 0.0.0.0 interface ip3
Note:
You can only create one default route. A default route will not be created if you have already created a
default route using the ip add route command or the ip add defaultroute gateway command.
If you want RIP to advertise a default route with a default cost metric, see the IP SET RIP
ADVERTISEDEFAULT and IP SET RIP DEFAULTROUTECOST commands.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option    | Description                                                                                                                    | Default Value
interface | The name of the existing interface that this route will use. To display interface names, use the IP LIST INTERFACES command. | N/A
Example
--> ip add defaultroute interface ip3
See also
ip add route
ip add defaultroute gateway
ip set rip advertisedefault
ip set rip defaultroutecost
4.1.8.2.4 IP ADD DEFAULTROUTE INTERFACE DISABLED
Syntax
IP ADD DEFAULTROUTE INTERFACE <interface> DISABLED
Description
This command creates a default route but prevents its activation. It acts as a shortcut
command that you can use instead of typing the following:
ip add route default 0.0.0.0 0.0.0.0 interface ip3 disabled
Note:
You can only create one default route. A default route will not be created if you have already created a
default route using the ip add route command or the ip add defaultroute gateway command.
If you want RIP to advertise a default route with a default cost metric, see the IP SET RIP
ADVERTISEDEFAULT and IP SET RIP DEFAULTROUTECOST commands.
Note:
This command is available on FIBER B, D, E, MODULAR and ADSL B, C models only.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option    | Description                                                                                                                    | Default Value
interface | The name of the existing interface that this route will use. To display interface names, use the IP LIST INTERFACES command. | N/A
Example
--> ip add defaultroute interface ip3 disabled
See also
ip add route, ip add route disabled, ip set route enabled
ip add defaultroute gateway, ip add defaultroute gateway disabled
ip set rip advertisedefault
ip set rip defaultroutecost
4.1.8.2.5 IP ADD INTERFACE
Syntax
IP ADD INTERFACE <name> [<ipaddress> [<netmask>]]
Description
This command adds a named interface and optionally sets its IP address. The IP address is
not mandatory at this stage, but if it is not specified in this command, the interface will be
unconfigured. There are three ways that the IP address can be set later:
•
Using the IP SET INTERFACE IPADDRESS command
•
You can set the interface to obtain its configuration via dynamic host configuration
protocol (DHCP) using the IP SET INTERFACE DHCP ENABLED command. By
default, DHCP is disabled.
•
This interface can obtain its IP configuration via PPP IPCP (Internet Protocol Control Protocol) negotiation.
See PPPoA CLI commands or PPPoE CLI commands.
The IP stack automatically creates a loopback interface for address 127.0.0.1 subnet
mask 255.0.0.0. This interface is not displayed by the IP LIST INTERFACES command.
You can use this command to add unnumbered interfaces.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option    | Description | Default Value
name      | An arbitrary name that identifies the IP interface. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
ipaddress | The interface IP address in the format 192.168.102.3. If the IP address is set to the special value 0.0.0.0, the interface is marked as unconfigured. This value is used when the interface address is obtained automatically. For an unnumbered interface, the IP address parameter is used to specify the router-id of the interface. The router-id should be the same as the IP address of one of the router's numbered interfaces. | 0.0.0.0
netmask   | The netmask address of the interface in the format 255.255.255.0. The special value 255.255.255.255 is used to indicate an unnumbered interface. An unnumbered interface is configured by setting the IP address to the interface's router-id value and setting the netmask to 255.255.255.255. | If no netmask is supplied, the natural mask of the IP address is used.
Example
--> ip add interface ip1 192.168.103.3 255.255.255.0
See also
ip attach
ip show interface
ip set interface ipaddress
ip set interface dhcp
Note:
For information on setting DHCP client configuration options, see DHCP Client command reference.
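The rules in the option table above (the interface naming rule, 0.0.0.0 meaning unconfigured, 255.255.255.255 meaning unnumbered, and the natural mask used when no netmask is given) are easy to get wrong in a provisioning script that generates these commands. The following Python is an added example, not code from this manual or from the gateway firmware: it validates the arguments of an IP ADD INTERFACE command and reports the interface state that would result. The function names, the classful A/B/C interpretation of "natural mask", and the acceptance of underscores in names (as used by the ip_virtual example later in this chapter) are assumptions.

```python
import ipaddress
import re

# Naming rule from the manual: letters, or letters and digits, never starting with a digit.
# Assumption: underscores are also accepted (the manual's own examples use ip_virtual, ip_real).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

UNCONFIGURED = "0.0.0.0"             # address to be filled in later by IP SET INTERFACE IPADDRESS, DHCP or IPCP
UNNUMBERED_MASK = "255.255.255.255"  # marks an unnumbered interface; the address is then a router-id


def is_valid_name(name: str) -> bool:
    """Apply the naming rule for IP interface names."""
    return NAME_RE.match(name) is not None


def natural_mask(ip: str) -> str:
    """Classful natural mask of an address (assumption: class A /8, class B /16, otherwise /24)."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_add_interface(argv):
    """Interpret the arguments of IP ADD INTERFACE <name> [<ipaddress> [<netmask>]].

    Hypothetical helper: returns a dict describing the interface state the command
    would produce, or raises ValueError for arguments the command should reject.
    """
    if not 1 <= len(argv) <= 3:
        raise ValueError("usage: ip add interface <name> [<ipaddress> [<netmask>]]")
    name = argv[0]
    if not is_valid_name(name):
        raise ValueError(f"bad interface name {name!r}: letters/digits only, must not start with a digit")

    ip = argv[1] if len(argv) > 1 else UNCONFIGURED
    ipaddress.IPv4Address(ip)  # rejects malformed addresses with ValueError

    if ip == UNCONFIGURED:
        return {"name": name, "state": "unconfigured", "ipaddress": ip, "netmask": None}

    mask = argv[2] if len(argv) > 2 else natural_mask(ip)
    if mask == UNNUMBERED_MASK:
        # The address is a router-id; it should match one of the numbered interfaces.
        return {"name": name, "state": "unnumbered", "router_id": ip, "netmask": mask}

    # IPv4Network rejects a non-contiguous mask; strict=False tolerates host bits in the address.
    subnet = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return {"name": name, "state": "numbered", "ipaddress": ip, "netmask": mask, "subnet": str(subnet)}


if __name__ == "__main__":
    # The manual's own example: ip add interface ip1 192.168.103.3 255.255.255.0
    print(parse_add_interface(["ip1", "192.168.103.3", "255.255.255.0"]))
    # Natural mask fallback when the netmask is omitted
    print(parse_add_interface(["ip2", "10.1.2.3"]))
```

Running the check before a command is sent catches the two mistakes that are hardest to notice afterwards: an address that silently picks up a classful natural mask, and a 255.255.255.255 mask that turns the interface into an unnumbered one instead of a host address.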
4.1.8.2.6 IP ADD ROUTE
Syntax
IP ADD ROUTE <name> <dest_ip> <netmask> {[GATEWAY
<gateway_ip>]|[INTERFACE <interface>]}
Description
This command creates a static route to a destination network address via a gateway
device or an existing interface. It also allows you to create a default route.
Note:
You can only create one default route. A default route will not be created if you have already created a
default route using the IP ADD DEFAULTROUTE GATEWAY command or the IP ADD DEFAULTROUTE INTERFACE
command.
A route specifies a destination network (or single host), together with a mask to indicate
what range of addresses the network covers, and a next-hop gateway address or interface. If there is a choice of routes for a destination, the route with the most specific mask
is chosen.
Routes are used when sending datagrams as well as forwarding them, so they are not relevant only to routers. However, a system with a single interface is likely to have a single
route as a default route to the router on the network that it most often needs to use. If
the interface can communicate more efficiently with a particular destination by using a
different router, then it will learn this fact from an Internet Control Message Protocol
(ICMP) redirect message.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description | Default Value
name       | An arbitrary name that identifies the route. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. To create a default static route to a destination address, type default as the route name. You can only create one route called default. | N/A
dest_ip    | The IP address of the destination network displayed in the following format: 192.168.102.3 | N/A
netmask    | The destination netmask address (format: 255.255.255.0) | N/A
gateway_ip | The IP address of the gateway that this route will use, displayed in the following format: 192.168.102.3 | N/A
interface  | The existing interface that this route will use. To display interface names, use the IP LIST INTERFACES command. | N/A
Example
Example 1 routes through a gateway.
--> ip add route route1 192.168.103.3 255.255.255.0 gateway 192.168.102.3
Example 2 is a default route.
--> ip add route default 0.0.0.0 0.0.0.0 interface ip1
See also
ip list interfaces
ip add defaultroute gateway
ip add defaultroute interface
4.1.8.2.7 IP ADD ROUTE DISABLED
Syntax
IP ADD ROUTE <name> <dest_ip> <netmask> {[GATEWAY
<gateway_ip>]|[INTERFACE <interface>]} DISABLED
Description
This command creates a static route to a destination network address via a gateway
device or an existing interface. It also allows you to create a default route.
Note:
You can only create one default route. A default route will not be created if you have already created a
default route using the IP ADD DEFAULTROUTE GATEWAY command or the IP ADD DEFAULTROUTE INTERFACE
command.
A route specifies a destination network (or single host), together with a mask to indicate
what range of addresses the network covers, and a next-hop gateway address or interface. If there is a choice of routes for a destination, the route with the most specific mask
is chosen.
Routes are used when sending datagrams as well as forwarding them, so they are not relevant only to routers. However, a system with a single interface is likely to have a single
route as a default route to the router on the network that it most often needs to use. If
the interface can communicate more efficiently with a particular destination by using a different router, then it will learn this fact from an Internet Control Message Protocol
(ICMP) redirect message.
Note:
This command is available on FIBER B, D, E, MODULAR and ADSL B, C models only.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description | Default Value
name       | An arbitrary name that identifies the route. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. To create a default static route to a destination address, type default as the route name. You can only create one route called default. | N/A
dest_ip    | The IP address of the destination network displayed in the following format: 192.168.102.3 | N/A
netmask    | The destination netmask address (format: 255.255.255.0) | N/A
gateway_ip | The IP address of the gateway that this route will use, displayed in the following format: 192.168.102.3 | N/A
interface  | The existing interface that this route will use. To display interface names, use the IP LIST INTERFACES command. | N/A
Example
Example 1 routes through a gateway.
--> ip add route route1 192.168.103.3 255.255.255.0 gateway 192.168.102.3
Example 2 is a default route.
--> ip add route default 0.0.0.0 0.0.0.0 interface ip1
See also
ip list interfaces
ip add defaultroute gateway
ip add defaultroute interface
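The route selection rule described in IP ADD ROUTE and IP ADD ROUTE DISABLED (the most specific mask wins), the one-default-route restriction, and the DISABLED form that stores a route without activating it are small enough to model directly. The following Python is an added example, not code from this manual or from the gateway firmware; the class and method names are assumptions, and the sample addresses are the manual's own example values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    name: str
    dest: ipaddress.IPv4Network        # destination network; 0.0.0.0/0 for the default route
    gateway: Optional[str] = None      # next-hop address, or None for an interface-bound route
    interface: Optional[str] = None
    enabled: bool = True               # False when the route was created with DISABLED


class RouteTable:
    """Static route table following the IP ADD ROUTE rules: a route is reached via a
    gateway or an interface (not both), only one route may be named 'default', and a
    lookup picks the enabled route with the most specific mask."""

    DEFAULT = "default"

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def has_default_route(self) -> bool:
        return any(r.name == self.DEFAULT for r in self.routes)

    def add_route(self, name, dest_ip, netmask, gateway=None, interface=None, disabled=False):
        if (gateway is None) == (interface is None):
            raise ValueError("specify exactly one of GATEWAY <gateway_ip> or INTERFACE <interface>")
        if name == self.DEFAULT and self.has_default_route():
            raise ValueError("a default route already exists; only one may be created")
        dest = ipaddress.IPv4Network(f"{dest_ip}/{netmask}", strict=False)
        self.routes.append(Route(name, dest, gateway, interface, enabled=not disabled))

    def add_defaultroute_gateway(self, gateway_ip, disabled=False):
        # Shortcut form: ip add defaultroute gateway <gateway_ip> [disabled]
        self.add_route(self.DEFAULT, "0.0.0.0", "0.0.0.0", gateway=gateway_ip, disabled=disabled)

    def add_defaultroute_interface(self, interface, disabled=False):
        # Shortcut form: ip add defaultroute interface <interface> [disabled]
        self.add_route(self.DEFAULT, "0.0.0.0", "0.0.0.0", interface=interface, disabled=disabled)

    def set_route_enabled(self, name, enabled=True):
        # Models ip set route enabled / disabled for a route that was stored inactive.
        for r in self.routes:
            if r.name == name:
                r.enabled = enabled
                return
        raise KeyError(name)

    def lookup(self, dst_ip) -> Optional[Route]:
        """Longest-prefix match over the enabled routes; None when nothing covers dst_ip."""
        dst = ipaddress.IPv4Address(dst_ip)
        best = None
        for r in self.routes:
            if r.enabled and dst in r.dest:
                if best is None or r.dest.prefixlen > best.dest.prefixlen:
                    best = r
        return best


if __name__ == "__main__":
    rt = RouteTable()
    rt.add_route("route1", "192.168.103.3", "255.255.255.0", gateway="192.168.102.3")
    rt.add_route("default", "0.0.0.0", "0.0.0.0", interface="ip1")
    print(rt.lookup("192.168.103.77").name, rt.lookup("8.8.8.8").name)
```

A route created with DISABLED is stored but skipped by lookup until it is enabled, which is the state the ip set route enabled entry in the See also list refers to. The test below also shows a /32 host route winning over a /24 and over the default route purely because of its longer mask.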
4.1.8.2.8 IP ATTACH
Syntax
IP ATTACH {<name>|<number>} <transport>
Description
This command attaches an existing transport to an existing IP interface (e.g., a bridge or
router) so that data can be transported via the selected transport method.
This command implicitly enables the transport being attached.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option    | Description | Default Value
name      | An existing IP interface. To display interface names, use the ip list interfaces command. | N/A
number    | An existing IP interface. To display interface numbers, use the ip list interfaces command. The number appears in the first column under the heading ID. | N/A
transport | An existing transport. | N/A
Example
In the example below, eth1 is the name of an Ethernet transport created using the ETHERNET ADD TRANSPORT command:
--> ip attach ip1 eth1
See also
IP ADD INTERFACE
IP LIST INTERFACES
4.1.8.2.9 IP ATTACHBRIDGE
Syntax
IP ATTACHBRIDGE {<name>|<number>}
Description
This command attaches the bridge to the router via an existing IP interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the ip list interfaces command. | N/A
number | An existing IP interface. To display interface numbers, use the ip list interfaces command. The number appears in the first column under the heading ID. | N/A
See also
IP ADD INTERFACE
IP LIST INTERFACES
4.1.8.2.10 IP ATTACHVIRTUAL
Syntax
IP ATTACHVIRTUAL <name> <real_interface>
Description
This command creates a virtual interface. The virtual interface is associated with a ‘real’
IP interface that has already been attached to a transport using the IP attach command.
You can attach multiple virtual interfaces to one ‘real’ IP interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option         | Description | Default Value
name           | An existing IP interface to be used as a virtual interface. The IP interface should not have a transport attached to it. To display interface names, use the IP LIST INTERFACES command. | N/A
real_interface | An existing 'real' IP interface, attached to a transport, with which the virtual interface is associated. To display interface names, use the IP LIST INTERFACES command. | N/A
Example
--> ip attachvirtual ip_virtual ip_real
See also
ip list interfaces
4.1.8.2.11 IP CLEAR ARPENTRIES
Syntax
ip clear arpentries
Description
This command clears all ARP entries.
Example
--> ip clear arpentries
See also
IP LIST ARPENTRIES
4.1.8.2.12 IP CLEAR INTERFACES
Syntax
ip clear interfaces
Description
This command clears all IP interfaces that were created using the IP ADD INTERFACE
command.
Example
--> ip clear interfaces
See also
ip delete interface
4.1.8.2.13 IP CLEAR RIPROUTES
Syntax
ip clear riproutes
Description
This command deletes all the existing dynamic routes that have been obtained from RIP.
It does not delete the static routes; see the IP CLEAR ROUTES command.
Example
--> ip clear riproutes
See also
ip clear routes
ip set rip hostroutes
ip set interface rip accept
ip set interface rip send
4.1.8.2.14 IP CLEAR ROUTES
Syntax
ip clear routes
Description
This command clears all static routes that were created using the IP ADD ROUTE command.
Example
--> ip clear routes
See also
IP DELETE ROUTE
4.1.8.2.15 IP DELETE INTERFACE
Syntax
IP DELETE INTERFACE {<name>|<number>}
Description
This command deletes a single IP interface that was created using the IP ADD INTERFACE command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
Example
--> ip delete interface ip1
See also
IP CLEAR INTERFACES
IP LIST INTERFACES
4.1.8.2.16 IP DELETE ROUTE
Syntax
IP DELETE ROUTE {<name>|<number>}
Description
This command deletes a single route that was created using the IP ADD ROUTE command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing route. To display route names, use the IP LIST ROUTES command. | N/A
number | An existing route. To display route numbers, use the IP LIST ROUTES command. The number appears in the first column under the heading ID. | N/A
Example
--> ip delete route route1
See also
IP LIST ROUTES
4.1.8.2.17 IP DETACH INTERFACE
Syntax
IP DETACH {<name>|<number>}
Description
This command detaches a transport from an IP interface that was previously attached
using the IP ATTACH INTERFACE command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the ip list interfaces command. | N/A
number | An existing IP interface. To display interface numbers, use the ip list interfaces command. The number appears in the first column under the heading ID. | N/A
Example
--> ip detach ip1
See also
ip list interfaces
4.1.8.2.18 IP INTERFACE ADD PROXYARPENTRY
Syntax
IP INTERFACE {<name>|<number>} ADD PROXYARPENTRY <ipaddress>
[<netmask>]
Description
This command configures proxy ARP functionality on an existing IP interface. This means
that an interface responds to ARP requests for both its own address and for any address
that has been configured as a proxy ARP address.
You can configure proxy ARP functionality on a single address or a range of addresses.
Once you have configured a range of proxy ARP interfaces, you can set one or more
addresses in the range to NOT respond to proxy ARP using the IP INTERFACE ADD
PROXYARPEXCLUSION command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option    | Description | Default Value
name      | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number    | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
ipaddress | The IP address/range of addresses of the interface to be set as a proxy ARP entry, in the format: 192.168.102.3 | N/A
netmask   | The netmask address (or range of addresses) of the interface, displayed in the following format: 255.255.255.0 | N/A
Example
The following command adds proxy ARP support to the entire subnet 192.168.100.0:
--> ip interface ip1 add proxyarpentry 192.168.100.0 255.255.255.0
See also
ip interface add proxyarpexclusion
ip interface list proxyarpentries
4.1.8.2.19 IP INTERFACE ADD PROXYARPEXCLUSION
Syntax
IP INTERFACE {<name>|<number>} ADD PROXYARPEXCLUSION <ipaddress>
[<netmask>]
Description
This command configures proxy ARP exclusion functionality on an existing IP interface.
This means that once you have configured an interface with a range of proxy ARP interfaces, you can set one or more addresses in the range to NOT respond to proxy ARP.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option    | Description | Default Value
name      | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number    | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
ipaddress | The IP address (or range of addresses) of the interface that you want to set as a proxy ARP exclusion entry, displayed in the following format: 192.168.102.3 | N/A
netmask   | The netmask address (or range of addresses) of the interface, displayed in the following format: 255.255.255.0 | N/A
Example
Example 1 adds proxy ARP support to the subnet 192.168.100.0:
--> ip interface ip1 add proxyarpentry 192.168.100.0 255.255.255.0
Example 2 adds proxy ARP exclusion support to 192.168.100.10 255.255.255.254:
--> ip interface ip1 add proxyarpexclusion 192.168.100.10 255.255.255.254
This means that the entire 192.168.100.0 subnet supports proxy ARP, EXCEPT for
addresses 192.168.100.10 and 192.168.100.11.
See also
IP INTERFACE ADD PROXYARPENTRY
IP INTERFACE LIST PROXYARPENTRIES
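Example 2 above is the case worth checking carefully: a 255.255.255.254 exclusion covers exactly two addresses, and the interface keeps answering ARP for the rest of the 192.168.100.0 subnet, which is why an overly wide proxy ARP entry on a gateway deserves review. The following Python is an added example, not code from this manual or from the gateway firmware: it keeps entries and exclusions in the shape that IP INTERFACE LIST PROXYARPENTRIES displays (ID, IP address, netmask, Exclude flag) and decides whether the interface would answer an ARP request for a given address. The class name, the treatment of an entry given without a netmask as a single host, and the sample own address of the interface are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple


class ProxyArpTable:
    """Proxy ARP entries and exclusions of one IP interface (hypothetical model)."""

    def __init__(self, own_address: str) -> None:
        self.own = ipaddress.IPv4Address(own_address)   # the interface's own address
        # (entry id, covered network, exclude flag) in the order the entries were added
        self.entries: List[Tuple[int, ipaddress.IPv4Network, bool]] = []

    def _add(self, ip: str, netmask: Optional[str], exclude: bool) -> int:
        # Assumption: a missing netmask means a single host (255.255.255.255).
        net = ipaddress.IPv4Network(f"{ip}/{netmask or '255.255.255.255'}", strict=False)
        entry_id = len(self.entries) + 1
        self.entries.append((entry_id, net, exclude))
        return entry_id

    def add_proxyarpentry(self, ip: str, netmask: Optional[str] = None) -> int:
        """ip interface <name> add proxyarpentry <ipaddress> [<netmask>]"""
        return self._add(ip, netmask, exclude=False)

    def add_proxyarpexclusion(self, ip: str, netmask: Optional[str] = None) -> int:
        """ip interface <name> add proxyarpexclusion <ipaddress> [<netmask>]"""
        return self._add(ip, netmask, exclude=True)

    def delete_entry(self, entry_id: int) -> None:
        """ip interface <name> delete proxyarpentry|proxyarpexclusion <number>"""
        self.entries = [e for e in self.entries if e[0] != entry_id]

    def answers_arp_for(self, target_ip: str) -> bool:
        """Would this interface reply to an ARP request for target_ip?

        Its own address: always. Any other address: only if it lies inside a proxy
        ARP entry and not inside any exclusion.
        """
        target = ipaddress.IPv4Address(target_ip)
        if target == self.own:
            return True
        included = any(target in net for _, net, exc in self.entries if not exc)
        excluded = any(target in net for _, net, exc in self.entries if exc)
        return included and not excluded

    def render(self) -> List[str]:
        """Rows in the shape of the manual's IP INTERFACE LIST PROXYARPENTRIES output."""
        rows = ["ID | IP Address | Netmask | Exclude"]
        for entry_id, net, exc in self.entries:
            rows.append(f"{entry_id} | {net.network_address} | {net.netmask} | {str(exc).lower()}")
        return rows


if __name__ == "__main__":
    # The manual's examples 1 and 2 for interface ip1 (own address is a constructed value)
    table = ProxyArpTable("192.168.100.1")
    table.add_proxyarpentry("192.168.100.0", "255.255.255.0")
    table.add_proxyarpexclusion("192.168.100.10", "255.255.255.254")
    print("\n".join(table.render()))
    for host in ("192.168.100.9", "192.168.100.10", "192.168.100.11", "192.168.100.12"):
        print(host, table.answers_arp_for(host))
```

Listing the table this way before and after a change is the quickest way to confirm that an exclusion really removes the two addresses intended and nothing else.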
4.1.8.2.20 IP INTERFACE ADD SECONDARYIPADDRESS
Syntax
IP INTERFACE {<name>|<number>} ADD SECONDARYIPADDRESS <ipaddress>
[<netmask>]
Description
This command adds a secondary IP address to an existing IP interface. A secondary
address may be used to create an extra IP address on an interface for management purposes, or to allow the IP stack to route between two subnets on the same interface.
The functionality of secondary IP addresses depends on several parameters including the
type of IP interface and the netmask:
•
If a secondary address is on the same subnet as the primary interface address, you
do not need to specify a subnet mask for that secondary address. This applies to all
interface types.
•
If a secondary address is on a different subnet to the primary address, and the interface is Ethernet or a transport using a bridged encapsulation, you must specify the
subnet mask. The IP stack will listen on the new address for connections to local
services (e.g., for management purposes), and will also route packets to the new
subnet.
•
If a secondary address is on a different subnet to the primary address, and the interface is a point-to-point interface, specifying a netmask is optional:
•
For the same behavior as described for Ethernet interfaces above, the subnet mask
should be specified.
•
If the subnet mask is not specified, the IP address will not be associated with any
subnet, but will still be recognized as one of the IP stack's own addresses for local
traffic.
Note:
The ability to specify a subnet mask with a secondary address is still supported, but superseded by the
functionality of virtual interfaces. You should use virtual interfaces instead; see IP
ATTACHVIRTUAL. Support for adding secondary IP addresses including subnet mask specification will be
withdrawn in a future release.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option    | Description | Default Value
name      | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number    | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
ipaddress | A secondary IP address that you want to add to the main IP interface. You can add any number of secondary IP addresses. The IP address is displayed in the following format: 192.168.102.3. To display the secondary IP addresses, use the IP INTERFACE LIST SECONDARYIPADDRESSES command. | N/A
netmask   | The netmask of the secondary IP address, displayed in the following format: 255.255.255.0. To display the secondary IP addresses, use the IP INTERFACE LIST SECONDARYIPADDRESSES command. | none specified
Example
--> ip interface ip1 add secondaryipaddress 192.168.102.3 255.255.255.0
See also
IP LIST INTERFACES
IP INTERFACE LIST SECONDARYIPADDRESSES
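The netmask rules in the IP INTERFACE ADD SECONDARYIPADDRESS description decide whether a secondary address only makes the gateway answer for that one address or also makes it route into a new subnet. The following Python is an added example, not code from this manual or from the gateway firmware: it applies those rules when a secondary address is added and classifies a destination as local (one of the stack's own addresses), on-link (inside a subnet the interface routes to) or remote. The class and method names, the point_to_point flag and the sample addresses are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple


class IpInterface:
    """Primary address plus secondary addresses of one IP interface (hypothetical model)."""

    def __init__(self, name: str, ip: str, netmask: str, point_to_point: bool = False) -> None:
        self.name = name
        self.primary = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        self.point_to_point = point_to_point     # False models Ethernet / bridged transports
        # (address, subnet it is attached to or None when it has no subnet)
        self.secondaries: List[Tuple[ipaddress.IPv4Address, Optional[ipaddress.IPv4Network]]] = []

    def needs_netmask(self, ip: str) -> bool:
        """True when the manual requires a netmask for this secondary address:
        different subnet from the primary on an Ethernet/bridged interface."""
        addr = ipaddress.IPv4Address(ip)
        return addr not in self.primary.network and not self.point_to_point

    def add_secondaryipaddress(self, ip: str, netmask: Optional[str] = None) -> None:
        """ip interface <name> add secondaryipaddress <ipaddress> [<netmask>]"""
        addr = ipaddress.IPv4Address(ip)
        if addr in self.primary.network:
            # Same subnet as the primary: no mask needed, the address joins that subnet.
            self.secondaries.append((addr, self.primary.network))
            return
        if netmask is None:
            if self.needs_netmask(ip):
                raise ValueError(f"{ip}: netmask required on an Ethernet/bridged interface")
            # Point-to-point without a mask: own address, but attached to no subnet.
            self.secondaries.append((addr, None))
            return
        # With a mask (any interface type) the stack also routes to the new subnet.
        self.secondaries.append((addr, ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)))

    def own_addresses(self) -> List[str]:
        return [str(self.primary.ip)] + [str(a) for a, _ in self.secondaries]

    def classify(self, dst: str) -> str:
        """'local' for one of the stack's own addresses, 'onlink' for a destination inside
        a subnet this interface routes to, otherwise 'remote'."""
        d = ipaddress.IPv4Address(dst)
        if str(d) in self.own_addresses():
            return "local"
        subnets = [self.primary.network] + [n for _, n in self.secondaries if n is not None]
        if any(d in n for n in subnets):
            return "onlink"
        return "remote"


if __name__ == "__main__":
    # The manual's example: ip interface ip1 add secondaryipaddress 192.168.102.3 255.255.255.0
    eth = IpInterface("ip1", "192.168.103.3", "255.255.255.0")
    eth.add_secondaryipaddress("192.168.102.3", "255.255.255.0")
    for dst in ("192.168.102.3", "192.168.102.9", "192.168.103.9", "10.1.1.1"):
        print(dst, eth.classify(dst))
```

The difference between the last two bullets of the description is visible in the point-to-point case of the test: without a mask the address is reachable as the gateway itself, but neighbours in its subnet are still classified as remote and need an explicit route.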
4.1.8.2.21 IP INTERFACE ADD STATICARPENTRY
Syntax
IP INTERFACE {<name>|<number>} ADD STATICARPENTRY <ipaddress> <macaddr>
Description
This command allows you to add a static ARP entry. This is useful for testing purposes.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option    | Description | Default Value
name      | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number    | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
ipaddress | The IP address/range of addresses of the interface to be set as a static ARP entry, in the format: 192.168.102.3 | N/A
macaddr   | A valid MAC address in the format: ##:##:##:##:##:## | N/A
Example
--> ip interface ip1 add staticarpentry 192.168.1.1 00:20:2b:e0:03:87
See also
ip list interfaces
ip interface list staticarpentries
4.1.8.2.22 IP INTERFACE CLEAR PROXYARPENTRIES
Syntax
IP INTERFACE {<name>|<number>} CLEAR PROXYARPENTRIES
Description
This command clears all proxy ARP entries and exclusions that were created using the IP
INTERFACE ADD PROXYARPENTRY and IP INTERFACE ADD PROXYARPEXCLUSION commands.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
Example
--> ip interface ip1 clear proxyarpentries
See also
IP INTERFACE ADD PROXYARPENTRY
IP INTERFACE ADD PROXYARPEXCLUSION
4.1.8.2.23 IP INTERFACE CLEAR SECONDARYIPADDRESSES
Syntax
IP INTERFACE {<name>|<number>} CLEAR SECONDARYIPADDRESSES
Description
This command deletes all additional IP addresses that have been added to an existing IP
interface using the IP INTERFACE ADD SECONDARYIPADDRESS command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
Example
--> ip interface ip1 clear secondaryipaddresses
See also
IP LIST INTERFACES
IP INTERFACE ADD SECONDARYIPADDRESS
IP INTERFACE DELETE SECONDARYIPADDRESS
IP INTERFACE LIST SECONDARYIPADDRESSES
4.1.8.2.24 IP INTERFACE CLEAR STATICARPENTRIES
Syntax
IP INTERFACE {<name>|<number>} CLEAR STATICARPENTRIES
Description
This command clears all static ARP entries that were created using the IP INTERFACE
ADD STATICARPENTRY command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
Example
--> ip interface ip1 clear staticarpentries
See also
ip list interfaces
4.1.8.2.25 IP INTERFACE DELETE PROXYARPENTRIES
Syntax
IP INTERFACE {<name>} DELETE PROXYARPENTRIES <number>
Description
This command deletes a single proxy ARP entry that was created using the IP INTERFACE ADD PROXYARPENTRY command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing proxy ARP entry. To display proxy ARP entry numbers, use the IP INTERFACE LIST PROXYARPENTRIES command. | N/A
Example
--> ip interface ip1 delete proxyarpentry 1
See also
IP INTERFACE ADD PROXYARPENTRY
IP INTERFACE LIST PROXYARPENTRIES
4.1.8.2.26 IP INTERFACE DELETE PROXYARPEXCLUSION
Syntax
IP INTERFACE {<name>} DELETE PROXYARPEXCLUSION <number>
Description
This command deletes a single proxy ARP exclusion entry that was created using the IP
INTERFACE ADD PROXYARPEXCLUSION command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing proxy ARP exclusion entry. To display proxy ARP exclusion numbers, use the IP INTERFACE LIST PROXYARPENTRIES command. | N/A
Example
--> ip interface ip1 delete proxyarpexclusion 2
See also
IP INTERFACE ADD PROXYARPEXCLUSION
IP INTERFACE LIST PROXYARPENTRIES
4.1.8.2.27 IP INTERFACE DELETE SECONDARYIPADDRESSES
Syntax
IP INTERFACE {<name>|<number>} DELETE SECONDARYIPADDRESS
<secondaryipaddress number>
Description
This command deletes a single secondary IP address that has previously been added to
an existing IP interface using the IP INTERFACE ADD SECONDARYIPADDRESS command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option                    | Description | Default Value
name                      | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number                    | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
secondaryipaddress number | The number that identifies a secondary IP address that you want to delete from the main IP interface. To display secondary IP address numbers, use the IP INTERFACE LIST SECONDARYIPADDRESSES command. The number appears in the first column under the heading ID. | N/A
Example
--> ip interface ip1 delete secondaryipaddress 1
See also
IP LIST INTERFACES
IP INTERFACE LIST SECONDARYIPADDRESSES
4.1.8.2.28 IP INTERFACE DELETE STATICARPENTRY
Syntax
IP INTERFACE <name> DELETE STATICARPENTRY <number>
Description
This command deletes a single static ARP entry that was created using the IP INTERFACE ADD STATICARPENTRY command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name   | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing static ARP entry. To display static ARP entry numbers, use the IP INTERFACE LIST STATICARPENTRIES command. | N/A
Example
--> ip interface ip1 delete staticarpentry 2
See also
ip list interfaces
ip interface list staticarpentries
4.1.8.2.29 IP INTERFACE LIST PROXYARPENTRIES
Syntax
IP INTERFACE {<name>|<number>} LIST PROXYARPENTRIES
Description
This command displays information about proxy ARP entries and exclusions that were
created using the IP INTERFACE ADD PROXYARPENTRY and IP INTERFACE ADD
PROXYARPEXCLUSION commands. The gateway answers ARP requests on this interface for
every address covered by a proxy ARP entry and not covered by an exclusion, so check
that no entry is broader than intended.
The following information is displayed:
• Interface ID numbers
• IP address and netmask of proxy ARP entries and exclusions
• Exclusion status: true for exclusions, false for inclusions
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
Example
--> ip interface ip1 list proxyarpentries
  ID | IP Address     | Netmask         | Exclude
-----|----------------|-----------------|---------
   1 | 192.168.100.0  | 255.255.255.0   | false
   2 | 192.168.100.8  | 255.255.255.254 | true
---------------------------------------------------
See also
IP INTERFACE ADD PROXYARPENTRY
IP INTERFACE ADD PROXYARPEXCLUSION
IP LIST INTERFACES
4.1.8.2.30 IP INTERFACE LIST SECONDARYIPADDRESSES
Syntax
IP INTERFACE {<name>|<number>} LIST SECONDARYIPADDRESSES
Description
This command lists the secondary IP addresses (and netmasks if applicable) that have
been added to an existing IP interface using the IP INTERFACE ADD SECONDARYIPADDRESS command.
Options
The following table gives the range of values for each option THAT can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
Example
In the example output below, secondary IP addresses without associated netmasks
appear as 0.0.0.0 by default.
--> ip interface ip1 list secondaryipaddresses
  ID | IP Address       | Netmask
-----|------------------|----------------
   1 | 192.168.104.6    | 255.255.255.0
   2 | 192.168.103.4    | 0.0.0.0
   3 | 192.168.103.2    | 0.0.0.0
-----------------------------------------
See also
IP LIST INTERFACES
IP INTERFACE ADD SECONDARYIPADDRESS
4.1.8.2.31 IP INTERFACE LIST STATICARPENTRIES
Syntax
IP INTERFACE {<name>|<number>} LIST STATICARPENTRIES
Description
This command displays information about static ARP entries that were created using the
IP INTERFACE ADD STATICARPENTRY command. A static entry fixes the IP-to-MAC binding for
that address on the interface and is not updated by ARP traffic, so use it for gateways
and servers whose traffic must not be redirected by ARP spoofing.
The following information is displayed:
• Interface ID numbers
• IP address of static ARP entries
• MAC address of static ARP entries
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
Example
--> ip interface ip1 list staticarpentries
  ID | IP Address     | Mac Address
-----|----------------|--------------------
   1 | 192.168.100.0  | 00:20:2b:e0:03:87
   2 | 192.168.100.8  | 00:20:2b:03:0a:72
--------------------------------------------
See also
IP LIST INTERFACES
4.1.8.2.32 IP LIST APPSERVICES
Syntax
IP LIST APPSERVICES
Description
A number of system processes use the IP stack to provide services, such as the SNMP agent
and the TFTP server. These services are called AppServices.
This command lists the AppServices that are available and have configurable security
classes. It displays the following information:
• AppService ID numbers
• AppService names
• the security class(es) configured on each AppService
A security class of all means the AppService answers on every security interface,
external ones included. In the example below the SSH, SNMP, HTTP and telnet management
services are all reachable from any interface; use IP SET APPSERVICE to restrict each one
to the interfaces it is actually needed on, bearing in mind that telnet and HTTP carry
credentials unencrypted and SNMP v1/v2c community strings travel in the clear.
Example
--> ip list appservices
-------------------------------------------------------------------
  ID | AppService | Security Classes
-----|------------|--------------------------------------------------
   1 | ssh        | all
   2 | snmp       | all
   3 | http       | all
   4 | telnet     | all
-------------------------------------------------------------------
See also
IP SHOW APPSERVICE
4.1.8.2.33 IP LIST ARPENTRIES
Syntax
ip list arpentries
Description
This command displays the ARP table, which lists the following information:
• IP addresses and corresponding MAC addresses obtained by ARP
• IP interface on which the host is connected
• Static status: ‘no’ for dynamically learned ARP entries; ‘yes’ for static entries
added by the user
Example
--> ip list arpentries
IP ARP table entries:
IP address       | MAC address       | Interface    | Static
-----------------|-------------------|--------------|-------
10.10.10.10      | 00:20:2b:e0:03:87 | ip3          | no
-----------------|-------------------|--------------|-------
20.20.20.20      | 00:20:2b:03:0a:72 | ip2          | no
-----------------|-------------------|--------------|-------
30.30.30.30      | 00:20:2b:03:09:c4 | ip1          | no
-------------------------------------------------------------
See also
IP CLEAR ARPENTRIES
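The listing above is the raw material for a simple ARP-spoofing check. The following Python script is an added example, not part of this manual or of the gateway firmware: it parses two IP LIST ARPENTRIES listings (the first is the example above, the second is a constructed later snapshot) and reports any IP address whose MAC address changed between them, and any MAC address that answers for more than one IP address. A MAC change is legitimate when a NIC is replaced or a DHCP lease moves, so treat a finding as something to verify against the host, not as proof of an attack; a confirmed critical host can then be pinned with IP INTERFACE ADD STATICARPENTRY.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed samples. ARP_BEFORE is the manual's own IP LIST ARPENTRIES output;
# ARP_AFTER is a hypothetical later snapshot in which 10.10.10.10 now resolves
# to the MAC address already used by 20.20.20.20, and 30.30.30.30 has been
# pinned with IP INTERFACE ADD STATICARPENTRY.
ARP_BEFORE = """\
IP ARP table entries:
IP address       | MAC address       | Interface    | Static
-----------------|-------------------|--------------|-------
10.10.10.10      | 00:20:2b:e0:03:87 | ip3          | no
20.20.20.20      | 00:20:2b:03:0a:72 | ip2          | no
30.30.30.30      | 00:20:2b:03:09:c4 | ip1          | no
"""

ARP_AFTER = """\
IP ARP table entries:
IP address       | MAC address       | Interface    | Static
-----------------|-------------------|--------------|-------
10.10.10.10      | 00:20:2b:03:0a:72 | ip3          | no
20.20.20.20      | 00:20:2b:03:0a:72 | ip2          | no
30.30.30.30      | 00:20:2b:03:09:c4 | ip1          | yes
"""


def parse_arpentries(text: str) -> dict[str, tuple[str, str, bool]]:
    """Map IP address -> (MAC, interface, is_static) from IP LIST ARPENTRIES output."""
    table: dict[str, tuple[str, str, bool]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        # Data rows have four cells and start with a dotted-quad address;
        # the title, header and separator lines do not.
        if len(cells) != 4 or cells[0].count(".") != 3:
            continue
        ip, mac, iface, static = cells
        table[ip] = (mac.lower(), iface, static.lower() == "yes")
    return table


def arp_anomalies(before: str, after: str) -> list[str]:
    """Compare two snapshots: flag bindings that changed and MACs claiming several IPs."""
    old, new = parse_arpentries(before), parse_arpentries(after)
    findings: list[str] = []
    for ip, (mac, iface, _static) in sorted(new.items()):
        if ip in old and old[ip][0] != mac:
            findings.append(
                f"{ip} on {iface}: MAC changed {old[ip][0]} -> {mac} "
                "(possible ARP spoofing; verify the host, then pin it with "
                "IP INTERFACE ADD STATICARPENTRY)"
            )
    by_mac: dict[str, list[str]] = defaultdict(list)
    for ip, (mac, _iface, _static) in new.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for line in arp_anomalies(ARP_BEFORE, ARP_AFTER):
        print(line)
```

Run it against two listings captured a few minutes apart; an empty result means no binding moved. The parser only keys on the pipe layout shown above, so it does not depend on column widths.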
4.1.8.2.34 IP LIST CONNECTIONS
Syntax
ip list connections
Description
This command lists the active TCP/UDP connections in use by applications running
on the device. It displays the following information:
• Protocol type (TCP or UDP)
• Local connection address
• Remote connection address
• Connection state for TCP connections
• Owner: the process that opened the socket
This command does not show raw socket connections or UDP connections opened
internally within the IP stack.
Example
The example below shows the listening web server (ports 80 and 8008), SSH and telnet
services, together with the UDP sockets of the TFTP server, SNMP agent, DNS relay, RIP,
SNTP and the DHCP client:
--> ip list connections
Local TCP/UDP connections:
Prot  | Local address        | Remote address       | State       | Owner
------|----------------------|----------------------|-------------|-----------
tcp   | *:8008               | *:*                  | LISTEN      | webserver
tcp   | *:22                 | *:*                  | LISTEN      | sshd
tcp   | *:23                 | *:*                  | LISTEN      | webserver
tcp   | *:80                 | *:*                  | LISTEN      | webserver
udp   | 255.255.255.255:3913 | *:*                  |             | grsp
udp   | *:68                 | *:*                  |             | dhcpclient
udp   | *:68                 | *:*                  |             | dhcpclient
udp   | *:55001              | *:*                  |             | tftp
udp   | *:55000              | *:*                  |             | tftp
udp   | *:50001              | *:*                  |             | snmpr
udp   | *:161                | *:*                  |             | snmpr
udp   | *:50000              | *:*                  |             | dnsrelay
udp   | *:53                 | *:*                  |             | dnsrelay
udp   | *:520                | *:*                  |             | rip
udp   | *:123                | *:*                  |             | sntp
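Together with IP LIST APPSERVICES, this listing is what an auditor checks to see which management services a gateway exposes and from where. The following Python script is an added example, not part of this manual or of the gateway firmware: it parses constructed copies of the two listings shown in this manual, ties each listening port to its AppService by well-known port number (an assumption, because the Owner column names the process rather than the AppService), and reports every service whose security classes include all or external, rating the cleartext protocols higher. A second, constructed appservices listing shows the result once the services have been restricted with IP SET APPSERVICE.

```python
from __future__ import annotations
import re

# Constructed samples, taken from the manual's IP LIST CONNECTIONS and
# IP LIST APPSERVICES examples (connection rows trimmed to the listeners).
CONNECTIONS_SAMPLE = """\
Local TCP/UDP connections:
Prot  | Local address        | Remote address       | State       | Owner
------|----------------------|----------------------|-------------|-----------
tcp   | *:8008               | *:*                  | LISTEN      | webserver
tcp   | *:22                 | *:*                  | LISTEN      | sshd
tcp   | *:23                 | *:*                  | LISTEN      | webserver
tcp   | *:80                 | *:*                  | LISTEN      | webserver
udp   | *:161                | *:*                  |             | snmpr
udp   | *:520                | *:*                  |             | rip
"""

APPSERVICES_SAMPLE = """\
  ID | AppService | Security Classes
-----|------------|-------------------
   1 | ssh        | all
   2 | snmp       | all
   3 | http       | all
   4 | telnet     | all
"""

# Hypothetical listing after restricting each service with IP SET APPSERVICE,
# e.g. "ip set appservice telnet secclasses none" and
# "ip set appservice http secclasses internal".
APPSERVICES_HARDENED = """\
  ID | AppService | Security Classes
-----|------------|-------------------
   1 | ssh        | internal
   2 | snmp       | internal
   3 | http       | internal
   4 | telnet     | none
"""

# Assumption: listeners are tied to AppServices by well-known port, because the
# Owner column names the owning process (webserver, snmpr), not the AppService.
PORT_TO_APPSERVICE = {22: "ssh", 23: "telnet", 80: "http", 161: "snmp"}
CLEARTEXT = {"telnet", "http", "snmp"}  # credentials or community strings unencrypted


def parse_connections(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 5 or cells[0] not in ("tcp", "udp"):
            continue
        proto, local, _remote, state, owner = cells
        rows.append({"proto": proto, "local": local, "port": int(local.rsplit(":", 1)[1]),
                     "state": state, "owner": owner})
    return rows


def parse_appservices(text: str) -> dict[str, set[str]]:
    services: dict[str, set[str]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 3 or not cells[0].isdigit():
            continue
        # secClasses may be written "internal,external" or "internal external"
        services[cells[1]] = {c for c in re.split(r"[,\s]+", cells[2]) if c}
    return services


def audit_exposure(conn_text: str, app_text: str) -> list[str]:
    """Flag management listeners whose AppService is reachable from external interfaces."""
    services = parse_appservices(app_text)
    findings = []
    for row in parse_connections(conn_text):
        if row["proto"] == "tcp" and row["state"] != "LISTEN":
            continue  # established sessions are not exposure
        name = PORT_TO_APPSERVICE.get(row["port"])
        if name is None or name not in services:
            continue
        classes = services[name]
        if "all" in classes or "external" in classes:
            severity = "HIGH" if name in CLEARTEXT else "MEDIUM"
            findings.append(
                f"{severity}: {name} ({row['proto']} {row['local']}, owner {row['owner']}) "
                f"reachable via secclasses {','.join(sorted(classes))}; "
                f"restrict with: ip set appservice {name} secclasses internal"
            )
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_exposure(CONNECTIONS_SAMPLE, APPSERVICES_SAMPLE):
        print(finding)
```

Ports that have no AppService mapping (8008, 520) are reported by neither listing as configurable and are therefore skipped; extend PORT_TO_APPSERVICE if your firmware exposes more AppServices.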
4.1.8.2.35 IP LIST INTERFACES
Syntax
ip list interfaces
Description
This command lists information about IP interfaces that were added using the IP ADD
INTERFACE command. The following information is displayed:
• Interface ID numbers
• Interface names
• IP addresses (if previously specified)
• DHCP status
• Whether a transport is attached to the interface, and if so, the name of the transport
• Whether the interface is a virtual interface attached to a real interface. For a virtual
interface, the name of the real interface it is attached to is displayed in the
Transport column in square brackets, for example [ip_real]
Example
--> ip list interfaces
IP Interfaces:
  ID | Name         | IP Address       | DHCP     | Transport
-----|--------------|------------------|----------|---------------
   1 | ppp_device   | 192.168.102.2    | disabled | pppoe1
   2 | ip2          | 192.168.102.3    | disabled | Not attached
   3 | ip_real      | 192.168.101.2    | disabled | ethernet1
   4 | ip_virtual   | 192.168.150.1    | disabled | [ip_real]
------------------------------------------------------------------
See also
IP SHOW INTERFACE
IP SET INTERFACE DHCP
4.1.8.2.36 IP LIST RIPROUTES
Syntax
ip list riproutes
Description
This command lists information about the routes that have been obtained from RIP. It
displays the following:
• Destination IP addresses
• Destination netmask address
• Gateway address
• Cost: the number of hops counted as the cost of the route
• Timeout: the number of seconds that this RIP route will remain in the routing table
unless updated by RIP
• Source interface: the name of the existing interface that this route uses
Example
--> ip list riproutes
IP RIP routes:
Destination     | Mask            | Gateway         | Cost | Time | Source
----------------|-----------------|-----------------|------|------|-------
192.168.101.1   | 255.255.255.0   | 10.10.10.10     | 1    | 3000 | ip2
-----------------------------------------------------------------------
See also
IP SET RIP HOSTROUTES
IP SET INTERFACE RIP ACCEPT
IP SET INTERFACE RIP SEND
4.1.8.2.37 IP LIST ROUTES
Syntax
ip list routes
Description
This command lists information about existing routes. It displays the following:
• Route ID numbers
• Route names
• Destination IP addresses (if previously specified)
• Destination netmask address (if previously specified)
• Either the gateway address or the name of the destination interface (whichever is
set)
Example
--> ip list routes
IP routes:
  ID | Name     | Destination     | Netmask         | Gateway/Interface
-----|----------|-----------------|-----------------|------------------
   2 | route2   | 192.168.102.3   | 255.255.255.0   | ip1
   1 | route1   | 192.168.50.50   | 255.255.255.0   | 192.168.68.68
-------------------------------------------------------------------
See also
IP SHOW ROUTE
4.1.8.2.38 STOP PING
Syntax
STOP PING
Description
This command stops a running ping request. If you specified a high number of attempts
for an IP PING request and want to end the cycle early, enter STOP PING.
This command takes no parameters. On entering STOP PING, the statistics for the pings
attempted so far are displayed, once the ping task has completed the ping request it
was processing when STOP PING was entered.
Example
--> ip ping 192.168.0.12 iplan 644
(644 specifies the numberOfAttempts)
ping: PING 192.168.0.12: 32 data bytes
ping: 40 bytes from 192.168.0.12: seq = 0, ttl=128, rtt<10ms
ping: 40 bytes from 192.168.0.12: seq = 0, ttl=128, rtt<10ms
ping: 40 bytes from 192.168.0.12: seq = 0, ttl=128, rtt<10ms
ping: 40 bytes from 192.168.0.12: seq = 0, ttl=128, rtt<10ms
--> stop ping
ping: MANUALLY STOPPING THE RUNNING PING REQUEST !!!!!
ping: 40 bytes from 192.168.0.11: seq = 0, ttl=128, rtt<10ms
ping: Ping stopped manually by the user
ping: Ping statistics:
ping: Packets: Sent = 5, Received = 5, Lost = 0
ping: Round-trip times:
ping: Minimum = 0ms, Maximum = 0ms, Average < 1ms
See also
IP PING
Domain name system - DNS
4.1.8.2.39 IP PING
Syntax
IP PING <destination> [<ifname>] [<numberofattempts>]
[<timeoutval>] [<blocksize>] [<tos>]
Description
This command pings a specified destination. If you are using the DNS client, you can ping
either an IP address or a host name; if you are not, you can only ping a destination IP
address.
You can specify the name of the interface over which the ping is sent. The ping request
uses the IP address of that interface as its source IP address.
You can also configure additional parameters for the ping request: the number of ping
attempts [<numberOfAttempts>], the timeout for each request [<timeoutVal>], the data
block size of the outgoing request [<blockSize>] and the type of service or
diffServCodePoint value [<TOS>]. The TOS parameter sets the type of service field of the
outgoing ping request at the IP level and is used for the test packets.
All of these additional parameters are optional; when they are not specified, the Default
Values below are used instead.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
destination | Either the IP address or host name (if you are using the DNS client) of the destination machine that you want to ping. | N/A
ifname | A name that identifies an existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
numberOfAttempts | The number of ping attempts for the ping operation. It ranges from 0-65534. | 1
timeoutVal | The time in seconds for which a ping response is awaited. If the destination is not reachable, the request is treated as timed out after this many seconds. It ranges from 0-60 (seconds). | 4
blockSize | The payload size, in bytes, of a ping request. It ranges from 0-65534. | 32
TOS | The type of service value for the ping request message, used for the test packets. It ranges from 0-64. | 0
Example
--> ip ping 192.168.102.3
ip: ping - reply received from 192.168.102.3
If the ping was unsuccessful, the following output is displayed:
ip: ping - no reply received.
See also
Domain name system - DNS
4.1.8.2.40 IP SET APPSERVICE
Syntax
IP SET APPSERVICE {<name>|<number>} SECCLASSES <secClasses>
Description
A number of system processes use the IP stack to provide services, such as the SNMP agent
and the TFTP server. These services are called AppServices. This command sets the
security class(es) associated with an AppService. A security class is synonymous with a
security interface type (internal, external or dmz). It is assumed that you have already
assigned security interfaces of those types to your IP interfaces using the SECURITY
commands.
Setting the security class(es) for an AppService defines the interface(s) through which
the AppService is reachable. Leave management services such as telnet, HTTP and SNMP
reachable only from the internal security class unless there is a specific need; the
IP LIST APPSERVICES command shows the current setting for each AppService.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | A name that identifies an existing AppService. To display AppService names, use the IP LIST APPSERVICES command. | N/A
number | A number that identifies an existing AppService. To display AppService numbers, use the IP LIST APPSERVICES command. The number appears in the first column under the heading ID. | N/A
secClasses | One or more of the values listed below. | See IP LIST APPSERVICES for the current setting
Supported secClasses values are as follows:
• all - allows access to the AppService via all existing security interfaces
• none - prevents access to the AppService via any existing security interface
• internal - allows access to the AppService via existing internal security interfaces
• external - allows access to the AppService via existing external security interfaces
• dmz - allows access to the AppService via existing dmz security interfaces
To allow access to an AppService via two security interface types, type the secClass
values separated by a comma (for example, internal,external) or separated by a space and
enclosed in double quotation marks (for example, “internal external”).
To specify all three internal, external and dmz secClasses, use the all value.
Examples
--> ip set appservice tftp secclasses external,dmz
--> ip set appservice http secclasses none
See also
IP LIST APPSERVICES
IP SHOW APPSERVICE
4.1.8.2.41 IP SET INTERFACE IPADDRESS
Syntax
IP SET INTERFACE {<name>|<number>} IPADDRESS <ipaddress> [<netmask>]
Description
This command sets the IP address for an existing IP interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
ipaddress | The IP address of the interface, in the format 192.168.102.3. If the IP address is set to the special value 0.0.0.0, the interface is marked as unconfigured; this value is used when the interface address is obtained automatically. For unnumbered interfaces, the IP address parameter specifies the router-id of the interface, which should be the same as the IP address of one of the router’s numbered interfaces. | 0.0.0.0
netmask | The netmask of the interface, in the format 255.255.255.0. The special value 255.255.255.255 indicates an unnumbered interface, which is configured by setting the IP address to the interface’s router-id value and the netmask to 255.255.255.255. | If no netmask is supplied, the natural (classful) mask of the IP address is used.
Example
--> ip set interface ip4 ipaddress 192.168.102.3 255.255.255.0
See also
IP SET INTERFACE MTU
IP SET INTERFACE DHCP
IP LIST INTERFACES
IP SET INTERFACE NETMASK
4.1.8.2.42 IP SET INTERFACE NETMASK
Syntax
IP SET INTERFACE {<name>|<number>} NETMASK <netmask>
Description
This command sets the netmask for an existing IP interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
netmask | The netmask of the interface, in the format 255.255.255.0. The special value 255.255.255.255 indicates an unnumbered interface, which is configured by setting the IP address to the interface’s router-id value and the netmask to 255.255.255.255. | N/A
Example
--> ip set interface ip6 netmask 255.255.255.0
See also
IP SET INTERFACE IPADDRESS
IP LIST INTERFACES
4.1.8.2.43 IP SET INTERFACE MTU
Syntax
IP SET INTERFACE {<name>|<number>} MTU <mtu>
Description
This command sets the MTU (Maximum Transmission Unit) for an existing IP interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
mtu | Maximum Transmission Unit: the maximum packet size (in bytes) the interface can handle. The MTU should be set to a value appropriate for the transport attached to the interface (typically from 576 to 1500 bytes). For example, Ethernet and most other transports support an MTU of 1500 bytes, whereas PPPoE supports an MTU of 1492 bytes. | 1500
Example
--> ip set interface ip2 mtu 800
See also
IP SET INTERFACE IPADDRESS
IP SET INTERFACE DHCP
IP LIST INTERFACES
4.1.8.2.44 IP SET INTERFACE DHCP
Syntax
IP SET INTERFACE {<name>|<number>} DHCP {ENABLED|DISABLED}
Description
This command specifies whether a named interface should obtain its configuration via
DHCP.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
enabled | The interface obtains its configuration information from the DHCP client. | Disabled
disabled | The interface does not use DHCP client configuration information. | Disabled
Example
--> ip set interface ip2 dhcp enabled
See also
IP SET INTERFACE IPADDRESS
IP SET INTERFACE MTU
IP LIST INTERFACES
For information on setting DHCP client configuration options, see the DHCP Client command
reference.
4.1.8.2.45 IP SET INTERFACE GATEWAY
Syntax
IP SET INTERFACE {<name>|<number>} GATEWAY {<IP-ADDRESS>}
Description
This command specifies the gateway IP address associated with the given interface.
Note:
This command is available on FIBER B,D,E MODULAR and ADSL B,C models only.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
ip-address | The gateway IP address. | N/A
Example
--> ip set interface ip2 gateway 192.168.68.68
See also
IP ADD ROUTE
IP SET INTERFACE MTU
IP LIST INTERFACES
4.1.8.2.46 IP SET INTERFACE RIP ACCEPT
Syntax
IP SET INTERFACE {<name>|<number>} RIP ACCEPT {NONE|V1|V2|ALL}
Description
This command specifies whether an existing interface accepts RIP messages, and which
version of RIP messages it accepts.
Accept RIP only on interfaces where a trusted router is expected to send updates: with
no authentication, any host on that segment can inject routes, and RIP v2 plain text
authentication (IP SET RIP AUTHENTICATION) only deters accidental updates, because the
password is visible on the wire.
When receiving RIP v1 messages, the IP stack uses the information it has available to
determine the appropriate subnet mask for the addresses received.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
none | The interface does not accept RIP messages. | None
v1 | The interface only accepts RIP v. 1 messages (RFC1058). | None
v2 | The interface only accepts RIP v. 2 messages (RFC1723). | None
all | The interface accepts RIP version 1 (RFC1058) and RIP version 2 (RFC1723) messages. | None
Example
--> ip set interface ip3 rip accept none
See also
IP SET INTERFACE RIP SEND
IP SET INTERFACE RIP MULTICAST
IP SET RIP HOSTROUTES
IP SET RIP POISON
IP SHOW
IP LIST INTERFACES
4.1.8.2.47 IP SET INTERFACE RIP MULTICAST
Syntax
IP SET INTERFACE {<name>|<number>} RIP MULTICAST {ENABLED | DISABLED}
Description
This command allows you to enable/disable whether RIP version 2 messages are sent via
multicast.
RIP version 2 messages sent via multicast are only received by the hosts on the network
that listen on the RIP v2 multicast group address (224.0.0.9). If this command is
disabled, RIP version 2 messages are sent via broadcast and are received by all the hosts
on the network.
You need to set RIP to send v2 messages using the IP SET INTERFACE RIP SEND command in
order for the IP SET INTERFACE RIP MULTICAST ENABLED command to send version 2 messages
via multicast.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
enabled | Allows RIP version 2 messages to be sent via multicast. | Disabled
disabled | Disables RIP version 2 messages being sent via multicast. Messages are sent via broadcast instead. | Disabled
Example
--> ip set interface ip1 rip multicast enabled
See also
IP LIST INTERFACES
IP SET INTERFACE RIP SEND
4.1.8.2.48 IP SET INTERFACE RIP SEND
Syntax
IP SET INTERFACE {<name>|<number>} RIP SEND {NONE|V1|V2|ALL}
Description
This command specifies whether an existing interface can send RIP messages. You can
specify which version of RIP messages will broadcast routing information on the interface. Routing information is broadcast every 30 seconds or when the RIP routing table is
changed.
Note:
RIP version 1 does not allow specification of subnet masks; a RIP version 1 route that appears to be to
an individual host might in fact be to a subnet, and treating it as a route to the whole network may be the
best way to make use of the information.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
number | An existing IP interface. To display interface numbers, use the IP LIST INTERFACES command. The number appears in the first column under the heading ID. | N/A
rip send none | The interface does not send RIP messages. | rip send none (this command affects all interfaces except loopback interfaces)
rip send v1 | The interface only sends RIP v. 1 messages (RFC1058). | rip send none
rip send v2 | The interface only sends RIP version 2 messages (RFC1723). If set, RIP version 2 is used on all non-loopback interfaces. | rip send none
rip send all | The interface sends RIP version 1 (RFC1058) and RIP version 2 (RFC1723) messages. | rip send none
Example
--> ip set interface ip1 rip send v1
See also
IP SET INTERFACE RIP ACCEPT
IP SET RIP HOSTROUTES
IP SET RIP POISON
IP SHOW
IP LIST INTERFACES
For information on RFC1058 and RFC1723, see http://www.ietf.org/rfc/rfc1723.txt
4.1.8.2.49 IP SET INTERFACE TCPMSSCLAMP
Syntax
IP SET INTERFACE <name> TCPMSSCLAMP {ENABLED|DISABLED}
Description
This command enables/disables TCP MSS (Maximum Segment Size) clamping on an existing IP
interface. When TCP MSS clamping is enabled on an interface, all TCP traffic routed
through that interface is examined. If a TCP SYN (synchronize/start) segment carries an
MSS option larger than the interface MTU (Maximum Transmission Unit) allows, the MSS
option is rewritten to a smaller value so that TCP traffic can pass through the interface
without requiring fragmentation. This matters on transports with a reduced MTU such as
PPPoE (1492 bytes): without clamping, a host on a 1500-byte LAN advertises full-size
segments, and if a path then drops the ICMP "fragmentation needed" messages that path MTU
discovery relies on, large transfers stall.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing IP interface. To display interface names, use the IP LIST INTERFACES command. | N/A
enabled | TCP SYN segments routed through this interface are examined and, if necessary, modified. | Disabled
disabled | The IP stack does not examine or modify TCP traffic routed through this interface. | Disabled
Example
--> ip set interface ip2 tcpmssclamp enabled
See also
IP SET INTERFACE MTU
IP SHOW
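The rewrite described above is the standard MSS clamp. The following Python code is an added example, not part of this manual or of the gateway firmware; it assumes the conventional IPv4 rule that the largest usable MSS is the MTU less 40 bytes of IP and TCP headers, and that the checksum is patched incrementally (RFC 1624) rather than recomputed, which is how an in-path rewriter avoids touching the rest of the segment. It builds a constructed SYN carrying MSS 1460, the value a host on a 1500-byte Ethernet LAN advertises, clamps it for the 1492-byte PPPoE MTU from the IP SET INTERFACE MTU table, and verifies that the resulting segment still has a valid TCP checksum.

```python
from __future__ import annotations
import struct

TCP_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, no IP options (assumption)


def _fold(s: int) -> int:
    """Fold a sum into 16 bits (ones' complement addition)."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header and the segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    return (~_fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))) & 0xFFFF


def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to all ones, so the result is 0."""
    return tcp_checksum(src, dst, segment) == 0


def _csum_update(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m')."""
    return (~_fold((~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word)) & 0xFFFF


def _options(segment: bytes):
    """Yield (offset, kind, length) per TCP option; stop at EOL or malformed data."""
    if len(segment) < 20:
        return
    data_off = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i < data_off:
        kind = segment[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= data_off:
            return
        length = segment[i + 1]
        if length < 2 or i + length > data_off:
            return
        yield i, kind, length
        i += length


def tcp_mss(segment: bytes) -> int | None:
    for off, kind, length in _options(segment):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_tcp_mss(segment: bytes, mtu: int) -> tuple[bytes, int | None]:
    """Return (segment, old_mss). A SYN whose MSS exceeds mtu-40 is rewritten to mtu-40
    and its checksum patched in place; old_mss is None when nothing was changed."""
    if len(segment) < 20 or not (segment[13] & TCP_SYN):
        return segment, None
    max_mss = mtu - IPV4_TCP_OVERHEAD
    for off, kind, length in _options(segment):
        if kind == OPT_MSS and length == 4:
            old = struct.unpack_from("!H", segment, off + 2)[0]
            if old <= max_mss:
                return segment, None
            out = bytearray(segment)
            struct.pack_into("!H", out, off + 2, max_mss)
            old_csum = struct.unpack_from("!H", segment, 16)[0]
            struct.pack_into("!H", out, 16, _csum_update(old_csum, old, max_mss))
            return bytes(out), old
    return segment, None


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed SYN with MSS, NOP, NOP, SACK-permitted options and a valid checksum."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss) + b"\x01\x01" + struct.pack("!BB", 4, 2)
    data_off = ((20 + len(opts)) // 4) << 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off, TCP_SYN, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


if __name__ == "__main__":
    src, dst = bytes([192, 168, 102, 3]), bytes([192, 168, 101, 2])  # constructed addresses
    syn = build_syn(src, dst, 40000, 80, 1460)   # MSS a 1500-byte Ethernet host advertises
    clamped, old = clamp_tcp_mss(syn, 1492)      # PPPoE MTU from the MTU table above
    print(old, tcp_mss(clamped), checksum_ok(src, dst, clamped))
```

The clamp only touches SYN segments, as the description above states; a SYN whose MSS already fits, or one without an MSS option, passes through untouched.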
4.1.8.2.50 IP SET RIP ADVERTISEDEFAULT
Syntax
ip set rip advertisedefault {enabled | disabled}
Description
This command enables/disables the advertising of a default route via RIP. If you set this to
enabled, then create a default route using the IP ADD DEFAULTROUTE commands, the
route will also be added to those advertised by the RIP protocol. The cost associated
with the route is the value set using the IP SET RIP DEFAULTROUTECOST command.
You must enable default advertising before you create the default route.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
enabled | Enables RIP to advertise a default route with the cost metric set using the IP SET RIP DEFAULTROUTECOST command. | Disabled
disabled | Disables advertisement of a default route. | Disabled
Example
--> ip set rip advertisedefault enabled
See also
IP ADD DEFAULTROUTE GATEWAY
IP ADD DEFAULTROUTE INTERFACE
IP SET RIP DEFAULTROUTECOST
IP SET ROUTE ADVERTISE
4.1.8.2.51 IP SET RIP AUTHENTICATION
Syntax
ip set rip authentication {enabled | disabled}
Description
This command enables/disables RIP v2 plain text authentication.
If enabled, a plain text authentication string is placed in RIP v2 packets, and RIP v2
packets are only accepted if they contain an authentication entry with the correct
password string. Packets with no authentication or the wrong password are rejected.
The password travels unencrypted in every RIP v2 packet, so anyone who can capture RIP
traffic on the segment can read it and then send updates that will be accepted. Treat
this as protection against misconfigured routers rather than against an attacker on the
link, and do not accept RIP on untrusted interfaces (see IP SET INTERFACE RIP ACCEPT).
To set an authentication password, use the IP SET RIP PASSWORD command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description
-------|------------
enabled | Places the authentication string in outgoing RIP v2 packets and rejects incoming RIP v2 packets that do not carry the correct one.
disabled | RIP v2 packets are sent and accepted without an authentication entry.
Example
--> ip set rip authentication enabled
See also
ip set rip password
ip show
4.1.8.2.52 IP SET RIP DEFAULTROUTECOST
Syntax
IP SET RIP DEFAULTROUTECOST <cost>
Description
This command sets the number of hops counted as the cost of a default route advertised
via RIP.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
cost | The number of hops counted as the cost of the default route. It can be any positive integer between 1 and 15. | 1
Example
--> ip set rip defaultroutecost 10
See also
IP ADD DEFAULTROUTE GATEWAY
IP ADD DEFAULTROUTE INTERFACE
IP SET RIP ADVERTISEDEFAULT
IP SET ROUTE ADVERTISE
4.1.8.2.53 IP SET RIP HOSTROUTES
Syntax
ip set rip hostroutes {enabled | disabled}
Description
Specifies whether IP interfaces accept RIP routes to individual hosts (host routes).
Note:
RIP version 1 does not allow specification of subnet masks; a RIP version 1 route that appears to be to
an individual host might in fact be to a subnet, and treating it as a route to the whole network may be the
best way to make use of the information.
To display the current state of RIP hostroutes, use the IP SHOW command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
enabled | Sets the hostroutes flag to on. The interface accepts RIP routes to individual hosts. | Disabled
disabled | Sets the hostroutes flag to off: RIP version 1 routes to individual hosts are treated as routes to the network containing the host; RIP version 2 routes to individual hosts are ignored. | Disabled
Example
--> ip set rip hostroutes enabled
See also
IP SET INTERFACE RIP ACCEPT
IP SET INTERFACE RIP SEND
IP SHOW
4.1.8.2.54 IP SET RIP PASSWORD
Syntax
IP SET RIP PASSWORD <password>
Description
This command sets an authentication string that is placed in RIP v2 packets if IP SET RIP
AUTHENTICATION is enabled.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
password | An authentication password used by RIP v2 packets if IP SET RIP AUTHENTICATION is enabled. The password is a string of 0 to 16 characters. | N/A
Example
--> ip set rip password vancouver
See also
IP SET RIP AUTHENTICATION
IP SHOW
4.1.8.2.55 IP SET RIP POISON
Syntax
IP SET RIP POISON {ENABLED | DISABLED}
Description
Enables or disables the poisoned reverse flag. If this flag is on, TCP/IP performs poisoned
reverse as defined in RFC 1058; see that RFC for discussion.
To display the current state of the poisoned reverse flag, use the IP SHOW command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     Description                                                          Default Value
enabled    Sets the poisoned reverse flag to on. TCP/IP performs poisoned      Disabled
           reverse as defined in RFC 1058.
disabled   Sets the poisoned reverse flag to off.
Example
--> ip set rip poison enabled
See also
IP SET INTERFACE RIP ACCEPT
IP SET INTERFACE RIP SEND
IP SET RIP HOSTROUTES
IP SHOW
4.1.8.2.56 IP SET ROUTE
Syntax
IP SET ROUTE {<name>|<number>} <ENABLED|DISABLED>
Description
This command enables/disables an existing static route (including a default route).
If the route being operated on by this command is a default route, then the command may
also have the effect of making the device unreachable.
Note:
This command is available on FIBER B,D,E MODULAR and ADSL B,C models only.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option     Description                  Default Value
enabled    Enables a static route.      Disabled
disabled   Disables a static route.

Example
--> ip set route myroute enabled
See also
IP LIST ROUTES
IP ADD ROUTE
IP SHOW ROUTE
4.1.8.2.57 IP SET ROUTE ADVERTISE
Syntax
IP SET ROUTE {<name>|<number>} ADVERTISE <ENABLED|DISABLED>
Description
This command enables/disables the advertising of an existing static route (including a
default route) via RIP. The cost advertised with this route is the cost specified by the IP
SET ROUTE COST command.
If the route being operated on by this command is a default route, then the setting of the
IP SET RIP ADVERTISEDEFAULT command also has an effect:
• If the IP SET RIP ADVERTISEDEFAULT command is enabled, then it controls the
advertising of the route and uses the cost set by the IP SET RIP DEFAULTROUTECOST
command.
• If the IP SET RIP ADVERTISEDEFAULT command is disabled, then the IP SET
ROUTE ADVERTISE command controls the advertising of the route and uses the
cost set by the IP SET ROUTE COST command as described above.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     Description                                      Default Value
enabled    Enables RIP to advertise a static route.         Disabled
disabled   Disables advertisement of a static route.
Example
--> ip set route myroute advertise enabled
See also
IP SET ROUTE COST
IP LIST ROUTES
IP SET RIP ADVERTISEDEFAULT
IP SET RIP DEFAULTROUTECOST
4.1.8.2.58 IP SET ROUTE DESTINATION
Syntax
IP SET ROUTE {<name>|<number>} DESTINATION <dest-network> <netmask>
Description
This command sets the destination network address of a route previously created using
the IP ADD ROUTE COMMAND.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option         Description                                                      Default Value
name           An existing route. To display route names, use the IP LIST       N/A
               ROUTES command.
number         An existing route. To display route numbers, use the IP LIST     N/A
               ROUTES command. The number appears in the first column under
               the heading ID.
dest-network   The IP address of the destination network in the format:         N/A
               192.168.102.3
netmask        The destination netmask address (format: 255.255.255.0)          N/A
Example
--> ip set route route1 destination 192.168.103.3 255.255.255.0
See also
IP SET ROUTE GATEWAY
IP SET ROUTE COST
IP LIST ROUTES
4.1.8.2.59 IP SET ROUTE GATEWAY
Syntax
IP SET ROUTE {<name>|<number>} GATEWAY <gateway>
Description
This command sets the gateway address of a route previously created using the IP ADD
ROUTE command. If you want the route to go directly to its destination and not via a
gateway, specify 0.0.0.0 as the gateway.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option     Description                                                          Default Value
name       An existing route. To display route names, use the IP LIST ROUTES   N/A
           command.
number     An existing route. To display route numbers, use the IP LIST        N/A
           ROUTES command. The numbers appear in the first column under the
           heading ID.
gateway    The IP address of the gateway that the IP routes through,            N/A
           displayed in the following format: 192.168.102.3. If you added a
           route directly to an interface, the gateway address is set by
           default to 0.0.0.0 so that no gateway is specified.
Example
--> ip set route route1 gateway 192.168.102.3
See also
IP ADD ROUTE
IP SET ROUTE DESTINATION
IP SET ROUTE COST
IP LIST ROUTES
4.1.8.2.60 IP SET ROUTE COST
Syntax
IP SET ROUTE {<name>|<number>} COST <cost>
Description
This command sets the number of hops counted as the cost of the route for a route previously created using the IP ADD ROUTE command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option     Description                                                          Default Value
name       An existing route. To display route names, use the IP LIST ROUTES   N/A
           command.
number     An existing route. To display route numbers, use the IP LIST        N/A
           ROUTES command. The number appears in the first column under the
           heading ID.
cost       The number of hops counted as the cost of the route. This may        1
           affect the choice of route when the route is competing with
           routes acquired from RIP. (Using a mixture of RIP and static
           routing is not advised.) The cost value can be any positive
           integer.
Example
--> ip set route route1 cost 3
See also
IP ADD ROUTE
IP LIST ROUTES
IP SET ROUTE ADVERTISE
4.1.8.2.61 IP SET ROUTE INTERFACE
Syntax
IP SET ROUTE {<name>|<number>} INTERFACE {<interface>|NONE}
Description
This command sets the interface used by a route previously created by the IP ADD
ROUTE command. If you want the existing route to route to an address via a gateway
device, use none so that no interface is set.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option      Description                                                         Default Value
name        An existing route. To display route names, use the IP LIST         N/A
            ROUTES command.
number      An existing route. To display route numbers, use the IP LIST       N/A
            ROUTES command. The number appears in the first column under
            the heading ID.
interface   The name of the existing interface that the IP routes through,     N/A
            displayed in the following format: 192.168.102.3. To display
            interface names, use the IP LIST INTERFACES command.
none        No interface is set. This is used for routes that route via a      N/A
            gateway device instead of an interface.
Example
--> ip set route r1 interface eth1
See also
IP LIST INTERFACES
IP LIST ROUTES
4.1.8.2.62 IP SET TTL
Syntax
IP SET TTL {<number>}
Description
This command sets the default time-to-live (TTL) value in the IP header of a generated IP
packet. To display the current TTL value, use the IP SHOW command.
Note:
This command is available on FIBER B,D,E MODULAR and ADSL B,C models only.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option     Description                                                          Default Value
number     A number that specifies the time-to-live (TTL) value for the IP      128
           header of all transmitted packets.
Example
--> ip set ttl 60
See also
ip show
4.1.8.2.63 IP SHOW
Syntax
ip show
Description
Shows current RIP configuration and any other information global to the router.
Example
--> ip show
Global IP configuration:
Host routes:        false
Poison reverse:     false
Authentication:     false
Auth password:
Advertise default:  false
Default Route Cost: 1
Default TTL:        128
See also
IP SET RIP HOSTROUTES
IP SET RIP POISON
4.1.8.2.64 IP SHOW APPSERVICE
Syntax
IP SHOW APPSERVICE {<name>|<number>}
Description
A number of ISOS processes use the IP stack to provide services, such as the SNMP
agent and the TFTP server. These services are called AppServices.
This command shows system-related information about the specified AppService. The command is typically
used for debugging purposes rather than for normal system configuration.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option     Description                                                          Default Value
name       A name that identifies an existing AppService. To display           N/A
           AppService names, use the ip list appservices command.
number     A number that identifies an existing AppService. To display         N/A
           AppService numbers, use the ip list appservices command. The
           number appears in the first column under the heading ID.
4.1.8.2.65 IP SHOW INTERFACE
Syntax
IP SHOW INTERFACE {<name>|<number>}
Description
This command displays the following information about a named interface:
• IP address and netmask address (if set). For virtual interfaces, the name of the real
interface that the virtual interface is attached to is also displayed.
• MTU (Maximum Transmission Unit)
• Status of DHCP
• Status of TCP MSS Clamp
• Status of RIP send and RIP accept
• Status of RIP multicast
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option     Description                                                          Default Value
name       An existing IP interface. To display interface names, use the IP    N/A
           LIST INTERFACES command.
number     An existing IP interface. To display interface numbers, use the     N/A
           IP LIST INTERFACES command. The number appears in the first
           column under the heading ID.

Example
Real IP interface
--> ip show interface ip0
IP Interface: ip0
IPaddr                 : 10.17.90.153
Mask                   : 255.255.255.0
Rx Packet Count        : 210
Tx Packet Count        : 5
MTU                    : 1500
Dhcp                   : true
TCP MSS Clamp          : false
Source Addr Validation : false
Icmp Router Advertise  : false
Accept V1              : false
Send V1                : false
Accept V2              : false
Send V2                : false
Send Multicast         : false

Virtual IP interface
--> ip show interface ip1
IP Interface: ip1 - virtual [ip0]
IPaddr                 : 192.168.10.1
Mask                   : 255.255.255.0
Rx Packet Count        : 0
Tx Packet Count        : 0
MTU                    : 1500
Dhcp                   : false
TCP MSS Clamp          : false
Source Addr Validation : false
Icmp Router Advertise  : false
Accept V1              : false
Send V1                : false
Accept V2              : false
Send V2                : false
Send Multicast         : false
See also
IP SHOW
IP SHOW ROUTE
IP LIST INTERFACES
4.1.8.2.66 IP SHOW ROUTE
Syntax
IP SHOW ROUTE {<name>|<number>}
Description
This command displays the following information about a named route:
• Destination IP address
• Netmask address
• Gateway IP address
• Cost: the number of hops counted as the cost of the route
• Interface name
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).

Option     Description                                                          Default Value
name       An existing route. To display route names, use the IP LIST ROUTES   N/A
           command.
number     An existing route. To display route numbers, use the IP LIST        N/A
           ROUTES command. The number appears in the first column under the
           heading ID.

Example
--> ip show route route3
IP route: DHCP-DefRt1
Destination:   0.0.0.0
Netmask:       0.0.0.0
Gateway:       10.17.90.1
Cost:          1
Interface:     ip0
Advertise:     false
Route enabled: true
Route valid:   true
See also
IP SHOW
IP LIST ROUTES
4.2 Security
This section describes the AT-iMG models' built-in security facilities, and how to configure and monitor them.
4.2.1 Overview
The aim of this chapter is to teach you how to configure security services to manage and restrict the traffic that
passes between the Internet and your network, and protect your network infrastructure from attacks. The
components of the package are:
• Network Address Translation (NAT) component; maps multiple addresses on a private network to an externally-visible address (or range of addresses) on the outside network
• Firewall component; blocks certain traffic between interfaces based on stateful packet information (SPI)
• Intrusion Detection Settings (IDS) component; implements security measures to protect your network from
suspicious hosts
• Security component; manages the Security package, and enables security features such as management stations, triggers, security applications, session tracking and application services
4.2.2 Security support on AT-iMG Models
The Security module is the main module in the AT-iMG Models that acts as a server to the other two security
modules, Firewall and NAT, forming the Security System (see Figure 7).
This component allows you to:
• enable/disable all modules in the Security package (including the child modules, NAT and Firewall, that
cannot otherwise be configured)
• add IP interfaces to the Security package to create security interfaces that are used to configure the NAT
and Firewall child modules
• configure triggers to allow applications to open secondary port sessions
• configure IDSs (Intrusion Detection Settings)
• configure management stations to allow a specific host (or range of hosts) remote access to the device
without having to go through NAT and/or Firewall
• configure application services, to restrict access to a specific application service on a specific IP interface
once the interfaces have been defined as security interfaces
• configure logging (on Fiber D,E Modular and ADSL A,B,C models only) to track intrusion events, blocking events and session events.
FIGURE 4-1 Security modules on AT-iMG Models (Security module, Firewall module, NAT module)
4.2.3 Security interfaces
A security interface is an existing IP interface that has been defined as Internal, External or DMZ
(see Figure To Be Supplied).
• An Internal interface is an IP interface that is attached to a network that needs to be protected from the
network attached to the External interface. For example, an interface attached to a private LAN is an internal interface.
• The External interface is an IP interface that is attached to a network, for example the Internet, containing
hosts that may pose a security threat to hosts on the internal interfaces.
• A DMZ (demilitarized zone) is an IP interface serving a small network that acts as a neutral zone between
the inside network and the outside network. A DMZ is a portion of the local network that is almost completely open to the external network. There may be some restriction on external access to the DMZ, but
much less than the restriction on access to the internal interface.
To define an IP interface use the IP ADD INTERFACE command. (ref to ip command list)
To define an existing IP interface as a security interface use the SECURITY ADD INTERFACE command.
To show the security interfaces currently defined, use the SECURITY LIST INTERFACES command.
Note:
Only one external security interface and one DMZ security interface can be defined.
Note:
Security interfaces must be created before you can configure the majority of the features of the security
package.
FIGURE 4-2 Security interfaces on AT-iMG Models (External Network on the External interface, DMZ Network on the DMZ interface, Internal Networks on the Internal interfaces)
4.2.3.1 Security Triggers - Dynamic Port Opening
The Dynamic Port Opening (aka Security Triggers) feature solves a typical security problem related to Internet
applications that require secondary ports to be open in order for a session to operate, or that need to have binary
IP addresses in the payload translated and do not have an Application Level Gateway (ALG).
For example, an FTP control session operates on port 21, but FTP uses port 20 as a secondary port for the
data transfer process. The more ports that are open, the greater the security risk. So, the Dynamic Port Opening service makes it possible to designate certain secondary ports that will only be opened when there is an
active session on their associated primary port.
AT-iMG Models use triggers to inform the security mechanism to expect secondary sessions and how to handle
them. Rather than allowing a range of port numbers, triggers handle the situation dynamically, allowing the secondary sessions only when appropriate.
The trigger mechanism works without having to understand the application protocol or reading the payload of
the packet, (although the payload does need to be read when using NAT if address replacement has to be performed).
4.2.3.1.1 CONFIGURING TRIGGERS
To create a trigger for a TCP or UDP application, enter:
security add trigger <name> {tcp|udp} <startport> <endport> <maxactinterval>
The <startport> and <endport> attributes allow you to configure the port range used by the application to open
a primary session. Most applications use a single port to open a primary session, in which case you can enter
the same port value for both attributes. For example, to create a trigger for Windows Media Player, enter:
security add trigger WMP tcp 1755 1755 30000
In this command, notice that the <maxactinterval> attribute has been set to 30000. This attribute determines
the maximum interval time in milliseconds between the use of secondary port sessions. It prevents the security
threat posed by ports remaining open unnecessarily for long periods of time. If a secondary port remains inactive for the duration set, the port is automatically closed.
4.2.3.1.2 CONFIGURING SESSION CHAINING
The majority of applications that require triggers only open one additional (secondary) session, however a small
number of rare applications (like WS NetMeeting) open a secondary session which in turn opens additional
sessions after the primary session has ended. This is called session chaining; multi-level session are triggered
from a single trigger. To configure session chaining, use the command:
security set trigger <name> sessionchaining {enable|disable}
This command enables session chaining for TCP packets only. If you also want to configure session chaining for
UDP packets, use the command:
security set trigger <name> UDPsessionchaining {enable|disable}
Note:
TCP session chaining must always be enabled if UDP session chaining is to be used. It is not possible to
define UDP session chaining without previously enabling TCP session chaining.
Disabling TCP session chaining also automatically disables UDP session chaining.
Note:
For the majority of applications, you do not need to enable session chaining and should do so only if you
are certain that it is required. Because NetMeeting is so commonly used, a command macro is provided to
create a NetMeeting trigger with minimal configuration requirements: security add trigger <name> netmeeting.
You do not have to set a port range or maximum activity interval for this trigger; the security module
automatically sets these for you.
4.2.3.1.3 CONFIGURING ADDRESS REPLACEMENT
If your device is configured as a NAT router, you may need to configure triggers for certain protocols to replace
the embedded binary IP addresses of incoming packets with the correct inside host IP addresses. This ensures
that addresses are translated correctly. To enable/disable binary address replacement, enter:
security set trigger <name> binaryaddressreplacement {enable|disable}
Once enabled, you can enable address replacement on TCP, UDP or both types of packet:
security set trigger <name> addressreplacement {none|tcp|udp|both}
4.2.3.1.4 CONFIGURING MULTIHOSTING AND SECONDARY PORT RANGES
By default, a trigger can only initiate a secondary session requested by the same host that initiated the primary
session. Certain applications, such as SSL, may initiate secondary sessions from different remote hosts. This is
called multihosting. To enable/disable multihosting, enter:
security set trigger <name> multihost {enable|disable}
The commands below allow you to determine the range of ports that a secondary session can use. In the
majority of cases, you do not need to configure the secondary port ranges because triggers will only open specific port numbers for secondary sessions within the range 1024 - 65535.
To configure a secondary port range, enter:
security set trigger <name> secondarystartport <portnumber>
security set trigger <name> secondaryendport <portnumber>
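The trigger behaviour described in 4.2.3.1.1 through 4.2.3.1.4 (a primary session arms the trigger; secondary sessions are admitted only from the primary session's remote host unless multihost is enabled, only within the secondary port range, and are closed after maxactinterval milliseconds of inactivity), modelled in Python as an added example. This is not Allied Telesis code: the Trigger and TriggerEngine classes, the host addresses and the session bookkeeping are assumptions; the WMP trigger values are the ones given above.

```python
from dataclasses import dataclass


@dataclass
class Trigger:
    """One 'security add trigger' entry plus the 'security set trigger' attributes modelled here."""
    name: str
    proto: str               # protocol of the primary session: "tcp" or "udp"
    startport: int           # primary-session port range (startport..endport)
    endport: int
    maxactinterval: int      # ms of inactivity after which a secondary session is closed
    multihost: bool = False  # admit secondary sessions from a different remote host
    secondarystartport: int = 1024   # default secondary range stated in the manual
    secondaryendport: int = 65535

    def matches_primary(self, proto, port):
        return proto == self.proto and self.startport <= port <= self.endport

    def in_secondary_range(self, port):
        return self.secondarystartport <= port <= self.secondaryendport


class TriggerEngine:
    """Assumed bookkeeping: which inside hosts have armed which trigger, and the
    secondary sessions currently admitted. Primary-session teardown, session
    chaining and address replacement are not modelled."""

    def __init__(self, triggers):
        self.triggers = list(triggers)
        self.primary = {}    # (trigger name, inside host) -> remote host of the primary session
        self.secondary = {}  # (inside host, port) -> [trigger, remote host, last activity ms]

    def outbound(self, now, inside, remote, proto, dport):
        """Inside host opens a session to remote:dport. Returns the trigger armed, if any."""
        for trig in self.triggers:
            if trig.matches_primary(proto, dport):
                self.primary[(trig.name, inside)] = remote
                return trig.name
        return None

    def inbound(self, now, inside, remote, dport):
        """Unsolicited packet from remote to inside:dport. True if a trigger admits it."""
        key = (inside, dport)
        entry = self.secondary.get(key)
        if entry is not None and entry[1] == remote:
            entry[2] = now        # activity on an already-open secondary session
            return True
        for trig in self.triggers:
            opener = self.primary.get((trig.name, inside))
            if opener is None or not trig.in_secondary_range(dport):
                continue
            if remote != opener and not trig.multihost:
                continue          # multihost disabled: only the primary's peer may connect
            self.secondary[key] = [trig, remote, now]
            return True
        return False

    def expire(self, now):
        """Close secondary sessions idle for longer than their trigger's maxactinterval."""
        closed = sorted(key for key, (trig, _, last) in self.secondary.items()
                        if now - last > trig.maxactinterval)
        for key in closed:
            del self.secondary[key]
        return closed

    def open_secondaries(self):
        return sorted(self.secondary)


if __name__ == "__main__":
    # Constructed walk-through with the page's Windows Media Player trigger.
    eng = TriggerEngine([Trigger("WMP", "tcp", 1755, 1755, 30000)])
    eng.outbound(1000, "192.168.10.5", "203.0.113.7", "tcp", 1755)
    print(eng.inbound(2000, "192.168.10.5", "203.0.113.7", 5000))   # True
    print(eng.inbound(2000, "192.168.10.5", "198.51.100.9", 5001))  # False
    print(eng.expire(40000))                                        # [('192.168.10.5', 5000)]
```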
4.2.3.1.5 APPLICATION LEVEL GATEWAYS (ALGS)
Essentially, triggers and ALGs perform the same function; they deal with difficult applications that your NAT or
Firewall configuration cannot manage. However, certain applications prove too difficult for triggers and must be
handled by ALGs. The Security module is configured with ALGs for certain well-known applications (see table
below).
Security triggers can be configured to deal with some applications, but only when ALGs are not available.
An ALG provides a service for a specific application such as FTP (File Transfer Protocol). Incoming packets are
checked against existing NAT rules or Firewall filters, IP addresses are evaluated and detailed packet analysis is
performed. If necessary, the contents of a packet is modified, and if a secondary port is required, the ALG will
open one. The ALG for each application does not require additional configuration.
Application                                                     TCP Port      UDP Port
AOL Instant Messenger (AIM)                                     5190          N/A
File Transfer Protocol (FTP)                                    21            N/A
Internet Key Exchange (IKE)                                     N/A           500
Internet Locator Service (ILS) (a directory service based       389 (+1002)   N/A
on Lightweight Directory Access Protocol (LDAP))
Microsoft Networks (MSN)                                        1863          N/A
Point to Point Tunnelling Protocol (PPTP)                       1723          N/A
Resource Reservation Protocol (RSVP (protocol 46))              N/A           N/A
Real Time Streaming Protocol (RTSP)                             N/A           N/A
Layer Two Tunnelling Protocol (L2TP)                            N/A           1701
Session Initiation Protocol (SIP)                               5060          5060
(includes Session Description Protocol (SDP))
4.2.4 Intrusion Detection Settings
Intrusion Detection is a feature that looks for traffic patterns that correspond to certain known types of attack
from suspicious hosts that attempt to damage the network or to prevent legitimate users from using it.
Intrusion Detection protects the system from the following kinds of attacks:
• DoS (Denial of Service) attacks - a DoS attack is an attempt by an attacker to prevent legitimate hosts
from accessing a service.
• Port Scanning - an attacker scans a system in an attempt to identify any open ports that are listening for a
particular service.
• Web Spoofing - an attacker creates a 'shadow' of the World Wide Web on their own machine, however a
legitimate host sees this as the 'real' WWW. The attacker uses the shadow WWW to monitor the host's
activities and send false data to and from the host's machine.
Intrusion Detection works differently for each type of attack.
Once an intrusion attempt is detected, the attacker is blocked and blacklisted for a set time limit. The length
of time that a blacklisted host remains blocked depends on the kind of attack:
• For Denial of Service attacks, by the SECURITY SET IDS DOSATTACKBLOCK command and by the
SECURITY SET IDS MALICIOUSATTACKBLOCK command (default is 30 minutes in both cases)
• For Port Scan attacks, by the SECURITY SET IDS SCANATTACKBLOCK command (default is 24 hours)
• For Web Spoofing attacks, by the SECURITY SET IDS VICTIMPROTECTION command (default is 10 minutes)
4.2.4.1 Port Scan Attacks
Scans are performed by sending a message to each port in turn with certain TCP flag headers set. The response
received from each port indicates whether the port is in use and can be probed further in an attempt to violate
the network. For example, if a weak port is found, the attacker may attempt to send a DoS attack to that port.
The Security module offers protection from the port scan attacks listed in the table below. Certain port scan
attacks are classed as Trojan Horse attacks. These are programs that may appear harmless, but once executed
they can cause damage to your computer and/or allow remote attackers access to it.
The default protection measures are the same for each scan attack:

Scan Attack         Description
Echo scan           The attacker sends scanning traffic to the standard Echo port (TCP port 7).
Xmas Tree scan      The attacker sends TCP packets with FIN, URG and PSH flags set. If a port is
                    closed, the device responds with an RST. If a port is open, the device does
                    not respond.
IMAP scan           The attacker exploits a vulnerability of the IMAP port (TCP port 143) once a
                    TCP packet is received from the victim with the SYN and FIN flags set.
TCP SYN ACK scan    The attacker sends a SYN packet and the device responds with a SYN and ACK
                    to indicate that the port is listening, or an RST if it is not listening.
TCP FIN RST scan    The attacker sends a FIN packet to close an open connection. If a port is
                    closed, the device responds with an RST. If a port is open, the device does
                    not respond.
NetBus scan         NetBus is a Trojan Horse attack for Windows 95/98/NT. Once installed on the
                    victim’s PC, the attacker uses TCP port 12345, 12346 or 20034 to remotely
                    perform illicit activities.
Back Orifice scan   Back Orifice and Back Orifice 2k are Trojan Horse attacks for Windows
                    95/98/NT. Once installed on the victim’s PC, the attacker commonly listens on
                    UDP ports 31337, 31338 (Back Orifice) and 54320, 54321 (Back Orifice 2k).
                    The attacker can then remotely perform illicit activities.
SubSeven attack     SubSeven and SubSeven 2.1 are Trojan Horse attacks for Windows platforms.
                    Once installed on the victim’s PC, the attacker uses TCP ports 1243, 6711,
                    6712, 6713 (SubSeven) and 27374 (SubSeven 2.1) to remotely perform illicit
                    activities.
4.2.4.2 How Port Scanning works - Configuring Port Scanning
The device detects an attempted port scan if it receives more than 5 scanning packets (e.g., SYN/ACK, FIN or
RST packets) per second from a single host. To modify this default threshold, enter:
security set IDS scanthreshold <max>
The device counts the maximum number of scan packets allowed per second over a 60 second period. To modify
this default duration, enter:
security set IDS scanperiod <duration>
If the number of scanning packets counted within the specified duration is greater than the scan threshold set,
the suspected attacker is blocked for 86400 seconds (24 hours). To modify this default duration, enter:
security set IDS SCANattackblock <duration>
Echo scan, Xmas Tree scan and IMAP scan, by contrast, are blocked using the MaliciousAttack attribute. The
default block duration is 30 minutes; to change it, enter:
security set IDS MaliciousAttackBlock <duration>
4.2.4.3 Denial of Service (DoS) Attacks
There are two main types of DoS attack:
• Flood attacks - an attacker tries to overload your device by flooding it with packets. Whilst your device tries
to cope with this sudden influx of packets, it causes delays to the transport of legitimate packets or prevents
the network from transporting legitimate traffic altogether.
• Logic or software attacks - a small number of corrupt packets are designed to exploit known software bugs
on the target system.
The Security module can detect the early stages of the following DoS attacks:

DoS Attack          Description
SMURF Attack        The attacker sends pings (Echo Requests) to a host with a destination IP
                    address of broadcast (protocol 1, type 8). The broadcast address has a
                    spoofed return address which is the address of the intended victim, and the
                    replies cause the system to crash.
SYN/FIN/RST Flood   Attackers send unreachable source addresses in SYN packets, so your device
                    sends SYN/ACK packets to the unreachable address, but does not receive any
                    ACK packets in return. This causes a backlog of half-opened sessions.
ICMP Flood          The attacker floods the network with ICMP packets that are not Echo
                    requests, stealing bandwidth needed for legitimate services. The device
                    detects an attempted ICMP flood if it receives more than 100 ICMP packets
                    per second from a single host.
Ping Flood          The attacker floods the network with pings, using bandwidth needed for
                    legitimate services. The device detects an attempted ping flood if it
                    receives more than 15 pings per second from a single host.
Ascend Kill         The attacker sends a UDP packet containing special data to port 9 (the
                    discard port), causing your Ascend router to reboot and possibly crash
                    continuously.
WinNuke Attack      The attacker sends invalid TCP packets which disable networking on many
                    Microsoft Windows 95 and Windows NT machines. Bad data is sent to an
                    established connection with a Windows user. NetBIOS (TCP port 139) is
                    often used.
Echo Chargen        A chargen attack exploits the character generator (chargen) service (UDP
                    port 19). Sessions that appear to come from the local system’s Echo
                    service are spoofed and pointed at the chargen service to create an
                    endless loop of high volume traffic that will slow your network down.
Echo Storm          Attackers send oversized ICMP datagrams to your device using ping in an
                    attempt to crash, freeze or cause a reboot. The device detects an
                    attempted Echo Storm attack if it receives more than 15 ICMP datagrams
                    per second from a single host.
Boink               An attacker sends fragmented TCP packets that are too big to be
                    reassembled on arrival, causing Microsoft Windows 95 and Windows NT
                    machines to crash.
Land Attack         This attack targets Microsoft Windows machines. An attacker sends a forged
                    packet with the same source and destination IP address which confuses the
                    victim’s machine, causing it to crash or reboot.
Ping of Death       It is possible to crash, reboot or otherwise kill a large number of
                    systems by sending a ping of a certain size from a remote machine. A ping
                    is defined as a ping of death when the ping payload exceeds 65535 bytes.
Overdrop            This attack uses incorrect IP packet fragmentation to exploit
                    vulnerabilities in networked devices. Fragmented IP packets are sent and
                    the fragment information indicates that the packet length is over 65535
                    bytes (including IP header), but the actual data in the payload is much
                    less than this amount.
For each DoS attack there are different IDS settings, summarized in the table below:

DoS Attack          Related Detection settings                    Block duration setting / (Default)
SMURF Attack        security enable IDS victimprotection          security set IDS victimprotection <duration> / (10 min)
SYN/FIN/RST Flood   security set IDS floodthreshold <max>         security set IDS DOSattackblock <duration> / (30 min)
                    security set IDS portfloodthreshold <max>
                    security set IDS floodperiod <duration>
                    security set IDS MaxTCPopenhandshake <max>
ICMP Flood          security set IDS MaxICMP <max>                security set IDS DOSattackblock <duration> / (30 min)
Ping Flood          security set IDS MaxPING <max>                security set IDS DOSattackblock <duration> / (30 min)
Ascend Kill         N/A                                           security set IDS MaliciousAttackBlock <duration> / (30 min)
WinNuke Attack      N/A                                           security set IDS MaliciousAttackBlock <duration> / (30 min)
Echo Chargen        N/A                                           security set IDS DOSattackblock <duration> / (30 min)
Echo Storm          security set IDS MaxPING <max>                security set IDS DOSattackblock <duration> / (30 min)
Boink               N/A                                           security set IDS DOSattackblock <duration> / (30 min)
Land Attack         N/A                                           security set IDS DOSattackblock <duration> / (30 min)
Ping of Death       N/A                                           security set IDS DOSattackblock <duration> / (30 min)
Overdrop            N/A                                           security set IDS DOSattackblock <duration> / (30 min)
4.2.4.4 IDS Trojan Database
Trojan attacks are detected by scanning for packets on pre-defined Trojan attack ports, using a pre-defined database that includes commonly attacked Trojan ports.
To enter a new Trojan name in the IDS Trojan Database:
security IDS add trojan <trojan name>
Once you have added a Trojan name to the database, you need to identify the attack port(s) that might be used by that Trojan. Use the following command to add a port to the IDS Trojan Database against the Trojan name specified in the previous command:
security IDS add trojanport <trojan name> <ident> <udp|tcp> <port>
In order to start scanning you must enable the Trojan with the following CLI command:
security IDS enable trojan <trojan name>
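The detection rules in the DoS table above and the Trojan port database, as an added Python example that is not code from the Allied Telesis gateway: constructed packet summaries are classified with those rules (Land, Ping of Death, Overdrop, Echo Chargen, Echo Storm at more than 15 ICMP datagrams per second, Trojan ports) and the source is blacklisted for the DOSattackblock or MaliciousAttackBlock default duration. The Packet fields, the Ids class, the verdict strings and the NetBus database entry are assumptions for illustration; the gateway's own matching logic is not documented on this page.

```python
# Added example (not Allied Telesis code): a small model of the IDS rules in the
# DoS table and the Trojan database above, run over constructed packet summaries.
# The Packet fields, class names and the Trojan database entry are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass

IP_MAX = 65535                   # largest possible IP datagram, header included
ECHO_STORM_PPS = 15              # more than 15 ICMP datagrams/s from one host
DOS_ATTACK_BLOCK_MIN = 30        # security set IDS DOSattackblock default
MALICIOUS_ATTACK_BLOCK_MIN = 30  # security set IDS MaliciousAttackBlock default


@dataclass
class Packet:
    ts: float                    # arrival time in seconds
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    frag_offset: int = 0         # fragment offset in 8-byte units (IP header field)
    length: int = 0              # total length of this fragment, IP header included


class Ids:
    def __init__(self, trojan_db=None):
        # {(proto, port): trojan name}, the equivalent of the IDS Trojan Database
        self.trojan_db = trojan_db or {}
        self.icmp_window = defaultdict(deque)   # src -> ICMP arrival times, last second
        self.blacklist = {}                     # src -> time the block expires

    def classify(self, p):
        """Return the name of the attack the packet matches, or None."""
        if p.src == p.dst:
            return "Land Attack"
        # A fragment that claims to end beyond 65535 bytes can never be reassembled;
        # the page calls this Ping of Death for ICMP and Overdrop for other protocols.
        if p.frag_offset * 8 + p.length > IP_MAX:
            return "Ping of Death" if p.proto == "icmp" else "Overdrop"
        # Echo (UDP 7) bounced into chargen (UDP 19) loops forever.
        if p.proto == "udp" and {p.sport, p.dport} == {7, 19}:
            return "Echo Chargen"
        if p.proto == "icmp":
            w = self.icmp_window[p.src]
            w.append(p.ts)
            while w and w[0] <= p.ts - 1.0:      # keep a sliding one-second window
                w.popleft()
            if len(w) > ECHO_STORM_PPS:
                return "Echo Storm"
        name = self.trojan_db.get((p.proto, p.dport))
        if name:
            return "Trojan " + name
        return None

    def inspect(self, p):
        """Drop blacklisted sources, classify the rest and blacklist attackers."""
        expiry = self.blacklist.get(p.src)
        if expiry is not None and p.ts < expiry:
            return "blocked"
        attack = self.classify(p)
        if attack is None:
            return "pass"
        # Trojan traffic is a malicious attack, the rest are DoS attacks.
        minutes = (MALICIOUS_ATTACK_BLOCK_MIN if attack.startswith("Trojan")
                   else DOS_ATTACK_BLOCK_MIN)
        self.blacklist[p.src] = p.ts + minutes * 60
        return "drop: " + attack


def run_sample():
    """Constructed traffic sample; returns one verdict per packet."""
    ids = Ids(trojan_db={("tcp", 12345): "NetBus"})   # assumed database entry
    pkts = [
        Packet(0.0, "10.0.0.5", "10.0.0.5", "tcp", 139, 139),           # Land
        Packet(0.1, "198.51.100.7", "10.0.0.9", "icmp",
               frag_offset=8190, length=100),                           # 65520 + 100 bytes
        Packet(0.2, "198.51.100.8", "10.0.0.9", "udp", 7, 19),          # Echo Chargen
        Packet(0.3, "198.51.100.9", "10.0.0.9", "tcp", 40000, 12345),   # Trojan port
        Packet(0.4, "198.51.100.9", "10.0.0.9", "tcp", 40001, 80),      # already blocked
    ]
    # 16 pings within 0.75 s from one host: the 16th crosses the 15/s threshold
    storm = [Packet(1.0 + i * 0.05, "203.0.113.1", "10.0.0.9", "icmp") for i in range(16)]
    return [ids.inspect(p) for p in pkts + storm]
```

The blacklist expiry is checked before classification, so a host blocked for a Trojan probe stays blocked for the full 30 minutes even for otherwise harmless traffic, which is the behaviour the blocking-event log records.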
4.2.5 Management stations - Remote Management
A management station is a host or range of hosts that can remotely access your device from the public Internet for a certain period of time. Once your device has been configured to allow remote access, the management station sends IP traffic on a specific transport/port to the device's external port. Any NAT or Firewall configuration is bypassed. This allows a network administrator access to the device's configuration without having to visit the site.
Note:
It is important for ISPs to configure management stations as precisely as possible to reduce the chance of malicious access: use the narrowest address range or subnet that covers the administrators' hosts, specify the actual transport and port rather than the wildcards, and set a non-zero idle timeout so that an unused station is disabled automatically.
The exact IP address (or range of addresses) for the management station device(s) must be defined in the following command:
security add mgmt-station <name> {range <start_addr> <end_addr> |
subnet <address> <mask>} <transport_type> <port> <idle_timeout>
Once you have configured a management station and want to enable a remote session to the device’s external
port, enter:
security set mgmt-station <name> enabled
4.2.6 Security logging
Note:
Security logging is available on Fiber D, E, Modular and ADSL A, B, C models only.
Configuring the security logging module allows you to track:
• intrusion events; logs details of attempted DoS, port scanning and web spoofing attacks, including the name of the attack, the port number used and the source/destination IP addresses.
• blocking events; if an intrusion has been detected, this logs details of the blocked/blacklisted host, including its IP address and the length of time it will be blocked/blacklisted for.
• session events; logs details of session activity when a session is timed out or when it finishes naturally and is removed from the session list.
Before you can log intrusion, blocking and session events, enable the logging module by entering:
security enable logging
4.2.7 Security command reference
This section describes the commands available on the AT-iMG Models to enable, configure and manage the
Security module.
4.2.7.1 Command Set
The table below lists the security commands provided by the CLI.
TABLE 4-2 Security Commands and Product Category
Product categories: Fiber A, B, C, D, E; ADSL A, B, C; Modular.

Commands available on all nine product categories:
SECURITY ENABLE | DISABLE
SECURITY ADD ALG
SECURITY DELETE ALG
SECURITY LIST ALG
SECURITY SHOW ALG
SECURITY STATUS
SECURITY ADD INTERFACE
SECURITY CLEAR INTERFACES
SECURITY DELETE INTERFACE
SECURITY LIST INTERFACES
SECURITY SHOW INTERFACE
SECURITY ADD MGMT-STATION RANGE
SECURITY DELETE MGMT-STATION
SECURITY SET MGMT-STATION
SECURITY LIST MGMT-STATION
SECURITY ADD TRIGGER TCP|UDP
SECURITY ADD TRIGGER NETMEETING
SECURITY CLEAR TRIGGERS
SECURITY DELETE TRIGGER
SECURITY LIST TRIGGERS
SECURITY SET TRIGGER ADDRESSREPLACEMENT
SECURITY SET TRIGGER MULTIHOST
SECURITY SET TRIGGER BINARYADDRESSREPLACEMENT
SECURITY SET TRIGGER MAXACTINTERVAL
SECURITY SET TRIGGER ENDPORT
SECURITY SET TRIGGER STARTPORT
SECURITY SET TRIGGER SECONDARYENDPORT
SECURITY SET TRIGGER SECONDARYSTARTPORT
SECURITY SET TRIGGER SESSIONCHAINING
SECURITY SET TRIGGER UDPSESSIONCHAINING
SECURITY SHOW TRIGGER
SECURITY SET SESSIONTIMEOUT
SECURITY ADD WAITINGSESSION
SECURITY DELETE WAITINGSESSION
SECURITY SET WAITINGSESSION
SECURITY SHOW WAITINGSESSION
SECURITY ENABLE|DISABLE IDS
SECURITY ENABLE|DISABLE IDS BLACKLIST
SECURITY CLEAR IDS BLACKLIST
SECURITY ENABLE|DISABLE IDS VICTIMPROTECTION
SECURITY SET IDS VICTIMPROTECTION
SECURITY SET IDS DOSATTACKBLOCK
SECURITY SET IDS MALICIOUSATTACKBLOCK
SECURITY SET IDS MAXICMP
SECURITY SET IDS MAXPING
SECURITY SET IDS MAXTCPOPENHANDSHAKE
SECURITY SET IDS SCANATTACKBLOCK
SECURITY SET IDS FLOODPERIOD
SECURITY SET IDS FLOODTHRESHOLD
SECURITY SET IDS PORTFLOODTHRESHOLD
SECURITY SET IDS SCANPERIOD
SECURITY SET IDS SCANTHRESHOLD

Commands available on Fiber D, E, Modular and ADSL A, B, C only (not present on Fiber A, B, C):
SECURITY ENABLE | DISABLE {LOGGING|BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG}
SECURITY ENABLE | DISABLE {BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG} CONSOLEPRINTING
SECURITY SET BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG LEVEL
SECURITY LIST LOGGING

Commands whose product-category support could not be read from the source table:
SECURITY SET AEMLOGGINGINTERVAL
SECURITY SHOW IDS
4.2.7.1.1 SECURITY ENABLE | DISABLE
Syntax
security {enable | disable}
Description
This command explicitly enables/disables all modules in the Security package (including the child modules, NAT and Firewall). You must enable the Security package if you want to use the NAT and/or Firewall modules to configure security for your system.
If you disable the Security package during a session, any configuration changes made to the Security, NAT or Firewall modules while the package was enabled remain in the system, so that you can re-enable them later in the session. If you need to reboot your system but want to save the security configuration between sessions, use the SYSTEM CONFIG CREATE and SYSTEM CONFIG SET commands.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option   | Description                                                                        | Default Value
---------|------------------------------------------------------------------------------------|--------------
enabled  | Enables all modules in the Security package (Security, NAT and Firewall modules).  | Disabled
disabled | Disables all modules in the Security package (Security, NAT and Firewall modules). |
Example
--> security enable
See also
FIREWALL ENABLE LOGGING
4.2.7.1.2 SECURITY ENABLE | DISABLE {LOGGING|BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG}
Syntax
security {enable | disable} {logging|blockinglog|intrusionlog|sessionlog}
Description
This command enables/disables:
• the generic logging module
• logging of blocking activity
• logging of intrusion activity
• logging of session events
This command is not present on FIBER A,B,C devices.
Note:
Before you can log intrusion, blocking and session events, the logging module must be enabled.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option       | Description                               | Default Value
-------------|-------------------------------------------|--------------
enabled      | Logging is enabled.                       | N/A
disabled     | Logging is disabled.                      |
logging      | The generic logging module.               | Enabled
blockinglog  | Details of blocking activity are logged.  | Enabled
intrusionlog | Details of intrusion activity are logged. | Disabled
sessionlog   | Details of session events are logged.     | Disabled
Example
--> security enable blockinglog
See also
FIREWALL SET SECURITYLEVEL
4.2.7.1.3 SECURITY ENABLE | DISABLE {BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG} CONSOLEPRINTING
Syntax
security {enable | disable} {blockinglog|intrusionlog|sessionlog} consoleprinting
Description
This command sets whether blocking, intrusion or session logging is sent to the console instead of to the event log. Note that you must first enable logging using the command security enable|disable {logging|blockinglog|intrusionlog|sessionlog}. This command is not present on FIBER A,B,C devices.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option          | Description                                                                                                                               | Default Value
----------------|-------------------------------------------------------------------------------------------------------------------------------------------|--------------
enabled         | The specified logging activity is displayed at the console.                                                                               | Disabled
disabled        | The specified logging activity is sent to the event log.                                                                                  |
blockinglog     | Specifies where blocking activity is displayed.                                                                                           | N/A
intrusionlog    | Specifies where intrusion activity is displayed.                                                                                          | N/A
sessionlog      | Specifies where session activity is displayed.                                                                                            | N/A
consoleprinting | Enabling consoleprinting sends logging to the console instead of to the event log. Disabling it sends logging to the event log instead of to the console. | N/A
Example
--> security enable blockinglog consoleprinting
4.2.7.1.4 SECURITY SET BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG LEVEL
Syntax
security set {blockinglog | intrusionlog | sessionlog} <level>
Description
For each logging event it is possible to set the minimum level of logging that is reported. The levels available in this command correspond to syslog levels (emergency, alert, critical, error, warning, notice, informational, debug).
The default reporting level for an enabled log activity is notice, which reports emergency, alert, critical, error, warning and notice messages but not informational or debug messages.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option       | Description                                                                                                                                                            | Default Value
-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
blockinglog  | Configures blocking logging.                                                                                                                                           | N/A
intrusionlog | Configures intrusion logging.                                                                                                                                          | N/A
sessionlog   | Configures session event logging.                                                                                                                                      | N/A
level        | The level of logging reported at the event log or the console. You can choose from the following levels: emergency, alert, critical, error, warning, notice, informational, debug. These levels directly correspond to syslog levels. | Notice
Example
--> security set blockinglog warning
See also
FIREWALL SET SECURITYLEVEL
4.2.7.1.5 SECURITY ADD ALG
Syntax
security add alg <algname> <algtype> [transport] [port]
security add alg <algname> <algtype> [prot <protno>]
Description
This command enables a specific ALG (Application Level Gateway).
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option    | Description                                                                                                                                       | Default Value
----------|---------------------------------------------------------------------------------------------------------------------------------------------------|--------------
algname   | A unique identifier specified by the user.                                                                                                        | N/A
algtype   | Application/Protocol ALG to be enabled. Example: sip or rtsp.                                                                                     | N/A
transport | Transport protocol. Example: tcp, udp. If no transport is specified, the default configured transport for the algtype is used.                    | N/A
port      | Port used by the ALG. Only meaningful when the transport is tcp or udp; if no port is specified, the default configured port for the algtype is used. | N/A
protno    | IP protocol number used by the ALG, given with the prot keyword when the transport is neither tcp nor udp (the port is then 0).                   | N/A
Example
--> security add alg algsip sip udp 5060
--> security add alg algrsvp rsvp prot 46
See also
FIREWALL SET SECURITYLEVEL
4.2.7.1.6 SECURITY DELETE ALG
Syntax
security delete alg <algname>
Description
This command disables a specific ALG.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option  | Description                             | Default Value
--------|-----------------------------------------|--------------
algname | Unique identifier of the ALG to delete. | N/A
Example
--> security delete alg alg_sipudp
4.2.7.1.7 SECURITY LIST ALG
Syntax
security list alg
Description
This command displays information about all the configured ALGs in tabular format. The Transport column shows the IP protocol number (6 = TCP, 17 = UDP; other values are raw IP protocols, for which the port is 0).
Example
--> security list alg
ID | AlgType | Transport | Port |
---|---------|-----------|------|
1  | ftp     | 6         | 21   |
2  | ils     | 6         | 389  |
3  | ils     | 6         | 1002 |
4  | ike     | 17        | 500  |
5  | aim     | 6         | 5190 |
6  | msnmsgr | 6         | 1863 |
7  | pptp    | 6         | 1723 |
8  | rsvp    | 46        | 0    |
9  | l2tp    | 17        | 1701 |
10 | rtsp    | 6         | 554  |
11 | sip     | 17        | 5060 |
4.2.7.1.8 SECURITY LIST LOGGING
Syntax
security list logging
Description
This command displays the state of the logging module and of each configured log in tabular format. This command is not present on FIBER A,B,C devices.
Example
--> security list logging
The logging module is: true
Session event logging is: false
Blocking event logging is: false
Intrusion event logging is: false
4.2.7.1.9 SECURITY SHOW ALG
Syntax
security show alg <algname>
Description
This command displays the following information about a specific ALG:
• AlgType - Application/Protocol ALG that is enabled. Example: sip.
• Transport - Transport protocol number, e.g. 6 (tcp) or 17 (udp). If no transport was specified when the ALG was added, the default configured transport for the algtype is shown.
• Port - Port used by the ALG. Shown as 0 when the transport is neither tcp nor udp.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option  | Description                              | Default Value
--------|------------------------------------------|--------------
algname | Unique identifier of the ALG to display. | N/A
Example
--> security show alg alg_sipudp
Alg Type : sip
Transport: 17
Port : 5060
4.2.7.1.10 SECURITY STATUS
Syntax
security status
Description
This command displays the following information about the Security package:
• Security status (enabled or disabled)
• Firewall status (enabled or disabled)
• Firewall security level setting (none, high, low, or medium)
• Firewall session logging (enabled or disabled)
• Firewall blocking logging (enabled or disabled)
• Firewall intrusion logging (enabled or disabled)
• NAT status (enabled or disabled)
• Intrusion detection status (enabled or disabled)
• Security logging status (enabled or disabled)
• Security AEM logging interval (seconds)
Example
--> security status
Security enabled.
Firewall disabled.
Firewall security level: none.
NAT disabled.
Intrusion detection is disabled.
Security logging is enabled.
Session logging disabled.
Blocking logging disabled.
Intrusion logging disabled.
Security AEM Logging Interval: 5 Sec(s).
See also
SECURITY ENABLE | DISABLE
FIREWALL SET SECURITYLEVEL
4.2.7.1.11 SECURITY ADD INTERFACE
Syntax
SECURITY ADD INTERFACE <name> {EXTERNAL | INTERNAL | DMZ}
Description
This command adds an existing IP interface to the Security package to create a security interface, and specifies what type of interface it is depending on how it connects to the network.
Once you have added security interfaces, you can use them in the NAT and/or Firewall configurations.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option   | Description                                                                               | Default Value
---------|-------------------------------------------------------------------------------------------|--------------
name     | An existing IP interface. To display interface names, use the ip list interfaces command. | N/A
external | An interface that connects to the external network.                                       | N/A
internal | An interface that connects to the internal network.                                       | N/A
dmz      | An interface that connects to the de-militarized zone (DMZ).                              | N/A
Example
--> security add interface ip1 internal
See also
IP LIST INTERFACES
Firewall command reference
NAT CLI commands
4.2.7.1.12 SECURITY CLEAR INTERFACES
Syntax
security clear interfaces
Description
This command removes all security interfaces that were added to the Security package
using the security add interface command.
Example
--> security clear interfaces
See also
SECURITY DELETE INTERFACE
4.2.7.1.13 SECURITY DELETE INTERFACE
Syntax
SECURITY DELETE INTERFACE <name>
Description
This command removes a single security interface that was added to the Security package using the security add interface command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description                                                                                           | Default Value
-------|-------------------------------------------------------------------------------------------------------|--------------
name   | An existing security interface. To display interface names, use the SECURITY LIST INTERFACES command. | N/A
Example
--> security delete interface f1
See also
SECURITY CLEAR INTERFACES
SECURITY LIST INTERFACES
4.2.7.1.14 SECURITY LIST INTERFACES
Syntax
security list interfaces
Description
This command lists the following information about security interfaces that were added to the Security package using the security add interface command:
• Interface ID number
• Interface name
• Interface type (external, internal or DMZ)
Example
--> security list interfaces
Security Interfaces:
ID | Name | Type
---|------|---------
1  | i1   | internal
2  | i2   | external
3  | i3   | dmz
See also
SECURITY SHOW INTERFACE
4.2.7.1.15 SECURITY SHOW INTERFACE
Syntax
SECURITY SHOW INTERFACE <name>
Description
This command displays information about a single interface that was added to the Security package using the security add interface command. The following interface information is displayed:
• Interface name
• Interface type (external, internal or DMZ)
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description                                                                                               | Default Value
-------|-----------------------------------------------------------------------------------------------------------|--------------
name   | An existing security interface. To display all interface names, use the security list interfaces command. | N/A
Example
--> security show interface f2
Interface name: f2
Interface type: internal
See also
SECURITY LIST INTERFACES
4.2.7.1.16 SECURITY ADD MGMT-STATION RANGE
Syntax
SECURITY ADD MGMT-STATION <name> {RANGE <start_addr> <end_addr> | SUBNET <address> <mask>} <transport_type> <port> <idle_timeout>
Description
This command creates a Management Station that allows a specific host (or range of hosts) to access your device directly, bypassing NAT and Firewall. IP packets from a Management Station are sent to the external interface (WAN) using a specific transport and port number. The Management Station is not enabled until you enable it using SECURITY SET MGMT-STATION.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option         | Description                                                                                                                                                                                      | Default Value
---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------
name           | An arbitrary name that identifies the management station. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit.                     | N/A
start_addr     | The first remote host IP address in the range allowed.                                                                                                                                           | N/A
end_addr       | The last remote host IP address in the range allowed.                                                                                                                                            | N/A
address        | A specific IP address in the remote subnet allowed.                                                                                                                                              | N/A
mask           | The mask defining the remote subnet allowed.                                                                                                                                                     | N/A
transport_type | The number of the transport type used, e.g. TCP = 6, UDP = 17, wildcard = 255.                                                                                                                   | N/A
port           | The port number used. This is only effective if the transport_type is set to 6 (TCP) or 17 (UDP). The wildcard is 65535.                                                                         | N/A
idle_timeout   | The idle time (in minutes). If no sessions are created by the Management Station within this time, the Station is disabled. If a session is created, that session uses the idle time set and the Station is not disabled until the session expires. | 0 (no timeout)
Example
The following example allows hosts in the subnet 192.168.1.0/24 to reach UDP port 26 on the external interface, and disables the station after 10 idle minutes:
--> security add mgmt-station ISP subnet 192.168.1.1 255.255.255.0 17 26 10
See also
SECURITY SET MGMT-STATION
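One way to see what the options above mean for a packet arriving on the WAN side, as an added Python example that is not Allied Telesis code: the range station from the security list mgmt-stations output further below and a deliberately loose subnet station are matched against inbound packets, the idle timeout from the table is applied, and the loose definition is flagged the way the note in 4.2.5 asks for. The MgmtStation class, the add_range/add_subnet/admit/audit functions and the sample addresses are assumptions; the gateway's own matching order is not documented on this page.

```python
# Added example (not Allied Telesis code): a model of how a management station
# entry is matched against inbound WAN traffic, following the option semantics
# above (transport 6/17/255, port wildcard 65535, idle_timeout in minutes, 0 = none).
# The MgmtStation class, the function names and the sample stations are assumptions.
import ipaddress
from dataclasses import dataclass

TRANSPORT_WILDCARD = 255
PORT_WILDCARD = 65535
TCP, UDP = 6, 17


@dataclass
class MgmtStation:
    name: str
    first: int                   # first allowed address (range start or subnet address)
    last: int                    # last allowed address (range end or subnet broadcast)
    transport: int               # 6 = TCP, 17 = UDP, 255 = any transport
    port: int                    # 65535 = any port; only checked for TCP and UDP
    idle_timeout: int            # minutes without a session before the station is disabled
    enabled: bool = False
    last_activity: float = 0.0   # seconds; when the station was enabled or last used


def add_range(name, start, end, transport, port, idle):
    """security add mgmt-station <name> range <start> <end> ..."""
    return MgmtStation(name, int(ipaddress.IPv4Address(start)),
                       int(ipaddress.IPv4Address(end)), transport, port, idle)


def add_subnet(name, address, mask, transport, port, idle):
    """security add mgmt-station <name> subnet <address> <mask> ..."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return MgmtStation(name, int(net.network_address),
                       int(net.broadcast_address), transport, port, idle)


def set_enabled(st, enabled, now):
    """security set mgmt-station <name> enabled|disabled"""
    st.enabled = enabled
    st.last_activity = now


def expire_idle(st, now):
    """Disable the station once idle_timeout minutes have passed with no session."""
    if st.enabled and st.idle_timeout and now - st.last_activity >= st.idle_timeout * 60:
        st.enabled = False
    return st.enabled


def admit(st, src_ip, transport, port, now):
    """True if a packet from src_ip bypasses NAT and the firewall via this station."""
    if not expire_idle(st, now):
        return False
    if not st.first <= int(ipaddress.IPv4Address(src_ip)) <= st.last:
        return False
    if st.transport != TRANSPORT_WILDCARD and st.transport != transport:
        return False
    # The port is only effective for TCP and UDP stations.
    if st.transport in (TCP, UDP) and st.port != PORT_WILDCARD and st.port != port:
        return False
    st.last_activity = now       # a session keeps the station alive
    return True


def audit(st):
    """Warnings a reviewer would raise about an imprecise station definition."""
    warnings = []
    if st.transport == TRANSPORT_WILDCARD:
        warnings.append("transport wildcard: every IP protocol is admitted")
    elif st.port == PORT_WILDCARD:
        warnings.append("port wildcard: every port is admitted")
    if st.idle_timeout == 0:
        warnings.append("idle_timeout 0: the station is never disabled automatically")
    return warnings


def demo():
    """Constructed scenario: a tight range station next to a loose subnet station;
    returns the match results and both audits."""
    tight = add_range("new", "192.168.1.4", "192.168.1.10", UDP, 26, 10)
    loose = add_subnet("isp", "192.168.1.1", "255.255.255.0",
                       TRANSPORT_WILDCARD, PORT_WILDCARD, 0)
    set_enabled(tight, True, now=0.0)
    set_enabled(loose, True, now=0.0)
    results = {
        "tight_in_range_udp26": admit(tight, "192.168.1.7", UDP, 26, now=60.0),
        "tight_outside_range": admit(tight, "192.168.1.11", UDP, 26, now=60.0),
        "tight_wrong_port": admit(tight, "192.168.1.7", UDP, 22, now=60.0),
        "loose_any_tcp22": admit(loose, "192.168.1.200", TCP, 22, now=60.0),
        # ten idle minutes later: the tight station has switched itself off
        "tight_after_idle": admit(tight, "192.168.1.7", UDP, 26, now=660.0),
        "loose_after_idle": admit(loose, "192.168.1.200", TCP, 22, now=660.0),
    }
    return results, audit(tight), audit(loose)
```

The loose station is the one to avoid in production: with transport 255 the port is never consulted, so any host in the /24 can reach any service on the external interface, and with idle_timeout 0 that bypass stays in place until someone disables it by hand.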
4.2.7.1.17 SECURITY DELETE MGMT-STATION
Syntax
SECURITY DELETE MGMT-STATION <name>
Description
This command deletes a single Management Station that was added to the Security module using the SECURITY ADD MGMT-STATION command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description                                                                                                     | Default Value
-------|-----------------------------------------------------------------------------------------------------------------|--------------
name   | An existing Management Station. To display Management Station names, use the SECURITY LIST MGMT-STATION command. | N/A
Example
--> security delete mgmt-station ISP
See also
SECURITY ADD MGMT-STATION
SECURITY LIST MGMT-STATION
4.2.7.1.18 SECURITY SET MGMT-STATION
Syntax
SECURITY SET MGMT-STATION <name> {ENABLED|DISABLED}
Description
This command enables or disables a Management Station that was added to the Security module using the SECURITY ADD MGMT-STATION command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option   | Description                                                                                                     | Default Value
---------|-----------------------------------------------------------------------------------------------------------------|--------------
name     | An existing Management Station. To display Management Station names, use the SECURITY LIST MGMT-STATION command. | N/A
enabled  | Enables the Management Station. Once enabled, Management Station sessions can be created.                       | Disabled
disabled | Disables the Management Station.                                                                                |
Example
--> security set mgmt-station ISP enabled
See also
SECURITY ADD MGMT-STATION
SECURITY LIST MGMT-STATION
4.2.7.1.19 SECURITY LIST MGMT-STATION
Syntax
security list mgmt-stations
Description
This command lists Management Stations that were added to the Security module using the security add mgmt-station command. It displays the following information about Management Stations:
• Management station id number
• Management station name
• Subnet status (true/false)
• IP address (of subnet or first address in range)
• Subnet mask or last address of range
• Interface
• Transport number
• Port number
• Idle timeout (minutes)
• Enabled status (true/false)
Example
--> security list mgmt-stations
Management Stations:
ID | Name | Subnet | IP address  | Mask/End Address | Interface | Transp | Port | Idle | Enable
---|------|--------|-------------|------------------|-----------|--------|------|------|-------
1  | new  | false  | 192.168.1.4 | 192.168.1.10     | ip1       | 17     | 26   | 10   | false
See also
security add mgmt-station
4.2.7.1.20 SECURITY ADD TRIGGER TCP|UDP
Syntax
SECURITY ADD TRIGGER <name> {TCP|UDP} <startport> <endport> <maxactinterval>
Description
This command adds a trigger to the Security module. A trigger allows an application to open a secondary port in order to transport packets.
Some applications, such as FTP, need to open secondary ports: they have a control session port (21 for FTP) but also need to use a second port in order to transport data.
Adding a trigger means that you do not have to define static portfilters to open ports for each secondary session. If you did this, the ports would remain open for potential use (or misuse, see the command FIREWALL SET IDS SCANATTACKBLOCK) until the portfilters were deleted. A trigger opens a secondary port dynamically, only once the control session has been seen, and allows you to specify the length of time that it can remain inactive before it is closed.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option         | Description                                                                                                                                                                    | Default Value
---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
name           | An arbitrary name that identifies the trigger. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit.              | N/A
tcp            | Adds a trigger for a TCP application to the security package.                                                                                                                  | N/A
udp            | Adds a trigger for a UDP application to the security package.                                                                                                                  | N/A
startport      | Sets the start of the trigger port range for the control session.                                                                                                              | N/A
endport        | Sets the end of the trigger port range for the control session.                                                                                                                | N/A
maxactinterval | Sets the maximum interval time (in milliseconds) between the use of secondary port sessions. If a secondary port opened by a trigger has not been used for the specified time, it is closed. | 3000
Example
The following example creates a Netmeeting (H.323) trigger:
--> security add trigger t1 tcp 1720 1720 30000
See also
SECURITY LIST TRIGGERS
SECURITY ADD TRIGGER NETMEETING
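The trigger behaviour described above, as an added Python example that is not Allied Telesis code: a control session on the trigger's port range opens the secondary port range dynamically, the pinhole closes once maxactinterval milliseconds pass without use, and with multihost disabled (the default of SECURITY SET TRIGGER MULTIHOST) only the control session's peer may use it. The Trigger and TriggerEngine classes, the verdict strings, the secondary-range fields (taken from the SECONDARYSTARTPORT/SECONDARYENDPORT commands) and the addresses are assumptions; the tr1 trigger values come from the security list triggers output further below.

```python
# Added example (not Allied Telesis code): a model of the port-trigger behaviour
# described above. A control session on the trigger's port range opens the
# secondary range, the pinhole closes after maxactinterval ms of inactivity, and
# with multihost disabled only the control session's peer may use it.
# The Trigger/TriggerEngine classes, the method names and the traffic are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Trigger:
    name: str
    proto: str                    # "tcp" or "udp"
    startport: int                # control-session port range (startport..endport)
    endport: int
    sec_startport: int            # secondary port range opened by the trigger
    sec_endport: int
    maxactinterval: int = 3000    # ms of inactivity before the secondary port closes
    multihost: bool = False       # security set trigger <name> multihost enable|disable
    peer: Optional[str] = None    # remote host of the control session, if open
    last_activity: int = 0        # ms timestamp of the last secondary-port packet


class TriggerEngine:
    def __init__(self, triggers):
        self.triggers = triggers

    def control_session(self, proto, dport, remote, now_ms):
        """An outbound session to a trigger port opens the secondary range for remote."""
        for t in self.triggers:
            if t.proto == proto and t.startport <= dport <= t.endport:
                t.peer, t.last_activity = remote, now_ms
                return t.name
        return None

    def inbound(self, proto, dport, remote, now_ms):
        """Verdict for an inbound packet to dport: allowed, denied, expired or closed."""
        for t in self.triggers:
            if t.proto != proto or not t.sec_startport <= dport <= t.sec_endport:
                continue
            if t.peer is None:
                return "closed"                   # no control session seen
            if now_ms - t.last_activity > t.maxactinterval:
                t.peer = None                     # idle too long: pinhole removed
                return "expired"
            if not t.multihost and remote != t.peer:
                return "denied"                   # only the control peer may reply
            t.last_activity = now_ms              # activity restarts the interval
            return "allowed"
        return "closed"


def demo():
    """Constructed sequence against the tr1 trigger from the list output below."""
    tr1 = Trigger("tr1", "tcp", 21, 21, 1720, 1720, maxactinterval=3000)
    eng = TriggerEngine([tr1])
    peer, other = "203.0.113.5", "198.51.100.9"
    out = [
        eng.inbound("tcp", 1720, peer, 0),             # nothing open yet
        eng.control_session("tcp", 21, peer, 100),     # control session opens 1720
        eng.inbound("tcp", 1720, peer, 2000),          # 1.9 s idle: allowed
        eng.inbound("tcp", 1720, other, 2500),         # other host, multihost disabled
        eng.inbound("tcp", 1720, peer, 4900),          # 2.9 s since last use: allowed
        eng.inbound("tcp", 1720, peer, 8000),          # 3.1 s idle: pinhole expired
        eng.inbound("tcp", 1720, peer, 8001),          # and stays closed
    ]
    tr1.multihost = True                               # security set trigger tr1 multihost enable
    out.append(eng.control_session("tcp", 21, peer, 9000))
    out.append(eng.inbound("tcp", 1720, other, 9500))  # now any remote host may use it
    return out
```

Compare the "expired" and "denied" verdicts with a static portfilter on 1720, which would answer "allowed" to every one of these packets for as long as the filter exists.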
4.2.7.1.21 SECURITY ADD TRIGGER NETMEETING
Syntax
SECURITY ADD TRIGGER <name> NETMEETING
Description
This command allows you to use the example trigger provided by the CLI. It adds a trigger that allows Netmeeting to transport data through the Security package. This application opens a secondary port session. You do not have to set the port range or maxactinterval for a Netmeeting trigger: the CLI sets them for you.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description                                                                                                                                                       | Default Value
-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
name   | An arbitrary name that identifies the trigger. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
Example
--> security add trigger t2 netmeeting
See also
SECURITY LIST TRIGGERS
SECURITY ADD TRIGGER TCP|UDP
4.2.7.1.22 SECURITY CLEAR TRIGGERS
Syntax
security clear triggers
Description
This command deletes all triggers that were added to the Security module using the
security add trigger commands.
Example
--> security clear triggers
See also
security delete trigger
4.2.7.1.23 SECURITY DELETE TRIGGER
Syntax
SECURITY DELETE TRIGGER <name>
Description
This command deletes a single trigger that was added to the Security module using the security add trigger commands.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description                                                                          | Default Value
-------|--------------------------------------------------------------------------------------|--------------
name   | An existing trigger. To display trigger names, use the security list triggers command. | N/A
Example
--> security delete trigger t2
See also
SECURITY LIST TRIGGERS
SECURITY CLEAR TRIGGERS
4.2.7.1.24 SECURITY LIST TRIGGERS
Syntax
security list triggers
Description
This command lists triggers that were added to the Security module using the security add trigger command. It displays the following information about triggers:
• Trigger ID number
• Trigger name
• Trigger transport type (TCP or UDP)
• Port range
• Secondary port range
• Interval
Example
--> security list triggers
Security Triggers:
ID | Name | Type | Port Range | Sec Port Range | Interval
---|------|------|------------|----------------|---------
1  | tr1  | tcp  | 21 - 21    | 1720 - 1720    | 3000
See also
SECURITY SHOW TRIGGER
4.2.7.1.25 SECURITY SET TRIGGER ADDRESSREPLACEMENT
Syntax
SECURITY SET TRIGGER <name> ADDRESSREPLACEMENT {NONE|TCP|UDP|BOTH}
Description
The settings in this command are only effective if you enable address translation using the command SECURITY SET TRIGGER BINARYADDRESSREPLACEMENT.
This command allows you to specify what type of address replacement is set on a trigger. Incoming packets are searched in order to find their embedded IP address. The address is then replaced by the correct inside host IP address, and NAT translates the packets to the correct destination.
You can specify whether you want to carry out address replacement on TCP packets, on UDP packets or on both TCP and UDP packets.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description                                                                          | Default Value
-------|--------------------------------------------------------------------------------------|--------------
name   | A name that identifies a trigger. To display trigger names, use the security list triggers command. | N/A
none   | Disables address replacement.                                                        | None
tcp    | Sets address replacement on TCP packets for an existing trigger.                     |
udp    | Sets address replacement on UDP packets for an existing trigger.                     |
both   | Sets address replacement on TCP and UDP packets for an existing trigger.             |
Example
--> security set trigger t2 addressreplacement tcp
See also
SECURITY SET TRIGGER BINARYADDRESSREPLACEMENT
4.2.7.1.26 SECURITY SET TRIGGER MULTIHOST
Syntax
SECURITY SET TRIGGER <name> MULTIHOST {ENABLE | DISABLE}
Description
This command sets whether a secondary session can be initiated to/from different remote hosts or only to/from the same remote host on an existing trigger.
Enabling multihost widens the pinhole: any remote host, not only the peer of the control session, can initiate the secondary session while it is open, so leave it disabled unless the application genuinely needs it.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option  | Description                                                                            | Default Value
--------|----------------------------------------------------------------------------------------|--------------
name    | An existing trigger. To display trigger names, use the security list triggers command. | N/A
enable  | A secondary session can be initiated to/from different remote hosts.                   | Disable
disable | A secondary session can only be initiated to/from the same remote host.                |
Example
--> security set trigger t1 multihost enable
See also
SECURITY LIST TRIGGERS
4.2.7.1.27 SECURITY SET TRIGGER BINARYADDRESSREPLACEMENT
Syntax
SECURITY SET TRIGGER <name> BINARYADDRESSREPLACEMENT {ENABLE | DISABLE}
Description
This command enables/disables binary address replacement on an existing trigger. You can then set the type of address replacement (TCP, UDP, both or none) using the command SECURITY SET TRIGGER ADDRESSREPLACEMENT.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option  | Description                                                                            | Default Value
--------|----------------------------------------------------------------------------------------|--------------
name    | An existing trigger. To display trigger names, use the security list triggers command. | N/A
enable  | Enables the use of binary address replacement on an existing trigger.                  | Disable
disable | Disables the use of binary address replacement on an existing trigger.                 |
Example
--> security set trigger t5 binaryaddressreplacement enable
See also
SECURITY SET TRIGGER ADDRESSREPLACEMENT
SECURITY LIST TRIGGERS
4.2.7.1.28 SECURITY SET TRIGGER MAXACTINTERVAL
Syntax
SECURITY SET TRIGGER <name> MAXACTINTERVAL <interval>
Description
This command sets the maximum activity interval limit on existing session entries for an
existing trigger.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing trigger. To display trigger names, use the security list triggers command. | N/A
interval | Sets the maximum interval time (in milliseconds) between the use of secondary port sessions. If a secondary port opened by a trigger has not been used for the specified time, it is closed. | N/A
Example
--> security set trigger t2 maxactinterval 5000
See also
SECURITY LIST TRIGGERS
4.2.7.1.29 SECURITY SET TRIGGER ENDPORT
Syntax
SECURITY SET TRIGGER <name> ENDPORT <portnumber>
Description
This command sets the end of the port number range for an existing trigger.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing trigger. To display trigger names, use the security list triggers command. | N/A
portnumber | Sets the end of the trigger port range. | N/A
Example
--> security set trigger t3 endport 21
See also
security set trigger startport
4.2.7.1.30 SECURITY SET TRIGGER STARTPORT
Syntax
SECURITY SET TRIGGER <name> STARTPORT <portnumber>
Description
This command sets the start of the port number range for an existing trigger.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing trigger. To display trigger names, use the security list triggers command. | N/A
portnumber | Sets the start of the trigger port range. | N/A
Example
--> security set trigger t3 startport 21
See also
security set trigger endport
4.2.7.1.31 SECURITY SET TRIGGER SECONDARYENDPORT
Syntax
SECURITY SET TRIGGER <name> SECONDARYENDPORT <portnumber>
Description
This command sets the end of the secondary port number range for an existing trigger. It
allows you to restrict the ports that a trigger will open; this is not usually necessary.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing trigger. To display trigger names, use the security list triggers command. | N/A
portnumber | Sets the end of the trigger's secondary port range. | 65535
Example
--> security set trigger t3 secondaryendport 1933
See also
SECURITY SET TRIGGER SECONDARYSTARTPORT
4.2.7.1.32 SECURITY SET TRIGGER SECONDARYSTARTPORT
Syntax
SECURITY SET TRIGGER <name> SECONDARYSTARTPORT <portnumber>
Description
This command sets the start of the secondary port number range for an existing trigger.
It allows you to restrict the ports that a trigger will open; this is not usually necessary.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing trigger. To display trigger names, use the security list triggers command. | N/A
portnumber | Sets the start of the trigger's secondary port range. | 1024
Example
--> security set trigger t3 secondarystartport 1923
See also
SECURITY SET TRIGGER SECONDARYENDPORT
4.2.7.1.33 SECURITY SET TRIGGER SESSIONCHAINING
Syntax
SECURITY SET TRIGGER <name> SESSIONCHAINING {ENABLE | DISABLE}
Description
This command determines whether a triggering protocol can be chained. If session chaining is enabled, TCP dynamic sessions also become triggering sessions, which allows multilevel session triggering.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing trigger. To display trigger names, use the security list triggers command. | N/A
enable | Enables TCP session chaining on an existing trigger. | Disable
disable | Disables all session chaining (TCP and UDP) on an existing trigger. |
Example
--> security set trigger t4 sessionchaining enable
See also
SECURITY SET TRIGGER UDPSESSIONCHAINING
4.2.7.1.34 SECURITY SET TRIGGER UDPSESSIONCHAINING
Syntax
SECURITY SET TRIGGER <name> UDPSESSIONCHAINING {ENABLE | DISABLE}
Description
You must set the SECURITY SET TRIGGER SESSIONCHAINING ENABLE command in
order for this command to become effective.
If UDP session chaining is enabled, both UDP and TCP dynamic sessions also become
triggering sessions, which allows multi-level session triggering.
Note:
This CLI command is case-sensitive. You must type the command attributes exactly as they appear in
the Example section. If you do not use the same case-sensitive syntax, the command fails and the CLI
displays a syntax error message.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing trigger. To display trigger names, use the security list triggers command. | N/A
enable | Enables UDP session chaining on an existing trigger. TCP and UDP session chaining is allowed if the security set trigger sessionchaining command is enabled. | Disable
disable | Disables UDP session chaining on an existing trigger. TCP session chaining is allowed if the security set trigger sessionchaining command is enabled. |
Example
--> security set trigger t3 UDPsessionchaining enable
See also
SECURITY SET TRIGGER SESSIONCHAINING
4.2.7.1.35 SECURITY SHOW TRIGGER
Syntax
SECURITY SHOW TRIGGER <name>
Description
This command displays information about a single trigger that was added to the Security
module using the security add trigger command. The following trigger information is displayed:
• Trigger name
• Transport type (TCP or UDP)
• Start of the port range
• End of the port range
• Multiple host permission (true/false)
• Maximum activity interval (in milliseconds)
• Session chaining permission (true/false)
• Session chaining on UDP permission (true/false)
• Binary address replacement permission (true/false)
• Address translation type (UDP, TCP, none or both)
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing trigger. To display trigger names, use the security list triggers command. | N/A
Example
--> security show trigger t2
Security Trigger: t2
Transport Type: tcp
Starting port number: 1000
Ending port number: 1000
Allow multiple hosts: false
Max activity interval: 30000
Session chaining: false
Session chaining on UDP: false
Binary address replacement: false
Address translation type: none
See also
SECURITY LIST TRIGGERS
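The trigger settings described in the preceding sections (primary port range, secondary port range, MULTIHOST and MAXACTINTERVAL) decide together whether an inbound packet is admitted through a secondary session. The following Python model is an added example written for this reference; it is not Allied Telesis code and does not model session chaining or address replacement. Trigger t2 takes the values shown by security show trigger t2 above; trigger t1, the hosts and the timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the trigger semantics described in this manual; it is not
# the gateway's implementation. Defaults mirror the manual's option tables.


@dataclass
class Trigger:
    name: str
    transport: str                    # "tcp" or "udp"
    start_port: int                   # STARTPORT of the primary (triggering) range
    end_port: int                     # ENDPORT of the primary range
    secondary_start: int = 1024       # SECONDARYSTARTPORT default
    secondary_end: int = 65535        # SECONDARYENDPORT default
    multihost: bool = False           # MULTIHOST default: disable
    max_act_interval_ms: int = 30000  # MAXACTINTERVAL, milliseconds

    def matches_primary(self, transport: str, dport: int) -> bool:
        return transport == self.transport and self.start_port <= dport <= self.end_port

    def in_secondary_range(self, port: int) -> bool:
        return self.secondary_start <= port <= self.secondary_end


@dataclass
class SecondarySession:
    trigger: Trigger
    local_host: str
    remote_host: str       # remote host of the connection that fired the trigger
    last_used_ms: int


class TriggerTable:
    """Secondary sessions opened by triggers, keyed by local host (one per host here)."""

    def __init__(self, triggers: List[Trigger]) -> None:
        self.triggers = triggers
        self.sessions: Dict[str, SecondarySession] = {}

    def outbound(self, local: str, remote: str, transport: str, dport: int,
                 now_ms: int) -> Optional[str]:
        """Outbound traffic into a trigger's primary range opens a secondary session."""
        for trig in self.triggers:
            if trig.matches_primary(transport, dport):
                self.sessions[local] = SecondarySession(trig, local, remote, now_ms)
                return trig.name
        return None

    def inbound(self, local: str, remote: str, transport: str, dport: int,
                now_ms: int) -> Tuple[bool, str]:
        """Decide whether an inbound packet is admitted by an open secondary session."""
        sess = self.sessions.get(local)
        if sess is None:
            return False, "no secondary session for this local host"
        trig = sess.trigger
        if now_ms - sess.last_used_ms > trig.max_act_interval_ms:
            del self.sessions[local]          # idle longer than MAXACTINTERVAL: closed
            return False, "secondary session expired"
        if transport != trig.transport:
            return False, "transport does not match the trigger"
        if not trig.in_secondary_range(dport):
            return False, "port outside the secondary port range"
        if remote != sess.remote_host and not trig.multihost:
            return False, "different remote host and MULTIHOST is disabled"
        sess.last_used_ms = now_ms            # activity keeps the session alive
        return True, "accepted by trigger " + trig.name


def demo() -> List[bool]:
    # t2 uses the values shown by "security show trigger t2"; t1 is constructed.
    t2 = Trigger("t2", "tcp", 1000, 1000)
    t1 = Trigger("t1", "udp", 5060, 5060, multihost=True)
    table = TriggerTable([t2, t1])
    results = []
    table.outbound("192.168.1.10", "198.51.100.5", "tcp", 1000, now_ms=0)
    results.append(table.inbound("192.168.1.10", "198.51.100.5", "tcp", 5000, 1000)[0])   # True
    results.append(table.inbound("192.168.1.10", "203.0.113.9", "tcp", 5000, 2000)[0])    # False: other host
    results.append(table.inbound("192.168.1.10", "198.51.100.5", "tcp", 80, 3000)[0])     # False: port < 1024
    results.append(table.inbound("192.168.1.10", "198.51.100.5", "tcp", 5000, 40000)[0])  # False: idle > 30000 ms
    table.outbound("192.168.1.20", "198.51.100.7", "udp", 5060, now_ms=0)
    results.append(table.inbound("192.168.1.20", "203.0.113.9", "udp", 30000, 500)[0])    # True: multihost
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the failed attempts do not refresh the activity timestamp, so the last admitted packet at 1000 ms is what the 30000 ms MAXACTINTERVAL is measured from; narrowing the secondary range and leaving MULTIHOST disabled are the two settings that most reduce what a trigger exposes.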
4.2.7.1.36 SECURITY SET SESSIONTIMEOUT
Syntax
security set session timeout {esp | icmp | other | tcpclose | tcpestb | tcpinit | udp} <duration>
Description
This command configures the timeout period after which a session of the selected type
times out.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
duration | Time period, configured by the user, after which the session times out. | N/A
Example
--> security set session timeout icmp 20
4.2.7.1.37 SECURITY ADD WAITINGSESSION
Syntax
SECURITY ADD WAITINGSESSION <name> <interface> <local_real_ip> <transport_type>
<local_mapping_port> <local_real_port> [<idle_timeout> {enabled | disabled}
COMMENT <comment> REMOTEIP <remoteip>]
Description
This command adds a waitingsession to the security module. Waiting sessions are a sort
of “presessions” which are created so that the security modules know about the
expected traffic.
A waiting session must at least have specific local and mapping IP addresses defined. The
other parameters (IP addresses, protocol, port numbers) may be specified as wildcards.
However, the more parameters specified, the more secure the waiting session.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | Name of the waitingsession | N/A
interface | Specify the external/dmz interface over which traffic is expected | N/A
local_real_ip | Specify the IP address of the local host which is expecting this traffic | N/A
transport_type | Specify the transport type for the traffic, e.g. TCP/UDP | N/A
local_mapping_port | Specify the TCP/UDP port on the local host to which this traffic is to be redirected | N/A
local_real_port | Specify the TCP/UDP port on which the traffic reaches the router | N/A
idle_timeout | Optionally specify the time-out after which this traffic is no longer expected | N/A
enabled | Specify whether the waiting-session should be enabled | N/A
disabled | Specify whether the waiting-session should be disabled | N/A
comment | Optionally provide a comment for this traffic | N/A
remoteip | Optionally specify the IP address of the remote host from which the traffic is expected | N/A
Example
--> security add waitingsession yahoo-video wan 192.168.0.1 17 500 5000 60 enabled comment yahoouser wants video remoteip 172.26.4.1
4.2.7.1.38 SECURITY DELETE WAITINGSESSION
Syntax
SECURITY DELETE WAITINGSESSION <name>
Description
This command deletes the waitingsession added to a security module.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | Name of the waitingsession | N/A
Example
--> security delete waitingsession yahoo-video
4.2.7.1.39 SECURITY SET WAITINGSESSION
Syntax
SECURITY SET WAITINGSESSION <name> <local_real_port> <duration> {ENABLED | DISABLED}
Description
This command sets various attributes of the waitingsession.
The local_real_port and duration attributes of a waitingsession cannot be set once the waitingsession has been created and enabled. To set these, the waitingsession must first be disabled.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | Name of the waitingsession | N/A
local_real_port | Specify the TCP/UDP port on which the traffic reaches the router | N/A
duration | Optionally specify the duration after which this traffic is no longer expected | N/A
Enabled | Specify whether the waiting-session should be enabled | N/A
Disabled | Specify whether the waiting-session should be disabled | N/A
Example
--> security set waitingsession yahoo-video localrealport 4000
4.2.7.1.40 SECURITY LIST WAITINGSESSIONS
Syntax
SECURITY LIST WAITINGSESSIONS
Description
This command lists Waiting Sessions that were added to the Security module using the
security add waitingsession command. It displays the following information about Waiting
Sessions:
• Waiting Session Name
• Interface Name
• Local Real IP (IP-Address)
• Local Remote IP (IP-Address)
• Transport Number (prot)
• Local Real Port
• Local Map Port
• enabled status (true/false)
Example
--> security list waitingsessions
Waiting Sessions:
Name       | Interface | Local Real IP | Remote IP | Prot | Local Real Port | Local Map Port | Enable
------------------------------------------------------------------------------------
yahoo-vi.. | ip0       | 192.168.1.1   | 0.0.0.0   | 17   | 5000            | 500            | true
------------------------------------------------------------------------------------
4.2.7.1.41 SECURITY SHOW WAITINGSESSION
Syntax
SECURITY SHOW WAITINGSESSION <name>
Description
This command displays information about a single waitingsession that was added to the
Security module using the security add waitingsession command. The following information is displayed:
• Waiting Session Name: Waiting Session Name.
• Interface Name: The external/dmz interface over which traffic is expected.
• Local Real IP Address: The IP address of the local host which is expecting this traffic.
• Remote IP Address: The IP address of the remote host from which the traffic is expected, if specified.
• Protocol: The protocol type, TCP/UDP.
• Local Real Port: The TCP/UDP port on which the traffic reaches the router.
• Local Mapping Port: The TCP/UDP port on the local host to which this traffic is redirected.
• Remote Port: The remote port from which this traffic is expected, or wildcard.
• Duration: The duration after which this traffic is no longer expected, if specified.
• Reusable: Whether the waiting-session should be enabled.
• Enabled: Whether the waiting-session should be disabled.
• Description: Comment provided to describe this particular traffic, if any.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | Name of the waitingsession | N/A
Example
--> security show waitingsession yahoo-video
Waiting Session Name: yahoo-video
Interface Name: wan
Local Real IP Address: 192.168.0.1
Remote IP Address: 0.0.0.0
Protocol: 17
Local Real Port: 4000
Local Mapping Port: 500
Remote Port: 65535
Duration: 300
Reusable: true
Enabled: true
Description: whatisit
4.2.7.1.42 SECURITY ENABLE|DISABLE IDS
Syntax
SECURITY {enable | disable} IDS
Description
This command explicitly enables/disables IDS (Intrusion Detection Service). You must
enable IDS if you want to activate the settings specified in the security IDS commands.
If you disable IDS during a session, any configuration changes made when IDS was
enabled are not deleted - you can re-enable them later in the session.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
enable | Enables the IDS portion of the Security module. | Disable
disable | Disables the IDS portion of the Security module. |
Example
--> security enable IDS
See also
SECURITY enable|disable
4.2.7.1.43 SECURITY ENABLE|DISABLE IDS BLACKLIST
Syntax
security enable|disable IDS blacklist
Description
This command enables or disables support for the IDS (Intrusion Detection Setting) blacklist. Blacklisting denies an external host access to the system if IDS has detected an intrusion from
that host. Access to the network is denied for ten minutes.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
enable | Enables blacklisting of an external host if IDS has detected an intrusion from that host. | Disable
disable | Disables blacklisting of an external host if IDS has detected an intrusion from that host. |
Example
--> security enable IDS blacklist
4.2.7.1.44 SECURITY CLEAR IDS BLACKLIST
Syntax
SECURITY CLEAR IDS BLACKLIST
Description
This command clears blacklisting of an external host. Blacklisting denies an external host
access to the system if IDS has detected an intrusion from that host. Access to the network is denied for ten minutes, unless this command is used before this duration expires.
Example
--> security clear IDS blacklist
4.2.7.1.45 SECURITY ENABLE|DISABLE IDS VICTIMPROTECTION
Syntax
security enable|disable IDS victimprotection
Description
This command enables/disables the victim protection Intrusion Detection Setting (IDS).
This protects your system against broadcast pings. An attacker sends out a ping with a
broadcast destination address and a spoofed source address. Packets destined for the victim of a spoofing attack are blocked for a specified duration (600 minutes by default).
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
enable | Enables victim protection and blocks packets destined for the victim host. | Disable
disable | Disables victim protection. |
Example
--> security enable IDS victimprotection
4.2.7.1.46 SECURITY SET IDS VICTIMPROTECTION
Syntax
security set IDS victimprotection <duration>
Description
This command sets the duration of the victim protection Intrusion Detection Setting
(IDS). If victim protection is enabled, packets destined for the victim host of a spoofing
style attack are blocked. The command allows you to specify the duration of the block
time limit.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that packets destined for the victim of a spoofing style attack are blocked for. | 600 (10 minutes)
Example
--> security set IDS victimprotection 800
4.2.7.1.47 SECURITY SET IDS DOSATTACKBLOCK
Syntax
SECURITY SET IDS DOSATTACKBLOCK <DURATION>
Description
This command sets the DOS (Denial of Service) attack block duration Intrusion Detection Setting (IDS). A DOS attack is an attempt by an attacker to prevent legitimate users
from using a service. If a DOS attack is detected, all suspicious hosts are blocked for a
set time limit. This command allows you to specify the duration of the block time limit.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that suspicious hosts are blocked for once a DOS attack attempt has been detected. | 1800 (30 minutes)
Example
--> security set IDS DOSattackblock 800
4.2.7.1.48 SECURITY SET IDS MALICIOUSATTACKBLOCK
Syntax
SECURITY SET IDS MALICIOUSATTACKBLOCK <duration>
Description
This command sets the malicious attack block duration Intrusion Detection Setting
(IDS). A malicious attack happens when a bad packet is sent which causes the networking
on certain systems to crash. For example, in a WinNuke attack, the attacker sends TCP packets
to the NetBIOS port (135) with the URG bit set, which causes networking to be disabled on
Win 95/NT machines. If a malicious attack is detected, all suspicious source IPs are
blocked for a set time limit. This command allows you to specify the duration of the
block time limit.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that suspicious hosts are blocked for once a malicious attack attempt has been detected. | 1800 (30 minutes)
Example
--> security set IDS MaliciousAttackBlock 3600
4.2.7.1.49 SECURITY SET IDS MAXICMP
Syntax
SECURITY SET IDS MAXICMP <MAX>
Description
This command sets the maximum number of ICMP packets per second that are allowed
before an ICMP Flood is detected. An ICMP Flood is a DOS (Denial of Service) attack. An
attacker tries to flood the network with ICMP packets in order to prevent transportation
of legitimate network traffic. Once the maximum number of ICMP packets per second is
reached, an attempted ICMP Flood is detected.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
max | The maximum number (per second) of ICMP packets that are allowed before an ICMP Flood attempt is detected. | 100
Example
--> security set IDS MaxICMP 200
4.2.7.1.50 SECURITY SET IDS MAXPING
Syntax
SECURITY SET IDS MAXPING <MAX>
Description
This command sets the maximum number of pings per second that are allowed before an
Echo Storm is detected. Echo Storm is a DOS (Denial of Service) attack. An attacker
sends oversized ICMP datagrams to the system using the ‘ping’ command. This can cause
the system to crash, freeze or reboot, resulting in denial of service to legitimate users.
Once the maximum number of pings per second is reached, an attempted DOS attack is
detected.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
max | The maximum number (per second) of pings that are allowed before an Echo Storm attempt is detected. | 15
Example
--> security set IDS MaxPING 25
4.2.7.1.51 SECURITY SET IDS MAXTCPOPENHANDSHAKE
Syntax
SECURITY SET IDS MAXTCPOPENHANDSHAKE <MAX>
Description
This command sets the maximum number of unfinished TCP handshaking sessions per
second that are allowed before a SYN Flood is detected. SYN Flood is a DOS (Denial of
Service) attack. When establishing normal TCP connections, three packets are
exchanged:
1. A SYN (synchronize) packet is sent from the host to the network server
2. A SYN/ACK packet is sent from the network server to the host
3. An ACK (acknowledge) packet is sent from the host to the network server
If the host sends unreachable source addresses in the SYN packet, the server sends the
SYN/ACK packets to the unreachable addresses and keeps resending them. This creates
a backlog queue of unacknowledged SYN/ACK packets. Once the queue is full, the system will ignore all incoming SYN requests and no legitimate TCP connections can be
established.
Once the maximum number of unfinished TCP handshaking sessions is reached, an
attempted DOS attack is detected. The suspected attacker is blocked for the time limit
specified in the security set IDS DOSattackblock command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
max | The maximum number (per second) of unfinished TCP handshaking sessions that are allowed before a SYN Flood attempt is detected. | 100
Example
--> security set IDS MaxTCPopenhandshake 150
4.2.7.1.52 SECURITY SET IDS SCANATTACKBLOCK
Syntax
SECURITY SET IDS SCANATTACKBLOCK <DURATION>
Description
This command allows you to set the scan attack block duration Intrusion Detection Setting (IDS). A host is blocked for a set time limit once scan activity has been detected from it; this
command allows you to specify the duration of that block.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that a suspicious host is blocked for, after scan activity has been detected. | 86400 (one day)
Example
--> security set IDS SCANattackblock 43200
4.2.7.1.53 SECURITY SET IDS FLOODPERIOD
Syntax
SECURITY SET IDS FLOODPERIOD <DURATION>
Description
This command allows you to set the time limit during which suspected SYN floods are
counted. If the number of SYN floods counted within the specified duration is greater
than the threshold set by either SECURITY SET IDS FLOODTHRESHOLD or SECURITY SET IDS PORTFLOODTHRESHOLD, the suspected attacker is blocked for the
time limit specified in the command SECURITY SET IDS DOSATTACKBLOCK.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that suspected SYN floods are counted for. | 10
Example
--> security set IDS floodperiod 60
4.2.7.1.54 SECURITY SET IDS FLOODTHRESHOLD
Syntax
SECURITY SET IDS FLOODTHRESHOLD <MAX>
Description
This command allows you to set the maximum number of SYN packets allowed before a
flood is detected. If the number of SYN packets counted within the time duration set by
the command SECURITY SET IDS FLOODPERIOD is greater than the maximum value
set here, the suspected attacker is blocked for the time limit specified in the command
SECURITY SET IDS DOSATTACKBLOCK.
For example, using the default settings, if more than 20 SYN packets are received per
second for a 10 second duration, the attacker is blocked.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
max | Maximum number of SYN packets that can be received before a flood is detected. | 20 (per second)
Example
--> security set IDS floodthreshold 25
4.2.7.1.55 SECURITY SET IDS PORTFLOODTHRESHOLD
Syntax
SECURITY SET IDS PORTFLOODTHRESHOLD <MAX>
Description
This command allows you to set the maximum number of SYN packets that can be sent
to a single port before a port flood is detected. If the number of SYN packets counted
within the time duration set by the command SECURITY SET IDS FLOODPERIOD is
greater than the maximum value set here, the suspected attacker is blocked for the time
limit specified in the command SECURITY SET IDS DOSATTACKBLOCK.
For example, using the default settings, if more than 10 SYN packets are received per
second for a 10 second duration, the attacker is blocked.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
max | Maximum number of SYN packets that can be received by a single port before a flood is detected. | 10 (per second)
Example
--> security set IDS portfloodthreshold 15
4.2.7.1.56 SECURITY SET IDS SCANPERIOD
Syntax
SECURITY SET IDS SCANPERIOD <DURATION>
Description
This command allows you to set the time limit during which scanning type traffic (such as
a closed TCP port receiving SYN/ACK, FIN or RST) is counted. If the number of scanning
packets counted within the specified duration is greater than the threshold set by SECURITY SET IDS SCANTHRESHOLD, the suspected attacker is blocked for the time limit
specified in the command SECURITY SET IDS SCANATTACKBLOCK.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that scanning type traffic is counted for. | 60 (seconds)
Example
--> security set IDS scanperiod 90
4.2.7.1.57 SECURITY SET IDS SCANTHRESHOLD
Syntax
SECURITY SET IDS SCANTHRESHOLD <MAX>
Description
This command allows you to set the maximum number of scanning packets that can be
received before a port scan is detected. If the number of scanning packets counted within
the time duration set by the command SECURITY SET IDS SCANPERIOD is greater than
the maximum value set here, the suspected attacker is blocked for the time limit specified
in the command SECURITY SET IDS SCANATTACKBLOCK.
For example, using the default settings, if more than 5 scanning packets are received per
second for a 60 second duration, the attacker is blocked.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
max | Maximum number of scanning packets that can be received before a port scan attack is detected. | 5 (per second)
Example
--> security set IDS scanthreshold 8
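The SYN flood, port flood and port scan settings of the preceding sections (FLOODPERIOD, FLOODTHRESHOLD, PORTFLOODTHRESHOLD, DOSATTACKBLOCK, SCANPERIOD, SCANTHRESHOLD and SCANATTACKBLOCK) combine into per-source sliding-window counters and a block timer. The following Python model is an added example, not the gateway's implementation; it replays constructed traffic against the manual's default values and assumes that "more than N packets per second for the period" means more than N times the period events from one source inside a sliding window of that many seconds, which is one reading of the text.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Constructed model of the IDS counters described in these sections; not the
# gateway's implementation. Defaults are the manual's defaults for each command.


class IdsCounters:
    def __init__(self, flood_period: int = 10, flood_threshold: int = 20,
                 port_flood_threshold: int = 10, dos_attack_block: int = 1800,
                 scan_period: int = 60, scan_threshold: int = 5,
                 scan_attack_block: int = 86400) -> None:
        self.flood_period = flood_period                  # SECURITY SET IDS FLOODPERIOD
        self.flood_threshold = flood_threshold            # SECURITY SET IDS FLOODTHRESHOLD
        self.port_flood_threshold = port_flood_threshold  # SECURITY SET IDS PORTFLOODTHRESHOLD
        self.dos_attack_block = dos_attack_block          # SECURITY SET IDS DOSATTACKBLOCK
        self.scan_period = scan_period                    # SECURITY SET IDS SCANPERIOD
        self.scan_threshold = scan_threshold              # SECURITY SET IDS SCANTHRESHOLD
        self.scan_attack_block = scan_attack_block        # SECURITY SET IDS SCANATTACKBLOCK
        self.syn_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.port_syn_times: Dict[Tuple[str, int], Deque[float]] = defaultdict(deque)
        self.scan_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, src: str, now: float) -> bool:
        return self.blocked_until.get(src, 0.0) > now

    @staticmethod
    def _count(window: Deque[float], now: float, period: float) -> int:
        """Record one event and return how many fall inside the last `period` seconds."""
        window.append(now)
        while window and window[0] <= now - period:
            window.popleft()
        return len(window)

    def syn(self, src: str, dport: int, now: float) -> Optional[str]:
        """Account for one inbound SYN; return a verdict when the source is or becomes blocked."""
        if self.is_blocked(src, now):
            return "blocked"
        n = self._count(self.syn_times[src], now, self.flood_period)
        if n > self.flood_threshold * self.flood_period:
            self.blocked_until[src] = now + self.dos_attack_block
            return "syn flood"
        m = self._count(self.port_syn_times[(src, dport)], now, self.flood_period)
        if m > self.port_flood_threshold * self.flood_period:
            self.blocked_until[src] = now + self.dos_attack_block
            return "port flood"
        return None

    def scan_packet(self, src: str, now: float) -> Optional[str]:
        """Account for one scanning-type packet (SYN/ACK, FIN or RST to a closed port)."""
        if self.is_blocked(src, now):
            return "blocked"
        n = self._count(self.scan_times[src], now, self.scan_period)
        if n > self.scan_threshold * self.scan_period:
            self.blocked_until[src] = now + self.scan_attack_block
            return "port scan"
        return None


def demo() -> Dict[str, object]:
    """Replay constructed traffic (addresses and timings are made up) against the defaults."""
    ids = IdsCounters()
    out: Dict[str, object] = {}
    # 101 SYNs to one port within 5 s: the per-port limit (10/s * 10 s = 100) trips first.
    verdicts = [ids.syn("203.0.113.9", 80, i * 0.05) for i in range(101)]
    out["flood_trip_index"] = verdicts.index("port flood")            # 100
    out["during_block"] = ids.syn("203.0.113.9", 80, 6.0)             # "blocked"
    out["after_block"] = ids.syn("203.0.113.9", 80, 5.0 + 1800 + 1)   # None: block expired
    # 301 scanning packets within 30 s exceed 5/s * 60 s = 300.
    scans = [ids.scan_packet("198.51.100.77", i * 0.1) for i in range(301)]
    out["scan_trip_index"] = scans.index("port scan")                 # 300
    # 50 SYNs to 50 different ports in 10 s stay below both limits.
    legit = [ids.syn("192.0.2.10", 1024 + i, i * 0.2) for i in range(50)]
    out["legit_tripped"] = any(v is not None for v in legit)          # False
    return out


if __name__ == "__main__":
    print(demo())
```

The same windowed counter pattern covers the MAXICMP, MAXPING and MAXTCPOPENHANDSHAKE settings with a one second window; the model shows why raising FLOODPERIOD without lowering the thresholds makes detection slower rather than stricter, since the trip point is the product of the two.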
4.2.7.1.58 SECURITY SET AEMLOGGINGINTERVAL
Syntax
SECURITY SET AEMLOGGINGINTERVAL <number>
Description
This command sets the alarm logging interval value.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
number | The interval between each AEM logging message. | 5
Example
--> security set aemlogginginterval 10
See also
security show
4.2.7.1.59 SECURITY SHOW IDS
Syntax
SECURITY SHOW IDS
Description
This command displays the following information about IDS settings:
• IDS enabled status (true or false)
• Blacklist status (true or false)
• Use Victim Protection status (true or false)
• DOS attack block duration (in seconds)
• Scan attack block duration (in seconds)
• Victim protection block duration (in seconds)
• Maximum TCP open handshaking count allowed (per second)
• Maximum ping count allowed (per second)
• Maximum ICMP count allowed (per second)
Example
--> security show IDS
Firewall IDS:
IDS Enabled: false
Use Blacklist: false
Use Victim Protection: false
Dos Attack Block Duration: 1800
Scan Attack Block Duration: 86400
Malicious Attack Block Duration: 86400
Victim Protection Block Duration: 600
Scan Detection Threshold: 5
Scan Detection Period: 10
Port Flood Detection Threshold: 10
Host Flood Detection Threshold: 20
FloodDetectPeriod : 10
Max TCP Open Handshaking Count: 5
Max PING Count: 15
Max ICMP Count: 100
4.3 Firewall
4.3.1 Overview
The AT-iMG Models security system implements a stateful Firewall providing high security by blocking certain
incoming traffic based on stateful information.
Each time outbound packets are sent from an internal host to an external host, the following information is
logged by the Firewall:
• source and destination addresses
• Port number
• Sequencing information
• Additional flags for each connection associated with that particular internal host
All inbound packets are compared against this logged information and only allowed through the Firewall if it can
be determined that they are part of an existing connection. This makes it very difficult for hackers to break
through the stateful Firewall, because they would need to know addresses, port numbers, sequencing information and individual connection flags for an existing session to an internal host.
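To show how the stateful check just described relates to the waiting sessions of the SECURITY ADD WAITINGSESSION command (4.2.7.1.37), here is an added Python model that is not the gateway's code: outbound flows are recorded, a reply is admitted only if it matches a recorded flow, and a waiting session pre-declares traffic that is admitted although no outbound flow exists yet. Only the address/port tuple is tracked (the sequencing information and flags the firewall also records are not modelled). The yahoo-video session takes its values from the manual's add example; the other addresses, the router WAN address and the any-host session are constructed.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed model of the stateful check and of waiting sessions described in this
# manual; it is not the gateway's code. Only the address/port tuple is tracked.


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int

    def reverse(self) -> "Flow":
        """The tuple that a reply to this flow carries."""
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


@dataclass
class WaitingSession:
    """A pre-session: expected inbound traffic, declared before it arrives."""
    name: str
    local_real_ip: str          # local host expecting the traffic
    proto: int
    local_real_port: int        # port on which the traffic reaches the router
    local_mapping_port: int     # port on the local host it is redirected to
    remote_ip: str = "0.0.0.0"  # 0.0.0.0 = any remote host (wildcard, as in the show output)
    enabled: bool = True

    def matches(self, pkt: Flow) -> bool:
        return (self.enabled
                and pkt.proto == self.proto
                and pkt.dst_port == self.local_real_port
                and (self.remote_ip == "0.0.0.0" or self.remote_ip == pkt.src_ip))


class StatefulFirewall:
    def __init__(self) -> None:
        self.established: Set[Flow] = set()
        self.waiting: List[WaitingSession] = []

    def outbound(self, flow: Flow) -> None:
        """Every outbound flow is recorded so that its replies can be recognised."""
        self.established.add(flow)

    def inbound(self, flow: Flow) -> Tuple[bool, str]:
        if flow.reverse() in self.established:
            return True, "part of an existing connection"
        for ws in self.waiting:
            if ws.matches(flow):
                return True, "waiting session %s: redirect to %s:%d" % (
                    ws.name, ws.local_real_ip, ws.local_mapping_port)
        return False, "no matching state; dropped"


def demo() -> List[bool]:
    fw = StatefulFirewall()
    wan = "203.0.113.1"   # constructed router WAN address
    results = []
    # 1. A reply to an outbound connection is admitted; a packet with a different
    #    port pair is not, even though it comes from the same external host.
    fw.outbound(Flow("192.168.0.1", "198.51.100.5", 6, 40000, 443))
    results.append(fw.inbound(Flow("198.51.100.5", "192.168.0.1", 6, 443, 40000))[0])  # True
    results.append(fw.inbound(Flow("198.51.100.5", "192.168.0.1", 6, 443, 40001))[0])  # False
    # 2. The waiting session from the "security add waitingsession" example: UDP (17)
    #    arriving on port 5000, redirected to 192.168.0.1:500, only from 172.26.4.1.
    fw.waiting.append(WaitingSession("yahoo-video", "192.168.0.1", 17, 5000, 500,
                                     remote_ip="172.26.4.1"))
    results.append(fw.inbound(Flow("172.26.4.1", wan, 17, 5000, 5000))[0])    # True
    results.append(fw.inbound(Flow("198.51.100.9", wan, 17, 5000, 5000))[0])  # False: other host
    # 3. The same session with a wildcard remote address admits any host on that port,
    #    which is why the manual says more specified parameters make it more secure.
    fw.waiting.append(WaitingSession("any-host", "192.168.0.1", 17, 5000, 500))
    results.append(fw.inbound(Flow("198.51.100.9", wan, 17, 5000, 5000))[0])  # True
    return results


if __name__ == "__main__":
    print(demo())
```

Step 3 is the case to watch when reviewing a configuration: a waiting session whose REMOTEIP is left as the wildcard is effectively an open inbound port on the local host for the lifetime of the session, so set the remote address and an idle timeout whenever the peer is known.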
The firewall module manages firewall behaviour and offers the ability to:
• Control what kind of Firewall activity is logged
• Protect the internal network using stateful firewall functionality
• Create policies
• Add validators to policies
• Add portfilters to policies
• Enable/disable and configure Intrusion Detection Settings (IDS)
In order to access firewall features, the firewall module must be enabled using the firewall enable command.
Figure 9 shows the entities involved in the firewall module and their relationships.
4.3.1.1 Policy
A policy is a relationship between two security interfaces where it is possible to assign portfilter and validator
rules between them.
There are three different security interface combinations that Firewall policies can be created between:
• The external interface and the internal interface
• The external interface and the DMZ interface
• The DMZ interface and the internal interface
To add a policy between one of the three above interface combinations use the FIREWALL ADD POLICY command.
4.3.1.2 Portfilter
A portfilter is a rule that determines how the Firewall should handle packets being transported between two
security interfaces that are defined in an existing policy. The rules define:
• What protocol type is allowed
• Which TCP/UDP port numbers the packets are allowed to be transported on
• The name of the well-known protocol, service or application allowed to be transported
• Source and destination addresses
Whichever type of filter rule you use, you must also determine which direction packets should be allowed to
travel in:
• inbound; permitted traffic is transported from the outside interface to the inside interface
• outbound; permitted traffic is transported from the inside interface to the outside interface
• both; inbound and outbound rules apply
To add a portfilter to an existing policy use the FIREWALL ADD PORTFILTER command.
More than one portfilter object can be added to the same policy.
4.3.2 Firewall command reference
This section describes the commands available on AT-iMG Models to enable, configure and manage the Firewall module.
The table below lists the firewall commands provided by the CLI:
TABLE 4-3 Firewall commands and Product Type

Command                                                     | Fiber A | Fiber B | Fiber C | Fiber D | Fiber E | Modular | ADSL A | ADSL B | ADSL C
------------------------------------------------------------+---------+---------+---------+---------+---------+---------+--------+--------+-------
FIREWALL ENABLE|DISABLE                                     |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL ENABLE|DISABLE IDS                                 |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL ENABLE|DISABLE BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET SECURITYLEVEL                                  |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL STATUS                                             |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL LIST POLICIES                                      |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SHOW POLICY                                        |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL LIST PROTOCOL                                      |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL ADD DOMAINFILTER                                   |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET DOMAINFILTER                                   |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL DELETE DOMAINFILTER                                |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL ADD PORTFILTER                                     |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET PORTFILTER                                     |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL CLEAR PORTFILTERS                                  |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL DELETE PORTFILTER                                  |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL LIST PORTFILTERS                                   |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SHOW PORTFILTER                                    |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL ADD VALIDATOR                                      |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL DELETE VALIDATOR                                   |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL LIST VALIDATORS                                    |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SHOW VALIDATOR                                     |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS VICTIMPROTECTION                           |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS DOSATTACKBLOCK                             |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS MAXICMP                                    |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS MaxPING                                    |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS MAXTCPOPENHANDSHAKE                        |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS SCANATTACKBLOCK                            |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS FLOODPERIOD                                |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS FLOODTHRESHOLD                             |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS PORTFLOODTHRESHOLD                         |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS SCANPERIOD                                 |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SET IDS SCANTHRESHOLD                              |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
FIREWALL SHOW IDS                                           |    X    |    X    |    X    |    X    |    X    |    X    |   X    |   X    |   X
4.3.2.0.1 FIREWALL ENABLE|DISABLE
Syntax
firewall {enable | disable}
Description
This command enables/disables the entire Firewall module except for the IDS portion of
the module (see the command FIREWALL ENABLE|DISABLE IDS).
When the Firewall is enabled, all IP traffic on existing security interfaces that are NOT
featured in a Firewall policy is blocked. For details on setting default policy security levels
on security interfaces, see the FIREWALL SET SECURITYLEVEL command.
If you disable the Firewall during a session, any configuration changes made when the
Firewall was enabled remain in the Firewall, so that you can re-enable them later in the
session. If you need to reboot your system but want to save the Firewall configuration
between sessions, use the SYSTEM CONFIG SAVE command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option  | Description                   | Default Value
enable  | Enables the Firewall module.  | Disable
disable | Disables the Firewall module. |
Example
--> firewall enable
4.3.2.0.2 FIREWALL ENABLE|DISABLE IDS
Syntax
firewall {enable | disable} IDS
Description
This command explicitly enables/disables IDS (Intrusion Detection Service). You must
enable IDS if you want to activate the settings specified in the security IDS commands.
This command is an alias of the "security enable|disable IDS" command.
Note:
You must enable the Security module using the command security on in order to use IDS.
If you disable IDS during a session, any configuration changes made when IDS was enabled
are not deleted - you can re-enable them later in the session.
This CLI command is case-sensitive. You must type the command attributes exactly as
they appear in the Command Syntax section on this page. If you do not use the same
case-sensitive syntax, the command fails and the CLI displays a syntax error message.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option  | Description                                      | Default Value
enable  | Enables the IDS portion of the Security module.  | Disable
disable | Disables the IDS portion of the Security module. |
Example
--> firewall enable IDS
See also
security enable IDS, security disable IDS
4.3.2.0.3 FIREWALL ENABLE|DISABLE BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG
Syntax
firewall {enable | disable} {blockinglog | intrusionlog | sessionlog}
Description
This command enables/disables one of the three Firewall logs: blocking logging, intrusion
logging or session logging. The current state of each log is displayed by the FIREWALL
STATUS command; the Firewall module itself is enabled and disabled with the FIREWALL
ENABLE|DISABLE command.
If you need to reboot your system but want to save the Firewall configuration between
sessions, use the SYSTEM CONFIG SAVE command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option       | Description                                  | Default Value
enable       | Enables the selected Firewall log.           |
disable      | Disables the selected Firewall log.          |
blockinglog  | The Firewall blocking log.                   |
intrusionlog | The Firewall intrusion log.                  |
sessionlog   | The Firewall session log.                    |
Example
--> firewall enable sessionlog
4.3.2.0.4 FIREWALL SET SECURITYLEVEL
Syntax
FIREWALL SET SECURITYLEVEL {NONE | HIGH | MEDIUM | LOW}
Description
This command allows you to set which security level is used by the Firewall. There are
four default security levels (none, high, medium and low) that contain different security
configuration information for each interface connection.
Selecting a security level deletes the previous security level and any policies or portfilters
set, and replaces them with the newly selected level.
The factory default setting none is not a security level. It is a blank firewall configuration
that allows you to create your own policies and portfilters, using the commands firewall
add policy and firewall add portfilter. These manually configured policies/portfilters are
stored in the im.conf file.
Explicitly setting the security level to none sets a security level that does not contain any
policies or portfilters. Note that if you create policies/portfilters and store them in the
im.conf file, then select none (or any other security level), all of your manually configured
policies/portfilters will be deleted and replaced with this level.
The userdefined option allows you to select a security configuration that you have previously created.
There are three types of interface connections:
• Between the external interface and internal interface
• Between the external interface and the de-militarized zone (DMZ)
• Between the DMZ and the internal interface
You can add your own firewall portfilters to a security level by using the FIREWALL ADD
PORTFILTER command. If you then save your configuration using the SYSTEM CONFIG
CREATE/SET command, these additional filters are saved with the default level and are
restored on reboot.
Options
The following tables describe the default policies enabled in the firewall for each of the
high, medium and low security levels. The tables tell you whether a certain service can be
received in or allowed out by a specific policy. (Y=yes; N=no):

TABLE 4-4 Default Policies Enabled in the Firewall - High Security

Service          | Port | External<>Internal | External<>DMZ | DMZ<>Internal
                 |      | In | Out           | In | Out      | In | Out
-----------------+------+----+---------------+----+----------+----+----
http             | 80   | N  | Y             | Y  | Y        | Y  | Y
dns              | 53   | N  | Y             | N  | Y        | N  | Y
telnet           | 23   | N  | N             | N  | N        | N  | N
smtp             | 25   | N  | Y             | Y  | Y        | Y  | Y
pop3             | 110  | N  | Y             | Y  | Y        | Y  | Y
nntp             | 119  | N  | N             | N  | N        | N  | N
real audio/video | 7070 | N  | N             | N  | N        | N  | N
icmp             | N/A  | N  | Y             | N  | Y        | N  | Y
H.323            | 1720 | N  | N             | N  | N        | N  | N
T.120            | 1503 | N  | N             | N  | N        | N  | N
SSH              | 22   | N  | N             | N  | Y        | N  |

TABLE 4-5 Default Policies Enabled in the Firewall - Medium Security

Service          | Port | External<>Internal | External<>DMZ | DMZ<>Internal
                 |      | In | Out           | In | Out      | In | Out
-----------------+------+----+---------------+----+----------+----+----
http             | 80   | N  | Y             | Y  | Y        | Y  | Y
dns              | 53   | N  | Y             | Y  | Y        | Y  | Y
telnet           | 23   | N  | Y             | N  | Y        | N  | Y
smtp             | 25   | N  | Y             | Y  | Y        | Y  | Y
pop3             | 110  | N  | Y             | Y  | Y        | Y  | Y
nntp             | 119  | N  | Y             | Y  | Y        | Y  | Y
real audio/video | 7070 | Y  | N             | N  | Y        | N  | Y
icmp             | N/A  | N  | Y             | N  | Y        | N  | Y
H.323            | 1720 | N  | Y             | N  | Y        | N  | Y
T.120            | 1503 | N  | Y             | N  | Y        | N  | Y
SSH              | 22   | N  | Y             | N  | Y        | N  | Y

TABLE 4-6 Default Policies Enabled in the Firewall - Low Security

Service          | Port | External<>Internal | External<>DMZ | DMZ<>Internal
                 |      | In | Out           | In | Out      | In | Out
-----------------+------+----+---------------+----+----------+----+----
http             | 80   | N  | Y             | Y  | Y        | Y  | Y
dns              | 53   | Y  | Y             | Y  | Y        | Y  | Y
telnet           | 23   | N  | Y             | Y  | Y        | Y  | Y
smtp             | 25   | N  | Y             | Y  | Y        | Y  | Y
pop3             | 110  | N  | Y             | Y  | Y        | Y  | Y
nntp             | 119  | N  | N             | N  | N        | N  | N
real audio/video | 7070 | Y  | N             | Y  | Y        | Y  | Y
icmp             | N/A  | N  | Y             | Y  | Y        | Y  | Y
H.323            | 1720 | Y  | Y             | Y  | Y        | Y  | Y
T.120            | 1503 | Y  | Y             | Y  | Y        | Y  | Y
SSH              | 22   | Y  | Y             | Y  | Y        | Y  | Y

The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable):
Option      | Description                                                                  | Default Value
none        | The factory default setting none is not a security level; it allows you to   | None (factory
            | manually configure your own policies/portfilters. Explicitly setting none     | default setting)
            | sets a security level that does not contain any policies/portfilters.        |
high        | Your system uses the high firewall security level, providing a high level of |
            | firewall security between interfaces.                                        |
medium      | Your system uses the medium firewall security level, providing a medium      |
            | level of firewall security between interfaces.                               |
low         | Your system uses the low firewall security level, providing a low level of   |
            | firewall security between interfaces.                                        |
userdefined | Your system uses a security configuration that you have previously created.  |
slevel      | The name of the security configuration level that you have previously        | N/A
            | created.                                                                     |
Example
--> firewall set securitylevel medium
4.3.2.0.5 FIREWALL STATUS
Syntax
firewall status
Description
This command displays the following information about the Firewall:
• Firewall status (enabled or disabled)
• Security level setting (none, high, low or medium)
• Firewall logging status:
  • session logging (enabled or disabled)
  • blocking logging (enabled or disabled)
  • intrusion logging (enabled or disabled)
Example
--> firewall status
Firewall enabled.
Firewall security level: medium.
Firewall session logging enabled.
Firewall blocking logging enabled.
Firewall intrusion logging disabled.
See also
firewall enable|disable
firewall set securitylevel
4.3.2.0.6 FIREWALL LIST POLICIES
Syntax
firewall list policies
Description
This command lists the following information about policies that were added to the firewall using the FIREWALL ADD POLICY command:
• Policy ID number
• Policy name
• Interface Type 1 and Interface Type 2 - the two interface types between which a policy exists (external - internal, external - DMZ or internal - DMZ)
• Validator Allow Only status - False: only traffic based on the direction and the IP
address(es) specified by Firewall validators is blocked. All other traffic is allowed.
Example
--> firewall list policies
Firewall Policies:
ID | Name    | Type 1   | Type 2   | Validator Allow Only
---------------------------------------------------------
1  | ext-int | external | internal | false
2  | ext-dmz | external | dmz      | false
3  | dmz-int | dmz      | internal | false
---------------------------------------------------------
See also
FIREWALL SHOW POLICY
FIREWALL ADD
FIREWALL ADD VALIDATOR
4.3.2.0.7 FIREWALL SHOW POLICY
Syntax
firewall show policy {ext-int|ext-dmz|dmz-int}
Description
This command displays information about a single policy that exists between two Security interface types. Allow Only Validator: false means that only traffic based on the
direction and the IP address(es) specified in the firewall add validator command is
blocked. All other traffic is allowed.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description                                               | Default Value
name   | An existing firewall policy. To display policy names, use | N/A
       | the FIREWALL LIST POLICIES command.                       |
Example
--> firewall show policy ext-dmz
Firewall Policy: ext-dmz
Interface Type 1: external
Interface Type 2: dmz
Allow Only Validator: false
See also
FIREWALL LIST POLICIES
firewall set securitylevel
4.3.2.0.8 FIREWALL LIST PROTOCOL
Syntax
firewall list protocol
Description
This command lists the protocol numbers that can be given as the <protocol> argument of the FIREWALL ADD PORTFILTER and FIREWALL SET PORTFILTER commands for a non-TCP or non-UDP protocol. Protocol numbers can be found at http://www.ietf.org/rfc/rfc1700.txt.
Example
--> firewall list protocol
Assigned Internet Protocol Numbers
see RFC 1700 "Assigned Numbers"
section "Protocol Numbers" pages 7 - 9
 1  ICMP     Internet Control Message
 2  IGMP     Internet Group Management
 3  GGP      Gateway-to-Gateway
 4  IP       IP in IP (encapsulation)
 6  TCP      Transmission Control
 8  EGP      Exterior Gateway Protocol
 9  IGP      any private interior gateway
17  UDP      User Datagram
46  RSVP     Reservation Protocol
47  GRE      General Routing Encapsulation
89  OSPFIGP  OSPFIGP
92  MTP      Multicast Transport Protocol
94  IPIP     IP-within-IP Encapsulation Protocol
See also
Firewall add portfilter, firewall set portfilter
4.3.2.0.9 FIREWALL ADD DOMAINFILTER
Syntax
FIREWALL ADD DOMAINFILTER <filtername> <policyname> <urlstring>
<starttime> <endtime>
Description
This command adds a new domainfilter. You must specify the URL, which is an alphanumeric string that may include the wildcard character "*" and ".".
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                    | Default Value
filtername | Any alphanumeric string. This is the name of the domain        | N/A
           | filter, which should be unique.                                |
policyname | Firewall policy.                                               | N/A
urlstring  | Any alphanumeric string which represents a valid domain name.  | N/A
           | Includes '*' to support wildcards.                             |
starttime  | Start time from when the filter is active. The format is       | N/A
           | 24-hour hh:mm:ss.                                              |
endtime    | Time after which the filter is no longer active.               | N/A
Example
--> firewall add domainfilter all_http ext-int www.*.com 10:00:00 18:00:00
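How a domainfilter such as the one above selects traffic, as an added Python example that is not the device's code: the urlstring is matched with '*' as the only wildcard and '.' taken literally, and the filter applies only between starttime and endtime. The ruleaction value is the one set with FIREWALL SET DOMAINFILTER RULEACTION. Letting '*' span several labels, treating a window whose start is later than its end as crossing midnight, the case-insensitive host match and the sample filters and hosts are all assumptions; the page does not say how hosts that no filter matches are handled, so the function returns None for them.

```python
import re
from dataclasses import dataclass
from datetime import time
from typing import List, Optional


@dataclass
class DomainFilter:
    """One domainfilter as created by FIREWALL ADD DOMAINFILTER."""
    filtername: str
    policyname: str
    urlstring: str   # alphanumeric, '.' and the '*' wildcard
    starttime: str   # hh:mm:ss, 24-hour
    endtime: str     # hh:mm:ss, 24-hour


def compile_urlstring(urlstring: str) -> "re.Pattern[str]":
    """Turn a urlstring into an anchored regex: only '*' is a wildcard, '.' and
    every other character match literally. Assumption: '*' may span several labels."""
    parts = [re.escape(part) for part in urlstring.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_hms(value: str) -> time:
    hours, minutes, seconds = (int(x) for x in value.split(":"))
    return time(hours, minutes, seconds)


def window_active(now: time, start: time, end: time) -> bool:
    """Active from starttime up to and including endtime. A window with
    start > end is taken to cross midnight (assumption; the page does not say)."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def decide(host: str, policyname: str, now_hms: str,
           filters: List[DomainFilter], ruleaction: str) -> Optional[str]:
    """Return ruleaction ('allow' or 'deny') if an active filter of the policy
    matches host, else None (no domainfilter applies to this host)."""
    now = parse_hms(now_hms)
    for flt in filters:
        if flt.policyname != policyname:
            continue
        if not window_active(now, parse_hms(flt.starttime), parse_hms(flt.endtime)):
            continue
        if compile_urlstring(flt.urlstring).match(host):
            return ruleaction
    return None


# constructed sample filters: the manual's own example plus an overnight window
SAMPLE_FILTERS = [
    DomainFilter("all_http", "ext-int", "www.*.com", "10:00:00", "18:00:00"),
    DomainFilter("night", "ext-int", "*.example.net", "22:00:00", "06:00:00"),
]

if __name__ == "__main__":
    for host, at in [("www.example.com", "12:30:00"), ("www.example.com", "19:00:00"),
                     ("cdn.example.net", "02:00:00")]:
        print(host, at, decide(host, "ext-int", at, SAMPLE_FILTERS, "deny"))
```

Escaping the non-wildcard parts matters: a pattern such as www.*.com must not match a host like www.examplexcom, which a naive conversion of '.' to "any character" would accept.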
4.3.2.0.10 FIREWALL SET DOMAINFILTER
Syntax
FIREWALL SET DOMAINFILTER RULEACTION {ALLOW | DENY}
Description
This command changes the default action applied to every created domainfilter.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description                           | Default Value
allow  | Allows all the domainfilters created. | N/A
deny   | Denies all the domainfilters created. | N/A
Example
--> firewall set domainfilter ruleaction allow
4.3.2.0.11 FIREWALL DELETE DOMAINFILTER
Syntax
firewall delete domainfilter <filtername> <policyname>
Description
This command deletes a URL filter created with the FIREWALL ADD DOMAINFILTER command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                             | Default Value
filtername | Any alphanumeric string. This is the name of the domain | N/A
           | filter, which should be unique.                         |
policyname | Firewall policy.                                        | N/A
Example
--> firewall delete domainfilter all_http ext-int
See also
firewall add portfilter, firewall list domainfilter
4.3.2.0.12 FIREWALL ADD PORTFILTER
Syntax
FIREWALL ADD PORTFILTER <name> <policyname> {PROTOCOL <protocol>} {INBOUND|OUTBOUND|BOTH}
FIREWALL ADD PORTFILTER <name> <policyname> {TCP|UDP} <startport> <endport> {INBOUND|OUTBOUND|BOTH}
FIREWALL ADD PORTFILTER <name> <policyname> {ICMP|SMTP|HTTP|FTP|TELNET} {INBOUND|OUTBOUND|BOTH}
Description
This command adds a portfilter to an existing firewall policy. Portfilters are individual
rules that determine what kind of traffic can pass between the two interfaces specified in
the firewall add policy command.
There are three ways that you can add a portfilter depending on the type of protocol that
you want to feature in the portfilter:
• Specify the number of a non-TCP or non-UDP protocol (for more information, see http://www.ietf.org/rfc/rfc1700.txt)
• Specify TCP or UDP protocol, together with an application's start/end port numbers
• Specify one of the listed protocols, applications or services. These are provided by the Firewall as popular
examples that you can use. You do not need to specify the portnumber - the Firewall does this for you.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                                  | Default Value
name       | An arbitrary name that identifies the portfilter. It can be made up of one   | N/A
           | or more letters or a combination of letters and digits, but it cannot start  |
           | with a digit.                                                                |
policyname | An existing firewall policy. To display policy names, use the FIREWALL LIST  | N/A
           | POLICIES command.                                                            |
protocol   | The number of a non-TCP or non-UDP protocol. Protocol numbers can be found   | N/A
           | at http://www.ietf.org/rfc/rfc1700.txt                                       |
startport  | The start of the port range for a TCP or UDP protocol.                       | N/A
endport    | The end of the port range for a TCP or UDP protocol.                         | N/A
inbound    | Allows transport of packets of the specified protocol, application or        | N/A
           | service from an outside interface to an inside one. Outbound transport of    |
           | the packets is not allowed.                                                  |
outbound   | Allows transport of packets of the specified protocol, application or        | N/A
           | service from an inside interface to an outside interface. Inbound transport  |
           | of the packets is not allowed.                                               |
both       | Allows inbound and outbound transport of packets of the specified protocol,  | N/A
           | application or service between inside and outside interfaces.                |
Example
Example 1 - specifying a protocol <number>
The following example allows IGMP (Internet Group Management Protocol) packets
inbound from the external interface to the DMZ interface. IGMP is protocol number 2
(see http://www.ietf.org/rfc/rfc1700.txt).
First, we need to create a policy:
--> firewall add policy ext-dmz external-dmz
Then we can add the portfilter to it:
--> firewall add portfilter pf1 ext-dmz protocol 2 inbound
Example 2 - specifying a TCP/UDP protocol
The following example allows DNS (Domain Name Service) outbound packets from the
internal interface to the external interface. DNS uses UDP port 53 (see http://
www.ietf.org/rfc/rfc1700.txt).
First, we need to create a policy:
--> firewall add policy ext-int external-internal
Then we can add the portfilter to it:
--> firewall add portfilter pf2 ext-int udp 53 53 outbound
Example 3 - using a provided protocol, application or service
The following example allows SMTP (Simple Mail Transfer Protocol) packets inbound
and outbound between the internal interface and the DMZ interface. This is a popular protocol that is provided by the Firewall. You do not need to specify the portnumber - the
Firewall does this for you.
First, we need to create a policy:
--> firewall add policy dmz-int dmz-internal
Then we can add the portfilter to it:
--> firewall add portfilter pf3 dmz-int smtp both
See also
FIREWALL LIST POLICIES
FIREWALL LIST PROTOCOL
See the Well Known Port Numbers section of RFC 1700 for a list of port numbers and protocols for particular
services (see http://www.ietf.org/rfc/rfc1700.txt).
4.3.2.0.13 FIREWALL SET PORTFILTER
Syntax
firewall set portfilter <name> <policyname> {srcaddr <IPaddress> <Mask>} {dstaddr <IPaddress> <Mask>}
firewall set portfilter <name> <policyname> {srcport <startport> <endport>} {dstport <startport> <endport>}
firewall set portfilter <name> <policyname> {protocol <protocol>}
firewall set portfilter <name> <policyname> {direction <inbound | outbound | both>}
firewall set portfilter <name> <policyname> {enable | disable}
firewall set portfilter <name> <policyname> {allow | deny}
Description
This command sets all the attributes of each portfilter object created in the system. The
attributes of portfilters are:
• the permission status of the portfilter (allow or deny)
• source and destination address
• source and destination port
• protocol
• direction
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                                  | Default Value
name       | An arbitrary name that identifies the portfilter. It can be made up of one   | N/A
           | or more letters or a combination of letters and digits, but it cannot start  |
           | with a digit.                                                                |
policyname | An existing firewall policy. To display policy names, use the FIREWALL LIST  | N/A
           | POLICIES command.                                                            |
IPaddress  | The source and destination IP address. The IP address is displayed in the    | N/A
           | following format: 192.168.102.3                                              |
Mask       | The IP Mask address.                                                         | N/A
protocol   | The number of a non-TCP or non-UDP protocol. Protocol numbers can be found   | N/A
           | at http://www.ietf.org/rfc/rfc1700.txt                                       |
startport  | The start of the port range for a TCP or UDP protocol.                       | N/A
endport    | The end of the port range for a TCP or UDP protocol.                         | N/A
inbound    | Allows transport of packets of the specified protocol, application or        | N/A
           | service from an outside interface to an inside one. Outbound transport of    |
           | the packets is not allowed.                                                  |
outbound   | Allows transport of packets of the specified protocol, application or        | N/A
           | service from an inside interface to an outside interface. Inbound transport  |
           | of the packets is not allowed.                                               |
both       | Allows inbound and outbound transport of packets of the specified protocol,  | N/A
           | application or service between inside and outside interfaces.                |
enable     | Enables the changes made to the attributes.                                  | N/A
disable    | Disables the changes made to the attributes.                                 | N/A
allow      | Sets the permission status of the portfilter to allow.                       | N/A
deny       | Sets the permission status of the portfilter to deny.                        |
4.3.2.0.14 FIREWALL CLEAR PORTFILTERS
Syntax
FIREWALL CLEAR PORTFILTERS <policyname>
Description
This command deletes all portfilters that were added to an existing firewall policy using
the firewall add portfilter command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                   | Default Value
policyname | An existing firewall policy. To display policy names, use the | N/A
           | FIREWALL LIST POLICIES command.                               |
Example
--> firewall clear portfilters ext-int
See also
FIREWALL DELETE PORTFILTER
FIREWALL LIST POLICIES
4.3.2.0.15 FIREWALL DELETE PORTFILTER
Syntax
FIREWALL DELETE PORTFILTER <name> <policyname>
Description
This command deletes a single portfilter that was added to a firewall policy using the firewall add portfilter command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                   | Default Value
name       | An existing portfilter. To display portfilter names, use the  | N/A
           | FIREWALL LIST PORTFILTERS command.                            |
policyname | An existing firewall policy. To display policy names, use the | N/A
           | FIREWALL LIST POLICIES command.                               |
Example
--> firewall delete portfilter pf3 ext-int
See also
FIREWALL LIST POLICIES
FIREWALL LIST PORTFILTERS
FIREWALL CLEAR PORTFILTERS
4.3.2.0.16 FIREWALL LIST PORTFILTERS
Syntax
FIREWALL LIST PORTFILTERS <policyname>
Description
This command lists portfilters that were added to a firewall policy using the firewall add
portfilter command. It displays the following information:
• Portfilter ID number
• Portfilter name
• Type - port number range or specified port number
• Port range used by the specified TCP or UDP protocol (e.g., 53 for DNS, 25 for
SMTP). For non-TCP/UDP protocols, the port range is set to 0-0.
• In - displays the inbound permission setting (true or false)
• Out - displays the outbound permission setting (true or false)
• Raw - displays whether the portfilter uses a non-TCP/UDP protocol (true or false)
• TCP - displays whether the portfilter uses a TCP protocol (true or false)
• UDP - displays whether the portfilter uses a UDP protocol (true or false)
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                   | Default Value
policyname | An existing firewall policy. To display policy names, use the | N/A
           | FIREWALL LIST POLICIES command.                               |
Example
--> firewall list portfilters ext-int
Firewall Port Filters:
ID | Name | Prot | Status   | allow
-------------------------------------------
1  | pf2  | TCP  | enabled  | true
2  | pf3  | UDP  | enabled  | true
3  | pf4  | 92   | disabled | false
-------------------------------------------
See also
FIREWALL LIST POLICIES
FIREWALL LIST PROTOCOL
FIREWALL SHOW PORTFILTER
For a list of the port numbers and/or numbers assigned to
protocols, see http://www.ietf.org/rfc/rfc1700.txt.
4.3.2.0.17 FIREWALL SHOW PORTFILTER
Syntax
FIREWALL SHOW PORTFILTER <name> <policyname>
Description
This command displays information about a single portfilter that was added to a firewall
policy using the firewall add portfilter command. The following portfilter information is displayed:
• Portfilter name
• Transport type used by the protocol (e.g., 6, TCP, for SMTP)
• Start of the port range
• End of the port range
• Inbound permission (true or false)
• Outbound permission (true or false)
• Raw IP - whether the portfilter uses a non-TCP/UDP protocol (true or false)
• TCP permission - whether the portfilter uses a TCP protocol (true or false)
• UDP permission - whether the portfilter uses a UDP protocol (true or false)
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                   | Default Value
name       | An existing portfilter. To display portfilter names, use the  | N/A
           | FIREWALL LIST PORTFILTERS command.                            |
policyname | An existing firewall policy. To display policy names, use the | N/A
           | FIREWALL LIST POLICIES command.                               |
Example
--> firewall show portfilter pf3 ext-int
Firewall Port Filter: pf3
Source IP range start         : 0.0.0.0
Source IP range end           : 255.255.255.255
Destination IP range start    : 0.0.0.0
Destination IP range end      : 255.255.255.255
IP protocol                   : TCP
Source port number start      : 0
Source port number end        : 65535
Destination port number start : 25
Destination port number end   : 25
Inbound permission            : true
Outbound permission           : true
Status                        : enabled
Permitted?                    : true
See also
FIREWALL LIST POLICIES
FIREWALL LIST PORTFILTERS
4.3.2.0.18 FIREWALL ADD VALIDATOR
Syntax
FIREWALL ADD VALIDATOR <name> <policyname> {INBOUND|OUTBOUND|BOTH} <ipaddress> <hostipmask>
Description
This command adds a validator to a firewall policy. Traffic is blocked based on the source/
destination IP address and netmask. This command allows you to specify:
• the IP address(es) and netmask(s) that you want to block
• the direction of traffic that you want to block
Once you have added a validator to a policy, specifying the IP address and direction values, you can reuse these values by adding the validator to other policies.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                                  | Default Value
name       | An arbitrary name that identifies the validator. It can be made up of one    | N/A
           | or more letters or a combination of letters and digits, but it cannot start  |
           | with a digit.                                                                |
policyname | An existing firewall policy. To display policy names, use the FIREWALL LIST  | N/A
           | POLICIES command.                                                            |
inbound    | Validator blocks incoming traffic based on IP addresses.                     | N/A
outbound   | Validator blocks outgoing traffic based on IP addresses.                     | N/A
both       | Validator filters inbound and outbound traffic based on IP addresses.        | N/A
ipaddress  | The IP address that you want to carry out IP address validation on. The IP   | N/A
           | address is displayed in the following format: 192.168.102.3                  |
hostipmask | The IP mask address. If you want to filter a range of addresses, you can     | N/A
           | specify the mask, e.g., 255.255.255.0. If you want to filter a single IP     |
           | address, you can use the specific IP mask address, e.g., 255.255.255.255.    |
Example
In the following example, a policy is created, then a validator added to block inbound and
outbound traffic from/to the IP address stated. All other traffic is allowed.
--> firewall add policy ext-int external-internal blockonly-val
--> firewall add validator v1 ext-int both 192.168.102.3 255.255.255.255
See also
firewall add policy
firewall list policies
firewall delete validator
firewall show validator
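Putting the policy, portfilter and validator concepts of this chapter together, the following Python model is an added example, not Allied Telesis code. It evaluates a packet against a policy the way the reference text describes: traffic on an interface pair with no policy is blocked, a validator match blocks the traffic when Validator Allow Only is false, and a portfilter admits traffic only if its protocol, direction, port ranges and address ranges (the attributes FIREWALL SHOW PORTFILTER displays) match. The policies are built from the page's own examples (pf1, pf2, pf3 and v1). The order validators-then-portfilters, the default deny when no portfilter permits a packet, and the meaning of Validator Allow Only = true are assumptions of the model; the sample addresses are constructed.

```python
# Added example, not Allied Telesis code: a model of how a policy's validators and
# portfilters decide a packet's fate. Attribute names follow FIREWALL SHOW PORTFILTER
# and FIREWALL LIST VALIDATORS; the evaluation order and the default deny are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ICMP, IGMP, TCP, UDP = 1, 2, 6, 17   # protocol numbers from FIREWALL LIST PROTOCOL


def ip_in_range(addr: str, rng: Tuple[str, str]) -> bool:
    low, high = (int(ipaddress.ip_address(a)) for a in rng)
    return low <= int(ipaddress.ip_address(addr)) <= high


def ip_in_mask(addr: str, host_ip: str, mask: str) -> bool:
    """hostipmask semantics: 255.255.255.255 selects one host, 255.255.255.0 a /24."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    direction: str        # "inbound" or "outbound" relative to the policy
    src_port: int = 0     # ports stay 0 for non-TCP/UDP protocols
    dst_port: int = 0


@dataclass
class PortFilter:
    name: str
    protocol: int
    direction: str = "both"                                    # inbound | outbound | both
    dst_ports: Tuple[int, int] = (0, 65535)
    src_ports: Tuple[int, int] = (0, 65535)
    src_range: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    dst_range: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    enabled: bool = True                                       # SET PORTFILTER ENABLE|DISABLE
    allow: bool = True                                         # SET PORTFILTER ALLOW|DENY

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or pkt.protocol != self.protocol:
            return False
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if pkt.protocol in (TCP, UDP):   # port ranges only apply to TCP/UDP
            if not self.src_ports[0] <= pkt.src_port <= self.src_ports[1]:
                return False
            if not self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]:
                return False
        return ip_in_range(pkt.src, self.src_range) and ip_in_range(pkt.dst, self.dst_range)


@dataclass
class Validator:
    name: str
    direction: str        # inbound | outbound | both
    host_ip: str
    mask: str

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        # validators act on the source/destination address (manual wording)
        return ip_in_mask(pkt.src, self.host_ip, self.mask) or ip_in_mask(pkt.dst, self.host_ip, self.mask)


@dataclass
class Policy:
    name: str
    portfilters: List[PortFilter] = field(default_factory=list)
    validators: List[Validator] = field(default_factory=list)
    allow_only: bool = False   # "Validator Allow Only" column of FIREWALL LIST POLICIES


def evaluate(policy: Optional[Policy], pkt: Packet) -> str:
    """Return 'allowed' or 'blocked'; policy=None means the interface pair has no policy."""
    if policy is None:
        return "blocked"        # manual: traffic on interfaces not in any policy is blocked
    validator_hit = any(v.matches(pkt) for v in policy.validators)
    if policy.allow_only:
        if not validator_hit:   # assumption: true means only validator-listed traffic may pass
            return "blocked"
    elif validator_hit:         # manual: false means validator-listed traffic is blocked
        return "blocked"
    for pf in policy.portfilters:
        if pf.matches(pkt):
            return "allowed" if pf.allow else "blocked"
    return "blocked"            # assumption: nothing permits the packet, so it is dropped


def manual_policies() -> Dict[str, Policy]:
    """The policies, portfilters and validator from the manual's own examples."""
    return {
        "ext-int": Policy("ext-int", [PortFilter("pf2", UDP, "outbound", dst_ports=(53, 53))],
                          [Validator("v1", "both", "192.168.102.3", "255.255.255.255")]),
        "ext-dmz": Policy("ext-dmz", [PortFilter("pf1", IGMP, "inbound")]),
        "dmz-int": Policy("dmz-int", [PortFilter("pf3", TCP, "both", dst_ports=(25, 25))]),
    }
```

With these policies an outbound DNS query from an ordinary internal host is admitted by pf2, the same query from 192.168.102.3 is stopped by v1 before any portfilter is consulted, and an inbound DNS packet is dropped because pf2 is outbound-only. Portfilters are consulted in order, so a deny filter placed before a broader allow filter wins for the traffic it matches.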
4.3.2.0.19 FIREWALL DELETE VALIDATOR
Syntax
FIREWALL DELETE VALIDATOR <name> <policyname>
Description
This command deletes a single validator from a named policy.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option     | Description                                                   | Default Value
name       | An existing validator. To display validator names, use the    | N/A
           | FIREWALL LIST VALIDATORS command.                             |
policyname | An existing firewall policy. To display policy names, use the | N/A
           | FIREWALL LIST POLICIES command.                               |
Example
--> firewall delete validator v1 ext-int
See also
FIREWALL LIST VALIDATORS
FIREWALL LIST POLICIES
4.3.2.0.20 FIREWALL LIST VALIDATORS
Syntax
FIREWALL LIST VALIDATORS <policyname>
Description
This command lists the following information about validators added to a policy using the
FIREWALL ADD VALIDATOR command:
• Validator ID number
• Validator name
• Direction (inbound, outbound or both)
• Host IP address
• Host mask address
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
policyname | An existing firewall policy. To display policy names, use the FIREWALL LIST POLICIES command. | N/A
Example
--> firewall list validators ext-int
Firewall Host Validators:
ID | Name | Direction | Host IP       | Mask
------------------------------------------------------------
1  | v1   | both      | 192.168.103.2 | 255.255.255.0
2  | v2   | inbound   | 192.168.103.1 | 255.255.255.0
------------------------------------------------------------
See also
FIREWALL ADD VALIDATOR
FIREWALL SHOW VALIDATOR
FIREWALL LIST POLICIES
4.3.2.0.21 FIREWALL SHOW VALIDATOR
Syntax
FIREWALL SHOW VALIDATOR <name> <policyname>
Description
This command displays information about a single validator that was added to a firewall policy using the FIREWALL ADD VALIDATOR command. The following validator information is displayed:
• Validator name
• Direction (inbound, outbound or both)
• Host IP address
• Host mask address
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
name | An existing validator. To display validator names, use the FIREWALL LIST VALIDATORS command. | N/A
policyname | An existing firewall policy. To display policy names, use the FIREWALL LIST POLICIES command. | N/A
Example
--> firewall show validator v1 ext-int
Firewall Host Validator: v1
Direction: both
Host IP: 192.168.103.2
Host Mask: 255.255.255.0
See also
FIREWALL ADD VALIDATOR
FIREWALL LIST VALIDATORS
FIREWALL LIST POLICIES
4.3.2.0.22 FIREWALL SET IDS VICTIMPROTECTION
Syntax
firewall set IDS victimprotection <duration>
Description
This command sets the duration of the victim protection Intrusion Detection Setting
(IDS). If victim protection is enabled, packets destined for the victim host of a spoofing
style attack are blocked. The command allows you to specify the duration of the block
time limit.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that packets destined for the victim of a spoofing style attack are blocked for. | 600 (10 minutes)
Example
--> firewall set IDS victimprotection 800
See also
security set IDS victimprotection
4.3.2.0.23 FIREWALL SET IDS DOSATTACKBLOCK
Syntax
firewall set IDS DOSATTACKBLOCK <DURATION>
Description
This command sets the DOS (Denial of Service) attack block duration Intrusion Detection Setting (IDS). A DOS attack is an attempt by an attacker to prevent legitimate users from using a service. If a DOS attack is detected, all suspicious hosts are blocked for a set time limit. This command allows you to specify the duration of the block time limit.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that suspicious hosts are blocked for once a DOS attack attempt has been detected. | 1800 (30 minutes)
Example
--> firewall set IDS DOSattackblock 800
See also
security set IDS DOSattackblock
4.3.2.0.24 FIREWALL SET IDS MAXICMP
Syntax
FIREWALL SET IDS MAXICMP <MAX>
Description
This command sets the maximum number of ICMP packets per second that are allowed
before an ICMP Flood is detected. An ICMP Flood is a DOS (Denial of Service) attack.
An attacker tries to flood the network with ICMP packets in order to prevent transportation of legitimate network traffic. Once the maximum number of ICMP packets per
second is reached, an attempted ICMP Flood is detected.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
max | The maximum number (per second) of ICMP packets that are allowed before an ICMP Flood attempt is detected. | 100
Example
--> firewall set IDS MaxICMP 200
See also
security set IDS MaxICMP
4.3.2.0.25 FIREWALL SET IDS MAXPING
Syntax
FIREWALL SET IDS MAXPING <MAX>
Description
This command sets the maximum number of pings per second that are allowed before an
Echo Storm is detected. Echo Storm is a DOS (Denial of Service) attack. An attacker
sends oversized ICMP datagrams to the system using the ‘ping’ command. This can cause
the system to crash, freeze or reboot, resulting in denial of service to legitimate users.
Once the maximum number of pings per second is reached, an attempted DOS attack is
detected.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
max | The maximum number (per second) of pings that are allowed before an Echo Storm attempt is detected. | 15
Example
--> firewall set IDS MaxPING 25
See also
security set IDS MaxPING
4.3.2.0.26 FIREWALL SET IDS MAXTCPOPENHANDSHAKE
Syntax
FIREWALL SET IDS MAXTCPOPENHANDSHAKE <MAX>
Description
This command sets the maximum number of unfinished TCP handshaking sessions per
second that are allowed before a SYN Flood is detected. SYN Flood is a DOS (Denial of
Service) attack. When establishing normal TCP connections, three packets are
exchanged:
1. A SYN (synchronize) packet is sent from the host to the network server
2. A SYN/ACK packet is sent from the network server to the host
3. An ACK (acknowledge) packet is sent from the host to the network server
If the host sends unreachable source addresses in the SYN packet, the server sends the
SYN/ACK packets to the unreachable addresses and keeps resending them. This creates a
backlog queue of unacknowledged SYN/ACK packets. Once the queue is full, the system
will ignore all incoming SYN requests and no legitimate TCP connections can be established.
Once the maximum number of unfinished TCP handshaking sessions is reached, an
attempted DOS attack is detected. The suspected attacker is blocked for the time limit
specified in the FIREWALL SET IDS DOSattackblock command.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
max | The maximum number (per second) of unfinished TCP handshaking sessions that are allowed before a SYN Flood attempt is detected. | 100
Example
--> firewall set IDS MaxTCPopenhandshake 150
See also
security set IDS MaxTCPopenhandshake
4.3.2.0.27 FIREWALL SET IDS SCANATTACKBLOCK
Syntax
FIREWALL SET IDS SCANATTACKBLOCK <DURATION>
Description
This command allows you to set the scan attack block duration Intrusion Detection Setting (IDS). When scan activity is detected, the suspicious host is blocked for a set time limit; this command allows you to specify the duration of that block time limit.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that a suspicious host is blocked for, after scan activity has been detected. | 86400 (one day)
Example
--> firewall set IDS SCANattackblock 43200
See also
security set IDS SCANattackblock
4.3.2.0.28 FIREWALL SET IDS FLOODPERIOD
Syntax
FIREWALL SET IDS FLOODPERIOD <DURATION>
Description
This command allows you to set the time limit during which suspected SYN floods are counted. If the number of SYN floods counted within the specified duration is greater than the threshold set by either FIREWALL SET IDS FLOODTHRESHOLD or FIREWALL SET IDS PORTFLOODTHRESHOLD, the suspected attacker is blocked for the time limit specified in the command FIREWALL SET IDS DOSATTACKBLOCK.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that suspected SYN floods are counted for. | 10
Example
--> firewall set IDS floodperiod 60
See also
security set IDS floodperiod
4.3.2.0.29 FIREWALL SET IDS FLOODTHRESHOLD
Syntax
FIREWALL SET IDS FLOODTHRESHOLD <MAX>
Description
This command allows you to set the maximum number of SYN packets allowed before a
flood is detected. If the number of SYN packets counted within the time duration set by
the command FIREWALL SET IDS FLOODPERIOD is greater than the maximum value
set here, the suspected attacker is blocked for the time limit specified in the command
FIREWALL SET IDS DOSATTACKBLOCK.
For example, using the default settings, if more than 20 SYN packets are received per second for a 10 second duration, the attacker is blocked.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
max | Maximum number of SYN packets that can be received before a flood is detected. | 20 (per second)
Example
--> firewall set IDS floodthreshold 25
See also
security set IDS floodthreshold
4.3.2.0.30 FIREWALL SET IDS PORTFLOODTHRESHOLD
Syntax
FIREWALL SET IDS PORTFLOODTHRESHOLD <MAX>
Description
This command allows you to set the maximum number of SYN packets that can be sent
to a single port before a port flood is detected. If the number of SYN packets counted
within the time duration set by the command FIREWALL SET IDS FLOODPERIOD is
greater than the maximum value set here, the suspected attacker is blocked for the time
limit specified in the command FIREWALL SET IDS DOSATTACKBLOCK.
For example, using the default settings, if more than 10 SYN packets are received per
second for a 10 second duration, the attacker is blocked.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
max | Maximum number of SYN packets that can be received by a single port before a flood is detected. | 10 (per second)
Example
--> firewall set IDS portfloodthreshold 15
See also
security set IDS portfloodthreshold
4.3.2.0.31 FIREWALL SET IDS SCANPERIOD
Syntax
FIREWALL SET IDS SCANPERIOD <DURATION>
Description
This command allows you to set the time limit during which scanning type traffic (such as a closed TCP port receiving SYN/ACK, FIN or RST) is counted. If the number of scanning packets counted within the specified duration is greater than the threshold set by FIREWALL SET IDS SCANTHRESHOLD, the suspected attacker is blocked for the time limit specified in the command FIREWALL SET IDS SCANATTACKBLOCK.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
duration | The length of time (in seconds) that scanning type traffic is counted for. | 60 (seconds)
Example
--> firewall set IDS scanperiod 90
See also
security set IDS scanperiod
4.3.2.0.32 FIREWALL SET IDS SCANTHRESHOLD
Syntax
FIREWALL SET IDS SCANTHRESHOLD <MAX>
Description
This command allows you to set the maximum number of scanning packets that can be
received before a port scan is detected. If the number of scanning packets counted within
the time duration set by the command FIREWALL SET IDS SCANPERIOD is greater than
the maximum value set here, the suspected attacker is blocked for the time limit specified
in the command FIREWALL SET IDS SCANATTACKBLOCK.
For example, using the default settings, if more than 5 scanning packets are received per
second for a 60 second duration, the attacker is blocked.
Note:
This command is an alias of the corresponding “security set IDS” command.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).
Option | Description | Default Value
max | Maximum number of scanning packets that can be received before a port scan attack is detected. | 5 (per second)
Example
--> firewall set IDS scanthreshold 8
See also
security set IDS scanthreshold
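The flood and scan detection rules described for FIREWALL SET IDS FLOODPERIOD, FLOODTHRESHOLD, PORTFLOODTHRESHOLD, DOSATTACKBLOCK, SCANPERIOD, SCANTHRESHOLD and SCANATTACKBLOCK, modelled as a sliding-window counter in Python. This is an added example, not firmware code from Allied Telesis; the counting method (packets in the period compared with threshold times period), the source addresses and the packet timings are assumptions constructed for the replay.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class IdsSettings:
    """Default values documented for the firewall set IDS commands."""
    flood_period: int = 10          # FLOODPERIOD: seconds SYN packets are counted for
    flood_threshold: int = 20       # FLOODTHRESHOLD: SYN packets per second from one host
    port_flood_threshold: int = 10  # PORTFLOODTHRESHOLD: SYN packets per second to one port
    dos_attack_block: int = 1800    # DOSATTACKBLOCK: seconds a flooding host is blocked
    scan_period: int = 60           # SCANPERIOD: seconds scanning packets are counted for
    scan_threshold: int = 5         # SCANTHRESHOLD: scanning packets per second
    scan_attack_block: int = 86400  # SCANATTACKBLOCK: seconds a scanning host is blocked


class IdsModel:
    """Sliding-window model of the documented rule: a host is flagged when the packets
    counted inside the period exceed threshold * period (the manual's 'more than N per
    second for a P second duration'). How the device itself counts is an assumption."""

    def __init__(self, settings):
        self.s = settings
        self.syn_by_host = defaultdict(deque)   # src -> SYN arrival times
        self.syn_by_port = defaultdict(deque)   # (src, dport) -> SYN arrival times
        self.scan_by_host = defaultdict(deque)  # src -> scanning-packet arrival times
        self.blocked_until = {}                 # src -> time at which the block expires
        self.events = []                        # (time, src, reason), for later review

    def is_blocked(self, src, now):
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:                        # block duration has elapsed
            del self.blocked_until[src]
            return False
        return True

    @staticmethod
    def _count_in_window(window, now, period):
        window.append(now)                      # record this packet ...
        while window and window[0] <= now - period:
            window.popleft()                    # ... and forget anything older than the period
        return len(window)

    def _block(self, src, now, duration, reason):
        self.blocked_until[src] = now + duration
        self.events.append((now, src, reason))
        return reason

    def on_syn(self, src, dport, now):
        """A TCP SYN arrived; returns the detection reason, 'blocked', or None."""
        if self.is_blocked(src, now):
            return "blocked"
        s = self.s
        per_host = self._count_in_window(self.syn_by_host[src], now, s.flood_period)
        per_port = self._count_in_window(self.syn_by_port[(src, dport)], now, s.flood_period)
        if per_host > s.flood_threshold * s.flood_period:
            return self._block(src, now, s.dos_attack_block, "syn-flood")
        if per_port > s.port_flood_threshold * s.flood_period:
            return self._block(src, now, s.dos_attack_block, "port-flood")
        return None

    def on_scan_packet(self, src, now):
        """A scanning-type packet (SYN/ACK, FIN or RST to a closed TCP port) arrived."""
        if self.is_blocked(src, now):
            return "blocked"
        s = self.s
        count = self._count_in_window(self.scan_by_host[src], now, s.scan_period)
        if count > s.scan_threshold * s.scan_period:
            return self._block(src, now, s.scan_attack_block, "port-scan")
        return None


def replay_constructed_traffic():
    """Replay constructed packet timings (not captured from a device) through the model."""
    ids = IdsModel(IdsSettings())
    out = {"flooder": None, "port_flooder": None, "normal": []}
    for t in range(10):
        # 10.0.0.9: 21 SYNs per second to ever-changing ports, 210 in the 10 s period (> 200).
        for i in range(21):
            r = ids.on_syn("10.0.0.9", 1000 + t * 21 + i, t)
            if r and out["flooder"] is None:
                out["flooder"] = (t, r)
        # 10.0.0.7: 11 SYNs per second, all to port 80, 110 in the period (> 100 per port).
        for _ in range(11):
            r = ids.on_syn("10.0.0.7", 80, t)
            if r and out["port_flooder"] is None:
                out["port_flooder"] = (t, r)
        # 10.0.0.5: 5 SYNs per second to port 443 stays under both limits.
        out["normal"] += [r for r in (ids.on_syn("10.0.0.5", 443, t) for _ in range(5)) if r]
    # 10.0.0.3: 301 scanning packets within one second exceeds 5/s * 60 s = 300.
    hits = [ids.on_scan_packet("10.0.0.3", 0) for _ in range(301)]
    out["scanner"] = (hits[:300].count(None), hits[300])
    # The flood block lasts DOSATTACKBLOCK seconds from detection at t = 9.
    out["blocked_before"] = ids.is_blocked("10.0.0.9", 9 + 1800 - 1)
    out["blocked_after"] = ids.is_blocked("10.0.0.9", 9 + 1800)
    return ids, out
```

Lowering FLOODTHRESHOLD or FLOODPERIOD in IdsSettings shows directly how many packets a burst may contain before the block is applied, which is the trade-off these commands tune.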
4.3.2.0.33 FIREWALL SHOW IDS
Syntax
FIREWALL SHOW IDS
Description
This command displays the following information about IDS settings:
• IDS enabled status (true or false)
• Blacklist status (true or false)
• Use Victim Protection status (true or false)
• DOS attack block duration (in seconds)
• Scan attack block duration (in seconds)
• Victim protection block duration (in seconds)
• Maximum TCP open handshaking count allowed (per second)
• Maximum ping count allowed (per second)
• Maximum ICMP count allowed (per second)
Example
--> firewall show IDS
Firewall IDS:
IDS Enabled:                      false
Use Blacklist:                    false
Use Victim Protection:            false
Dos Attack Block Duration:        1800
Scan Attack Block Duration:       86400
Malicious Attack Block Duration:  86400
Victim Protection Block Duration: 600
Scan Detection Threshold:         5
Scan Detection Period:            10
Port Flood Detection Threshold:   10
Host Flood Detection Threshold:   20
FloodDetectPeriod :               10
Max TCP Open Handshaking Count:   5
Max PING Count:                   15
Max ICMP Count:                   100
See also
security show IDS
4.4 Network address translation - NAT
4.4.1 Overview
Basic NAT is a router function (described in RFC 1631) that determines how to translate network IP addresses.
As data packets are received on the device’s interfaces, data in their protocol headers is compared to criteria
established in NAT rules through global pools and reserved mappings. The criteria include ranges of source or
destination addresses. If the packet meets the criteria of one of the rules, the packet header undergoes the
translation specified by the mapping and the revised packet is forwarded. If the packet does not meet the criteria, it is discarded. ISOS supports both static and dynamic versions of NAT:
• static NAT: defines a fixed address translation from the internal network to the external network
• dynamic NAT: translates from a pool of local IP addresses to a pool of global IP addresses
NAT provides a mechanism for reducing the need for globally unique IP addresses. It allows you to use addresses that are not globally unique on your internal network and translate them to a single globally unique external address.
FIGURE 4-3 Address Conservation Using NAT (figure: internal addresses 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind the unit (router with NAT), which reaches the Internet through the single external address 24.2.249.4)
4.4.2 NAT support on AT-iMG Models
The AT-iMG Models NAT module is designed to provide the following features:
• Global IP address pools
• Reserved mappings
• Application level gateways (ALGs)
NAT services are available between the External security interface and the Internal security interfaces.
In order to access NAT services, the NAT module must be enabled between a pair of interfaces by using the NAT ENABLE command and assigning an arbitrary name to this relationship.
Note:
Before enabling NAT, the Security module must already be enabled using the SECURITY ENABLE command.
See the Security section for details regarding security interfaces.
Global IP Address Pools
A Global Address Pool is a pool of addresses seen from the external network. By default, each external interface creates a Global Address Pool with a single address – the address assigned to that interface.
For outbound sessions, an address is picked from a pool by hashing the source IP address for a pool index and
then hashing again for an address index. For inbound sessions to make use of the global pool, it is necessary to
create a reserved mapping. See below for more information on reserved mappings.
4.4.2.1 Reserved mappings
Reserved mapping is used to support NAT traversal.
NAT traversal is a mechanism that makes a service (listening port) on an internal computer accessible to external computers. NAT traversal operates by having the NAT listen for incoming messages on a selected port on its external interface. When the NAT receives a message, it uses its internal interface to forward the packet to the same port number on a selected internal computer (and any responses from the internal computer are forwarded to the requesting external computer).
Reserved mappings can also be used so that different internal hosts can share a global address by mapping different ports to different hosts.
For example, Host A is an FTP server and Host B is a Web server.
By choosing a particular IP address in the global address pool, and mapping the FTP port on this address to the FTP port on Host A and the HTTP port on the global address to the HTTP port on Host B, both internal hosts can share the same global address.
To add a reserved mapping rule to an existing NAT relation, use the NAT ADD RESVMAP INTERFACE command. With this command it is possible to set a mapping rule based on port number or protocol number.
Setting the protocol number to 255 (0xFF) means that the mapping will apply to all protocols. Setting the port number to 65535 (0xFFFF) for the TCP or UDP protocols means that the mapping will apply to all port numbers for that protocol.
4.4.2.2 Application level gateways (ALGs)
Some applications embed address and/or port information in the payload of the packet.
The most notorious of these is FTP. For most applications, it is sufficient to create a trigger with address
replacement enabled. However, there are three applications for which a specific ALG is provided: FTP, NetBIOS and DNS.
4.4.3 Interactions of NAT and other security features
4.4.3.1 Firewall filters and reserved mappings
So far, the NAT reserved mappings have been considered independently of the firewall.
If the firewall is not enabled, then all that is required to enable NAT to allow in TCP sessions to a certain port
number is to create a reserved mapping for that particular TCP port number.
However, if the firewall is enabled, there is a matter of precedence to consider when a reserved mapping has been created for a particular TCP port but the firewall is not configured to allow in TCP data for that port.
In this case the blocking by the firewall takes precedence.
So, when the firewall has been enabled, care must be taken to ensure that when NAT reserved mappings are created, the firewall is also configured to allow in the traffic for which the reserved mapping is defined.
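The reserved-mapping wildcards of section 4.4.2.1 (protocol 255, port 65535) together with the firewall precedence rule of section 4.4.3.1, modelled in Python as an added example rather than the device's own code. The most-specific-match ordering, the inside host addresses and the firewall allow-list are assumptions; only the global address 24.2.249.4 and the FTP/Web host roles come from Figure 4-3 and section 4.4.2.1.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Wildcards documented for NAT ADD RESVMAP: protocol 255 (0xFF) applies the mapping to
# every protocol; port 65535 (0xFFFF) applies it to every TCP or UDP port.
ALL_PROTOCOLS = 255
ALL_PORTS = 65535
ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class ReservedMapping:
    global_ip: str      # address from the global pool, as seen by the external network
    protocol: int       # IP protocol number, or ALL_PROTOCOLS
    port: int           # TCP/UDP destination port, or ALL_PORTS (ignored for other protocols)
    internal_ip: str    # inside host the NAT forwards the packet to


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    protocol: int
    dport: Optional[int]   # None for protocols without ports, such as ICMP


def mapping_matches(m: ReservedMapping, pkt: Packet) -> bool:
    if m.global_ip != pkt.dst_ip:
        return False
    if m.protocol != ALL_PROTOCOLS and m.protocol != pkt.protocol:
        return False
    if m.protocol in (TCP, UDP) and m.port != ALL_PORTS and m.port != pkt.dport:
        return False
    return True


def specificity(m: ReservedMapping) -> int:
    # Assumption of this model (not stated in the manual): when several mappings match,
    # an exact protocol and port wins over a port wildcard, which wins over protocol 255.
    score = 2 if m.protocol != ALL_PROTOCOLS else 0
    if m.protocol in (TCP, UDP) and m.port != ALL_PORTS:
        score += 1
    return score


def resolve_reserved_mapping(mappings: Iterable[ReservedMapping], pkt: Packet) -> Optional[str]:
    """Return the inside host an inbound packet is forwarded to, or None if no mapping applies."""
    matches = [m for m in mappings if mapping_matches(m, pkt)]
    return max(matches, key=specificity).internal_ip if matches else None


def inbound_decision(mappings, firewall_enabled: bool, allowed_inbound: set, pkt: Packet):
    """Apply the documented precedence: without the firewall a reserved mapping alone admits
    the session; with the firewall enabled, a port the firewall does not allow stays blocked
    even though a reserved mapping exists for it."""
    target = resolve_reserved_mapping(mappings, pkt)
    if target is None:
        return ("drop", "no-resvmap")           # NAT does not admit unmapped inbound sessions
    if firewall_enabled and (pkt.protocol, pkt.dport) not in allowed_inbound:
        return ("drop", "firewall-precedence")  # firewall blocking wins over the mapping
    return ("forward", target)


def demo(firewall_enabled: bool) -> dict:
    """Constructed configuration: the global address 24.2.249.4 from Figure 4-3, Host A (FTP)
    and Host B (Web) from section 4.4.2.1, plus a UDP wildcard and a whole second address."""
    mappings = [
        ReservedMapping("24.2.249.4", TCP, 21, "10.0.0.2"),                   # FTP -> Host A
        ReservedMapping("24.2.249.4", TCP, 80, "10.0.0.3"),                   # HTTP -> Host B
        ReservedMapping("24.2.249.4", UDP, ALL_PORTS, "10.0.0.4"),            # every UDP port
        ReservedMapping("24.2.249.5", ALL_PROTOCOLS, ALL_PORTS, "10.0.0.6"),  # every protocol
    ]
    # Constructed firewall allow-list: only FTP and HTTP are let in, so the UDP wildcard and
    # the second address are reachable only while the firewall is disabled.
    allowed_inbound = {(TCP, 21), (TCP, 80)}
    packets = {
        "ftp": Packet("24.2.249.4", TCP, 21),
        "http": Packet("24.2.249.4", TCP, 80),
        "ssh": Packet("24.2.249.4", TCP, 22),
        "dns": Packet("24.2.249.4", UDP, 53),
        "ping_second_ip": Packet("24.2.249.5", ICMP, None),
    }
    return {name: inbound_decision(mappings, firewall_enabled, allowed_inbound, p)
            for name, p in packets.items()}
```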
4.4.3.2 NAT and dynamic port opening
The description of Dynamic Port Opening (see Security section) discussed that feature in the context of the
firewall – i.e. the Dynamic Port Opening feature was presented as being required to allow secondary sessions
in through the firewall.
It should be noted that, by default, incoming sessions are not allowed through by NAT either. So, if NAT is enabled, then even when the firewall is not enabled you will need to create Dynamic Port Opening definitions for any services that involve incoming secondary sessions.
So, for example, if you have NAT enabled on the router, and wish for users on the LAN to be able to successfully access external RealServers, it will be necessary to create a Dynamic Port Opening definition.
4.4.4 NAT and secondary IP addresses
NAT services also work with secondary IP addresses.
In this case it is necessary to create a secondary IP address using the IP INTERFACE ADD SECONDARYIPADDRESS command and then create a security interface based on this secondary IP interface.
Then a global pool must be added and a reserved mapping configured. If using PPPoE encapsulation, secondary IP addresses in the global pool must be on a separate subnet. If the secondary IP addresses are on the same subnet as the external IP address, the addresses are not visible to the external network.
4.4.5 NAT command reference
This section describes the commands available on AT-iMG Models to enable, configure and manage the NAT module.
4.4.5.1 NAT CLI commands
The table below lists the NAT commands provided by the CLI:
TABLE 4-7 NAT CLI Commands and Product Category
Commands | Fiber A | Fiber B | Fiber C | Fiber D | Fiber E | ADSL A | ADSL B | ADSL C | Modular
NAT ENABLE | X | X | X | X | X | X | X | X | X
NAT DISABLE | X | X | X | X | X | X | X | X | X
NAT ADD GLOBALPOOL | X | X | X | X | X | X | X | X | X
NAT CLEAR GLOBALPOOLS | X | X | X | X | X | X | X | X | X
NAT DELETE GLOBALPOOL | X | X | X | X | X | X | X | X | X
NAT IKETRANSLATION | X | X | X | X | X | X | X | X | X
NAT LIST GLOBALPOOLS | X | X | X | X | X | X | X | X | X
NAT SHOW GLOBALPOOL | X | X | X | X | X | X | X | X | X
NAT ADD RESVMAP GLOBALIP TCP|UDP|BOTH | X | X | X | X | X | X | X | X | X
NAT ADD RESVMAP GLOBALIP | X | X | X | X | X | X | X | X | X
NAT ADD RESVMAP INTERFACENAME TCP|UDP|BOTH | X | X | X | X | X | X | X | X | X
NAT ADD RESVMAP INTERFACENAME | X | X | X | X | X | X | X | X | X
NAT CLEAR RESVMAPS | X | X | X | X | X | X | X | X | X
NAT DELETE RESVMAP | X | X | X | X | X | X | X | X | X
NAT SET RESVMAPS ENABLE|DISABLE | X | X | X | X | X | X | X | X | X
NAT SET RESVMAPS SRCIP | X | X | X | X | X | X | X | X | X
NAT SHOW RESVMAP | X | X | X | X | X | X | X | X | X
NAT STATUS | X | X | X | X | X | X | X | X | X
4.4.5.1.1 NAT ENABLE
Syntax
NAT ENABLE <name> <interfacename> {INTERNAL|DMZ}
Description
This command enables NAT between an existing security interface and a network interface type. NAT is enabled between the security interface and all the interfaces that belong to the chosen network interface type.
Note:
You must enable the Security package using the command SECURITY ENABLE if you want to use the NAT module to configure security for your system.
An interface is either an inside or outside interface. The network attached to an inside
interface needs to be protected from the network attached to an outside interface. For
example, the network attached to an internal interface (inside) needs to be protected
from the network attached to a DMZ (outside). Also, you can only enable NAT between
two different interface types. For example, if interfacename is an external interface type,
you can enable NAT between the interfacename and the internal or the DMZ interface
type, but not the external interface type. The following interface combinations are the
only ones that you can use:
• External (outside) and internal (inside)
• External (outside) and dmz (inside)
• Dmz (outside) and internal (inside)
The existing security interface must be an outside interface. NAT translates packets
between the outside interface and the inside interface type. In this way, the IP address of
a host on a network attached to an inside interface is hidden from a host on a network
attached to an outside interface.
If you want to map an outside interface to an individual host on an inside interface type,
you can use the command NAT ADD RESVMAP INTERFACENAME.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies a NAT object enabled between a security interface and an interface type. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
interfacename | The name of an existing security interface (external or DMZ) that was added to the Security package using the SECURITY ADD INTERFACE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
internal | Allows NAT to be enabled/disabled between the interfacename and all interfaces that belong to the internal interface type. | N/A
dmz | Allows NAT to be enabled/disabled between the interfacename and all interfaces that belong to the DMZ interface type. The interfacename must be an external interface type. | N/A
Example
--> nat enable nat1 extinterface internal
See also
NAT DISABLE
NAT STATUS
SECURITY LIST INTERFACES
SECURITY ADD INTERFACE
NAT ADD RESVMAP INTERFACENAME
4.4.5.1.2 NAT DISABLE
Syntax
NAT DISABLE <name>
Description
This command disables a NAT object that was previously enabled between an existing
security interface and a network interface type using the nat enable command. NAT is
disabled between the security interface and all the interfaces that belong to the chosen
interface type.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | The name of an existing NAT object created between a security interface and an interface type using the NAT ENABLE command. To display enabled NAT objects, use the NAT STATUS command. | N/A
Example
--> nat disable nat1
See also
nat enable
nat status
4.4.5.1.3 NAT ADD GLOBALPOOL
Syntax
NAT ADD GLOBALPOOL <name> <interfacename> {INTERNAL|DMZ} <ipaddress> {SUBNETMASK <mask>|ENDADDRESS <address>}
Description
The NAT ENABLE command creates an IP address for the outside security interface; however, you may want to use more than one outside IP address. For example, if your ISP provides multiple IP addresses, you might want to map an outside address to an inside interface that is your web server, and map another outside address to an inside interface that is your mail server.
Note:
Before you can add a Global Address Pool, you must enable a NAT object using the command NAT ENABLE.
This command creates a pool of outside network addresses. A Network Address Pool is a
range of IP addresses that is visible outside your network. NAT translates packets
between the outside addresses and the inside interfaces that each address is mapped to.
There are two ways to specify a range of IP addresses:
• Specify the interfacename IP address and a subnet mask address
• Specify the interfacename IP address that represents the first address in the range, then specify the last address in the range
If you want to map IP addresses to individual hosts on an inside interface type, you can
use the command NAT ADD RESVMAP GLOBALIP.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies a global network address or pool of addresses. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
internal | Maps the IP addresses to the internal interface type inside the network. | N/A
dmz | Maps the global addresses to the DMZ interface type inside the network. | N/A
ipaddress | The IP address of the interfacename that is visible outside the network. | N/A
mask | The subnet mask of the network IP address. | N/A
endaddress | The last IP address in the range of addresses that make up the global address pool. | N/A
Example
Example 1
This example creates a network address pool that allows NAT to translate packets
between the external interface and the DMZ interface type.
First, NAT is enabled between the external interface and the DMZ interface type:
--> nat enable n1 extinterface dmz
Then the IP address and subnet mask is created:
--> nat add globalpool gp1 extinterface dmz 192.168.102.3 subnetmask 255.255.255.0
Example 2
This example creates a network address pool that allows NAT to translate packets
between the external interface and the internal interface type.
First NAT is enabled between the external interface and the internal interface type:
--> nat enable n2 extinterface internal
Then the address range is created:
--> nat add globalpool gp2 extinterface internal 192.168.103.2 endaddress 192.168.103.50
Note:
Once you have created an address pool, packets received on a specific IP address can be mapped to individual hosts inside the network. See NAT ADD RESVMAP GLOBALIP.
See also
NAT ENABLE
NAT STATUS
SECURITY LIST INTERFACES
4.4.5.1.4 NAT CLEAR GLOBALPOOLS
Syntax
NAT CLEAR GLOBALPOOLS <interfacename>
Description
This command deletes all address pools that were added to a specific outside interface
using the nat add globalpool command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
Example
--> nat clear globalpools extinterface
See also
nat add globalpool
security list interfaces
4.4.5.1.5 NAT DELETE GLOBALPOOL
Syntax
NAT DELETE GLOBALPOOL <name> <interfacename>
Description
This command deletes a single address pool that was added to a specific outside interface
using the nat add globalpool command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | The name of an existing global address pool. To display global address pools, use the NAT LIST GLOBALPOOLS command. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
Example
--> nat delete globalpool gp1 extinterface
See also
NAT ADD GLOBALPOOL
NAT LIST GLOBALPOOLS
SECURITY LIST INTERFACES
4.4.5.1.6 NAT IKETRANSLATION
Syntax
NAT IKETRANSLATION {cookies | ports}
Description
This command supports NAT IPSec traversal. It allows you to specify how Internet Key
Exchange (IKE) packets are translated.
IKE establishes a shared security policy and authenticates keys for services that require
keys, such as IPSec. Before any IPSec traffic can be passed, each router/firewall/host must
verify the identity of its peer. This can be done by manually entering pre-shared keys into
both hosts or by a CA service.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
cookies | Source port will not be translated for IKE packets; IKE cookies are used to identify IKE sessions. | Ports
ports | Source port will be translated for IKE packets. |
Example
--> nat iketranslation cookies
4.4.5.1.7 NAT LIST GLOBALPOOLS
Syntax
NAT LIST GLOBALPOOLS <interfacename>
Description
This command lists the following NAT address pool information for a specific outside
interface:
• Address pool identification number
• Address pool name
• Type of inside interface (internal or DMZ)
• Subnet status (true or false)
• IP address - the outside network IP address or the first address in the range of network pool addresses
• Mask/End Address - the outside subnet mask of the outside network IP address or the last address in the range of network pool addresses
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
Example
--> nat list globalpools extinterface
NAT global address pool:
ID | Name | Type     | Subnet | IP address    | Mask/End Address
-------------------------------------------------------------------
 1 | gp1  | dmz      | true   | 192.168.102.3 | 255.255.255.0
 2 | g2   | internal | false  | 192.168.103.2 | 192.168.103.50
-------------------------------------------------------------------
See also
SECURITY LIST INTERFACES
NAT SHOW GLOBALPOOL
4.4.5.1.8 NAT SHOW GLOBALPOOL
Syntax
NAT SHOW GLOBALPOOL <name> <interfacename>
Description
This command displays information about a single network address pool that has been
added to an outside interface:
• Type of inside interface (internal or DMZ)
• Subnet configuration status (true if the network pool was set using a subnet mask, false if it was set using a range of IP addresses)
• IP address - the outside network IP address or the first address in the range of addresses
• Subnet Mask or End Address - the subnet mask of the outside network IP address or the last address in the range of addresses
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | The name of an existing global address pool. To display global address pools, use the NAT LIST GLOBALPOOLS command. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
Example
--> nat show globalpool gp1 extinterface
NAT global address pool: gp1
Interface type: dmz
Subnet configuration: true
IP address: 192.168.102.3
Subnet mask or End Address: 255.255.255.0
See also
NAT LIST GLOBALPOOLS
SECURITY LIST INTERFACES
4.4.5.1.9 NAT ADD RESVMAP GLOBALIP TCP|UDP|BOTH
Syntax
NAT ADD RESVMAP <name> GLOBALIP <interfacename> <globalip>
<internalip> {TCP|UDP|BOTH} <portno> [<2ndportno>
[<localportno> [<2ndlocalportno>]]]
Description
This command maps an IP address from a global pool (created using the NAT ADD
GLOBALPOOL command) to an individual IP address inside the network. NAT translates packets between the outside IP address and the individual host based on the transport information (TCP or UDP or both) given in this command.
Note:
Before you can add reserved mapping, you must enable a NAT object using the command NAT
ENABLE.
You can define reserved mappings for a range of ports and/or translate port numbers.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies a reserved mapping configuration. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
globalip | The IP address of an outside interface set using the NAT ADD GLOBALPOOL command. | N/A
internalip | The IP address of an individual host inside the network (internal or DMZ interface type). | N/A
portno | Either a single TCP or UDP port number that you want to use in your reserved mapping configuration, or the first port number in the range of ports. | N/A
2ndportno | The second TCP or UDP port number in the range that started with the port specified in portno. | N/A
localportno | Either a single internal TCP or UDP port number or the first port number in the range of external ports. | N/A
2ndlocalportno | The second internal TCP or UDP port number in the range of external ports to be used if you have specified a localportno. | N/A
Example
--> nat add resvmap rm1 globalip extinterface 192.168.68.68 10.10.10.10 tcp 25
See also
NAT ENABLE
NAT LIST GLOBALPOOLS
NAT STATUS
SECURITY LIST INTERFACES
4.4.5.1.10 NAT ADD RESVMAP GLOBALIP
Syntax
NAT ADD RESVMAP <name> GLOBALIP <interfacename> <globalip> <internalip> {ICMP|IGMP|IP|EGP|RSVP|OSPF|IPIP|ALL|GRE|Protocol<number>}
Description
This command maps an IP address from a global pool (created using the nat add globalpool command) to an individual IP address inside the network. NAT translates packets between the outside IP address and the individual host based on the transport information given in this command.
Note:
Before you can add a reserved mapping, you must enable a NAT object using the command NAT ENABLE.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies a reserved mapping configuration. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
globalip | The IP address of an outside interface set using the NAT ADD GLOBALPOOL command. | N/A
internalip | The IP address of an individual host inside the network (internal or DMZ interface type). | N/A
icmp | Internet Control Message Protocol (ICMP) is set as the transport type. ICMP messages are used for out-of-band messages related to network operation or mis-operation. See http://www.ietf.org/rfc/rfc0792.txt. | N/A
igmp | Internet Group Management Protocol (IGMP) is set as the transport type. Allows Internet hosts to participate in multicasting. See http://www.ietf.org/rfc/rfc1112.txt. | N/A
ip | Internetwork Protocol (IP). Provides all of the Internet’s data transport services. See http://www.ietf.org/rfc/rfc791.txt and http://www.ietf.org/rfc/rfc919.txt. | N/A
egp | Exterior Gateway Protocol (EGP). Protocol for exchanging routing information between autonomous systems. See http://www.ietf.org/rfc/rfc904.txt. | N/A
gre | Generic Routing Encapsulation (GRE). Tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels. See http://www.ietf.org/rfc/rfc2784.txt. | N/A
rsvp | Resource Reservation Protocol (RSVP) is set as the transport type. Supports the reservation of resources across an IP network. See http://www.ietf.org/rfc/rfc2205.txt. | N/A
ospf | Open Shortest Path First (OSPF) is set as the transport type. A link-state routing protocol. See http://www.ietf.org/rfc/rfc1583. | N/A
ipip | IP-within-IP Encapsulation Protocol. Encapsulates an IP datagram within a datagram. See http://www.ietf.org/rfc/rfc2896.txt. | N/A
all | All traffic is translated between the global IP address and the specified inside address that it is mapped to. | N/A
protocol <number> | Allows you to identify a protocol by its assigned number. For details of assigned numbers, see RFC 1700. | N/A
Example
--> nat add resvmap rm1 globalip extinterface 192.168.68.68 10.10.10.10 ip
See also
NAT ENABLE
NAT LIST GLOBALPOOLS
NAT STATUS
SECURITY LIST INTERFACES
4.4.5.1.11 NAT ADD RESVMAP INTERFACENAME TCP|UDP|BOTH
Syntax
NAT ADD RESVMAP <name> INTERFACENAME <interfacename> <internalip> {TCP|UDP|BOTH} <portno> [<2ndportno> [<localportno> [<2ndlocalportno>]]]
Description
This command maps an outside IP security interface (enabled as a NAT object using the
nat enable command) to an individual IP address inside the network. NAT translates packets between the outside IP address and an individual host based on the transport information (TCP or UDP or both) given in this command. A range of external ports can be
translated to a single local port if required.
Note:
Before you can add a reserved mapping, you must enable a NAT object using the command NAT ENABLE.
You can define reserved mappings for a range of ports and/or translate port numbers.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies a reserved mapping configuration. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
internalip | The IP address of an individual host inside the network (internal or DMZ interface type). | N/A
portno | Either a single TCP or UDP port number that you want to use in your reserved mapping configuration, or the first port number in the range of ports. | N/A
2ndportno | The second TCP or UDP port number in the range that started with the port specified in portno. | N/A
localportno | Either a single internal TCP or UDP port number or the first port number in the range of external ports. | N/A
2ndlocalportno | The second internal TCP or UDP port number in the range of external ports to be used if you have specified a localportno. | N/A
Example
The example below forwards TCP port 25 requests on the WAN interface to 10.10.10.10 port 80:
--> nat add resvmap rm1 interfacename WAN 10.10.10.10 tcp 25
The example below forwards TCP port 80 to 90 requests on the WAN interface to 10.10.10.10 ports 8080 to 8090. Note that the first range must be the same size as the second range:
--> nat add resvmap rm2 interfacename WAN 10.10.10.10 tcp 80 90 8080 8090
See also
NAT ENABLE
SECURITY LIST INTERFACES
4.4.5.1.12 NAT ADD RESVMAP INTERFACENAME
Syntax
NAT ADD RESVMAP <name> INTERFACENAME <interfacename> <internalip> {ICMP|IGMP|IP|EGP|RSVP|OSPF|IPIP|ALL|GRE|Protocol<number>}
Description
This command maps an outside IP security interface (enabled as a NAT object using the NAT ENABLE command) to an individual IP address inside the network. NAT translates packets between the outside IP address and the individual host based on the transport information given in this command.
Note:
Before you can add a reserved mapping, you must enable a NAT object using the command NAT ENABLE.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies a reserved mapping configuration. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
internalip | The IP address of an individual host inside the network (internal or DMZ interface type). | N/A
icmp | Internet Control Message Protocol (ICMP) is set as the transport type. ICMP messages are used for out-of-band messages related to network operation or mis-operation. See http://www.ietf.org/rfc/rfc0792.txt. | N/A
igmp | Internet Group Management Protocol (IGMP) is set as the transport type. Allows Internet hosts to participate in multicasting. See http://www.ietf.org/rfc/rfc1112.txt. | N/A
ip | Internetwork Protocol (IP). Provides all of the Internet’s data transport services. See http://www.ietf.org/rfc/rfc791.txt and http://www.ietf.org/rfc/rfc919.txt. | N/A
egp | Exterior Gateway Protocol (EGP). Protocol for exchanging routing information between autonomous systems. See http://www.ietf.org/rfc/rfc904.txt. | N/A
gre | Generic Routing Encapsulation (GRE). Tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels. See http://www.ietf.org/rfc/rfc2784.txt. | N/A
rsvp | Resource Reservation Protocol (RSVP) is set as the transport type. Supports the reservation of resources across an IP network. See http://www.ietf.org/rfc/rfc2205.txt. | N/A
ospf | Open Shortest Path First (OSPF) is set as the transport type. A link-state routing protocol. See http://www.ietf.org/rfc/rfc1583. | N/A
ipip | IP-within-IP Encapsulation Protocol. Encapsulates an IP datagram within a datagram. See http://www.ietf.org/rfc/rfc2896.txt. | N/A
all | Traffic is translated between the global IP address and the inside address that it is mapped to. | N/A
protocol <number> | Allows you to identify a protocol by its assigned number. For details of assigned numbers, see RFC 1700. | N/A
Example
--> nat add resvmap rm1 interfacename extinterface 10.10.10.10 tcp 25
See also
NAT ENABLE
SECURITY LIST INTERFACES
4.4.5.1.13 NAT CLEAR RESVMAPS
Syntax
NAT CLEAR RESVMAPS <interfacename>
Description
This command deletes all NAT reserved mappings that were added to an outside security interface using the nat add resvmap commands.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
Example
--> nat clear resvmaps extinterface
See also
NAT DELETE RESVMAP
SECURITY LIST INTERFACES
4.4.5.1.14 NAT DELETE RESVMAP
Syntax
NAT DELETE RESVMAP <name> <interfacename>
Description
This command deletes a single NAT reserved mapping that was added to an outside security interface using the nat add resvmap commands.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | The name of an existing reserved mapping. To display reserved mapping names, use the nat list resvmaps command. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
Example
--> nat delete resvmap rm1 extinterface
See also
nat enable
nat list resvmaps
security list interfaces
4.4.5.1.16 NAT SET RESVMAPS ENABLE|DISABLE
Syntax
NAT SET RESVMAPS <name> <interfacename> {enable|disable}
Description
This command enables or disables an existing NAT reserved mapping rule (created using the nat add resvmap command).
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies a reserved mapping configuration. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
enable|disable | Enables or disables an existing rule, so that it is or is not used to match against inbound packets for translation. | N/A
Example
--> nat set resvmap rm1 extinterface enable
See also
nat add resvmap interfacename
4.4.5.1.17 NAT SET RESVMAPS SRCIP
Syntax
NAT SET RESVMAPS <name> <interfacename> srcip {range <startaddr> <endaddr> | subnet <subnetaddr> <subnetmask>}
Description
This command sets the source IP filter of a NAT reserved mapping rule, either as an IP address range or as a subnet address and subnet mask.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | An arbitrary name that identifies a reserved mapping configuration. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
startaddr | Starting IP address of the range to be configured. | N/A
endaddr | End IP address of the range to be configured. | N/A
subnetaddr | Subnet address of the subnet to be configured. | N/A
subnetmask | Subnet mask of the subnet to be configured. | N/A
Example
--> nat set resvmap rm1 WAN srcip range 172.26.1.1 172.26.1.10
--> nat set resvmap rm1 WAN srcip subnet 172.26.0.0 255.255.0.0
See also
nat add resvmap interfacename
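The reserved-mapping commands of 4.4.5.1.11, 4.4.5.1.16 and 4.4.5.1.17, modelled together as one added Python example that is not part of the manual and not Allied Telesis code: it parses the CLI forms shown above, enforces the name and port-range constraints the manual states, applies enable/disable and srcip filters, and reports where an inbound packet on the outside interface would be forwarded. The rule names, the WAN interface and the 10.10.10.10 / 172.26.x.x addresses follow the manual's examples; the 198.51.100.x sources and the rm3 to rm5 lines are constructed.

```python
"""Model of the NAT reserved-mapping (resvmap) commands documented above. Added example, not
Allied Telesis code: it parses the CLI forms shown in the manual (nat add resvmap ... interfacename,
nat set resvmap ... enable|disable, nat set resvmap ... srcip range|subnet), enforces the stated
constraints (a name cannot start with a digit; an external port range and its local range must be
the same size) and reports which inside host and port an inbound packet would be forwarded to."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")   # letters, or letters and digits; no leading digit

@dataclass
class ResvMap:
    name: str
    interface: str
    internal_ip: ipaddress.IPv4Address
    proto: str                          # tcp, udp or both
    port: int                           # single external port, or first of a range
    port2: Optional[int] = None         # last external port of the range
    local_port: Optional[int] = None    # single local port, or first of the local range
    local_port2: Optional[int] = None   # last local port of the range
    enabled: bool = True                # nat set resvmap ... enable|disable
    src_range: Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = None
    src_subnet: Optional[ipaddress.IPv4Network] = None

    def validate(self) -> None:
        if not NAME_RE.match(self.name):
            raise ValueError(f"{self.name}: name must start with a letter")
        last = self.port if self.port2 is None else self.port2
        ports = [p for p in (self.port, self.port2, self.local_port, self.local_port2) if p is not None]
        if any(not 1 <= p <= 65535 for p in ports) or last < self.port:
            raise ValueError(f"{self.name}: invalid port number or range")
        if self.local_port2 is not None and self.local_port2 - self.local_port != last - self.port:
            raise ValueError(f"{self.name}: the first range must be the same size as the second range")

    def allows_source(self, src: ipaddress.IPv4Address) -> bool:
        """srcip range/subnet filter; a rule without one matches any source."""
        if self.src_range is not None:
            return self.src_range[0] <= src <= self.src_range[1]
        return self.src_subnet is None or src in self.src_subnet

def apply_cli(rules: dict, line: str) -> None:
    """Apply one nat add/set resvmap line to rules (keyed by (name, interface)); '--> ' is accepted."""
    t = line.strip().lstrip("-> ").split()
    if t[:3] == ["nat", "add", "resvmap"] and t[4].lower() == "interfacename":
        nums = [int(t[8])] + [int(x) for x in t[9:12]]   # portno [2ndportno [localportno [2ndlocalportno]]]
        nums += [None] * (4 - len(nums))
        rule = ResvMap(t[3], t[5], ipaddress.IPv4Address(t[6]), t[7].lower(), *nums)
        rule.validate()
        rules[(rule.name, rule.interface)] = rule
    elif t[:3] in (["nat", "set", "resvmap"], ["nat", "set", "resvmaps"]):
        rule, action = rules[(t[3], t[4])], t[5].lower()   # KeyError if the rule does not exist
        if action in ("enable", "disable"):
            rule.enabled = action == "enable"
        elif action == "srcip" and t[6].lower() == "range":
            rule.src_range = (ipaddress.IPv4Address(t[7]), ipaddress.IPv4Address(t[8]))
        elif action == "srcip" and t[6].lower() == "subnet":
            rule.src_subnet = ipaddress.IPv4Network(f"{t[7]}/{t[8]}", strict=False)
        else:
            raise ValueError(f"unsupported form: {line}")
    else:
        raise ValueError(f"unsupported command: {line}")

def check_line(line: str) -> Optional[str]:
    """Error text for a single nat add resvmap line, or None when it would be accepted."""
    try:
        apply_cli({}, line)
    except (ValueError, KeyError, IndexError) as exc:
        return str(exc) or exc.__class__.__name__
    return None

def forward(rules: dict, interface: str, src_ip: str, proto: str, dst_port: int):
    """Inside (host, port) an inbound packet is translated to, or None if no enabled rule matches."""
    src = ipaddress.IPv4Address(src_ip)
    for r in rules.values():
        last = r.port if r.port2 is None else r.port2
        if not r.enabled or r.interface != interface or (r.proto != "both" and r.proto != proto):
            continue
        if not (r.port <= dst_port <= last) or not r.allows_source(src):
            continue
        if r.local_port is None:                 # no port translation
            return str(r.internal_ip), dst_port
        if r.local_port2 is None:                # whole external range to one local port
            return str(r.internal_ip), r.local_port
        return str(r.internal_ip), r.local_port + (dst_port - r.port)
    return None

SAMPLE_CONFIG = [   # constructed; mirrors the manual's WAN examples
    "--> nat add resvmap rm1 interfacename WAN 10.10.10.10 tcp 25",
    "--> nat add resvmap rm2 interfacename WAN 10.10.10.10 tcp 80 90 8080 8090",
    "--> nat set resvmap rm1 WAN srcip range 172.26.1.1 172.26.1.10",
]

def build_rules(lines=SAMPLE_CONFIG) -> dict:
    rules = {}
    for line in lines:
        apply_cli(rules, line)
    return rules
```

Running `forward(build_rules(), "WAN", "198.51.100.7", "tcp", 85)` returns `("10.10.10.10", 8085)`, while the same packet from a source outside rm1's srcip range on port 25 returns `None`, which is the exposure question an administrator wants answered before committing the rules.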
4.4.5.1.18 NAT SHOW RESVMAP
Syntax
NAT SHOW RESVMAP <name> <interfacename>
Description
This command displays the following information about a single reserved mapping configuration that has been added to an outside security interface:
• Global IP address
• Internal IP address
• Transport type
• Port number
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option | Description | Default Value
name | The name of an existing reserved mapping. To display reserved mapping names, use the NAT LIST RESVMAPS command. | N/A
interfacename | The name of an existing security interface (external or DMZ) created and connected to an inside interface (DMZ or internal) using the NAT ENABLE command. To display security interfaces, use the SECURITY LIST INTERFACES command. | N/A
Example
--> nat show resvmap rm1 extinterface
NAT reserved mapping: rm1
Global IP address: 192.168.103.15
Internal IP address: 20.20.20.20
Transport type: tcp
Port number: 25
See also
NAT LIST RESVMAPS
SECURITY LIST INTERFACES
4.4.5.1.19 NAT STATUS
Syntax
nat status
Description
This command lists the outside security interfaces and inside interface types that NAT is
currently enabled between. It displays the following information:
• NAT object identification number
• NAT object name
• Outside security interface name
• Inside interface type
Example
--> nat status
NAT enabled on:
ID | Name | Interface | Type
-----------------------------------------
 1 | n2   | ip2       | internal
 2 | n1   | if1       | internal
-----------------------------------------
See also
nat enable
5. System Administration
5.1 Dynamic Host Configuration Protocol
The Dynamic Host Configuration Protocol (DHCP) is defined in RFC 1541 and provides a mechanism for passing configuration information to hosts on a TCP/IP network.
DHCP is based on the Bootstrap Protocol (BOOTP) defined in RFC 1542, but adds automatic allocation of
reusable network addresses and additional configuration options.
DHCP is based on a client–server model, where the server is the host that allocates network addresses and initialization parameters, and the client is the host that requests these parameters from the server.
There are a number of parameters that a DHCP server can supply to clients in addition to assigning IP
addresses. It can supply the addresses of DNS servers, WINS servers, cookie servers and so on, as well as
the gateway address for the LAN.
DHCP supports three mechanisms for IP address allocation:
• In the automatic allocation mechanism, DHCP assigns a permanent IP address to a host.
• In the dynamic allocation mechanism, DHCP assigns an IP address to a host for a limited period of time, or until the host explicitly relinquishes the address.
• In the manual allocation mechanism, the network administrator assigns a host’s IP address, and DHCP is used simply to convey the assigned address to the host.
A particular network will use one or more of these mechanisms, depending on the policies of the network administrator.
Dynamic allocation is the only one of the three mechanisms that allows automatic reuse of an address that is
no longer needed by the host to which it was assigned. Dynamic allocation is particularly useful for assigning an
address to a host that will be connected to the network only temporarily, or for sharing a limited pool of IP
addresses among a group of hosts that do not need permanent IP addresses.
Dynamic allocation may also be a good choice for assigning an IP address to a new host being permanently connected to a network where IP addresses are sufficiently scarce that it is important to reclaim them when old
hosts are retired.
5.1.1 DHCP support
The gateway devices are able to act both as DHCP server and as DHCP client.
Typically, DHCP server features are activated on the internal network to assign IP addresses to hosts connected
to the internal interfaces. The DHCP client function, instead, is used on the external interface to obtain IP
addresses from the ISP.
The devices also support DHCP relay functionality. In this case the intelligent Multiservice Gateway picks up
DHCP requests sent by hosts connected to the internal interfaces, and forwards their requests to an external
DHCP server and then routes back to the hosts the replies that are received from the server.
5.1.2 DHCP server
The DHCP protocol allows a host that is unknown to the network administrator to be automatically assigned a
new IP address out of a pool of IP addresses for its network. In order for this to work, the network administrator allocates address pools for each available subnet and enters them into the dhcpd.conf file.
On start-up, the DHCP server software reads the dhcpd.conf file and stores a list of available addresses on
each subnet. When a client requests an address using the DHCP protocol, the server allocates an address for
it.
Each client is assigned a lease, which expires after an amount of time chosen by the administrator (by default,
12 hours). Some time before the leases expire, the clients to which leases are assigned are expected to renew
them in order to continue to use the addresses. Once a lease has expired, the client to which that lease was
assigned is no longer permitted to use the leased IP address and must resort back to the DHCPDISCOVER
mechanism (see RFC 2131) to request a new lease.
In order to keep track of leases across system reboots and server restarts, the server keeps a list of leases it
has assigned in the dhcpd.leases file (stored in ISFS).
Before a lease is granted to a host, it records the lease in this file. Upon start-up, after reading the dhcpd.conf
file, the DHCP server reads the dhcpd.leases file to gain information about which leases had been assigned
before reboot.
New leases are appended to the end of the lease file.
In order to prevent the file from becoming arbitrarily large, the server periodically creates a new dhcpd.leases
file from its lease database in memory.
If the system crashes in the middle of this process, only the lease file present in flash memory can be restored.
This gives a window of vulnerability whereby leases may be lost.
This server also provides BOOTP support. Unlike DHCP, the BOOTP protocol does not provide a protocol
for recovering dynamically assigned addresses once they are no longer needed. It is still possible to dynamically
assign addresses to BOOTP clients, but some administrative process for reclaiming addresses is required. By
default, leases are granted to BOOTP clients in perpetuity, although the network administrator may set an earlier cut-off date or a shorter lease length for BOOTP leases if that makes sense.
5.1.2.1 Example
This paragraph provides a guide to configuring the DHCP server using commands available on the CLI.
Let's assume that an internal interface (on which the DHCP server module will run) has been defined in the
system with the following IP address and netmask:
192.168.219.1 255.255.255.
The following DHCP server configuration will create a range of 10 available IP addresses in the 192.168.219.0
subnet:
dhcpserver add subnet mysubnet 192.168.219.0 255.255.255.0 192.168.219.10 192.168.219.20
dhcpserver set subnet mysubnet defaultleasetime 1800
dhcpserver set subnet mysubnet maxleasetime 86000
dhcpserver subnet mysubnet add option domain-name-servers 192.168.220.30
dhcpserver subnet mysubnet add option routers 192.168.221.40
dhcpserver subnet mysubnet add option irc-server 10.5.7.20
dhcpserver subnet mysubnet add option auto-configure 1
• Default lease time and maximum lease time are set to 1800 seconds and 86000 seconds, respectively.
• Four DHCP options are configured, in addition to the usual IP address and subnet mask:
• DNS server address of 192.168.220.30;
• Default gateway address of 192.168.221.40;
• IRC server address of 10.5.7.20;
• And the auto-configure option, which will allow use of address auto-configuration by clients on the network.
Instead of specifying the domain-name-servers and routers options manually, the following commands could
have been used which provide automatic values for these options:
dhcpserver set subnet mysubnet hostisdnsserver enabled
dhcpserver set subnet mysubnet hostisdefaultgateway enabled
This will result in the DHCP server taking the IP address of the IP interface it is running on, and supplying that
address to DHCP clients as the DNS server and default gateway, respectively. This is especially useful in a
deployment that utilizes the DNS relay on the residential gateway.
Note:
Note that for DHCP clients using DHCPINFORM, the above declarations mean that the server would
supply the given configuration options to any client that is on the 192.168.219.x subnet. This even
includes clients that are not included in the available address ranges – this is sensible, since ideally the
DHCP server should not have addresses available to give out that may already belong to hosts on the
same subnet.
The CLI can also be used to define fixed host/IP address mappings. For example, the command:
dhcpserver add fixedhost myhost 192.168.219.5 00:20:2b:01:02:03
will add a fixed mapping of the IP address 192.168.219.5 to a host whose Ethernet MAC address is
00:20:2b:01:02:03.
Note:
Note that fixed IP mappings cannot overlap with dynamic IP ranges on a subnet, and vice-versa (you will
receive an error message if you try to do this).
Note:
Note that you will still need to have a suitable subnet declaration – for example, a subnet 192.168.219.0
with netmask 255.255.255.0, as shown earlier. Any configuration options you define in this subnet will
also be offered to every fixed host you have added which is also on the given subnet.
It is also possible to assign a maximum lease duration to fixed DHCP clients as follows:
dhcpserver set fixedhost myhost maxleasetime 7200
In this context, fixed lease duration would normally be used to allow DHCP clients to see changes in offered
options quickly. The IP address itself is always guaranteed to be available for assignment to the specific host
(unless there are other DHCP servers on the same network that are deliberately configured to conflict).
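The rules stated above (a fixed host must not fall inside a dynamic range, both must belong to the declared subnet, and the subnet's options go to every host on that subnet, DHCPINFORM clients included) can be checked before a configuration is pushed to the gateway. The Python script below is an added example and not the gateway's own code: it models a subnet declaration with the values used in this section and reports the errors the CLI is documented to reject. The reserved-address and duplicate-MAC checks are this example's own additions, as are the class and function names.

```python
"""Configuration check for a DHCP server subnet declaration as described in
this section: fixed host mappings must not overlap dynamic ranges, every
address must belong to the declared subnet, and the subnet's options are
offered to any host on that subnet. Added example, not the gateway's code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FixedHost:
    name: str
    ip: str
    mac: str
    max_lease_time: Optional[int] = None   # seconds, as set with "maxleasetime"


@dataclass
class Subnet:
    name: str
    network: str                                   # e.g. "192.168.219.0/24"
    ranges: List[Tuple[str, str]] = field(default_factory=list)
    options: Dict[str, str] = field(default_factory=dict)
    fixed_hosts: List[FixedHost] = field(default_factory=list)


def validate_subnet(sub: Subnet) -> List[str]:
    """Return the configuration errors found (an empty list means the declaration is sound)."""
    errors: List[str] = []
    try:
        net = ipaddress.ip_network(sub.network, strict=True)
    except ValueError as exc:                       # host bits set, bad mask, etc.
        return [f"subnet {sub.name}: {exc}"]

    parsed_ranges = []
    for lo_s, hi_s in sub.ranges:
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo > hi:
            errors.append(f"range {lo_s}-{hi_s} is reversed")
            continue
        if lo not in net or hi not in net:
            errors.append(f"range {lo_s}-{hi_s} lies outside {sub.network}")
        # leasing the network or broadcast address would hand a client a dead address
        if lo == net.network_address or hi == net.broadcast_address:
            errors.append(f"range {lo_s}-{hi_s} includes a reserved address")
        parsed_ranges.append((lo, hi))

    seen_macs: Dict[str, str] = {}
    for fh in sub.fixed_hosts:
        ip = ipaddress.ip_address(fh.ip)
        if ip not in net:
            errors.append(f"fixed host {fh.name} ({fh.ip}) lies outside {sub.network}")
        for lo, hi in parsed_ranges:
            if lo <= ip <= hi:
                errors.append(f"fixed host {fh.name} ({fh.ip}) overlaps dynamic range {lo}-{hi}")
        # one MAC mapped twice makes the address a client receives depend on ordering
        mac = fh.mac.lower()
        if mac in seen_macs:
            errors.append(f"MAC {fh.mac} is mapped by both {seen_macs[mac]} and {fh.name}")
        seen_macs[mac] = fh.name
    return errors


def options_for(sub: Subnet, client_ip: str) -> Optional[Dict[str, str]]:
    """Options a client at client_ip is given: every host on the subnet receives them,
    whether or not its address sits inside a dynamic range. None if off-subnet."""
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(sub.network):
        return None
    return dict(sub.options)


# Constructed sample: the subnet, options and fixed host used in this section.
SAMPLE = Subnet(
    "mysubnet", "192.168.219.0/24",
    ranges=[("192.168.219.10", "192.168.219.20")],
    options={"domain-name-servers": "192.168.220.30", "routers": "192.168.221.40"},
    fixed_hosts=[FixedHost("myhost", "192.168.219.5", "00:20:2b:01:02:03", 7200)],
)

# Constructed counter-example: the same host placed inside the dynamic range,
# which the CLI is documented to reject.
OVERLAPPING = Subnet(
    "mysubnet", "192.168.219.0/24",
    ranges=[("192.168.219.10", "192.168.219.20")],
    fixed_hosts=[FixedHost("myhost", "192.168.219.15", "00:20:2b:01:02:03")],
)

if __name__ == "__main__":
    print("sample:", validate_subnet(SAMPLE) or "ok")
    print("overlapping:", validate_subnet(OVERLAPPING))
```

Run it against a declaration transcribed from the CLI before issuing DHCPSERVER UPDATE; the gateway reports the overlap too, but only after the change has been entered.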
You might see the following message if you have ever turned off the DHCP server:
Note:
Note the DHCP server is not currently enabled.
If you see this, issue the following command:
dhcpserver enable
The final step is to tell the system to update the DHCP server software with the new IP interface and configuration that has been defined. To do this, issue the following command:
dhcpserver update
Note:
NO configuration changes that you have made on the DHCP server will take effect until you enter the
DHCPSERVER UPDATE command.
5.1.3 DHCP client
A DHCP client uses the facilities of the IP stack to transmit and receive DHCP packets. The information received is processed by the client and passed back to the IP stack to complete interface configuration for the lease duration.
A DHCP client is created on a given interface by using the IP SET INTERFACE command with the parameter
DHCP enabled. After this, the IP settings are discovered for the interface (it is possible to define one or more
interfaceconfig rules to customize the options that must be requested).
This section describes how these settings are discovered.
Firstly, the interface is disabled for all non-DHCP traffic. This will reset the IP address and subnet mask of each
nominated interface to 0.0.0.0.
The DHCP client learns its required configuration details via a DHCPDISCOVER request.
If configuration details are not successfully obtained using DHCP, the DHCP client will retry indefinitely in
order to learn them, as described in RFC2131 (unless the interface is disabled). Retry characteristics can be
defined using DHCPCLIENT SET RETRY command.
Once the DHCP client has accepted a suitable configuration for the interface, it has to configure the IP stack
appropriately. This involves allocating the new IP address to the interface and configuring the subnet for the
interface.
Addresses allocated by DHCP expire after the specified lease time runs out. If this happens, the DHCP client
must relearn its configuration by repeating the process described above. The client will attempt to initiate
renewal of a held lease well before it is due to expire (approximately half way through the total duration of the
lease). This avoids the problem of an active interface being unexpectedly disabled and dropping normal IP traffic.
The DHCP client on the AT-RG624/634 conforms to most of the specification given in RFC2131. A subset of the DHCP options described in RFC2132 is supported.
The residential Gateway DHCP client accepts and makes use of the following information:
• IP address
• Subnet mask
• Default route (one only)
• Domain name servers (up to two can be usefully supported by DNS relay)
• Host name or DHCP-client-identifier. This option can be used to specify a client identifier in a host declaration, so that a DHCP server can find the host record by matching against the client identifier. This option can be useful when attempting to operate the DHCP client with a Microsoft DHCP server.
Note:
When attempting to use the DHCP client with a Microsoft DHCP server, sending the DHCP-client-identifier option is
mandatory, and it must be specifically set to the MAC address of the device upon which the client is
running; otherwise DHCP will not work at all.
5.1.3.1 Lease requirements and requests
The DHCP protocol allows the client to request that the server send it specific information, and not send it
other information that it is not prepared to accept. The protocol also allows the client to reject offers from
servers if they do not contain information the client needs, or if the information provided is not satisfactory.
Using the DHCPCLIENT INTERFACE CONFIG ADD REQUESTED OPTION command causes the client to
request that any server responding to the client send the client its values for the specified options. Only the
option names should be specified in the request statement - not option parameters.
Using the DHCPCLIENT INTERFACE CONFIG ADD REQUIRED OPTION command configures a list of
options that must be sent in order for an offer to be accepted. Offers that do not contain all the listed options
will be ignored.
Using the DHCPCLIENT INTERFACE CONFIG ADD SENT OPTION command causes the client to send the
specified options to the server with the specified values. Options that are always sent in the DHCP protocol
should not be specified here, except that the client can specify a requested-lease-time option other than the
default requested lease time, which is two hours. The other obvious use for this statement is to send information to the server that will allow it to differentiate between this client and other clients or kinds of clients.
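How the three lists interact is easier to see in data form. The Python model below is an added example, not the gateway's DHCP client: it keeps a requested, a required and a sent list per interfaceconfig, turns them into the option codes a client would place in its DISCOVER (RFC2132 numbering), and applies the required list to a lease offer. The class and method names are this example's own, and its choice to also ask for every required option in the parameter request list is an assumption rather than documented behaviour. The build_config() helper encodes the configuration from the CLI example later in this section.

```python
"""Model of the three per-interface option lists (requested, required, sent)
and of how a client applies them: the option codes in its parameter request
list, the options it sends itself, and whether a lease offer is acceptable.
Added example, not the gateway's DHCP client; option codes are RFC2132's."""
from typing import Dict, List, Optional

# RFC2132 option codes for the option names used on this page
OPTION_CODES = {
    "subnet-mask": 1,
    "routers": 3,
    "domain-name-servers": 6,
    "host-name": 12,
    "dhcp-lease-time": 51,
    "parameter-request-list": 55,
    "dhcp-client-identifier": 61,
}
DEFAULT_REQUESTED_LEASE = 7200   # seconds: the two-hour default named in the text


class InterfaceConfig:
    """One 'interfaceconfig' entry: the IP interface it applies to and its option lists."""

    def __init__(self, name: str, interface: str) -> None:
        self.name = name
        self.interface = interface
        self.requested: List[str] = []     # names the server is asked to supply
        self.required: List[str] = []      # names an offer must carry to be accepted
        self.sent: Dict[str, str] = {}     # name -> value the client sends itself
        self.requested_lease_time: Optional[int] = None

    @staticmethod
    def _code(name: str) -> int:
        try:
            return OPTION_CODES[name]
        except KeyError:
            raise ValueError(f"unknown option name {name!r}") from None

    def add_requested_option(self, name: str) -> None:
        self._code(name)                       # reject names the client cannot encode
        if name not in self.requested:
            self.requested.append(name)

    def add_required_option(self, name: str) -> None:
        self._code(name)
        if name not in self.required:
            self.required.append(name)

    def add_sent_option(self, name: str, value: str) -> None:
        self._code(name)
        self.sent[name] = value

    def parameter_request_list(self) -> List[int]:
        """Option 55 contents: requested options first, then any required option not
        already listed (assumption: a server is unlikely to send what was never asked for)."""
        codes: List[int] = []
        for name in self.requested + self.required:
            code = self._code(name)
            if code not in codes:
                codes.append(code)
        return codes

    def client_options(self) -> Dict[int, object]:
        """Options the client places in its own DISCOVER/REQUEST, keyed by option code."""
        opts: Dict[int, object] = {
            55: self.parameter_request_list(),
            51: self.requested_lease_time or DEFAULT_REQUESTED_LEASE,
        }
        for name, value in self.sent.items():
            opts[self._code(name)] = value
        return opts

    def accepts(self, offer: Dict[int, object]) -> bool:
        """An offer is accepted only if every required option is present in it."""
        return all(self._code(name) in offer for name in self.required)


def build_config() -> InterfaceConfig:
    """The client configuration from the CLI example in this section, as data."""
    cfg = InterfaceConfig("mycfg", "ip0")
    cfg.requested_lease_time = 3600
    cfg.add_requested_option("domain-name-servers")
    cfg.add_required_option("routers")
    cfg.add_sent_option("host-name", "galapagos")
    return cfg


if __name__ == "__main__":
    cfg = build_config()
    print("client options:", cfg.client_options())
    print("offer without routers accepted:", cfg.accepts({1: "255.255.255.0", 6: ["192.168.220.30"]}))
```

The offer dictionaries stand in for the decoded option field of a DHCPOFFER; an offer that omits option 3 (routers) is ignored exactly as the text says a missing required option causes.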
5.1.3.2 Support for AutoIP
The DHCP client also supports IP address auto-configuration, referred to as AutoIP in this manual. This
includes support for RFC2563, which allows network administrators to configure DHCP servers to deny this
auto-configuration capability to clients.
In summary, AutoIP will be engaged after a DHCP client fails to contact a DHCP server and cannot obtain a
lease. A pseudo-random algorithm invents an IP address on the 169.254 subnet. Collisions are avoided by issuing ARP requests for the suggested IP address, abandoning the address if it is already active on the network.
Additionally, the suggested address will be abandoned if any other host on the network issues an ARP probe
(i.e. the host issuing the ARP has source address 0.0.0.0) for that IP address.
Having auto-configured an IP address, the DHCP client will periodically check that it still cannot contact a
DHCP server. If the client finds it can now obtain a legitimate lease from a DHCP server, this lease will supersede any auto-configured IP address.
To turn on the AutoIP feature, use the DHCPCLIENT SET INTERFACECONFIG AUTOIP ENABLED command.
To prevent the DHCP client from using AutoIP, use the DHCPCLIENT SET INTERFACECONFIG AUTOIP DISABLED command.
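The AutoIP procedure just described (invent an address, ARP-probe it, abandon it on a reply or on a competing probe, and stay off AutoIP when a server has used the RFC2563 option to forbid it) is simulated below in Python. This is an added example and not the gateway's code: the Link class is a constructed stand-in for the LAN, ScriptedRng exists only to make runs repeatable, the attempt limit is an assumption, and the restriction to 169.254.1.0 through 169.254.254.255 follows RFC3927 rather than anything this manual states.

```python
"""Simulation of AutoIP address selection: pick a pseudo-random 169.254.x.y
address, ARP-probe it, abandon it if anyone answers or if another host is
seen probing the same address from 0.0.0.0, and do not auto-configure at
all when a server sent the RFC2563 auto-configure option with the value
"do not auto-configure". Added example, not the gateway's client."""
import ipaddress
import random
from typing import Dict, Iterable, Optional, Set

AUTOIP_NET = ipaddress.ip_network("169.254.0.0/16")
AUTO_CONFIGURE = 116          # RFC2563 option code
DO_NOT_AUTO_CONFIGURE = 0     # RFC2563 value: the server denies auto-configuration
MAX_ATTEMPTS = 10             # give up after this many collisions (assumption)


class Link:
    """Constructed stand-in for the LAN segment the client is attached to."""

    def __init__(self, in_use: Iterable[str], probing: Iterable[str]) -> None:
        self.in_use: Set[ipaddress.IPv4Address] = {ipaddress.ip_address(a) for a in in_use}
        self.probing: Set[ipaddress.IPv4Address] = {ipaddress.ip_address(a) for a in probing}

    def arp_probe_answered(self, ip: ipaddress.IPv4Address) -> bool:
        return ip in self.in_use           # a host already holding the address replied

    def competing_probe_seen(self, ip: ipaddress.IPv4Address) -> bool:
        return ip in self.probing          # another host is probing it from 0.0.0.0


class ScriptedRng:
    """Deterministic replacement for random.Random, used to make the checks repeatable."""

    def __init__(self, hosts: Iterable[int]) -> None:
        self.hosts = list(hosts)

    def randint(self, lo: int, hi: int) -> int:
        return self.hosts.pop(0)


def candidate(rng) -> ipaddress.IPv4Address:
    """Pseudo-random host in 169.254.1.0 .. 169.254.254.255 (the RFC3927 range)."""
    host = rng.randint(256, 65535 - 256)
    return AUTOIP_NET.network_address + host


def select_autoip(link: Link, rng, server_options: Optional[Dict[int, int]] = None
                  ) -> Optional[ipaddress.IPv4Address]:
    """Return the address to self-assign, or None when AutoIP must not (or cannot) be used."""
    if server_options and server_options.get(AUTO_CONFIGURE) == DO_NOT_AUTO_CONFIGURE:
        return None                        # a server explicitly denied auto-configuration
    for _ in range(MAX_ATTEMPTS):
        ip = candidate(rng)
        if link.arp_probe_answered(ip) or link.competing_probe_seen(ip):
            continue                       # collision: abandon it and invent another
        return ip
    return None


def demo(seed: int = 7) -> Optional[ipaddress.IPv4Address]:
    """Selection on a constructed link where 169.254.1.1 is already taken."""
    return select_autoip(Link(["169.254.1.1"], []), random.Random(seed))


if __name__ == "__main__":
    print("selected:", demo())
```

Once a server becomes reachable again, the text says a real lease supersedes the self-assigned address; that part is a timer-driven retry of normal DHCP and is not modelled here.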
5.1.3.3 Additional DHCP client modes
There are two additional DHCP client modes for finer control of how configuration parameters are
accepted and propagated. The first mode lets you choose how DNS servers are to be used; the second
mode lets you use parameters received on a DHCP client interface to automatically set up a DHCP
server on another interface in the system.
5.1.3.4 Propagating DNS server information
You can tell the DHCP client what to do with received DNS server addresses. The pertinent attributes are
giveDnsToRelay and giveDnsToClient. As is evident from the parameter names, the effect of these settings is
to cause the DHCP process to pass to the DNS relay and client processes the DNS server address(es) it has
learnt, which they are then able to use for DNS queries.
By default, DNS server addresses are only given to the DNS relay, if present.
For example, to set this up via the CLI, the following command sequence can be used:
dhcpclient add interfaceconfig client1 ip0
dhcpclient interfaceconfig 1 add requested option domain-name-servers
dhcpclient set interfaceconfig client1 givednstorelay enabled
dhcpclient set interfaceconfig client1 givednstoclient enabled
5.1.3.5 Automatically setting up a DHCP server
It is possible to tell the DHCP client to use parameters it has obtained to automatically set up a DHCP server.
If you choose this mode, you must tell DHCP client how large an IP address lease pool you would like the new
server to have, and which IP interface you want the new DHCP server to bind to.
If you do not supply any interface information, the DHCP client will try to place the DHCP server on the first
LAN interface it finds (the DHCP client will regard an IP interface as being a LAN interface)
The new DHCP server’s address pool will start one IP address after the IP address of the interface upon which
the DHCP server has been set up. That is, if the DHCP client is configured to set up the DHCP server on an IP
interface named uplink, with address 192.168.219.2, the address range will commence from address
192.168.219.3.
At present, the new DHCP server will give out any DNS server addresses received by the DHCP client. It will
then advertise its own host IP address as being the default gateway.
To set this up via the CLI, the following command sequence can be used:
dhcpclient add interfaceconfig client1 ip0
dhcpclient interfaceconfig 1 add requested option domain-name-servers
dhcpclient set interfaceconfig client1 dhcpserverpoolsize 30
dhcpclient set interfaceconfig client1 dhcpserverinterface uplink
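The pool derivation described above can be reproduced to predict what the automatically created server will hand out. The Python function below is an added example, not the gateway's implementation: it computes the range from the interface address and the pool size, attaches the interface address as default gateway and the DNS servers the client learnt as options, and (this example's own safeguard, not documented behaviour) stops the pool at the subnet's last usable address and reports when it had to.

```python
"""Derive the address pool of an automatically created DHCP server: it starts
one address after the interface the server is bound to, is poolsize
addresses long, advertises the interface address as default gateway and
passes on the DNS servers the DHCP client learnt. Added example, not the
gateway's code; clamping the pool to the subnet is this example's own rule."""
import ipaddress
from typing import Dict, List


def auto_server_config(interface_ip: str, netmask: str, pool_size: int,
                       learnt_dns: List[str]) -> Dict[str, object]:
    """Return the subnet, range, size and options the new server would be given."""
    iface = ipaddress.ip_interface(f"{interface_ip}/{netmask}")
    net = iface.network
    if pool_size < 1:
        raise ValueError("dhcpserverpoolsize must be at least 1")
    first = iface.ip + 1                         # one after the server's own address
    last_usable = net.broadcast_address - 1      # never lease the broadcast address
    if first > last_usable:
        raise ValueError(f"no room for a pool after {interface_ip} in {net}")
    wanted_last = first + (pool_size - 1)
    last = min(wanted_last, last_usable)         # clamp: assumption, not documented
    return {
        "subnet": str(net),
        "range": (str(first), str(last)),
        "size": int(last) - int(first) + 1,
        "truncated": wanted_last > last_usable,
        "options": {
            "routers": str(iface.ip),            # the server advertises itself as gateway
            "domain-name-servers": list(learnt_dns),
        },
    }


if __name__ == "__main__":
    # constructed values: the uplink address and pool size from the CLI sequence above
    print(auto_server_config("192.168.219.2", "255.255.255.0", 30, ["192.168.220.30"]))
```

A pool that gets truncated is worth noticing: the gateway is then serving fewer addresses than the poolsize setting suggests, and clients beyond that count will fail to obtain a lease.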
5.1.3.6 Example
This section provides a guide to setting up a DHCP client using commands available in the CLI.
Let's assume that the system has been configured with an interface named eth0. The first step is to enable the
DHCP flag on this interface:
ip set interface eth0 dhcp enabled
DHCP client configuration is optional. You do not need to perform these steps unless you have special requirements, such as specifying whether the use of AutoIP is allowed, specific requirements for which options are to
be negotiated from a DHCP server, or specific requirements about what to do with option values when they are
received.
dhcpclient add interfaceconfig mycfg ip0
dhcpclient set interfaceconfig mycfg requestedleasetime 3600
dhcpclient set interfaceconfig mycfg clientid 00:20:2b:01:02:03
dhcpclient set interfaceconfig mycfg autoip enabled
dhcpclient set interfaceconfig mycfg givednstorelay enabled
dhcpclient interfaceconfig mycfg add requested option domain-name-servers
dhcpclient interfaceconfig mycfg add required option routers
dhcpclient interfaceconfig mycfg add sent option host-name '"galapagos"'
These commands create a new DHCP client interface configuration related to the IP interface you defined earlier. Let us consider, line by line, what the above configuration does:
• A lease time of one hour is requested.
• A client identifier of 00:20:2b:01:02:03 is specified.
• In the event of a DHCP server being unavailable, the DHCP client will automatically assign an address using
AutoIP.
• Any DNS server addresses received from a server will be passed to the DNS relay. (There is also an analogous option to pass the addresses to the DNS client).
• For this to occur, the DHCP client must request DNS server addresses from a server (maps onto the
request directive).
• The DHCP client will insist that a default gateway parameter is present in any lease offer (maps onto the
require directive).
• Finally, the DHCP client will send out galapagos as the value of the host name option – this can be used by
some ISPs as part of a simple authentication process (maps onto the send directive).
The final step is to tell the Residential Gateway to update the DHCP client software with the new IP interface
and configuration that has been defined. To do this, issue the following command:
dhcpclient update
Note:
NO configuration changes that you have made on the DHCP client will take effect until you enter the
DHCPCLIENT UPDATE command.
5.1.4 DHCP Relay
A DHCP relay uses the facilities of the IP stack to transmit and receive DHCP packets.
From a DHCP client’s point of view, the relay acts as a de-facto DHCP server, and this operation is transparent.
This is useful where a network administrator only wishes to have one DHCP server across several physical and
logical sub-networks.
The relay works by forwarding all broadcasted client requests to one or more known DHCP servers.
Server replies are then either broadcast or unicast back to the client via the DHCP relay.
Note:
Note that the DHCP server and DHCP relay cannot coexist simultaneously.
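The relay behaviour described above, in code: the Python module below is an added example, not the gateway's relay. It parses the fixed part of the BOOTP/DHCP header as laid out in RFC2131, forwards a client request to each configured server after stamping its own address into giaddr, and delivers a server reply back to the client by unicast or broadcast following RFC2131 section 4.1; the hop limit is the RFC1542 loop guard. The relay and server addresses and the sample packets are constructed, and the class names are this example's own.

```python
"""Forwarding decisions of a DHCP relay: every client request is forwarded
to the configured servers, and server replies are delivered back to the
client by unicast or broadcast. Added example, not the gateway's relay;
header layout and delivery rules follow RFC2131 and RFC1542."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
SERVER_PORT, CLIENT_PORT = 67, 68
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
HEADER_FMT = "!BBBBIHH4s4s4s4s16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 44 bytes; sname, file and options follow


@dataclass
class Header:
    op: int
    hops: int
    xid: int
    flags: int
    ciaddr: str
    yiaddr: str
    giaddr: str
    chaddr: bytes
    htype: int = 1           # Ethernet
    hlen: int = 6
    secs: int = 0
    siaddr: str = "0.0.0.0"

    @classmethod
    def unpack(cls, pkt: bytes) -> "Header":
        (op, htype, hlen, hops, xid, secs, flags,
         ci, yi, si, gi, chaddr) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
        return cls(op, hops, xid, flags, str(IPv4Address(ci)), str(IPv4Address(yi)),
                   str(IPv4Address(gi)), chaddr, htype, hlen, secs, str(IPv4Address(si)))

    def pack(self) -> bytes:
        return struct.pack(HEADER_FMT, self.op, self.htype, self.hlen, self.hops, self.xid,
                           self.secs, self.flags, IPv4Address(self.ciaddr).packed,
                           IPv4Address(self.yiaddr).packed, IPv4Address(self.siaddr).packed,
                           IPv4Address(self.giaddr).packed, self.chaddr.ljust(16, b"\0"))


class Relay:
    """One relay agent: the address of its client-facing interface and the servers it forwards to."""

    def __init__(self, relay_ip: str, servers: List[str], max_hops: int = 4) -> None:
        self.relay_ip = relay_ip
        self.servers = list(servers)
        self.max_hops = max_hops        # RFC1542 loop guard; 4 is its suggested default

    def handle(self, pkt: bytes) -> List[Tuple[str, int, bytes]]:
        """Return (destination IP, UDP port, payload) tuples to transmit, possibly none."""
        hdr = Header.unpack(pkt)
        tail = pkt[HEADER_LEN:]
        if hdr.op == BOOTREQUEST:
            if hdr.hops >= self.max_hops:
                return []                           # looped or over-relayed: discard
            hdr.hops += 1
            if hdr.giaddr == "0.0.0.0":
                hdr.giaddr = self.relay_ip          # first relay records its address for replies
            out = hdr.pack() + tail
            return [(srv, SERVER_PORT, out) for srv in self.servers]
        if hdr.op == BOOTREPLY:
            if hdr.giaddr != self.relay_ip:
                return []                           # reply was meant for another relay
            if hdr.ciaddr != "0.0.0.0":
                dest = hdr.ciaddr                   # client already has an address (renewing)
            elif hdr.flags & BROADCAST_FLAG:
                dest = "255.255.255.255"            # client asked for broadcast replies
            else:
                dest = hdr.yiaddr                   # unicast to the address being offered
            return [(dest, CLIENT_PORT, pkt)]
        return []


def sample_discover() -> bytes:
    """Constructed DHCPDISCOVER header from a client with MAC 00:20:2b:01:02:03 (no options)."""
    return Header(BOOTREQUEST, 0, 0x3903F326, BROADCAST_FLAG, "0.0.0.0", "0.0.0.0",
                  "0.0.0.0", bytes.fromhex("00202b010203")).pack()


def sample_offer(flags: int, ciaddr: str = "0.0.0.0") -> bytes:
    """Constructed DHCPOFFER header sent by server 10.5.7.1 to the relay at 192.168.219.1."""
    return Header(BOOTREPLY, 1, 0x3903F326, flags, ciaddr, "192.168.219.10",
                  "192.168.219.1", bytes.fromhex("00202b010203"), siaddr="10.5.7.1").pack()


if __name__ == "__main__":
    relay = Relay("192.168.219.1", ["10.5.7.1"])
    for dest, port, _ in relay.handle(sample_discover()) + relay.handle(sample_offer(0)):
        print(f"send to {dest}:{port}")
```

Unicasting to yiaddr works only because the relay (or the server, when no relay is involved) installs the client's MAC address for that IP itself; a relay that cannot do so must fall back to broadcast.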
5.1.5 DHCP Server command reference
This section describes the commands available on the gateway to enable, configure and manage the DHCP server module.
5.1.5.1 DHCP server CLI commands
The table below lists the DHCP server commands provided by the CLI:
TABLE 5-1 DHCP server CLI commands

Commands                                      | Fiber         | ADSL    | Modular
                                              | A  B  C  D  E | A  B  C |
----------------------------------------------|---------------|---------|--------
DHCPSERVER ADD USERS CLASS                    | X  X  X  X  X | X  X  X | X
DHCPSERVER ADD VENDOR CLASS                   | X  X  X  X  X | X  X  X | X
DHCPSERVER CLEAR CLASSES                      | X  X  X  X  X | X  X  X | X
DHCPSERVER DELETE CLASS                       | X  X  X  X  X | X  X  X | X
DHCPSERVER LIST CLASSES                       | X  X  X  X  X | X  X  X | X
DHCPSERVER SET USERS CLASS                    | X  X  X  X  X | X  X  X | X
DHCPSERVER SET VENDOR CLASS                   | X  X  X  X  X | X  X  X | X
DHCPSERVER SHOW CLASS                         | X  X  X  X  X | X  X  X | X
DHCPSERVER CLASS ADD OPTION                   | X  X  X  X  X | X  X  X | X
DHCPSERVER CLASS CLEAR OPTION                 | X  X  X  X  X | X  X  X | X
DHCPSERVER CLASS DELETE OPTION                | X  X  X  X  X | X  X  X | X
DHCPSERVER CLASS LIST OPTION                  | X  X  X  X  X | X  X  X | X
DHCPSERVER ADD EXCLUDE                        | X  X  X  X  X | X  X  X | X
DHCPSERVER CLEAR EXCLUDES                     | X  X  X  X  X | X  X  X | X
DHCPSERVER DELETE EXCLUDE                     | X  X  X  X  X | X  X  X | X
DHCPSERVER LIST EXCLUDES                      | X  X  X  X  X | X  X  X | X
DHCPSERVER ADD INTERFACE                      | X  X  X  X  X | X  X  X | X
DHCPSERVER CLEAR INTERFACES                   | X  X  X  X  X | X  X  X | X
DHCPSERVER DELETE INTERFACE                   | X  X  X  X  X | X  X  X | X
DHCPSERVER LIST INTERFACES                    | X  X  X  X  X | X  X  X | X
DHCPSERVER ADD FIXEDHOST                      | X  X  X  X  X | X  X  X | X
DHCPSERVER CLEAR FIXEDHOSTS                   | X  X  X  X  X | X  X  X | X
DHCPSERVER DELETE FIXEDHOST                   | X  X  X  X  X | X  X  X | X
DHCPSERVER LIST FIXEDHOSTS                    | X  X  X  X  X | X  X  X | X
DHCPSERVER SET FIXEDHOST IPADDRESS            | X  X  X  X  X | X  X  X | X
DHCPSERVER SET FIXEDHOST DEFAULTLEASETIME     | X  X  X  X  X | X  X  X | X
DHCPSERVER SET FIXEDHOST MACADDRESS           | X  X  X  X  X | X  X  X | X
DHCPSERVER SET FIXEDHOST MAXLEASETIME         | X  X  X  X  X | X  X  X | X
DHCPSERVER ADD SHAREDNETWORK                  | X  X  X  X  X | X  X  X | X
DHCPSERVER CLEAR SHAREDNETWORKS               | X  X  X  X  X | X  X  X | X
DHCPSERVER DELETE SHAREDNETWORK               | X  X  X  X  X | X  X  X | X
DHCPSERVER LIST SHAREDNETWORKS                | X  X  X  X  X | X  X  X | X
DHCPSERVER SHAREDNETWORK ADD SHAREDSUBNET     | X  X  X  X  X | X  X  X | X
DHCPSERVER SHAREDNETWORK CLEAR SHAREDSUBNETS  | X  X  X  X  X | X  X  X | X
DHCPSERVER SHAREDNETWORK LIST SHAREDSUBNETS   | X  X  X  X  X | X  X  X | X
DHCPSERVER ADD SUBNET                         | X  X  X  X  X | X  X  X | X
DHCPSERVER CLEAR SUBNETS                      | X  X  X  X  X | X  X  X | X
DHCPSERVER DELETE SUBNET                      | X  X  X  X  X | X  X  X | X
DHCPSERVER LIST SUBNETS                       | X  X  X  X  X | X  X  X | X
DHCPSERVER SHOW SUBNET                        | X  X  X  X  X | X  X  X | X
DHCPSERVER SET SUBNET ASSIGNAUTODOMAIN        | X  X  X  X  X | X  X  X | X
DHCPSERVER SET SUBNET DEFAULTLEASETIME        | X  X  X  X  X | X  X  X | X
DHCPSERVER SET SUBNET HOSTISDEFAULTGATEWAY    | X  X  X  X  X | X  X  X | X
DHCPSERVER SET SUBNET HOSTISDNSSERVER         | X  X  X  X  X | X  X  X | X
DHCPSERVER SET SUBNET MAXLEASETIME            | X  X  X  X  X | X  X  X | X
DHCPSERVER SET SUBNET SUBNET                  | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET ADD IPRANGE                 | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET ADD OPTION                  | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET ADD POOL                    | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET CLEAR IPRANGES              | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET CLEAR OPTIONS               | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET CLEAR POOLS                 | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET DELETE IPRANGE              | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET DELETE OPTION               | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET DELETE POOL                 | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET LIST IPRANGES               | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET LIST OPTIONS                | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET LIST POOLS                  | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL ADD ALLOWCLASS         | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL ADD DENYCLASS          | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL ADD OPTION             | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL ADD POOLRANGE          | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL CLEAR ALLOWCLASS       | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL CLEAR DENYCLASS        | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL CLEAR OPTIONS          | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL CLEAR POOLRANGE        | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL DELETE ALLOWCLASS      | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL DELETE DENYCLASS       | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL DELETE OPTION          | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL DELETE POOLRANGE       | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL LIST ALLOWCLASS        | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL LIST DENYCLASS         | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL LIST OPTION            | X  X  X  X  X | X  X  X | X
DHCPSERVER SUBNET POOL LIST POOLRANGE         | X  X  X  X  X | X  X  X | X
DHCPSERVER ENABLE|DISABLE                     | X  X  X  X  X | X  X  X | X
DHCPSERVER FORCERENEW                         | X  X  X  X  X | X  X  X | X
DHCPSERVER LIST OPTIONS                       | X  X  X  X  X | X  X  X | X
DHCPSERVER LIST HOST                          | X  X  X  X  X | X  X  X | X
DHCPSERVER SET ALLOWUNKNOWNCLIENTS            | X  X  X  X  X | X  X  X | X
DHCPSERVER SET BOOTP                          | X  X  X  X  X | X  X  X | X
DHCPSERVER SET DEFAULTLEASETIME               | X  X  X  X  X | X  X  X | X
DHCPSERVER SET MAXLEASETIME                   | X  X  X  X  X | X  X  X | X
DHCPSERVER SHOW                               | X  X  X  X  X | X  X  X | X
DHCPSERVER UPDATE                             | X  X  X  X  X | X  X  X | X
5.1.5.1.1 DHCPSERVER ADD USERS CLASS
Syntax
DHCPSERVER ADD CLASS <name> USER-CLASS <userclassdata>
Description
This command sets the DHCP server to refuse requests from users without a specific user class ID.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                  Default Value
name            The name of the class                        N/A
userclassdata   User class identifier string to be matched   N/A
Example
--> dhcpserver add class myclass user-class myuserclass
5.1.5.1.2 DHCPSERVER ADD VENDOR CLASS
Syntax
DHCPSERVER ADD CLASS <name> VENDOR-CLASS <vendorclassdata>
Description
This command sets the DHCP server to refuse requests from users without a specific vendor class ID.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option            Description                                    Default Value
name              The name of the class                          N/A
vendorclassdata   Vendor class identifier string to be matched   N/A
Example
--> dhcpserver add class myclass vendor-class myvendorclass
5.1.5.1.3 DHCPSERVER CLEAR CLASSES
Syntax
DHCPSERVER CLEAR CLASSES
Description
This command deletes all DHCP server classes.
Example
dhcpserver clear classes
5.1.5.1.4 DHCPSERVER DELETE CLASS
Syntax
DHCPSERVER DELETE CLASS <name>
Description
This command deletes a single DHCP server class.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   Description                                                     Default Value
name     The existing class that the DHCP server is set to operate on.   N/A
Example
--> dhcpserver delete class myclass
5.1.5.1.5 DHCPSERVER LIST CLASSES
Syntax
DHCPSERVER LIST CLASSES
Description
This command lists the existing DHCP server classes. It displays the following information:
• DHCP server interface ID number
• Class name
• User class data
• Vendor class data
Example
--> dhcpserver list classes
DHCP Server Classes:
 ID | Class Name | UserClassData | VendorClassData
----|------------|---------------|----------------
  1 | myclass    | myuserclass   |
-------------------------------------------------
5.1.5.1.6 DHCPSERVER SET USERS CLASS
Syntax
DHCPSERVER SET CLASS <name> USER-CLASS <userclassdata>
Description
This command sets the DHCP server to refuse requests from users without a specific user class ID.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                  Default Value
name            The name of the class                        N/A
userclassdata   User class identifier string to be matched   N/A
Example
--> dhcpserver set class myclass user-class myuserclass
5.1.5.1.7 DHCPSERVER SET VENDOR CLASS
Syntax
DHCPSERVER SET CLASS <name> VENDOR-CLASS <vendorclassdata>
Description
This command sets the DHCP server to refuse requests from users without a specific vendor class ID.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option            Description                                    Default Value
name              The name of the class                          N/A
vendorclassdata   Vendor class identifier string to be matched   N/A
Example
--> dhcpserver set class myclass vendor-class myvendorclass
5.1.5.1.8 DHCPSERVER SHOW CLASS
Syntax
DHCPSERVER SHOW CLASS <name>
Description
This command shows DHCP server class information.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   Description             Default Value
name     The name of the class   N/A
Example
--> dhcpserver show class myclass
DHCP Server Class: myclass
Class          : myclass
UserClassData  : myuserclass
VendorClassData:
5.1.5.1.9 DHCPSERVER CLASS ADD OPTION
Syntax
DHCPSERVER CLASS <name> ADD OPTION <identifier> <value>
Description
This command adds an option to a DHCP server class.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option       Description                                             Default Value
name         The name of the class                                   N/A
identifier   The identifier of the option, available from the        N/A
             command dhcpserver list options
value        The value of the option                                 N/A
Example
--> dhcpserver class myclass add option subnet-mask 255.255.255.0
5.1.5.1.10 DHCPSERVER CLASS CLEAR OPTION
Syntax
DHCPSERVER CLASS <NAME> CLEAR OPTIONS
Description
This command deletes all DHCP server class options.
Example
--> dhcpserver class myclass clear options
5.1.5.1.11 DHCPSERVER CLASS DELETE OPTION
Syntax
DHCPSERVER CLASS <name> DELETE OPTION <id>
Description
This command deletes a single DHCP server class option.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   Description                                                     Default Value
name     The existing class that the DHCP server is set to operate on.   N/A
id       The id of the option as reported by the command                 N/A
         dhcpserver class list options
Example
--> dhcpserver class myclass delete option 1
5.1.5.1.12 DHCPSERVER CLASS LIST OPTION
Syntax
DHCPSERVER CLASS <NAME> LIST OPTIONS
Description
This command lists the existing options of a DHCP server class. It displays the following information:
• DHCP server interface ID number
• Option identifier
• Option value
Example
--> dhcpserver class myclass list options
DHCP Server Classes:
 ID | Identifier  | Value
----|-------------|---------------
  1 | subnet-mask | 255.255.255.0
--------------------------------
5.1.5.1.13 DHCPSERVER ADD EXCLUDE
Syntax
DHCPSERVER ADD EXCLUDE <name> IPADDRESS <ipaddress>
Description
This command sets the DHCP server to exclude a specific IP address from being leased.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option      Description                                Default Value
name        The name of the excluded address           N/A
ipaddress   The IP address that needs to be excluded   N/A
Example
--> dhcpserver add exclude onepc ipaddress 10.10.10.4
5.1.5.1.14 DHCPSERVER CLEAR EXCLUDES
Syntax
DHCPSERVER CLEAR EXCLUDES
Description
This command deletes all DHCP server excluded IP addresses.
Example
--> dhcpserver clear excludes
5.1.5.1.15 DHCPSERVER DELETE EXCLUDE
Syntax
DHCPSERVER DELETE EXCLUDE <name>
Description
This command deletes a single DHCP server excluded address.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   Description                                           Default Value
name     The existing name of the excluded IP address,         N/A
         obtained from the command dhcpserver list excludes
Example
--> dhcpserver delete exclude onepc
5.1.5.1.16 DHCPSERVER LIST EXCLUDES
Syntax
DHCPSERVER LIST EXCLUDES
Description
This command lists the existing DHCP server excluded IP addresses. It displays the following information:
• DHCP server interface ID number
• Excluded name
• Excluded IP address
Example
--> dhcpserver list excludes
DHCP server Excluded IP Addresses:
 ID | Name  | IP address
----|-------|------------
  1 | onepc | 10.10.10.4
------------------------
5.1.5.1.17 DHCPSERVER ADD INTERFACE
Syntax
DHCPSERVER ADD INTERFACE <ipinterface>
Description
This command sets the DHCP server to operate on a specific IP interface. The IP interface is
defined as a DHCP server IP interface. By setting the DHCP relay to operate on other interfaces, you can simultaneously use the DHCP server and relay in your configuration.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                          Default Value
ipinterface   The name of the existing interface that you want     N/A
              the DHCP server to operate on. To display interface
              names, use the IP LIST INTERFACES command.
Example
--> dhcpserver add interface lan
See also
DHCPRELAY ADD INTERFACE
IP LIST INTERFACES
5.1.5.1.18 DHCPSERVER CLEAR INTERFACES
Syntax
DHCPSERVER CLEAR INTERFACES
Description
This command deletes all DHCP server IP interfaces previously defined using the
DHCPSERVER ADD INTERFACE command.
Note:
This command does not delete the IP interfaces from the router. See IP CLEAR INTERFACES
Example
--> dhcpserver clear interfaces
See also
DHCPSERVER ADD INTERFACE
IP LIST INTERFACES
5.1.5.1.19 DHCPSERVER DELETE INTERFACE
Syntax
DHCPSERVER DELETE INTERFACE <ipinterface>
Description
This command deletes a single DHCP server IP interface previously defined using the
DHCPSERVER ADD INTERFACE command.
Note:
This command does not delete the IP interfaces from the router. See IP CLEAR INTERFACES.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                          Default Value
ipinterface   The existing IP interface that the DHCP server is    N/A
              set to operate on. To display interface names, use
              the DHCPSERVER LIST INTERFACES command.
Example
--> dhcpserver delete interface lan
See also
DHCPSERVER ADD INTERFACE
DHCPSERVER LIST INTERFACES
5.1.5.1.20 DHCPSERVER LIST INTERFACES
Syntax
DHCPSERVER LIST INTERFACES
Description
This command lists the existing DHCP server IP interfaces previously defined using the
DHCPSERVER ADD INTERFACE command. It displays the following information:
• DHCP server interface ID number
• IP interface name
Example
--> dhcpserver list interfaces
DHCP Server Interfaces:
 ID | Name
----|------
  1 | lan
----|------
  2 | wan
-----------
See also
DHCPSERVER ADD INTERFACE
5.1.5.1.21 DHCPSERVER ADD FIXEDHOST
Syntax
DHCPSERVER ADD FIXEDHOST <name> <ipaddress> <macaddress>
Description
This command creates a new fixed host mapping in the DHCP server. This allows you to
configure the DHCP server to assign a specific IP address to a specific DHCP client
based on the client’s MAC address. If a DHCPDISCOVER or DHCPREQUEST is
received from a DHCP client with a matching MAC address, it will have the specified
fixed IP address assigned to it. You must also create a suitable DHCP subnet definition in
order for fixed host mapping to work.
Note:
If you create a fixed host mapping with an IP address that is already present inside a configured,
dynamic IP range, the fixed host IP address will override the address in the dynamic range.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option       Description                                            Default Value
name         An arbitrary name that identifies the fixed host       N/A
             mapping. It can be made up of one or more letters or
             a combination of letters and digits, but it cannot
             start with a digit.
ipaddress    The IP address that is assigned to a DHCP client       N/A
             based on the client’s MAC address, in the format:
             192.168.102.3
macaddress   A MAC address in the format: ##:##:##:##:##:##         N/A
Example
The example below creates a fixed host mapping:
--> dhcpserver add fixedhost myhost 192.168.219.1 00:20:2b:01:02:03
The example below creates a suitable subnet for the above fixed host mapping. Note that
the IP address used above is not present in the following IP range:
--> dhcpserver add subnet mysubnet 192.168.219.0 255.255.255.0 192.168.219.10 192.168.219.20
See also
DHCPSERVER DELETE FIXEDHOST
DHCPSERVER LIST FIXEDHOSTS
5.1.5.1.22 DHCPSERVER CLEAR FIXEDHOSTS
Syntax
DHCPSERVER CLEAR FIXEDHOSTS
Description
This command deletes all DHCP server fixedhosts that were created using the DHCPSERVER ADD FIXEDHOST command.
Example
--> dhcpserver clear fixedhosts
5.1.5.1.23 DHCPSERVER DELETE FIXEDHOST
Syntax
DHCPSERVER DELETE FIXEDHOST <name>
Description
This command deletes a single fixed host mapping in the DHCP server that was created
using the DHCPSERVER ADD FIXEDHOST command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option   Description                                      Default Value
name     An existing fixed host. To display fixed host    N/A
         names, use the DHCPSERVER LIST FIXEDHOSTS
         command.
Example
--> dhcpserver delete fixedhost myhost
See also
DHCPSERVER ADD FIXEDHOST
DHCPSERVER CLEAR FIXEDHOSTS
DHCPSERVER LIST FIXEDHOSTS
5.1.5.1.24 DHCPSERVER LIST FIXEDHOSTS
Syntax
DHCPSERVER LIST FIXEDHOSTS
Description
This command lists the following information about existing DHCP fixed host mappings:
• Fixed host ID number
• Fixed host name
• IP address
• MAC address
• Max lease time
Example
--> dhcpserver list fixedhosts
DHCP server fixed host mappings:
 ID | Name   | IP address    | MAC address       | Max Lease Time
----|--------|---------------|-------------------|---------------
  1 | myhost | 192.168.219.0 | 00:20:2b:01:02:03 | 86400
----------------------------------------------------------------
See also
DHCPSERVER ADD FIXEDHOST
DHCPSERVER SET FIXEDHOST IPADDRESS
DHCPSERVER SET FIXEDHOST MACADDRESS
DHCPSERVER SET FIXEDHOST MAXLEASETIME
5.1.5.1.25 DHCPSERVER SET FIXEDHOST IPADDRESS
Syntax
DHCPSERVER SET FIXEDHOST <host name> IPADDRESS <ipaddress>
Description
This command sets the IP address that will be allocated to a DHCP client by the fixed host mapping.
Note:
You are not allowed to create a fixed host mapping with an IP address that is already present inside a
configured, dynamic IP range on a subnet. The reverse is also forbidden; you cannot add addresses into
a dynamic IP range that are already configured as fixed host addresses. The CLI will display a warning if
you attempt to do this.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
host name | An existing fixed host. To display fixed host names, use the DHCPSERVER LIST FIXEDHOSTS command. | N/A
ipaddress | The IP address assigned to a DHCP client based on the client's MAC address, in the format: 192.168.102.3 | N/A
Example
--> dhcpserver set fixedhost myhost ipaddress 192.168.219.2
See also
DHCPSERVER LIST FIXEDHOSTS
DHCPSERVER SET FIXEDHOST MACADDRESS
5.1.5.1.26 DHCPSERVER SET FIXEDHOST DEFAULTLEASETIME
Syntax
DHCPSERVER SET FIXEDHOST <host name> DEFAULTLEASETIME <defaultleasetime>
Description
This command sets the default lease time that will be allocated to a DHCP client by the
fixed host mapping.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
host name | An existing fixed host. To display fixed host names, use the DHCPSERVER LIST FIXEDHOSTS command. | N/A
defaultleasetime | The default lease time (in seconds) for this fixed host, granted when the client does not ask for a specific expiry time. | N/A
Example
--> dhcpserver set fixedhost myhost defaultleasetime 3600
See also
DHCPSERVER LIST FIXEDHOSTS
DHCPSERVER SET FIXEDHOST MACADDRESS
5.1.5.1.27 DHCPSERVER SET FIXEDHOST MACADDRESS
Syntax
DHCPSERVER SET FIXEDHOST <host name> MACADDRESS <macaddress>
Description
This command sets the MAC address for an existing fixed host mapping.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
host name | An existing fixed host. To display fixed host names, use the DHCPSERVER LIST FIXEDHOSTS command. | N/A
macaddress | A MAC address in the format: ##:##:##:##:##:## | N/A
Example
--> dhcpserver set fixedhost myhost macaddress 00:20:2b:01:02:03
See also
DHCPSERVER LIST FIXEDHOSTS
DHCPSERVER SET FIXEDHOST IPADDRESS
5.1.5.1.28 DHCPSERVER SET FIXEDHOST MAXLEASETIME
Syntax
DHCPSERVER SET FIXEDHOST <host name> MAXLEASETIME <maxleasetime>
Description
This command sets the maximum lease time for an existing fixed host mapping.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
host name | An existing fixed host. To display fixed host names, use the DHCPSERVER LIST FIXEDHOSTS command. | N/A
maxleasetime | The longest lease (in seconds) that can be granted to this fixed host; a client that asks for a longer expiry time is capped at this value. | 86400
Example
--> dhcpserver set fixedhost myhost maxleasetime 90000
See also
DHCPSERVER LIST FIXEDHOSTS
5.1.5.1.29 DHCPSERVER ADD SHAREDNETWORK
Syntax
DHCPSERVER ADD SHAREDNETWORK <name>
Description
This command creates a shared network. All subnets that sit on the same physical network should be placed in one shared network.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An arbitrary name that identifies the shared network. | N/A
Example
The example below creates a shared network:
--> dhcpserver add sharednetwork myshare
5.1.5.1.30 DHCPSERVER CLEAR SHAREDNETWORKS
Syntax
DHCPSERVER CLEAR SHAREDNETWORKS
Description
This command deletes all DHCP server shared networks.
Example
--> dhcpserver clear sharednetworks
5.1.5.1.31 DHCPSERVER DELETE SHAREDNETWORK
Syntax
DHCPSERVER DELETE SHAREDNETWORK <name>
Description
This command deletes a single shared network.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | The name of the shared network. | N/A
Example
--> dhcpserver delete sharednetwork myshared
5.1.5.1.32 DHCPSERVER LIST SHAREDNETWORKS
Syntax
DHCPSERVER LIST SHAREDNETWORKS
Description
This command lists the following information about existing DHCP shared networks:
• Shared network ID
• Shared network name
Example
--> dhcpserver list sharednetworks
DHCP Server Shared-Networks:
  ID | Shared-Network Name
-----|--------------------------
   1 | myshared
------------------------------
5.1.5.1.33 DHCPSERVER SHAREDNETWORK ADD SHAREDSUBNET
Syntax
DHCPSERVER SHAREDNETWORK <name> ADD SHAREDSUBNET <subnetname>
Description
This command adds a shared subnet (a subnet without IP ranges) to the shared network.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | The name of the shared network. | N/A
subnetname | The name of the subnet to add. | N/A
Example
--> dhcpserver sharednetwork myshare add sharedsubnet mysubnet
5.1.5.1.34 DHCPSERVER SHAREDNETWORK CLEAR SHAREDSUBNETS
Syntax
DHCPSERVER SHAREDNETWORK <name> CLEAR SHAREDSUBNETS
Description
This command deletes all shared subnets of the specified shared network.
Example
--> dhcpserver sharednetwork myshare clear sharedsubnets
5.1.5.1.35 DHCPSERVER SHAREDNETWORK DELETE SHAREDSUBNET
Syntax
DHCPSERVER SHAREDNETWORK <name> DELETE SHAREDSUBNET <subnetname>
Description
This command deletes a single shared subnet from the shared network.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | The name of the shared network. | N/A
subnetname | The name of the subnet to remove from the shared network. | N/A
Example
--> dhcpserver sharednetwork myshared delete sharedsubnet mysubnet
5.1.5.1.36 DHCPSERVER SHAREDNETWORK LIST SHAREDSUBNET
Syntax
DHCPSERVER SHAREDNETWORK <name> LIST SHAREDSUBNET
Description
This command lists the existing shared subnets in a shared network.
Example
--> dhcpserver sharednetwork myshare list sharedsubnet
5.1.5.1.37 DHCPSERVER ADD SUBNET
Syntax
DHCPSERVER ADD SUBNET <name> <ipaddress> <netmask> [<startaddr> <endaddr>]
Description
This command creates a subnet that stores a pool of IP addresses. The DHCP server can
allocate IP addresses from this pool to clients on request.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An arbitrary name that identifies the subnet. It can be made up of one or more letters or a combination of letters and digits, but it cannot start with a digit. | N/A
ipaddress | The IP address of the subnet in the format: 192.168.102.3 | N/A
netmask | The netmask address of the subnet, for example: 255.255.255.0 | N/A
startaddr | The first IP address in the pool of addresses, in the format: 192.168.102.3 | N/A
endaddr | The last IP address in the pool of addresses, in the format: 192.168.102.3 | N/A
Example
--> dhcpserver add subnet sub1 239.252.197.0 255.255.255.0 239.252.197.10 239.252.197.107
See also
DHCPSERVER LIST SUBNETS
5.1.5.1.38 DHCPSERVER CLEAR SUBNETS
Syntax
DHCPSERVER CLEAR SUBNETS
Description
This command deletes all DHCP server subnets that were created using the DHCPSERVER ADD SUBNET command.
Example
--> dhcpserver clear subnets
See also
DHCPSERVER DELETE SUBNET
5.1.5.1.39 DHCPSERVER DELETE SUBNET
Syntax
DHCPSERVER DELETE SUBNET {<name>|<number>}
Description
This command deletes a single DHCP server subnet. The pool of IP addresses in the subnet is also deleted.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
Example
--> dhcpserver delete subnet sub1
See also
DHCPSERVER CLEAR SUBNETS
5.1.5.1.40 DHCPSERVER LIST SUBNETS
Syntax
DHCPSERVER LIST SUBNETS
Description
This command lists the following information about existing DHCP server subnets:
• Subnet number
• Subnet name
• Subnet IP address
• Subnet netmask address
• Default lease time (in seconds)
• Maximum lease time (in seconds)
• Whether the host is a DNS server (true or false)
Example
--> dhcpserver list subnets
DHCP Server subnets:
    |               |               | Default  |    Max     | Host is
 ID |   IP Address  |    Netmask    |Lease time| Lease time |DNS svr
----|---------------|---------------|----------|------------|-------
  1 | 192.168.102.0 | 255.255.255.0 | 43200    | 86400      | false
--------------------------------------------------------------------
See also
DHCPSERVER SHOW SUBNET
5.1.5.1.41 DHCPSERVER SHOW SUBNET
Syntax
DHCPSERVER SHOW SUBNET {<name>|<number>}
Description
This command displays the following information about a subnet:
• Subnet name
• Subnet IP address
• Subnet netmask
• Subnet maximum lease time
• Subnet default lease time
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
Example
--> dhcpserver show subnet sub1
DHCP Server Subnet:   sub1
Subnet:               192.168.103.0
Netmask:              255.255.255.0
Max. lease time:      70000 seconds
Default lease time:   30000 seconds
See also
DHCPSERVER SHOW
5.1.5.1.42 DHCPSERVER SET SUBNET ASSIGNAUTODOMAIN
Syntax
DHCPSERVER SET SUBNET {<name>|<number>} ASSIGNAUTODOMAIN
{ENABLED|DISABLED}
Description
This command sets DHCP server to automatically pick up the domain name configured
in DNS relay and hand it out to DHCP clients on one or more of the subnets being
administered by DHCP server.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
enabled | DHCP server passes the local device's domain name (set up in DNS relay) to all DHCP clients on the LAN. | disabled
disabled | DHCP server does not pass the local device's domain name (set up in DNS relay) to all DHCP clients on the LAN. |
Example
--> dhcpserver set subnet sub1 assignautodomain enabled
5.1.5.1.43 DHCPSERVER SET SUBNET DEFAULTLEASETIME
Syntax
DHCPSERVER SET SUBNET {<name>|<number>} DEFAULTLEASETIME <defaultleasetime>
Description
This command sets the default lease time for an existing subnet. This command setting
overrides the global default lease time setting for this particular subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
defaultleasetime | The default time (in seconds) a subnet assigns to a lease if the client requesting the lease does not ask for a specific expiry time. | 43200
Example
--> dhcpserver set subnet sub1 defaultleasetime 30000
See also
DHCPSERVER SHOW SUBNET
5.1.5.1.44 DHCPSERVER SET SUBNET HOSTISDEFAULTGATEWAY
Syntax
DHCPSERVER SET SUBNET {<name>|<number>} HOSTISDEFAULTGATEWAY {ENABLED | DISABLED}
Description
This command tells the DHCP server to give out its own host IP address as the default
gateway address. This is the normal setting when the gateway itself routes traffic for the subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
enabled | Allows DHCP server to give out its own host IP address as the default gateway address. | disabled
disabled | Disallows DHCP server from giving out its own host IP address as the default gateway address. |
Example
--> dhcpserver set subnet sub1 hostisdefaultgateway enabled
See also
DHCPSERVER SET SUBNET HOSTISDNSSERVER
5.1.5.1.45 DHCPSERVER SET SUBNET HOSTISDNSSERVER
Syntax
DHCPSERVER SET SUBNET {<name>|<number>} HOSTISDNSSERVER
{ENABLED | DISABLED}
Description
This command tells the DHCP server to give out its own host IP address as the DNS
server address. This is useful when combined with DNS Relay.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
enabled | Allows DHCP server to give out its own host IP address as the DNS server address. | disabled
disabled | Disallows DHCP server from giving out its own host IP address as the DNS server address. |
Example
--> dhcpserver set subnet sub1 hostisdnsserver enabled
See also
DHCPSERVER LIST SUBNETS
5.1.5.1.46 DHCPSERVER SET SUBNET MAXLEASETIME
Syntax
DHCPSERVER SET SUBNET {<name>|<number>} MAXLEASETIME <maxleasetime>
Description
This command sets the maximum lease time for an existing subnet. This command setting
overrides the global maximum lease time setting for this particular subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
maxleasetime | The longest lease (in seconds) the subnet will grant; a client that asks for a longer expiry time is capped at this value. | 86400
Example
--> dhcpserver set subnet sub1 maxleasetime 70000
See also
DHCPSERVER SHOW SUBNET
5.1.5.1.47 DHCPSERVER SET SUBNET SUBNET
Syntax
DHCPSERVER SET SUBNET {<name>|<number>} SUBNET <ip address> <netmask>
Description
This command allows you to change the IP address and netmask used by an existing
DHCP server subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
ip address | The new IP address for the subnet (format: 192.168.102.3) | N/A
netmask | The new netmask address for the subnet, for example: 255.255.255.0 | N/A
Example
--> dhcpserver set subnet sub1 subnet 239.252.197.0 255.255.255.0
See also
DHCPSERVER LIST SUBNETS
5.1.5.1.48 DHCPSERVER SUBNET ADD IPRANGE
Syntax
DHCPSERVER SUBNET {<name>|<number>} ADD IPRANGE <startaddr> <endaddr>
Description
This command adds a pool of IP addresses to an existing subnet. DHCP server can allocate IP addresses from this pool to clients on request.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
startaddr | The first IP address in the pool of addresses, in the format: 192.168.102.3 | N/A
endaddr | The last IP address in the pool of addresses, in the format: 192.168.102.3 | N/A
Example
--> dhcpserver subnet sub1 add iprange 239.252.197.0 239.252.197.107
See also
DHCPSERVER ADD SUBNET
DHCPSERVER LIST SUBNETS
DHCPSERVER SUBNET LIST IPRANGES
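The overlap rule stated in the note under DHCPSERVER SET FIXEDHOST IPADDRESS (a fixed-host address may not sit inside a dynamic range, and a range may not be laid over a fixed-host address) and the DHCPSERVER ADD SUBNET / SUBNET ADD IPRANGE commands above can be checked offline before anything is typed into the gateway. The Python below is an added example and not Allied Telesis code: it models subnets, IP ranges and fixed hosts with the same refusals the CLI applies, plus checks that are simply sound (a range must lie inside its subnet, must not overlap another range, and must not include the network or broadcast address; a MAC must be in ##:##:##:##:##:## form), and emits the equivalent dhcpserver lines. The DhcpModel class and rejected() helper are mine; the sample addresses are constructed to mirror the examples on this page; and the emitted SET FIXEDHOST lines assume the host entry was first created with DHCPSERVER ADD FIXEDHOST, which is documented elsewhere.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical helper (not Allied Telesis code): an offline model of the
# DHCP server's address-space rules for subnets, IP ranges and fixed hosts.

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
SUBNET_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")   # "cannot start with a digit"


@dataclass
class Subnet:
    name: str
    network: ipaddress.IPv4Network
    ranges: list = field(default_factory=list)   # [(first, last), ...]


@dataclass
class FixedHost:
    name: str
    mac: str
    ip: ipaddress.IPv4Address


class DhcpModel:
    """Applies the CLI's refusals before anything is typed into the gateway."""

    def __init__(self):
        self.subnets = {}
        self.fixedhosts = {}

    def add_subnet(self, name, address, netmask, start=None, end=None):
        if not SUBNET_NAME_RE.match(name):
            raise ValueError("subnet name must start with a letter")
        if name in self.subnets:
            raise ValueError("subnet %s already exists" % name)
        # strict=True refuses an address with host bits set, e.g. 10.0.0.1/8
        self.subnets[name] = Subnet(name, ipaddress.IPv4Network((address, netmask), strict=True))
        if start is not None:
            self.add_iprange(name, start, end)

    def add_iprange(self, subnet, start, end):
        sub = self.subnets[subnet]
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError("start address is above end address")
        if lo not in sub.network or hi not in sub.network:
            raise ValueError("range %s-%s lies outside %s" % (lo, hi, sub.network))
        if lo == sub.network.network_address or hi == sub.network.broadcast_address:
            raise ValueError("range includes the network or broadcast address")
        for a, b in sub.ranges:
            if lo <= b and a <= hi:
                raise ValueError("range overlaps existing range %s-%s" % (a, b))
        for fh in self.fixedhosts.values():          # the reverse of the fixed-host rule
            if lo <= fh.ip <= hi:
                raise ValueError("range contains fixed host %s (%s)" % (fh.name, fh.ip))
        sub.ranges.append((lo, hi))

    def add_fixedhost(self, name, mac, ip):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError("MAC address must be in the form ##:##:##:##:##:##")
        addr = ipaddress.IPv4Address(ip)
        if not any(addr in s.network for s in self.subnets.values()):
            raise ValueError("%s is in no configured subnet" % addr)
        for sub in self.subnets.values():            # the rule from the Note above
            for a, b in sub.ranges:
                if a <= addr <= b:
                    raise ValueError("%s is inside dynamic range %s-%s of %s" % (addr, a, b, sub.name))
        for fh in self.fixedhosts.values():
            if fh.mac == mac or fh.ip == addr:
                raise ValueError("MAC or IP already mapped by fixed host %s" % fh.name)
        self.fixedhosts[name] = FixedHost(name, mac, addr)

    def cli(self):
        """dhcpserver lines that reproduce this model. The SET FIXEDHOST lines
        assume the entry was first created with DHCPSERVER ADD FIXEDHOST."""
        lines = []
        for s in self.subnets.values():
            lines.append("dhcpserver add subnet %s %s %s"
                         % (s.name, s.network.network_address, s.network.netmask))
            for a, b in s.ranges:
                lines.append("dhcpserver subnet %s add iprange %s %s" % (s.name, a, b))
        for fh in self.fixedhosts.values():
            lines.append("dhcpserver set fixedhost %s ipaddress %s" % (fh.name, fh.ip))
            lines.append("dhcpserver set fixedhost %s macaddress %s" % (fh.name, fh.mac))
        return lines


def rejected(call, *args):
    """True if the model refuses the operation (raises ValueError)."""
    try:
        call(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample mirroring the addresses used in the examples above.
    m = DhcpModel()
    m.add_subnet("mysubnet", "192.168.219.0", "255.255.255.0",
                 "192.168.219.10", "192.168.219.20")
    m.add_fixedhost("myhost", "00:20:2b:01:02:03", "192.168.219.2")
    print(rejected(m.add_fixedhost, "bad", "00:20:2b:01:02:04", "192.168.219.15"))  # True
    print("\n".join(m.cli()))
```

Where the gateway only warns, the model refuses, so a configuration that passes the model is also one the CLI accepts without complaint; the cli() output can be pasted into the console in order.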
5.1.5.1.49 DHCPSERVER SUBNET ADD OPTION
Syntax
DHCPSERVER SUBNET {<name>|<number>} ADD OPTION <identifier> <value>
Description
This command allows you to configure the DHCP server using the options detailed in
RFC2132. To display a list of available options, use the command DHCPSERVER LIST
OPTIONS.
The heading of each option in the list contains the option identifier and the required value
(in italics) for that specific option. The following is an extract from the option list:
• option auto-configure flag;
This option, based on RFC2563, controls whether clients on this subnet are allowed to
perform IP address auto-configuration.
It only applies in cases where the DHCP server is unwilling or unable to supply an IP
address lease. In this case, if this option is set to 1, the DHCP server will not intervene to prevent clients from using auto-configuration to determine an IP address. If this
option is set to 0, the DHCP server will explicitly forbid the use of IP address auto-configuration on the network.
If this option is not explicitly configured, then it will be assumed that auto-configuration is
allowed on the network.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
identifier | A text string that identifies a DHCP server configuration option. | N/A
value | The value associated with the option identifier. | N/A
Example
--> dhcpserver subnet sub1 add option auto-configure 1
See also
DHCPCLIENT SET INTERFACECONFIG AUTOIP ENABLED|DISABLED
Note:
For a list of options that you can choose from, see DHCPSERVER LIST OPTIONS
For information on RFC 2132, see http://www.ietf.org/rfc/rfc2132.txt
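To see what the subnet settings above (HOSTISDEFAULTGATEWAY, HOSTISDNSSERVER, the default and maximum lease times, and the auto-configure option just described) become on the wire, the Python below builds and parses the RFC 2132 option block a DHCP offer would carry. It is an added example, not vendor code: the option codes are the IANA-registered ones (1 subnet mask, 3 router, 6 DNS server, 19 IP forwarding, 51 lease time, 116 auto-configure per RFC 2563); the mapping from each CLI setting to an option, and the grant_lease rule (the subnet default when the client asks for nothing, otherwise the request capped at the subnet maximum), are assumptions drawn from the descriptions on this page; the gateway address and lease values are constructed. The parser refuses a length byte that runs past the buffer, which is the check a client-side DHCP option parser has to make.

```python
import ipaddress
import struct

# Added example, not Allied Telesis code. IANA option codes from RFC 2132;
# option 116 from RFC 2563. Which CLI setting maps to which option is an
# assumption based on the command descriptions on this page.
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_IP_FORWARDING, OPT_LEASE_TIME, OPT_AUTOCONFIGURE, OPT_END = 19, 51, 116, 255


def grant_lease(requested, default_lease, max_lease):
    """Lease to offer: the subnet DEFAULTLEASETIME when the client asks for
    nothing, otherwise the request capped at MAXLEASETIME (assumed rule)."""
    if requested is None:
        return default_lease
    return min(requested, max_lease)


def build_options(netmask, host_ip, lease_seconds,
                  host_is_default_gateway=False, host_is_dns_server=False,
                  auto_configure=None, ip_forwarding=None):
    """Serialise the option block a subnet with these settings would hand
    out: each option is <code><len><value>, terminated by END (255)."""
    out = bytearray()

    def put(code, value):
        if not 1 <= len(value) <= 255:
            raise ValueError("option value length out of range")
        out.extend(bytes((code, len(value))))
        out.extend(value)

    put(OPT_SUBNET_MASK, ipaddress.IPv4Address(netmask).packed)
    if host_is_default_gateway:           # HOSTISDEFAULTGATEWAY ENABLED
        put(OPT_ROUTER, ipaddress.IPv4Address(host_ip).packed)
    if host_is_dns_server:                # HOSTISDNSSERVER ENABLED
        put(OPT_DNS, ipaddress.IPv4Address(host_ip).packed)
    put(OPT_LEASE_TIME, struct.pack("!I", lease_seconds))
    if ip_forwarding is not None:         # "add option ip-forwarding ..."
        put(OPT_IP_FORWARDING, bytes((1 if ip_forwarding else 0,)))
    if auto_configure is not None:        # "add option auto-configure 1|0"
        put(OPT_AUTOCONFIGURE, bytes((1 if auto_configure else 0,)))
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Strict TLV walk. A length that runs past the buffer is rejected
    instead of being silently truncated."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (code, length, len(value)))
        opts[code] = value
        i += 2 + length
    raise ValueError("no END option")


def describe(opts):
    """Decode parsed options into the identifiers the CLI option list uses."""
    d = {}
    if OPT_SUBNET_MASK in opts:
        d["subnet-mask"] = str(ipaddress.IPv4Address(opts[OPT_SUBNET_MASK]))
    if OPT_ROUTER in opts:
        d["routers"] = str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4]))
    if OPT_DNS in opts:
        d["domain-name-servers"] = str(ipaddress.IPv4Address(opts[OPT_DNS][:4]))
    if OPT_LEASE_TIME in opts:
        d["lease-time"] = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
    if OPT_IP_FORWARDING in opts:
        d["ip-forwarding"] = opts[OPT_IP_FORWARDING][0] == 1
    if OPT_AUTOCONFIGURE in opts:
        d["auto-configure"] = opts[OPT_AUTOCONFIGURE][0] == 1
    return d


def is_malformed(blob):
    """True if parse_options rejects the blob."""
    try:
        parse_options(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: gateway 192.168.102.1 on sub1 with both HOSTIS*
    # settings enabled and auto-configure forbidden (option value 0).
    lease = grant_lease(None, 43200, 86400)
    blob = build_options("255.255.255.0", "192.168.102.1", lease,
                         host_is_default_gateway=True, host_is_dns_server=True,
                         auto_configure=False, ip_forwarding=False)
    print(blob.hex())
    print(describe(parse_options(blob)))
```

Because the router and DNS server a client uses come from exactly these two options, HOSTISDEFAULTGATEWAY and HOSTISDNSSERVER decide whether every LAN client's traffic and name resolution are steered through the gateway; the same options are what a rogue DHCP server on the LAN would forge, which is why the parsed block is worth inspecting on a client during troubleshooting.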
5.1.5.1.50 DHCPSERVER SUBNET ADD POOL
Syntax
DHCPSERVER SUBNET <name> ADD POOL <poolname> <startaddr> <endaddr>
Description
This command adds a named address pool, covering the given IP range, to the specified subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
poolname | Name of the pool to be added. | N/A
startaddr | Starting IP address of the pool's IP range. | N/A
endaddr | Ending IP address of the pool's IP range. | N/A
Example
--> dhcpserver subnet sub1 add pool mypool 10.17.90.1 10.17.90.128
5.1.5.1.51 DHCPSERVER SUBNET CLEAR IPRANGES
Syntax
DHCPSERVER SUBNET {<name>|<number>} CLEAR IPRANGES
Description
This command deletes all of the IP ranges set for an existing subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
Example
--> dhcpserver subnet sub1 clear ipranges
See also
DHCPSERVER SUBNET LIST IPRANGES
DHCPSERVER SUBNET DELETE IPRANGE
5.1.5.1.52 DHCPSERVER SUBNET CLEAR OPTIONS
Syntax
DHCPSERVER SUBNET {<name>|<number>} CLEAR OPTIONS
Description
This command deletes the options set for an existing subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
Example
--> dhcpserver subnet sub1 clear options
See also
DHCPSERVER ADD SUBNET
DHCPSERVER LIST SUBNETS
DHCPSERVER SUBNET DELETE OPTION
5.1.5.1.53 DHCPSERVER SUBNET CLEAR POOLS
Syntax
DHCPSERVER SUBNET <name> CLEAR POOLS
Description
This command deletes all the pools of the specified subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
Example
--> dhcpserver subnet sub1 clear pools
5.1.5.1.54 DHCPSERVER SUBNET DELETE IPRANGE
Syntax
DHCPSERVER SUBNET {<name>|<number>} DELETE IPRANGE <rangeid>
Description
This command deletes a single IP range from an existing subnet.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
rangeid | A number that identifies an IP range. To list the existing range IDs for a subnet, use the DHCPSERVER SUBNET LIST IPRANGES command. | N/A
Example
--> dhcpserver subnet sub1 delete iprange 1
See also
DHCPSERVER LIST SUBNETS
DHCPSERVER SUBNET LIST IPRANGES
5.1.5.1.55 DHCPSERVER SUBNET DELETE OPTION
Syntax
DHCPSERVER SUBNET {<name>|<number>} DELETE OPTION <option number>
Description
This command deletes a single option that was created using the DHCPSERVER SUBNET ADD OPTION command. Once deleted, the option will no longer be given out by
the DHCP server.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
option number | An existing option. To list all existing options, use the DHCPSERVER SUBNET LIST OPTIONS command. | N/A
Example
--> dhcpserver subnet sub1 delete option 2
See also
DHCPSERVER ADD SUBNET
DHCPSERVER CLEAR SUBNETS
DHCPSERVER LIST SUBNETS
DHCPSERVER SUBNET LIST OPTIONS
5.1.5.1.56 DHCPSERVER SUBNET DELETE POOL
Syntax
DHCPSERVER SUBNET <name> DELETE POOL <poolname>
Description
This command deletes a single pool that was created using the DHCPSERVER SUBNET
ADD POOL command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
poolname | Name/Id of the pool to be deleted from the subnet. | N/A
Example
--> dhcpserver subnet sub1 delete pool mypool
5.1.5.1.57 DHCPSERVER SUBNET LIST IPRANGES
Syntax
DHCPSERVER SUBNET {<name>|<number>} LIST IPRANGES
Description
This command lists the IP range(s) for an existing subnet that has been added using the
dhcpserver add subnet command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
Example
--> dhcpserver subnet sub1 list ipranges
IP Ranges for subnet: sub1
  ID |  Start Address   |   End Address
-----|------------------|-----------------
   1 | 192.168.102.0    | 192.168.102.100
   2 | 192.168.102.200  | 192.168.102.300
------------------------------------------
See also
DHCPSERVER LIST SUBNETS
DHCPSERVER ADD SUBNET
5.1.5.1.58 DHCPSERVER SUBNET LIST OPTIONS
Syntax
DHCPSERVER SUBNET {<name>|<number>} LIST OPTIONS
Description
This command lists the options for an existing subnet that has been added using the
dhcpserver add subnet command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
number | An existing subnet. To display subnet numbers, use the DHCPSERVER LIST SUBNETS command. | N/A
Example
--> dhcpserver subnet sub1 list options
Options for subnet: sub1
  ID |    Identifier    |      Value
-----|------------------|-----------------
   1 | ip-forwarding    | false
   2 | subnet-mask      | 255.255.255.0
------------------------------------------
See also
DHCPSERVER ADD
DHCPSERVER LIST SUBNETS
5.1.5.1.59 DHCPSERVER SUBNET LIST POOLS
Syntax
DHCPSERVER SUBNET <name> LIST POOLS
Description
This command lists the pools for an existing subnet that has been added using the dhcpserver subnet add pool command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
Example
--> dhcpserver subnet sub1 list pools
5.1.5.1.60 DHCPSERVER SUBNET POOL ADD ALLOWCLASS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> ADD ALLOWCLASS <classname>
Description
This command adds a class to be allowed by the pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
poolname | Name/Id of the pool | N/A
classname | Name of the class to be allowed by the pool | N/A
Example
--> dhcpserver subnet sub1 pool mypool add allowclass myclass
5.1.5.1.61 DHCPSERVER SUBNET POOL ADD DENYCLASS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> ADD DENYCLASS <classname>
Description
This command adds a class to be denied by the Pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
poolname | Name/Id of the pool | N/A
classname | Name of the class to be denied by the pool | N/A
Example
--> dhcpserver subnet sub1 pool mypool add denyclass myclass
5.1.5.1.62 DHCPSERVER SUBNET POOL ADD OPTION
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> ADD OPTION <identifier> <value>
Description
This command adds an option to the specified pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
poolname | Name/Id of the pool | N/A
identifier | The identifier of the option, as listed by the DHCPSERVER LIST OPTIONS command. | N/A
value | The value of the option. | N/A
Example
--> dhcpserver subnet sub1 pool mypool add option auto-configure 1
5.1.5.1.63 DHCPSERVER SUBNET POOL ADD POOLRANGE
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> ADD POOLRANGE <startaddr> <endaddr>
Description
This command adds an IP range (poolrange) to the specified pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
poolname | Name of an existing pool in the subnet. | N/A
startaddr | Starting IP address of the poolrange. | N/A
endaddr | Ending IP address of the poolrange. | N/A
Example
--> dhcpserver subnet sub1 pool mypool add poolrange 10.17.90.1 10.17.90.128
5.1.5.1.64 DHCPSERVER SUBNET POOL CLEAR ALLOWCLASS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> CLEAR ALLOWCLASS
Description
This command clears all classes allowed by the pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option | Description | Default Value
-------|-------------|--------------
name | An existing subnet. To display subnet names, use the DHCPSERVER LIST SUBNETS command. | N/A
poolname | Name/Id of the pool | N/A
Example
--> dhcpserver subnet sub1 pool mypool clear allowclass
5.1.5.1.65 DHCPSERVER SUBNET POOL CLEAR DENYCLASS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> CLEAR DENYCLASS
<CLASSNAME>
Description
This command clear all the class denied by the Pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing subnet. To display subnet names, use the          N/A
              DHCPSERVER LIST SUBNETS command.
poolname      Name/Id of the pool                                           N/A
Example
--> dhcpserver subnet sub1 pool mypool clear denyclass
5.1.5.1.66 DHCPSERVER SUBNET POOL CLEAR OPTIONS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> CLEAR OPTIONS
Description
This command deletes all options from a specified pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing subnet. To display subnet names, use the          N/A
              DHCPSERVER LIST SUBNETS command.
poolname      Name/Id of the pool                                           N/A
Example
--> dhcpserver subnet sub1 pool mypool clear options
5.1.5.1.67 DHCPSERVER SUBNET POOL CLEAR POOLRANGE
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> CLEAR POOLRANGE
Description
This command clears all the pool ranges of the specified pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          The name of the subnet                                        N/A
poolname      Name of the pool whose ranges are cleared                     N/A
Example
--> dhcpserver subnet sub1 pool mypool clear poolrange
5.1.5.1.68 DHCPSERVER SUBNET POOL DELETE ALLOWCLASS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> DELETE ALLOWCLASS
<CLASSNAME>
Description
This command deletes a class from the list of classes allowed by the pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing subnet. To display subnet names, use the          N/A
              DHCPSERVER LIST SUBNETS command.
poolname      Name/Id of the pool                                           N/A
classname     Name of the allowed class to be deleted from the pool         N/A
Example
--> dhcpserver subnet sub1 pool mypool delete allowclass myclass
5.1.5.1.69 DHCPSERVER SUBNET POOL DELETE DENYCLASS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> DELETE DENYCLASS
<CLASSNAME>
Description
This command deletes a class from the list of classes denied by the pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing subnet. To display subnet names, use the          N/A
              DHCPSERVER LIST SUBNETS command.
poolname      Name/Id of the pool                                           N/A
classname     Name of the denied class to be deleted from the pool          N/A
Example
--> dhcpserver subnet sub1 pool mypool delete denyclass myclass
5.1.5.1.70 DHCPSERVER SUBNET POOL DELETE OPTION
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> DELETE OPTION <identifier>
Description
This command deletes an option from the specified pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing subnet. To display subnet names, use the          N/A
              DHCPSERVER LIST SUBNETS command.
poolname      Name/Id of the pool                                           N/A
identifier    The identifier of the option, available from the              identifier
              DHCPSERVER LIST OPTIONS command
Example
--> dhcpserver subnet sub1 pool mypool delete option auto-configure
5.1.5.1.71 DHCPSERVER SUBNET POOL DELETE POOLRANGE
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> DELETE POOLRANGE
<id>
Description
This command deletes a pool range, identified by its id, from the specified pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          The name of the subnet                                        N/A
poolname      Name of the pool from which the range is deleted              N/A
id            Id of the pool range to be deleted from the pool              N/A
Example
--> dhcpserver subnet sub1 delete pool mypool poolrange 1
5.1.5.1.72 DHCPSERVER SUBNET POOL LIST ALLOWCLASS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> LIST ALLOWCLASS
Description
This command lists the classes allowed by the pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing subnet. To display subnet names, use the          N/A
              DHCPSERVER LIST SUBNETS command.
poolname      Name/Id of the pool                                           N/A
Example
--> dhcpserver subnet sub1 pool mypool list allowclass
5.1.5.1.73 DHCPSERVER SUBNET POOL LIST DENYCLASS
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> LIST DENYCLASS
Description
This command lists the classes denied by the pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing subnet. To display subnet names, use the          N/A
              DHCPSERVER LIST SUBNETS command.
poolname      Name/Id of the pool                                           N/A
Example
--> dhcpserver subnet sub1 pool mypool list denyclass
5.1.5.1.74 DHCPSERVER SUBNET POOL LIST OPTION
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> LIST OPTION
Description
This command lists the options of the specified pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing subnet. To display subnet names, use the          N/A
              DHCPSERVER LIST SUBNETS command.
poolname      Name/Id of the pool                                           N/A
Example
--> dhcpserver subnet sub1 pool mypool list options
5.1.5.1.75 DHCPSERVER SUBNET POOL LIST POOLRANGE
Syntax
DHCPSERVER SUBNET <name> POOL <poolname> LIST POOLRANGE
Description
This command lists the pool ranges of a pool.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          The name of the subnet                                        N/A
poolname      Name of the pool whose ranges are listed                      N/A
Example
--> dhcpserver subnet sub1 pool mypool list poolrange
5.1.5.1.76 DHCPSERVER ENABLE|DISABLE
Syntax
DHCPSERVER {ENABLE|DISABLE}
Description
This command enables/disables the DHCP server. You must have the DHCP server
enabled in order to carry out any DHCP server configuration. If you try configuring
DHCP server when DHCPSERVER DISABLE is set, the CLI issues a warning message.
You can enable both DHCP server and DHCP relay simultaneously by specifying individual
interfaces for the server and relay to bind to. You cannot bind the same interface to
both server and relay - you must use different interfaces for each.
If you have set DHCP server to operate on an existing IP interface and you want to make
configuration changes to that IP interface, you must first disable DHCP server, then
re-enable it once your IP configuration is complete.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
enable        Enables configuration of the DHCP server.                     enable
disable       Disables configuration of the DHCP server.
Example
--> dhcpserver enable
See also
DHCPRELAY ENABLE|DISABLE
DHCPSERVER ADD INTERFACE
5.1.5.1.77 DHCPSERVER FORCERENEW
Syntax
DHCPSERVER FORCERENEW <ipaddress>
Description
This command prompts the DHCP server to issue a DHCPFORCERENEW message to
the DHCP client at the given IP address.
Note that the server will only do this if the DHCP client is on one of the subnets the
DHCP server has been configured to serve. The client must also be configured to accept
DHCPFORCERENEW messages using the DHCPCLIENT SET INTERFACECONFIG
FORCERENEW ENABLED command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
ipaddress     The IP address that the DHCP server issues the                N/A
              DHCPFORCERENEW message to.
Example
--> dhcpserver forcerenew 192.168.1.1
See also
DHCPCLIENT SET INTERFACECONFIG FORCERENEW
5.1.5.1.78 DHCPSERVER LIST OPTIONS
Syntax
DHCPSERVER LIST OPTIONS
Description
This command lists the option data types available for DHCP server. These options are
detailed in RFC2132.
You can configure the DHCP server using any of the options listed.
Example
--> dhcpserver list options
subnet-mask
static-routes
nisplus-servers
time-offset
trailer-encapsulation
tftp-server-name
routers
arp-cache-timeout
bootfile-name
time-servers
ieee802-3-encapsulation
mobile-ip-home-agent
ien116-name-servers
default-tcp-ttl
smtp-server
domain-name-servers
tcp-keepalive-interval
pop-server
log-servers
tcp-keepalive-garbage
nntp-server
cookie-servers
nis-domain
www-server
lpr-servers
nis-servers
finger-server
impress-servers
ntp-servers
irc-server
resource-location-servers
vendor-encapsulated-options
streettalk-server
host-name
netbios-name-servers
boot-size
netbios-dd-server
streettalk-directory-assistance-server
merit-dump
netbios-node-type
user-class
domain-name
netbios-scope
option-78
swap-server
font-servers
option-79
root-path
x-display-manager
option-80
extensions-path
dhcp-requested-address
option-81
ip-forwarding
dhcp-lease-time
option-82
non-local-source-routing
dhcp-option-overload
option-83
policy-filter
dhcp-message-type
option-84
max-dgram-reassembly
dhcp-server-identifier
nds-servers
default-ip-ttl
dhcp-parameter-request-list
nds-tree-name
path-mtu-aging-timeout
dhcp-message
nds-context
path-mtu-plateau-table
dhcp-max-message-size
option-88
interface-mtu
dhcp-renewal-time
option-89
all-subnets-local
dhcp-rebinding-time
option-115
broadcast-address
dhcp-class-identifier
auto-configure
perform-mask-discovery
dhcp-client-identifier
option-117
mask-supplier
option-62
option-254
router-discovery
option-63
option-end
router-solicitation-address
nisplus-domain
See also
DHCPSERVER SUBNET ADD OPTION
5.1.5.1.79 DHCPSERVER LIST HOSTS
Syntax
DHCPSERVER LIST HOSTS
Description
This command lists the hosts assigned from the server.
Example
--> dhcpserver list hosts
5.1.5.1.80 DHCPSERVER SET ALLOWUNKNOWNCLIENTS
Syntax
DHCPSERVER SET ALLOWUNKNOWNCLIENTS {ENABLED|DISABLED}
Description
This command enables/disables the dynamic assignment of addresses to unknown clients.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
enabled       IP addresses are dynamically assigned to unknown clients      Enabled
disabled      IP addresses are not dynamically assigned to unknown clients
Example
--> dhcpserver set allowunknownclients disabled
See also
DHCPCLIENT SET INTERFACECONFIG CLIENTID
5.1.5.1.81 DHCPSERVER SET BOOTP
Syntax
DHCPSERVER SET BOOTP {ENABLED|DISABLED}
Description
This command determines whether DHCP server can respond to BOOTP requests.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
enabled       DHCP server responds to BOOTP queries.                        Enabled
disabled      DHCP server does not respond to BOOTP queries.
Example
--> dhcpserver set bootp disabled
5.1.5.1.82 DHCPSERVER SET DEFAULTLEASETIME
Syntax
DHCPSERVER SET DEFAULTLEASETIME <defaultleasetime>
Description
This command sets the global default lease time for DHCP server.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option            Description                                               Default Value
defaultleasetime  The default time (in seconds) assigned to a lease if      43200
                  the client requesting the lease does not ask for a
                  specific expiry time.
Example
--> dhcpserver set defaultleasetime 50000
See also
DHCPSERVER SET SUBNET MAXLEASETIME
5.1.5.1.83 DHCPSERVER SET MAXLEASETIME
Syntax
DHCPSERVER SET MAXLEASETIME <maxleasetime>
Description
This command sets the global maximum lease time for DHCP server.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option            Description                                               Default Value
maxleasetime      The maximum time (in seconds) for a lease when the        86400
                  client requesting the lease does not ask for a
                  specific expiry time
Example
--> dhcpserver set maxleasetime 90000
See also
DHCPSERVER SET DEFAULTLEASETIME
5.1.5.1.84 DHCPSERVER SHOW
Syntax
DHCPSERVER SHOW
Description
This command displays the following global configuration information about the DHCP
server:
• Status of the server (enabled/disabled)
• Global default lease time
• Global maximum lease time
• Bootp requests setting (enable/disable)
• Allow unknown clients setting (enable/disable)
Example
--> dhcpserver show
Global DHCP Server Configuration:
Status: ENABLED
Default lease time: 43200 seconds
Max. lease time: 86400 seconds
Allow BOOTP requests: true
Allow unknown clients: true
See also
DHCPSERVER SHOW SUBNET
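The DHCPSERVER SHOW output above is the one place where the server's global posture (unknown clients, BOOTP, lease times) is visible at a glance. The following added example, which is not part of this manual or the product software, parses that block and reports the settings a reviewer would want tightened using only the commands documented in this section; the lease-time threshold is an assumption made for the example.

```python
"""Audit the global settings printed by DHCPSERVER SHOW.

Added example, not part of the manual or the product: it parses the
"Global DHCP Server Configuration" block and reports the settings a
reviewer would want tightened, naming only the commands this section
documents. The lease-time threshold is an assumption for the example,
not a product default.
"""
import re

# Constructed sample: the DHCPSERVER SHOW output from the manual.
SAMPLE_SHOW_OUTPUT = """\
--> dhcpserver show
Global DHCP Server Configuration:
Status: ENABLED
Default lease time: 43200 seconds
Max. lease time: 86400 seconds
Allow BOOTP requests: true
Allow unknown clients: true
"""

# Constructed sample: the same server after DHCPSERVER SET BOOTP DISABLED
# and DHCPSERVER SET ALLOWUNKNOWNCLIENTS DISABLED were applied.
HARDENED_SHOW_OUTPUT = (SAMPLE_SHOW_OUTPUT
                        .replace("Allow BOOTP requests: true", "Allow BOOTP requests: false")
                        .replace("Allow unknown clients: true", "Allow unknown clients: false"))

# Assumed review threshold (one day): flag maximum leases longer than this.
MAX_LEASE_REVIEW_SECONDS = 86400


def parse_show_output(text):
    """Return {setting: value} for the "key: value" lines of DHCPSERVER SHOW output."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # skip the echoed command, blank lines and the block title
        if not line or line.startswith("-->") or line.endswith(":"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip().lower()] = value.strip()
    return settings


def _seconds(value):
    """Turn '43200 seconds' into 43200; None if the value is not in that form."""
    match = re.match(r"(\d+)\s*second", value or "")
    return int(match.group(1)) if match else None


def _is_on(value):
    """The output uses ENABLED for the status line and true/false for the flags."""
    return (value or "").strip().lower() in ("true", "enabled")


def audit_dhcpserver(text):
    """Return a list of (setting, finding) pairs; an empty list means nothing to flag."""
    s = parse_show_output(text)
    findings = []
    if not _is_on(s.get("status")):
        return findings  # a disabled server serves nothing
    if _is_on(s.get("allow unknown clients")):
        findings.append(("allow unknown clients",
                         "any client on a served subnet is given a dynamic address; "
                         "consider DHCPSERVER SET ALLOWUNKNOWNCLIENTS DISABLED"))
    if _is_on(s.get("allow bootp requests")):
        findings.append(("allow bootp requests",
                         "the server answers BOOTP queries; consider "
                         "DHCPSERVER SET BOOTP DISABLED if no BOOTP clients exist"))
    default_lease = _seconds(s.get("default lease time"))
    max_lease = _seconds(s.get("max. lease time"))
    if max_lease is not None and max_lease > MAX_LEASE_REVIEW_SECONDS:
        findings.append(("max. lease time",
                         "leases of %d seconds keep stale bindings alive; "
                         "review DHCPSERVER SET MAXLEASETIME" % max_lease))
    if default_lease is not None and max_lease is not None and default_lease > max_lease:
        findings.append(("default lease time",
                         "default lease exceeds the maximum lease; align "
                         "DHCPSERVER SET DEFAULTLEASETIME with MAXLEASETIME"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_OUTPUT, HARDENED_SHOW_OUTPUT):
        print(audit_dhcpserver(sample) or "no findings")
```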
5.1.5.1.85 DHCPSERVER UPDATE
Syntax
DHCPSERVER UPDATE
Description
This command updates the DHCP server configuration. Changes made to the server
configuration will not take effect until this command has been entered.
Example
--> dhcpserver update
dhcpserver: Reset request acknowledged. Reset imminent.
5.1.6 DHCP Client command reference
This section describes the commands available on the AT-RG624/634 Residential Gateway to enable, configure
and manage the DHCP Client module.
5.1.6.1 DHCP client CLI commands
The table below lists the DHCP client commands provided by the CLI.
TABLE 5-2 DHCP client CLI commands
Commands                                                        Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A   ADSL B   ADSL C
DHCPCLIENT ADD INTERFACECONFIG                                  X        X        X        X        X        X        X        X        X
DHCPCLIENT CLEAR INTERFACECONFIGS                               X        X        X        X        X        X        X        X        X
DHCPCLIENT DELETE INTERFACECONFIG                               X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG ADD REQUESTED OPTION                 X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG ADD REQUIRED OPTION                  X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG ADD SENT OPTION                      X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG CLEAR SENT OPTIONS                   X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG CLEAR REQUESTED OPTIONS              X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG DELETE REQUESTED OPTION              X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG DELETE SENT OPTION                   X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG LIST REQUESTED OPTIONS               X        X        X        X        X        X        X        X        X
DHCPCLIENT INTERFACECONFIG LIST SENT OPTIONS                    X        X        X        X        X        X        X        X        X
DHCPCLIENT LIST INTERFACECONFIGS                                X        X        X        X        X        X        X        X        X
DHCPCLIENT SET BACKOFF                                          X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG AUTOIP ENABLED|DISABLED          X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG CLIENTID                         X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG DEFAULTROUTE ENABLED|DISABLED    X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG DHCPINFORM ENABLED|DISABLED      X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG DHCPSERVERPOOLSIZE               X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG DHCPSERVERINTERFACE              X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG FORCERENEW                       X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG GIVEDNSTOCLIENT ENABLED|DISABLED X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG GIVEDNSTORELAY ENABLED|DISABLED  X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG INTERFACE                        X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG NOCLIENTID                       X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG REQUESTEDLEASETIME               X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INTERFACECONFIG SERVER                           X        X        X        X        X        X        X        X        X
DHCPCLIENT SET BROADCAST-FLAG                                   X        X        X        X        X        X        X        X        X
DHCPCLIENT SET INITIALINTERVAL                                  X        X        X        X        X        X        X        X        X
DHCPCLIENT SET REBOOT                                           X        X        X        X        X        X        X        X        X
DHCPCLIENT SET RETRY                                            X        X        X        X        X        X        X        X        X
DHCPCLIENT SET FORCE-BROADCAST-RENEW                            X        X        X        X        X        X        X        X        X
DHCPCLIENT SHOW                                                 X        X        X        X        X        X        X        X        X
5.1.6.1.1 DHCPCLIENT ADD INTERFACECONFIG
Syntax
DHCPCLIENT ADD INTERFACECONFIG <name> <ipinterface>
Description
This command configures DHCP client parameters for negotiation over an existing IP
interface. The client interface can only set the IP configuration if the IP interface has
DHCP enabled.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An arbitrary name that identifies the client interface. It    N/A
              can be made up of one or more letters or a combination of
              letters and digits, but it cannot start with a digit.
ipinterface   An IP address or an existing IP interface. The interface      N/A
              must have DHCP enabled. To display interface names, use
              the IP LIST INTERFACES command.
Example
--> dhcpclient add interfaceconfig config1 ip1
See also
DHCPCLIENT LIST INTERFACECONFIGS
IP LIST INTERFACES
IP SET INTERFACE DHCP
5.1.6.1.2 DHCPCLIENT CLEAR INTERFACECONFIGS
Syntax
DHCPCLIENT CLEAR INTERFACECONFIGS
Description
This command deletes all existing DHCP client interface configurations.
Example
--> dhcpclient clear interfaceconfigs
See also
DHCPCLIENT LIST INTERFACECONFIGS
5.1.6.1.3 DHCPCLIENT DELETE INTERFACECONFIG
Syntax
DHCPCLIENT DELETE INTERFACECONFIG {<name>|<number>}
Description
This command deletes a single DHCP client interface configuration.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing DHCP client interface. To display client          N/A
              interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
number        An existing DHCP client interface. To display client          N/A
              interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
Example
--> dhcpclient delete interfaceconfig config1
See also
DHCPCLIENT LIST INTERFACECONFIGS
5.1.6.1.4 DHCPCLIENT INTERFACECONFIG ADD REQUESTED OPTION
Syntax
DHCPCLIENT INTERFACECONFIG {<name>|<number>} ADD REQUESTED
OPTION <option>
Description
This command tells the DHCP client to request a specified option from a DHCP server.
The requested option is not compulsory - if the option was not included in a lease
offered by DHCP server, the DHCP client would still accept the offer.
Options are detailed in RFC 2132.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing DHCP client interface. To display client          N/A
              interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
number        An existing DHCP client interface. To display client          N/A
              interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
option        A text string that identifies a DHCP server configuration     N/A
              option.
Example
--> dhcpclient interfaceconfig client1 add requested option irc-server
See also
DHCPCLIENT INTERFACECONFIG ADD REQUESTED OPTION
DHCPCLIENT INTERFACECONFIG ADD REQUIRED OPTION
For information on RFC 2132, see http://www.ietf.org/rfc/rfc2132.txt
5.1.6.1.5 DHCPCLIENT INTERFACECONFIG ADD REQUIRED OPTION
Syntax
DHCPCLIENT INTERFACECONFIG {<name>|<number>} ADD REQUIRED
OPTION <option>
Description
This command tells DHCP client that it requires a specified option from DHCP server.
The required option is compulsory - if the option was not included in a lease offered by
DHCP server, the DHCP client would ignore the offer.
Options are detailed in RFC 2132.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing DHCP client interface. To display client          N/A
              interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
number        An existing DHCP client interface. To display client          N/A
              interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
option        A text string that identifies a DHCP server configuration     N/A
              option.
Example
--> dhcpclient interfaceconfig client1 add required option domain-name
See also
DHCPCLIENT INTERFACECONFIG ADD REQUESTED OPTION
DHCPCLIENT INTERFACECONFIG ADD REQUIRED OPTION
5.1.6.1.6 DHCPCLIENT INTERFACECONFIG ADD SENT OPTION
Syntax
DHCPCLIENT INTERFACECONFIG {<NAME>|<NUMBER>} ADD SENT OPTION
{SUBNET-MASK|DHCPLEASE-TIME|DHCP-CLIENT-IDENTIFIER|ROUTERS|DOMAIN-NAME-SERVERS} <VALUE>
Description
This command tells the DHCP client to send a value for the given DHCP configuration
option to a DHCP server. The DHCP server’s response depends on the type of option
being sent out.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option                  Description                                                   Default Value
name                    An existing DHCP client interface. To display client          N/A
                        interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
                        command.
number                  An existing DHCP client interface. To display client          N/A
                        interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
                        command.
subnet-mask             A text string that identifies a DHCP server configuration     N/A
                        option.
dhcp-lease-time         An option that can be used to request a specific lease        N/A
                        duration by the client.
dhcp-client-identifier  An option that can be used to specify the client identifier   N/A
                        in a host declaration so that a DHCP server can find the
                        host record by matching against the client identifier.
routers                 An option that provides the IP address of a known router      N/A
                        to the ARTMOS DHCP configuration when DHCP server
                        configuration is given.
domain-name-servers     An option that requests the IP address of any DNS server.     N/A
value                   The value associated with the option identifier.              N/A
Example
--> dhcpclient interfaceconfig client1 add sent option host-name '"vancouver"'
This command example tells the DHCP client to send the DHCP host-name option to
the DHCP server with the value "vancouver". Note that for options with string-type
values associated with them, the option value must be in double quotes (" "). Also, the
entire string including the double quotes must be inside single quotes (' ') to ensure that
the CLI treats the double quotes literally.
See also
DHCPCLIENT LIST INTERFACECONFIGS
DHCPCLIENT INTERFACECONFIG LIST SENT OPTIONS
5.1.6.1.7 DHCPCLIENT INTERFACECONFIG CLEAR SENT OPTIONS
Syntax
DHCPCLIENT INTERFACECONFIG {<name>|<number>} CLEAR SENT
OPTIONS
Description
This command deletes all options that were previously added to an interfaceconfig using
the DHCPCLIENT INTERFACECONFIG ADD SENT OPTION command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing DHCP client interface. To display client          N/A
              interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
number        An existing DHCP client interface. To display client          N/A
              interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
Example
--> dhcpclient interfaceconfig client1 clear sent options
See also
DHCPCLIENT LIST INTERFACECONFIGS
DHCPCLIENT INTERFACECONFIG LIST SENT OPTIONS
DHCPCLIENT INTERFACECONFIG ADD SENT OPTION
DHCPCLIENT INTERFACECONFIG DELETE SENT OPTION
5.1.6.1.8 DHCPCLIENT INTERFACECONFIG CLEAR REQUESTED OPTIONS
Syntax
DHCPCLIENT INTERFACECONFIG {<name>|<number>} CLEAR REQUESTED
OPTIONS
Description
This command deletes all options that were previously added to an interfaceconfig using
the DHCPCLIENT INTERFACECONFIG ADD REQUESTED/REQUIRED OPTION
commands.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing DHCP client interface. To display client          N/A
              interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
number        An existing DHCP client interface. To display client          N/A
              interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
Example
--> dhcpclient interfaceconfig client1 clear requested options
See also
DHCPCLIENT LIST INTERFACECONFIGS
DHCPCLIENT INTERFACECONFIG ADD REQUESTED OPTION
DHCPCLIENT INTERFACECONFIG ADD REQUIRED OPTION
DHCPCLIENT INTERFACECONFIG DELETE REQUESTED OPTION
5.1.6.1.9 DHCPCLIENT INTERFACECONFIG DELETE REQUESTED OPTION
Syntax
DHCPCLIENT INTERFACECONFIG {<name>|<number>} DELETE
REQUESTED OPTION <option number>
Description
This command deletes a single option that was previously added to an interfaceconfig
using the dhcpclient interfaceconfig add requested/required option commands.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                 Default Value
name            An existing DHCP client interface. To display client        N/A
                interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
                command.
number          An existing DHCP client interface. To display client        N/A
                interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
                command.
option number   A number that identifies an option that is requested from   N/A
                the DHCP server by the DHCP client. To display option
                numbers, use the DHCPCLIENT INTERFACECONFIG LIST REQUESTED
                OPTIONS command.
Example
--> dhcpclient interfaceconfig client1 delete requested option 1
See also
DHCPCLIENT LIST INTERFACECONFIGS
DHCPCLIENT INTERFACECONFIG ADD REQUESTED OPTION
DHCPCLIENT INTERFACECONFIG ADD REQUIRED OPTION
DHCPCLIENT INTERFACECONFIG CLEAR REQUESTED OPTIONS
5.1.6.1.10 DHCPCLIENT INTERFACECONFIG DELETE SENT OPTION
Syntax
DHCPCLIENT INTERFACECONFIG {<name>|<number>} DELETE SENT
OPTION <option number>
Description
This command deletes a single option that was previously added to an interfaceconfig
using the DHCPCLIENT INTERFACECONFIG ADD SENT OPTION command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                 Default Value
name            An existing DHCP client interface. To display client        N/A
                interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
                command.
number          An existing DHCP client interface. To display client        N/A
                interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
                command.
option number   A number that identifies an option that is sent from the    N/A
                DHCP client to the DHCP server. To display option numbers,
                use the DHCPCLIENT INTERFACECONFIG LIST SENT OPTIONS
                command.
Example
--> dhcpclient interfaceconfig client1 delete sent option 5
See also
DHCPCLIENT LIST INTERFACECONFIGS
DHCPCLIENT INTERFACECONFIG LIST SENT OPTIONS
DHCPCLIENT INTERFACECONFIG ADD SENT OPTION
DHCPCLIENT INTERFACECONFIG CLEAR SENT OPTIONS
5.1.6.1.11 DHCPCLIENT INTERFACECONFIG LIST REQUESTED OPTIONS
Syntax
DHCPCLIENT INTERFACECONFIG {<name>|<number>} LIST REQUESTED
OPTIONS
Description
This command lists the options that the DHCP client requests and/or requires from the
DHCP server. These options were set using the dhcpclient interfaceconfig add
requested/required option commands. The following information is displayed:
• Option identification number
• Option identifier (name)
• Requirement status - true for options that were added using the dhcpclient interfaceconfig add required option command, false for options added using the dhcpclient interfaceconfig add requested option command.
Options and their values are detailed in RFC2132.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing DHCP client interface. To display client          N/A
              interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
number        An existing DHCP client interface. To display client          N/A
              interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
Example
--> dhcpclient interfaceconfig client1 list requested options
  ID | Identifier         | Is option required?
-----|--------------------|--------------------
   1 | host-name          | true
   2 | domain-name        | false
-----------------------------------------------
See also
DHCPCLIENT INTERFACECONFIG ADD REQUESTED OPTION
DHCPCLIENT INTERFACECONFIG ADD REQUIRED OPTION
DHCPSERVER SUBNET ADD OPTION
For information on RFC 2132, see http://www.ietf.org/rfc/rfc2132.txt
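The listing above, together with the rule stated under ADD REQUESTED OPTION and ADD REQUIRED OPTION (a missing requested option is tolerated, a missing required option makes the client ignore the offer), determines which server offers a client interface will take. The following added example, which is not part of this manual or the product software, parses that listing and applies the rule to constructed offers whose option names are taken from the DHCPSERVER LIST OPTIONS output.

```python
"""Apply the requested/required rule to a lease offer.

Added example, not part of the manual or the product: it parses the table
printed by DHCPCLIENT INTERFACECONFIG LIST REQUESTED OPTIONS and applies the
rule stated for ADD REQUESTED OPTION and ADD REQUIRED OPTION: an offer that
lacks a requested option is still accepted, an offer that lacks a required
option is ignored. The offers below are constructed; option names follow
the DHCPSERVER LIST OPTIONS output.
"""

# Constructed sample: the listing shown above for client1.
SAMPLE_LISTING = """\
--> dhcpclient interfaceconfig client1 list requested options
  ID | Identifier         | Is option required?
-----|--------------------|--------------------
   1 | host-name          | true
   2 | domain-name        | false
-----------------------------------------------
"""

# Constructed offers: option identifier -> value carried in the offer.
OFFER_COMPLETE = {
    "subnet-mask": "255.255.255.0",
    "routers": "192.168.1.1",
    "host-name": "vancouver",
    "domain-name": "example.test",
}
OFFER_WITHOUT_DOMAIN = {k: v for k, v in OFFER_COMPLETE.items() if k != "domain-name"}
OFFER_WITHOUT_HOSTNAME = {k: v for k, v in OFFER_COMPLETE.items() if k != "host-name"}


def parse_requested_options(text):
    """Return {identifier: required} from the LIST REQUESTED OPTIONS table.

    Data rows are the lines with three pipe-separated cells whose first cell
    is the numeric ID; the echoed command, the header and the rules are skipped.
    """
    options = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 3 or not cells[0].isdigit():
            continue
        options[cells[1]] = cells[2].lower() == "true"
    return options


def evaluate_offer(requested, offer):
    """Decide whether the client accepts an offer.

    Returns (accept, missing_required, missing_requested): the offer is
    accepted unless a required option is absent; absent requested options
    are only reported.
    """
    missing_required = sorted(name for name, required in requested.items()
                              if required and name not in offer)
    missing_requested = sorted(name for name, required in requested.items()
                               if not required and name not in offer)
    return (not missing_required, missing_required, missing_requested)


if __name__ == "__main__":
    wanted = parse_requested_options(SAMPLE_LISTING)
    for label, offer in (("complete", OFFER_COMPLETE),
                         ("no domain-name", OFFER_WITHOUT_DOMAIN),
                         ("no host-name", OFFER_WITHOUT_HOSTNAME)):
        print(label, evaluate_offer(wanted, offer))
```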
5.1.6.1.12 DHCPCLIENT INTERFACECONFIG LIST SENT OPTIONS
Syntax
DHCPCLIENT INTERFACECONFIG {<name>|<number>} LIST SENT
OPTIONS
Description
This command displays a list of the options that the DHCP client sends to the DHCP
server. These options were set using the dhcpclient interfaceconfig add sent option command. The following information is displayed:
• Option identification number
• Option identifier (name)
• Suggested value
Options and their values are detailed in RFC2132.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option        Description                                                   Default Value
name          An existing DHCP client interface. To display client          N/A
              interface names, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
number        An existing DHCP client interface. To display client          N/A
              interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS
              command.
Example
--> dhcpclient interfaceconfig client1 list sent options
DHCP client options to be sent to server for client1:
ID |
Identifier
| Suggested Value
-----|--------------------|--------------------1 | host-name
| vancouver
2 | domain-name
| alliedtelesyn
-----------------------------------------------See also
DHCPCLIENT INTERFACECONFIG ADD SENT OPTION
DHCPCLIENT INTERFACECONFIG CLEAR SENT OPTIONS
DHCPCLIENT INTERFACECONFIG DELETE SENT OPTION
DHCPSERVER SUBNET ADD OPTION
For information on RFC 2132, see http://www.ietf.org/rfc/rfc2132.txt
5.1.6.1.13 DHCPCLIENT LIST INTERFACECONFIGS
Syntax
DHCPCLIENT LIST INTERFACECONFIGS
Description
This command lists the following information about existing DHCP client interfaces:
• Interface identification number
• Interface name
• IP interface configured by the client interface
• Requested lease time (in seconds)
• Client identifier (if set)
• Status of IP address auto-configuration (true or false)
Example
--> dhcpclient list interfaceconfigs
DHCP Client Declarations:
                                  Requested
  ID | Name    | Interface | Lease Time | Client ID         | AutoIP
-----|---------|-----------|------------|-------------------|-------
   1 | client1 | ip1       | 9000       | 00:11:22:33:44:5a | true
--------------------------------------------------------------------
See also
DHCPCLIENT SHOW
DHCPCLIENT SET INTERFACECONFIG REQUESTEDLEASETIME
DHCPCLIENT SET INTERFACECONFIG CLIENTID
DHCPCLIENT SET INTERFACECONFIG AUTOIP ENABLED|DISABLED
5.1.6.1.14 DHCPCLIENT SET BACKOFF
Syntax
DHCPCLIENT SET BACKOFF <backofftime>
Description
This command sets the global maximum time (in seconds) that a DHCP client interface
will ‘back off’ between issuing individual DHCP requests. This prevents many clients trying to configure themselves at the same time, and sending too many requests at once.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option      | Description                                                                                              | Default Value
------------|----------------------------------------------------------------------------------------------------------|--------------
backofftime | The maximum number of seconds that the DHCP client can pause for between unsuccessful DHCP negotiations. | 120
Example
--> dhcpclient set backoff 200
See also
DHCPCLIENT SHOW
5.1.6.1.15 DHCPCLIENT SET INTERFACECONFIG AUTOIP ENABLED|DISABLED
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} AUTOIP
{ENABLED | DISABLED}
Description
This command enables/disables IP address auto-configuration (Auto-IP).
Auto-IP automatically configures an IP address when a DHCP client fails to contact a DHCP server and cannot obtain a lease. An address in the 169.254.0.0/16 link-local range is chosen, and ARP requests are issued for the candidate address. The candidate is abandoned if it already exists on the network or if any other host on the network issues an ARP probe for the same address.
Once an IP address has been automatically configured, the DHCP client continues to check whether it can contact a DHCP server. If the client can contact a DHCP server and obtain a legitimate lease, the legitimate lease supersedes the auto-configured IP address.
Note:
Even if you have enabled Auto-IP using this command, you will not be able to use IP address autoconfiguration if a DHCP server on the same network does not allow it. See the dhcpserver subnet add
option command.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option   | Description                                                                                                               | Default Value
---------|---------------------------------------------------------------------------------------------------------------------------|--------------
name     | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number   | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
enabled  | Enables Auto-IP on the specified DHCP client.                                                                             | enabled
disabled | Disables Auto-IP on the specified DHCP client.                                                                            |
Example
--> dhcpclient set interfaceconfig mycfg autoip enabled
See also
DHCPSERVER SUBNET ADD OPTION
For further information on the RFC standard for DHCP IP address auto-configuration, see http://www.ietf.org/
rfc/rfc2563.txt
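The candidate-then-probe behaviour described above is easy to get wrong when re-implemented or when writing a test harness for it. The following Python example is added here as an illustration; it is not code from the manual or from the gateway firmware. It models the selection loop as a pure function: pick a random candidate, "probe" it against a constructed set of addresses already in use (or being probed by someone else), and abandon it on conflict. The usable range 169.254.1.0 to 169.254.254.255 (the first and last /24 of 169.254/16 are reserved) is taken from RFC 3927 rather than from the page, which only says "the 169.254 subnet"; the attempt limit of 10 is an assumption for the example.

```python
import ipaddress
import random

# Usable IPv4 link-local range per RFC 3927 (assumed here; the manual only
# mentions "the 169.254 subnet").
FIRST_USABLE = int(ipaddress.IPv4Address("169.254.1.0"))
LAST_USABLE = int(ipaddress.IPv4Address("169.254.254.255"))


def is_valid_autoip(addr):
    """True when addr lies inside the usable link-local range."""
    return FIRST_USABLE <= int(ipaddress.IPv4Address(addr)) <= LAST_USABLE


def random_candidate(rng):
    """Draw one random candidate from the usable range."""
    return ipaddress.IPv4Address(rng.randint(FIRST_USABLE, LAST_USABLE))


def first_candidates(seed, n):
    """The first n candidates a given seed would produce (used for tests)."""
    rng = random.Random(seed)
    return [random_candidate(rng) for _ in range(n)]


def arp_probe(candidate, in_use, probing):
    """Simulated ARP probe: the candidate is free only if no host already
    answers for it (in_use) and no other host is probing for it (probing),
    which mirrors the two abandon conditions the manual lists."""
    return candidate not in in_use and candidate not in probing


def pick_autoip(in_use, probing=(), seed=0, max_attempts=10):
    """Return (address, attempts) for the first candidate that survives the
    probe, or (None, max_attempts) if every attempt conflicted."""
    in_use = {ipaddress.IPv4Address(a) for a in in_use}
    probing = {ipaddress.IPv4Address(a) for a in probing}
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        cand = random_candidate(rng)
        if arp_probe(cand, in_use, probing):
            return cand, attempt
    return None, max_attempts
```

The seed parameter exists only so the conflict path can be exercised deterministically; a real client would draw its candidates from a non-deterministic source.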
5.1.6.1.16 DHCPCLIENT SET INTERFACECONFIG CLIENTID
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} CLIENTID <clientid>
Description
This command sets a unique client identifier that the DHCP server uses to identify the client.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option    | Description                                                                                                                                                                                                                                              | Default Value
----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
name      | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.                                                                                                                                  | N/A
number    | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command.                                                                                                                                | N/A
client id | A unique identifier that the DHCP server can use to identify the client. By default it is the MAC address of the CPE. The client ID can be a MAC address or a text string such as the hostname. The string must be entered as hexadecimal values separated by colons. | N/A

Example
--> dhcpclient set interfaceconfig client1 clientid 00:11:22:33:44:5a
See also
DHCPCLIENT LIST INTERFACECONFIGS
5.1.6.1.17 DHCPCLIENT SET INTERFACECONFIG DEFAULTROUTE ENABLED|DISABLED
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>}
DEFAULTROUTE {ENABLED|DISABLED}
Description
This command controls whether the DHCP client uses the default gateway information it receives from a DHCP server. If no DHCP interfaceconfigs have been added to the system, the DHCP client uses the default gateway information received from the DHCP server by default.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option   | Description                                                                                                               | Default Value
---------|---------------------------------------------------------------------------------------------------------------------------|--------------
name     | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number   | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
enabled  | DHCP client uses default gateway information it receives from the DHCP server.                                            | enabled
disabled | DHCP client does not use default gateway information it receives from the DHCP server.                                    |
Example
--> dhcpclient set interfaceconfig client1 defaultroute disabled
See also
DHCPCLIENT LIST INTERFACECONFIGS
5.1.6.1.18 DHCPCLIENT SET INTERFACECONFIG DHCPINFORM ENABLED|DISABLED
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} DHCPINFORM
{ENABLED|DISABLED}
Description
This command controls whether the DHCP client uses the DHCPINFORM message type. DHCPINFORM is used when a client already has an IP address and subnet mask (for example, the address has been manually configured or obtained through PPP/IPCP) but wants to obtain additional configuration parameters (such as DNS servers or a default gateway) from a DHCP server.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option   | Description                                                                                                               | Default Value
---------|---------------------------------------------------------------------------------------------------------------------------|--------------
name     | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number   | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
enabled  | Enables the DHCPINFORM message type. IP address and subnet mask will not be negotiated if this mode is selected.           | disabled
disabled | Disables the DHCPINFORM message type.                                                                                     |
Example
--> dhcpclient set interfaceconfig client1 dhcpinform disabled
See also
DHCPCLIENT LIST INTERFACECONFIGS
DHCPCLIENT SET INTERFACECONFIG SERVER
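The commands above (LIST REQUESTED OPTIONS, LIST SENT OPTIONS, SET INTERFACECONFIG CLIENTID and SET INTERFACECONFIG DHCPINFORM) all end up as RFC 2132 option TLVs on the wire: sent options become option 12 (host-name) and 15 (domain-name), the requested list becomes option 55 (parameter request list), the client ID becomes option 61, and DHCPINFORM is message type 8 in option 53. The following Python example is added here to show that encoding and decoding; it is not code from the manual or from the gateway firmware. It also converts a text client ID into the colon-separated hex form the CLIENTID command requires and rejects the mixed "." and ":" form. The OPTION_CODES table and the rule that an offer lacking a required option is rejected (while a missing merely requested option is tolerated) are assumptions for the example; the page states the requested/required distinction but not how an offer is judged against it.

```python
# Added example: RFC 2132 option encoding for the client settings on this page.
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_HOST_NAME, OPT_DOMAIN_NAME, OPT_MSG_TYPE = 12, 15, 53
OPT_PARAM_REQUEST, OPT_CLIENT_ID, OPT_END = 55, 61, 255
MSG_TYPE = {"DHCPOFFER": 2, "DHCPREQUEST": 3, "DHCPINFORM": 8}
# Assumed mapping from the option names used in the CLI examples to RFC 2132 codes.
OPTION_CODES = {"host-name": OPT_HOST_NAME, "domain-name": OPT_DOMAIN_NAME,
                "routers": 3, "domain-name-servers": 6}


def clientid_to_cli(text):
    """Render a text client ID (e.g. a hostname) in the colon-separated hex
    form that DHCPCLIENT SET INTERFACECONFIG CLIENTID expects."""
    return ":".join(f"{b:02x}" for b in text.encode("ascii"))


def cli_to_bytes(hexstr):
    """Parse 'aa:bb:cc' into bytes; a mixed '.'/':' form is an error."""
    parts = hexstr.split(":")
    if any(len(p) != 2 for p in parts):
        raise ValueError("client ID must be two-digit hex values separated by colons")
    return bytes(int(p, 16) for p in parts)


def build_options(msg_type, sent=None, requested=None, client_id=None, client_id_type=0):
    """Encode the options field of a DHCP message as RFC 2132 TLVs.
    client_id_type 0 marks a free-form identifier; use 1 with a 6-byte MAC."""
    out = bytearray(DHCP_MAGIC)
    out += bytes([OPT_MSG_TYPE, 1, MSG_TYPE[msg_type]])
    if client_id:
        out += bytes([OPT_CLIENT_ID, len(client_id) + 1, client_id_type]) + client_id
    for name, value in (sent or {}).items():          # "sent" options carry a value
        data = value.encode("ascii")
        out += bytes([OPTION_CODES[name], len(data)]) + data
    if requested:                                      # "requested" options are just codes
        codes = bytes(OPTION_CODES[n] for n in requested)
        out += bytes([OPT_PARAM_REQUEST, len(codes)]) + codes
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Decode a TLV options field into {code: value_bytes}; stops at END."""
    if blob[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:            # PAD option has no length byte
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def offer_acceptable(offer_blob, required):
    """Assumed semantics for the required/requested distinction on this page:
    an offer missing any *required* option is rejected."""
    opts = parse_options(offer_blob)
    return all(OPTION_CODES[n] in opts for n in required)
```

Feeding the two example values from the LIST SENT OPTIONS output (host-name vancouver, domain-name alliedtelesyn) through build_options and back through parse_options round-trips them unchanged.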
5.1.6.1.19 DHCPCLIENT SET INTERFACECONFIG DHCPSERVERPOOLSIZE
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} DHCPSERVERPOOLSIZE <pool size>
Description
If the given address pool size is greater than 0, this command makes the DHCP client configure a DHCP server on the LAN. The LAN DHCP server is configured using parameters received by a DHCP client interface on the WAN, so information such as DNS server addresses can be distributed to LAN clients. The new DHCP server hands out its own LAN IP address as the default gateway.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option    | Description                                                                                                                                                                                                     | Default Value
----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
name      | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.                                                                                         | N/A
number    | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command.                                                                                       | N/A
pool size | The number of DHCP client addresses in a pool. The first address in the pool is the address immediately after the LAN DHCP address. For example, if the LAN DHCP address is 192.168.102.3, the first address in the pool will be 192.168.102.4. | N/A
Example
--> dhcpclient set interfaceconfig client1 dhcpserverpoolsize 5
See also
DHCPCLIENT LIST INTERFACECONFIGS
5.1.6.1.20 DHCPCLIENT SET INTERFACECONFIG DHCPSERVERINTERFACE
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} DHCPSERVERINTERFACE <interface name>
Description
This command allows the user to specify an existing IP interface on which the automatically configured DHCP server can be created. If the interface name does not correspond
with an existing IP interface, or no interface name is given, the DHCP server will be
placed on the first LAN interface that it finds.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option         | Description                                                                                                               | Default Value
---------------|---------------------------------------------------------------------------------------------------------------------------|--------------
name           | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number         | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
interface name | The name that identifies an existing IP interface. To display IP interface names, use the IP LIST INTERFACES command.     | N/A
Example
--> dhcpclient set interfaceconfig client1 dhcpserverinterface ip2
See also
DHCPCLIENT LIST INTERFACECONFIGS
DHCPCLIENT SET INTERFACECONFIG DHCPSERVERPOOLSIZE
IP LIST INTERFACES
5.1.6.1.21 DHCPCLIENT SET INTERFACECONFIG FORCERENEW
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} FORCERENEW
{ENABLED | DISABLED}
Description
This command sets whether the DHCP client is allowed to respond to DHCPFORCERENEW requests received on the appropriate interface. If such a request is accepted, the
iMG/RG Software Reference Manual (System Administration)
5-71
Dynamic Host Configuration Protocol
DHCP Client command reference
DHCP client will attempt to renew its lease early or, if using DHCPINFORM, will
attempt to obtain a new set of configuration parameters from the DHCP server.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option   | Description                                                                                                               | Default Value
---------|---------------------------------------------------------------------------------------------------------------------------|--------------
name     | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number   | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
enabled  | DHCP client responds to DHCPFORCERENEW requests.                                                                          | disabled
disabled | DHCP client does not respond to DHCPFORCERENEW requests.                                                                  |

Example
--> dhcpclient set interfaceconfig client1 forcerenew enabled
See also
DHCPCLIENT SET INTERFACECONFIG DHCPINFORM ENABLED|DISABLED
DHCPSERVER FORCERENEW
5.1.6.1.22 DHCPCLIENT SET INTERFACECONFIG GIVEDNSTOCLIENT ENABLED|DISABLED
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} GIVEDNSTOCLIENT {ENABLED|DISABLED}
Description
This command controls whether the DHCP client passes the DNS server addresses it receives to the DNS client. If no DHCP interfaceconfigs have been added to the system, the DHCP client does not pass DNS server addresses to the DNS client by default.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option   | Description                                                                                                               | Default Value
---------|---------------------------------------------------------------------------------------------------------------------------|--------------
name     | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number   | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
enabled  | DHCP client passes DNS server addresses to the DNS client.                                                                | disabled
disabled | DHCP client does not pass DNS server addresses to the DNS client.                                                         |
Example
--> dhcpclient set interfaceconfig client1 givednstoclient disabled
See also
DHCPCLIENT LIST INTERFACECONFIGS
5.1.6.1.23 DHCPCLIENT SET INTERFACECONFIG GIVEDNSTORELAY ENABLED|DISABLED
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} GIVEDNSTORELAY {ENABLED|DISABLED}
Description
This command controls whether the DHCP client passes the DNS server addresses it receives to the DNS relay. If no DHCP interfaceconfigs have been added to the system, the DHCP client passes DNS server addresses to the DNS relay by default.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option   | Description                                                                                                               | Default Value
---------|---------------------------------------------------------------------------------------------------------------------------|--------------
name     | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number   | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
enabled  | DHCP client passes DNS server addresses to the DNS relay.                                                                 | enabled
disabled | DHCP client does not pass DNS server addresses to the DNS relay.                                                          |
Example
--> dhcpclient set interfaceconfig client1 givednstorelay disabled
See also
DHCPCLIENT LIST INTERFACECONFIGS
5.1.6.1.24 DHCPCLIENT SET INTERFACECONFIG INTERFACE
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} INTERFACE
<ipinterface>
Description
This command sets the IP interface that will have its configuration set by the DHCP client interface. The client interface can only set the IP configuration if the IP interface has
DHCP enabled, using the ip set interface dhcp command.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option      | Description                                                                                                               | Default Value
------------|---------------------------------------------------------------------------------------------------------------------------|--------------
name        | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number      | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
ipinterface | An existing IP interface with DHCP enabled. To display interface names, use the IP LIST INTERFACES command.               | N/A
Example
--> dhcpclient set interfaceconfig client1 interface ip2
See also
DHCPCLIENT LIST INTERFACECONFIGS
IP LIST INTERFACES
IP SET INTERFACE DHCP
5.1.6.1.25 DHCPCLIENT SET INTERFACECONFIG NOCLIENTID
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} NOCLIENTID
Description
This command deletes a client identifier from a DHCP client. The DHCP server must
have ‘allowunknownclients’ enabled in order to work with DHCP clients that are not specifically named in DHCP server configuration or its lease database.
Options
The following table gives the range of values for each option which can be specified with this command and a default value (if applicable).

Option | Description                                                                                                               | Default Value
-------|---------------------------------------------------------------------------------------------------------------------------|--------------
name   | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
Example
--> dhcpclient set interfaceconfig client1 noclientid
See also
DHCPCLIENT SET INTERFACECONFIG CLIENTID
DHCPSERVER SET ALLOWUNKNOWNCLIENTS
5.1.6.1.26 DHCPCLIENT SET INTERFACECONFIG REQUESTEDLEASETIME
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} REQUESTEDLEASETIME <requestedleasetime>
Description
The DHCP client requests a specific lease time from the DHCP server for the allocated
IP addresses. This command determines the length of lease time requested. The DHCP
server will ‘cap’ a requested lease time if it is too large.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option               | Description                                                                                                               | Default Value
---------------------|---------------------------------------------------------------------------------------------------------------------------|--------------
name                 | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.   | N/A
number               | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command. | N/A
requested lease time | The lease time (in seconds) that a DHCP client requests from the DHCP server.                                             | 86400
Example
--> dhcpclient set interfaceconfig client1 requestedleasetime 70000
See also
DHCPCLIENT LIST INTERFACECONFIGS
DHCPSERVER SET MAXLEASETIME
DHCPSERVER SET DEFAULTLEASETIME
5.1.6.1.27 DHCPCLIENT SET INTERFACECONFIG SERVER
Syntax
DHCPCLIENT SET INTERFACECONFIG {<name>|<number>} SERVER
<ipaddress>
Description
If DHCPINFORM has been enabled with the DHCPCLIENT SET INTERFACECONFIG DHCPINFORM command, this command makes the client unicast its first DHCPINFORM message to the DHCP server at the specified IP address. If the unicast attempt fails, the client falls back to broadcasting its DHCPINFORM messages.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option    | Description                                                                                                                                                | Default Value
----------|------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------
name      | An existing DHCP client interface. To display client interface names, use the DHCPCLIENT LIST INTERFACECONFIGS command.                                    | N/A
number    | An existing DHCP client interface. To display client interface numbers, use the DHCPCLIENT LIST INTERFACECONFIGS command.                                  | N/A
ipaddress | The IP address of a DHCP server that the DHCP client can use to obtain configuration parameters. The IP address is entered in the format 192.168.102.3.   | N/A
Example
--> dhcpclient set interfaceconfig client1 server 192.168.101.2
See also
DHCPCLIENT SET INTERFACECONFIG DHCPINFORM ENABLED|DISABLED
5.1.6.1.28 DHCPCLIENT SET BROADCAST-FLAG
Syntax
DHCPCLIENT SET BROADCAST-FLAG {ENABLE|DISABLE}
Description
This command sets the broadcast flag in the DHCP client's requests. When the flag is set, the client asks the server (or relay) to send its replies to the broadcast address rather than to a unicast address the client cannot yet receive on. The default value is enable.
Example
--> dhcpclient set broadcast-flag disable
5.1.6.1.29 DHCPCLIENT SET INITIALINTERVAL
Syntax
DHCPCLIENT SET INITIALINTERVAL <initialinterval>
Description
This command sets the first polling interval for the DHCP client.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option          | Description                                                          | Default Value
----------------|----------------------------------------------------------------------|--------------
initialinterval | The time (in seconds) between the first and the second DHCP request. | 10

Example
--> dhcpclient set initialinterval 3600
5.1.6.1.30 DHCPCLIENT SET REBOOT
Syntax
DHCPCLIENT SET REBOOT <reboottime>
Description
When the DHCP client is restarted, it tries to reacquire the last address that it had. This
command sets the time between the client trying to reacquire its last address and giving
up then trying to discover a new address.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option     | Description                                                                                                   | Default Value
-----------|---------------------------------------------------------------------------------------------------------------|--------------
reboottime | The time (in seconds) between a client's attempt to reacquire its previous IP address and its giving up to find a new one. | 10

Example
--> dhcpclient set reboot 5
5.1.6.1.31 DHCPCLIENT SET RETRY
Syntax
DHCPCLIENT SET RETRY <RETRYTIME>
Description
This command sets the time that must pass after the client has determined that no
DHCP server is present before it tries again to contact a DHCP server.
Options
The following table gives the range of values for each option that can be specified with this command and a default value (if applicable).

Option    | Description                                                                                                                          | Default Value
----------|--------------------------------------------------------------------------------------------------------------------------------------|--------------
retrytime | The time (in seconds) that must pass after the client has determined that no DHCP server is present before it tries again to contact a DHCP server. | 300

Example
--> dhcpclient set retry 150
5.1.6.1.32 DHCPCLIENT SET FORCE-BROADCAST-RENEW
Syntax
DHCPCLIENT SET FORCE-BROADCAST-RENEW {ENABLED|DISABLED}
Description
This command forces the DHCP client to always renew its IP address in broadcast mode: DHCPREQUEST messages are sent to the broadcast address instead of being unicast to the DHCP server.
The command does not take effect until the DHCPCLIENT UPDATE command is entered.
To retrieve the current settings, use the DHCPCLIENT SHOW command.
Options
The following table gives the range of values for each option which can be specified with this command and a default value (if applicable).

Option   | Description                                                                  | Default Value
---------|------------------------------------------------------------------------------|--------------
enabled  | Force the DHCP client to always renew the IP address in broadcast mode.      | disabled
disabled | Do not force the DHCP client to always renew the IP address in broadcast mode. |

Example
--> dhcpclient set force-broadcast-renew enabled
5.1.6.1.33 DHCPCLIENT SHOW
Syntax
DHCPCLIENT SHOW
Description
This command displays the following global configuration information about the DHCP client:
• reboot time
• retry time
• maximum backoff time
• IP renewal mode
Example
--> dhcpclient show
Global DHCP Client Configuration:
Reboot time: 10
Retry time: 300
Max. backoff time: 120
Broadcast Renew: false
See also
DHCPCLIENT SET REBOOT
DHCPCLIENT SET RETRY
DHCPCLIENT SET BACKOFF
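The four global timers shown by DHCPCLIENT SHOW (reboot, retry, maximum backoff, plus the initial interval set by DHCPCLIENT SET INITIALINTERVAL) only make sense together: they determine how often a client that cannot reach a server will keep transmitting, which is what an operator tuning them on many gateways cares about. The following Python example is added here to model that schedule; it is not code from the manual or from the gateway firmware. The manual gives the meaning and default of each timer but not the retransmission curve between them, so two things are assumptions of the example only: the interval doubles from the initial interval until it reaches the maximum backoff, and the client decides "no server present" after a fixed number of unanswered requests (attempts_before_giveup).

```python
from dataclasses import dataclass


@dataclass
class ClientTimers:
    """Global DHCP client timers (seconds), defaults as shown by DHCPCLIENT SHOW."""
    initial_interval: int = 10   # DHCPCLIENT SET INITIALINTERVAL
    max_backoff: int = 120       # DHCPCLIENT SET BACKOFF
    retry: int = 300             # DHCPCLIENT SET RETRY
    reboot: int = 10             # DHCPCLIENT SET REBOOT
    # Assumed for this example, not stated in the manual: unanswered requests
    # before the client concludes that no DHCP server is present.
    attempts_before_giveup: int = 5


def backoff_delays(t):
    """Delays between consecutive unanswered requests within one discovery
    round: assumed doubling from initial_interval, capped at max_backoff."""
    delays, d = [], t.initial_interval
    for _ in range(t.attempts_before_giveup - 1):
        delays.append(d)
        d = min(d * 2, t.max_backoff)
    return delays


def schedule(t, had_previous_lease, horizon):
    """Events (time, action) for a client that never hears from a server,
    up to `horizon` seconds after start."""
    events, now = [], 0
    if had_previous_lease:
        # INIT-REBOOT: try to reacquire the old address for `reboot` seconds.
        events.append((now, "DHCPREQUEST (reacquire previous address)"))
        now += t.reboot
    while now <= horizon:
        events.append((now, "DHCPDISCOVER"))
        for d in backoff_delays(t):
            now += d
            if now > horizon:
                return events
            events.append((now, "DHCPDISCOVER"))
        # Round failed: stay quiet for `retry` seconds, then start over.
        now += t.retry
    return events


def discover_times(t, had_previous_lease, horizon):
    """Just the timestamps of the DHCPDISCOVER messages in the schedule."""
    return [at for at, action in schedule(t, had_previous_lease, horizon)
            if action == "DHCPDISCOVER"]
```

With the defaults a rebooted gateway sends its reacquire request at t=0, starts discovery at t=10, retransmits at 20, 40, 80 and 160 seconds, then waits the 300-second retry time before the next round at t=460. Lowering the maximum backoff flattens the curve and raises the number of broadcasts a population of gateways sends during an outage.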
5.1.7 DHCP Relay Command Reference
This section describes the commands available on the AT-RG624/634/644 Residential Gateway to enable, configure and manage the DHCP Relay module.
5.1.7.1 DHCP relay CLI commands
The table below lists the DHCP relay commands provided by the CLI:
TABLE 5-3 DHCP Relay Commands

Command                  | Fiber A | Fiber B | Fiber C | Fiber D | Fiber E | Modular | ADSL A | ADSL B | ADSL C
-------------------------|---------|---------|---------|---------|---------|---------|--------|--------|-------
DHCPRELAY ADD SERVER     | X       | X       | X       | X       | X       | X       | X      | X      | X
DHCPRELAY CLEAR SERVERS  | X       | X       | X       | X       | X       | X       | X      | X      | X
DHCPRELAY DELETE SERVER  | X       | X       | X       | X       | X       | X       | X      | X      | X
DHCPRELAY ENABLE|DISABLE | X       | X       | X       | X       | X       | X       | X      | X      | X
DHCPRELAY LIST SERVERS   | X       | X       | X       | X       | X       | X       | X      | X      | X
DHCPRELAY SHOW           | X       | X       | X       | X       | X       | X       | X      | X      | X
DHCPRELAY UPDATE         | X       | X       | X       | X       | X       | X       | X      | X      | X

Commands
5.1.7.1.1 DHCPRELAY ADD SERVER
Syntax
DHCPRELAY ADD SERVER <IPADDRESS>
Description
This command adds the IP address of a DHCP server to the DHCP relay's list of server
IP addresses. The relay can store a maximum of 10 DHCP server addresses. Any new
server IP addresses added are not actually used until the DHCPRELAY UPDATE command has been entered.
Options
The following table gives the range of values for each option which can be specified with this command and a default value (if applicable).

Option    | Description                                                                                                    | Default Value
----------|----------------------------------------------------------------------------------------------------------------|--------------
ipaddress | The IP address of a DHCP server that the DHCP relay can use. The IP address is entered in IPv4 format (e.g. 192.168.102.3). | N/A
Example
--> dhcprelay add server 239.252.197.0
See also
dhcpserver list subnets
dhcprelay update
5.1.7.1.2 DHCPRELAY CLEAR SERVERS
Syntax
dhcprelay clear servers
Description
This command deletes all DHCP server IP addresses stored in DHCP relay's list of server
IP addresses.
Example
--> dhcprelay clear servers
See also
dhcprelay delete server
5.1.7.1.3 DHCPRELAY DELETE SERVER
Syntax
DHCPRELAY DELETE SERVER <NUMBER>
Description
This command deletes a single DHCP server address stored in the DHCP relay's list of
server IP addresses.
Options
The following table gives the range of values for each option which can be specified with this command and a default value (if applicable).

Option | Description                                                                                                                              | Default Value
-------|------------------------------------------------------------------------------------------------------------------------------------------|--------------
number | A number that identifies the DHCP server in the DHCP relay's list of servers. To display server numbers, use the dhcprelay list servers command. | N/A
Example
--> dhcprelay delete server 3
See also
dhcprelay list servers
dhcprelay clear servers
5.1.7.1.4 DHCPRELAY ENABLE|DISABLE
Syntax
DHCPRELAY {ENABLE|DISABLE}
Description
This command enables/disables DHCP relay.
DHCP relay must be enabled in order to carry out any DHCP relay configuration.
Note:
DHCP relay and DHCP server cannot be enabled at the same time. Trying to configure DHCP relay when
DHCP server is enabled results in CLI warning message.
Options
The following table gives the range of values for each option which can be specified with this command and a default value (if applicable).

Option  | Description                           | Default Value
--------|---------------------------------------|--------------
enable  | Enables configuration of DHCP relay.  | enable
disable | Disables configuration of DHCP relay. | enable
Example
--> dhcprelay enable
See also
dhcpserver enable|disable
5.1.7.1.5 DHCPRELAY LIST SERVERS
Syntax
DHCPRELAY LIST SERVERS
Description
This command displays the DHCP relay's list of DHCP server IP addresses with their
identification numbers.
Example
--> dhcprelay list servers
DHCP Servers:
  ID | IP Address
-----|-----------------
   1 | 192.168.102.3
   2 | 239.252.197.0
-----------------------
See also
dhcpserver list subnets
5.1.7.1.6 DHCPRELAY SHOW
Syntax
DHCPRELAY SHOW
Description
This command tells you whether DHCP relay is enabled or disabled.
Example
--> dhcprelay show
Global DHCP Relay Configuration:
Status: ENABLED
See also
DHCPRELAY ENABLE|DISABLE
5.1.7.1.7 DHCPRELAY UPDATE
Syntax
DHCPRELAY UPDATE
Description
This command updates the DHCP relay configuration. Changes made to the relay configuration will not take effect until this command has been entered.
Example
--> dhcprelay update
dhcprelay: Reset request acknowledged. Reset imminent.
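Taken together, the DHCPRELAY commands above define a small state machine: relay and server are mutually exclusive, the relay must be enabled before it accepts configuration, at most 10 servers can be stored, and nothing added or deleted takes effect until DHCPRELAY UPDATE. The following Python example is added here to model that behaviour together with the forwarding rule a relay applies on the wire (RFC 2131: set giaddr to the relay's own address if the client left it zero, increment hops, and return replies only when giaddr names this relay); it is not code from the manual or from the gateway firmware. The BOOTP header builder, the 16-hop limit (from RFC 2131, not from this page) and the relay address 192.168.1.1 are constructed for the example.

```python
import ipaddress
import struct

MAX_RELAY_SERVERS = 10          # stated limit of the relay's server list
MAX_HOPS = 16                   # RFC 2131 relay rule (assumed, not on this page)
BOOTREQUEST, BOOTREPLY = 1, 2


class DhcpRelay:
    """Model of the gateway's DHCP relay configuration and forwarding rules."""

    def __init__(self, relay_ip, dhcp_server_enabled=False):
        self.relay_ip = ipaddress.IPv4Address(relay_ip)
        self.dhcp_server_enabled = dhcp_server_enabled
        self.enabled = False
        self._pending = []      # DHCPRELAY ADD/DELETE/CLEAR act on this list
        self._active = []       # copied from _pending by DHCPRELAY UPDATE

    def enable(self):
        if self.dhcp_server_enabled:   # relay and server cannot both be enabled
            raise RuntimeError("DHCP server is enabled; disable it before enabling DHCP relay")
        self.enabled = True

    def add_server(self, ip):
        if not self.enabled:
            raise RuntimeError("DHCP relay must be enabled before it is configured")
        if len(self._pending) >= MAX_RELAY_SERVERS:
            raise ValueError("relay can store at most %d servers" % MAX_RELAY_SERVERS)
        self._pending.append(ipaddress.IPv4Address(ip))

    def delete_server(self, number):
        del self._pending[number - 1]          # IDs are 1-based as in LIST SERVERS

    def clear_servers(self):
        self._pending.clear()

    def list_servers(self):
        return [(i + 1, str(ip)) for i, ip in enumerate(self._pending)]

    def update(self):
        """DHCPRELAY UPDATE: staged changes become the working configuration."""
        self._active = list(self._pending)

    def relay_request(self, packet):
        """Forward a client BOOTREQUEST to every active server.
        Returns a list of (server_ip, rewritten_packet)."""
        op, _htype, _hlen, hops = struct.unpack("!BBBB", packet[:4])
        if op != BOOTREQUEST or hops >= MAX_HOPS:
            return []
        giaddr = ipaddress.IPv4Address(packet[24:28])
        if int(giaddr) == 0:                   # first relay on the path fills giaddr
            giaddr = self.relay_ip
        rewritten = packet[:3] + bytes([hops + 1]) + packet[4:24] + giaddr.packed + packet[28:]
        return [(str(s), rewritten) for s in self._active]

    def relay_reply(self, packet):
        """Deliver a BOOTREPLY to the LAN only if giaddr names this relay."""
        if packet[0] != BOOTREPLY:
            return None
        if ipaddress.IPv4Address(packet[24:28]) != self.relay_ip:
            return None
        return packet


def make_bootp(op, hops=0, giaddr="0.0.0.0", xid=0x3903F326):
    """Constructed minimal 236-byte BOOTP header (no options field)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0x8000)   # flags: broadcast bit
    hdr += bytes(12)                                    # ciaddr, yiaddr, siaddr all zero
    hdr += ipaddress.IPv4Address(giaddr).packed         # giaddr at offset 24
    hdr += b"\x00\x11\x22\x33\x44\x5a" + bytes(10)      # chaddr (16 bytes)
    hdr += bytes(192)                                   # sname + file
    return hdr
```

The staging behaviour is the part most often missed in practice: after dhcprelay add server, relay_request still forwards to nothing until update() is called, exactly as the DHCPRELAY ADD SERVER description warns.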
5.2 Domain name system - DNS
DNS is an abbreviation for Domain Name System, a system for naming computers and network services that is
organized into a hierarchy of domains. DNS naming is used in TCP/IP networks, such as the Internet, to locate
computers and services through user-friendly names. When a user enters a DNS name in an application, DNS
services can resolve the name to other information associated with the name, such as an IP address.
For example, most users prefer a friendly name such as alliedtelesyn.com to locate a computer such as a mail or
Web server on a network. A friendly name can be easier to learn and remember. However, computers communicate over a network by using numeric addresses. To make use of network resources easier, name services
such as DNS provide a way to map the user-friendly name for a computer or service to its numeric address. If
you have ever used a Web browser, you have used DNS.
The following graphic shows a basic use of DNS, which is finding the IP address of a computer based on its name.
FIGURE 5-1 Domain Name System: the DNS client asks "What is the IP address for host.alliedtelesis.com?"; the DNS server, whose data maps host.alliedtelesis.com to 192.168.1.20, answers "host.alliedtelesis.com = 192.168.1.20".
In this example, a client computer queries a server, asking for the IP address of a computer configured to use
host.alliedtelesyn.com as its DNS domain name. Because the server is able to answer the query based on its
local database, it replies with an answer containing the requested information, which is a host (A) resource
record that contains the IP address information for host.alliedtelesyn.com. The example shows a simple DNS
query between a single client and server. In practice, DNS queries can be more involved than this and include
additional steps not shown here.
5.2.1 DNS Relay
The gateway can act as a DNS relay: DNS packets that arrive at the Residential Gateway, addressed to the Residential Gateway itself, are relayed on to a known DNS server.
In this way, devices on the LAN can treat the Residential Gateway as though it were the DNS server. Only the Residential Gateway needs to know the address of the real DNS server, which it looks up in its internal DNS relay server list.
The DHCP server running on the Residential Gateway's internal IP interface can be configured to offer the address of that internal interface as the DNS server address, so that the internal hosts send their DNS requests to the gateway.
It is also possible to write a file named dnsrelaylandb containing host attributes together with a domain name and IP address mask. When the DNS relay receives a DNS request it first checks whether the answer is in this file; if it is, the relay answers the query itself, and if it does not have enough information it forwards the request to a DNS server.
Both a primary and a secondary DNS server can be nominated. DNS responses received from the server are forwarded back to the host that made the original DNS request.
Both UDP and TCP DNS requests are supported.
The DNS relay does not bind itself to any one specific interface or interface type, but listens for traffic on all available IP interfaces, on the well-known UDP and TCP port number for a DNS server (port 53). Because this includes WAN-facing interfaces, make sure that the firewall drops port 53 traffic arriving from the WAN unless the gateway is meant to answer DNS queries for external hosts.
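The relay logic described above (answer from the local database when possible, otherwise forward to the primary server and fall back to the secondary, over UDP or TCP) is shown in the following Python example, which is added here and is not code from the manual or from the gateway firmware. It parses a constructed DNS query, looks the name up in a local hostname-to-address table standing in for dnsrelaylandb, and either builds an A-record answer or hands the untouched query to the first configured server; for TCP it strips and re-adds the two-byte length prefix. The local database format, the 60-second TTL and the server addresses are assumptions for the example; nothing here touches the network.

```python
import ipaddress
import struct

QTYPE_A, QCLASS_IN = 1, 1
MAX_SERVERS = 10                     # the relay stores at most 10 DNS servers


def encode_name(name):
    """Encode 'host.example' as DNS labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode labels at offset; returns (name, offset after the zero byte).
    Queries do not use compression pointers, so those are rejected."""
    labels = []
    while True:
        n = msg[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def build_query(name, qid=0x1234, qtype=QTYPE_A):
    """Constructed client query: one question, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


class DnsRelay:
    """Model of the relay: local database first, configured servers second."""

    def __init__(self, local_db, servers):
        # local_db stands in for dnsrelaylandb: hostname -> IPv4 address.
        self.local_db = {k.lower(): ipaddress.IPv4Address(v) for k, v in local_db.items()}
        self.servers = list(servers)[:MAX_SERVERS]

    def handle(self, query, tcp=False):
        """Returns ('local', response) or ('forward', server_ip, query)."""
        if tcp:                                   # TCP frames carry a 2-byte length
            (length,) = struct.unpack("!H", query[:2])
            query = query[2:2 + length]
        qid, flags, qdcount = struct.unpack("!HHH", query[:6])
        if qdcount != 1:
            raise ValueError("expected exactly one question")
        name, off = decode_name(query, 12)
        qtype, qclass = struct.unpack("!HH", query[off:off + 4])
        ip = self.local_db.get(name.lower())
        if qtype == QTYPE_A and qclass == QCLASS_IN and ip is not None:
            resp = self._answer(query, qid, flags, off + 4, ip)
            return ("local", (struct.pack("!H", len(resp)) + resp) if tcp else resp)
        return ("forward", self.servers[0], query)

    def next_server(self, failed):
        """Secondary after the primary fails; None when the list is exhausted."""
        i = self.servers.index(failed) + 1
        return self.servers[i] if i < len(self.servers) else None

    @staticmethod
    def _answer(query, qid, flags, qend, ip):
        # QR=1, keep the client's RD bit, set RA; one answer; echo the question.
        hdr = struct.pack("!HHHHHH", qid, 0x8000 | (flags & 0x0100) | 0x0080, 1, 1, 0, 0)
        # 0xC00C is a compression pointer to the question name at offset 12.
        rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4) + ip.packed
        return hdr + query[12:qend] + rr
```

Only A queries in class IN are answered locally; anything else (AAAA, MX, a name not in the table) is forwarded unchanged, which is the behaviour to expect from the relay when the local file lacks an entry.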
5.2.2 DNS Client
The gateway is provided with an internal DNS client. To use this function you must add the DNS server addresses that the Residential Gateway will use ONLY for its own lookups.
5.2.3 DNS Relay command reference
This section describes the commands available on the gateway to enable, configure and manage the DNS Relay
module.
5.2.3.1 DNS Relay CLI commands
The table below lists the DNSrelay commands provided by the CLI:
TABLE 5-4 DNS Relay Commands

Command                           | Fiber A | Fiber B | Fiber C | Fiber D | Fiber E | Modular | ADSL A | ADSL B | ADSL C
----------------------------------|---------|---------|---------|---------|---------|---------|--------|--------|-------
DNSRELAY ADD LOCALDATABASE        | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY ADD SERVER               | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY CLEAR SERVERS            | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY DELETE SERVER            | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY ENABLE|DISABLE           | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY SHOW                     | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY LIST SERVERS             | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY SET HOSTNAME             | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY SET DYNAMICSERVERPRIORITY| X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY SET LANDOMAINNAME        | X       | X       | X       | X       | X       | X       | X      | X      | X
DNSRELAY SHOW LANDOMAINNAME       | X       | X       | X       | X       | X       | X       | X      | X      | X

Commands
5.2.3.1.1 DNSRELAY ADD LOCALDATABASE
Syntax
DNSRELAY ADD LOCALDATABASE <database> HOSTNAME <name> IPADDRESS <ipaddress>
Description
This command creates a local database entry specifying a host name and its IP address.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                       Default Value
database        The name of the database          N/A
name            The name of the host              N/A
ip-address      The IP address of the host        0.0.0.0
5.2.3.1.2 DNSRELAY ADD SERVER
Syntax
DNSRELAY ADD SERVER <ip-address>
Description
This command adds the IP address of a DNS server to DNS relay’s list of server IP
addresses. The relay can store a maximum of 10 DNS server addresses.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                   Default Value
ip-address      The IP address of a DNS server that the DNS relay can use,    0.0.0.0
                in the format: 192.168.102.3
Example
--> dnsrelay add server 239.252.197.0
DNS server set to 0.0.0.0
DNS server set to 239.252.197.0
See also
DNSRELAY LIST SERVERS
5.2.3.1.3 DNSRELAY CLEAR SERVERS
Syntax
DNSRELAY CLEAR SERVERS
Description
This command deletes all DNS server IP addresses stored in DNS relay’s list of server IP
addresses.
Example
--> dnsrelay clear servers
See also
DNSRELAY DELETE SERVER
5.2.3.1.4 DNSRELAY DELETE SERVER
Syntax
DNSRELAY DELETE SERVER <id-number>
Description
This command deletes a single DNS server address stored in DNS relay’s list of server IP
addresses.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                   Default Value
ID number       A number that identifies the DNS server in the DNS relay      N/A
                list. To display server numbers, use the
                DNSRELAY LIST SERVERS command.
Example
--> dnsrelay delete server 3
See also
DNSRELAY LIST SERVERS
5.2.3.1.5 DNSRELAY ENABLE|DISABLE
Syntax
DNSRELAY {ENABLE | DISABLE}
Description
This command enables or disables DNS relay on your device. You must have DNS relay
enabled in order to carry out any DNS relay configuration. If you try configuring DNS
relay before you have entered the dnsrelay enable command, the CLI issues a warning
message.
To display the current state of DNS relay, use the DNSRELAY SHOW command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description               Default Value
enable          Enables dnsrelay.         enable
disable         Disables dnsrelay.
Example
--> dnsrelay disable
See also
DNSRELAY LIST SERVERS
5.2.3.1.6 DNSRELAY SHOW
Syntax
DNSRELAY SHOW
Description
This command indicates the status of DNS relay, enabled or disabled.
Example
--> dnsrelay show
Global DNS Relay Configuration:
Status: ENABLED
See also
DNSRELAY LIST SERVERS
5.2.3.1.7 DNSRELAY LIST SERVERS
Syntax
DNSRELAY LIST SERVERS
Description
This command displays the DNS relay’s list of DNS server IP addresses with their identification numbers.
Example
--> dnsrelay list servers
DNS Relay Servers:
ID   | IP Address
-----|-----------------
1    | 239.252.197.0
-----------------------
5.2.3.1.8 DNSRELAY SET HOSTNAME
Syntax
DNSRELAY SET HOSTNAME <name>
Description
This command sets the host name of your device.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                   Default Value
name            The hostname that identifies your device.     N/A
Example
--> dnsrelay set hostname myhost
See also
DNSRELAY SET LANDOMAINNAME
DHCPSERVER SET SUBNET ASSIGNAUTODOMAIN
5.2.3.1.9 DNSRELAY SET DYNAMICSERVERPRIORITY
Syntax
DNSRELAY SET DYNAMICSERVERPRIORITY ENABLE|DISABLE
Description
This command enables or disables the dynamic server priority when more than one server
is available.
5.2.3.1.10 DNSRELAY SET LANDOMAINNAME
Syntax
DNSRELAY SET LANDOMAINNAME <name>
Description
This command sets the LAN domain name of your device. The DHCP server can then be
configured to give out this domain name to DHCP clients.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                          Default Value
name            The LAN domain name that identifies your device.     N/A
Example
--> dnsrelay set landomainname alliedtelesyn.com
See also
DNSRELAY SET LANDOMAINNAME
DHCPSERVER SET SUBNET ASSIGNAUTODOMAIN
5.2.3.1.11 DNSRELAY SHOW LANDOMAINNAME
Syntax
dnsrelay show landomainname
Description
This command displays the domain name used by the DNS relay to determine if a host
name request is for the local database.
Example
--> dnsrelay show landomainname
LAN Domain Name: alliedtelesyn.com
See also
DNSRELAY SET LANDOMAINNAME
5.2.4 DNS Client command reference
This section describes the commands available on the gateway to enable, configure and manage the DNS Client
module.
5.2.4.1 DNS Client CLI commands
The table below lists the DNS client commands provided by the CLI:
TABLE 5-5
DNS Client Commands                   Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A  ADSL B  ADSL C
DNSCLIENT ADD SEARCHDOMAIN            X        X        X        X        X        X        X       X       X
DNSCLIENT ADD SERVER                  X        X        X        X        X        X        X       X       X
DNSCLIENT CLEAR SEARCHDOMAINS         X        X        X        X        X        X        X       X       X
DNSCLIENT CLEAR SERVERS               X        X        X        X        X        X        X       X       X
DNSCLIENT DELETE SEARCHDOMAIN         X        X        X        X        X        X        X       X       X
DNSCLIENT DELETE SERVER               X        X        X        X        X        X        X       X       X
DNSCLIENT LIST SEARCHDOMAINS          X        X        X        X        X        X        X       X       X
DNSCLIENT LIST SERVERS                X        X        X        X        X        X        X       X       X
Commands
5.2.4.1.1 DNSCLIENT ADD SEARCHDOMAIN
Syntax
DNSCLIENT ADD SEARCHDOMAIN <searchstring>
Description
This command creates a domain search list. The DNS client uses this list when a user
asks for the IP address list for an incomplete domain name. The search string specified
replaces any previous search strings added previously using this command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                   Default Value
searchstring    A search string used to find the IP address for an            N/A
                incomplete domain name. You can have a maximum
                of 6 incomplete domain names in the search string.
Example
--> dnsclient add searchdomain alliedtelesyn.com
See also
DNSCLIENT LIST SEARCHDOMAINS
5.2.4.1.2 DNSCLIENT ADD SERVER
Syntax
DNSCLIENT ADD SERVER <ipaddress>
Description
This command adds a server IP address to the server list. This enables you to retrieve a
domain name for a given IP address.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                   Default Value
ipaddress       The IP address of the server that has an unknown              N/A
                domain name. You can add a maximum of 3
                addresses to the server list, in the format:
                192.168.102.3
Example
--> dnsclient add server 192.168.219.196
See also
DNSCLIENT LIST SERVERS
5.2.4.1.3 DNSCLIENT CLEAR SEARCHDOMAINS
Syntax
DNSCLIENT CLEAR SEARCHDOMAINS
Description
This command deletes all domain names from the domain search list.
Example
--> dnsclient clear searchdomains
See also
DNSCLIENT ADD SEARCHDOMAIN
DNSCLIENT DELETE SEARCHDOMAIN
5.2.4.1.4 DNSCLIENT CLEAR SERVERS
Syntax
DNSCLIENT CLEAR SERVERS
Description
This command deletes all the server IP addresses from the server list.
Example
--> dnsclient clear servers
See also
DNSCLIENT ADD SEARCHDOMAIN
DNSCLIENT DELETE SERVER
5.2.4.1.5 DNSCLIENT DELETE SEARCHDOMAIN
Syntax
DNSCLIENT DELETE SEARCHDOMAIN <searchstring>
Description
This command deletes a single domain name from the domain search list.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                   Default Value
searchstring    A number that identifies a search string used to find         N/A
                the IP address for an incomplete domain name. To
                list domain search strings, use the DNSCLIENT
                LIST SEARCHDOMAINS command.
Example
--> dnsclient delete searchdomain 1
See also
DNSCLIENT CLEAR SEARCHDOMAINS
DNSCLIENT LIST SEARCHDOMAINS
5.2.4.1.6 DNSCLIENT DELETE SERVER
Syntax
DNSCLIENT DELETE SERVER <number>
Description
This command deletes a single server IP address from the server list.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                   Default Value
number          The server number that identifies an IP address of            N/A
                the server that has an unknown domain name. To
                display server numbers, use the DNSCLIENT
                LIST SERVERS command.
Example
--> dnsclient delete server 1
See also
DNSCLIENT CLEAR SERVERS
DNSCLIENT LIST SERVERS
5.2.4.1.7 DNSCLIENT LIST SEARCHDOMAINS
Syntax
DNSCLIENT LIST SEARCHDOMAINS
Description
This command lists the domain search strings that you have added to DNS client using
the DNSCLIENT ADD SEARCHDOMAIN command. DNS client uses this list when a
user asks for the IP address list for an incomplete domain name.
Example
--> dnsclient list searchdomains
ID   | Domain
-----|---------------------
1    | alliedtelesyn.com
--------------------------
5.2.4.1.8 DNSCLIENT LIST SERVERS
Syntax
DNSCLIENT LIST SERVERS
Description
This command lists the server IP addresses that you have added to DNS client using the
DNSCLIENT ADD SERVER command. DNS client uses this list to retrieve a domain
name for a given IP address.
Example
--> dnsclient list servers
DNS Client Servers:
ID   | IP Address
-----|-----------------
1    | 192.168.100.7
2    | 192.168.100.1
------------------------
5.3 SNTP
The SNTP Version 4 client is an OSI Layer 7 application that allows the synchronization of the gateway system clock
to global sources of time-based information using UDP.
Its detailed implementation, which is described in RFC 2030, provides a complete and simplified method to
access international time servers to receive, organize and adjust the time synchronization of the local system.
The SNTP client described herein is a scaled-down version of the Network Time Protocol (NTP), which is specified in RFC 1305. The main difference between an SNTP and an NTP client is the fact that most SNTP clients
will interact with, at most, a single (S)NTP server. Also, SNTP Version 4 clients include an ‘anycast’ mode in
addition to the unicast and broadcast access modes, which was not available in past versions of NTP/SNTP clients.
5.3.1 SNTP features
The following features are available on the gateway:
• Boot time and runtime synchronization of the system clock can both be configured
• SNTP in the gateway system can function in one of three transfer modes:
• Unicast Mode
The SNTP client sends to a server, located at a specific previously configured address, a request for time
synchronization and expects a reply only from that particular server
• Broadcast/Multicast Mode
A multicast NTP server periodically transmits a message to the local subnet broadcast address. The client is configured to listen, and receives the synchronized time-based information. The client then configures itself based on this information, but sends no reply
• Anycast Mode
When the client is configured in anycast mode, it sends out a sync request to a local subnet broadcast
address. One or several anycast SNTP servers can respond with an individual timestamp and a unicast
address. The client subsequently binds to the first response it receives and continues its operations in a
unicast mode with that particular server. Any other server responses that are received by the client
afterwards are ignored
• 64 local time zones (which include summertime /daylight savings time) configurations are supported (see
Table 6).
• Automatic periodic timeserver polling is configurable
• Configuration of packet time-outs and retry transmissions is supported
• Getting NTP Time Server IP Addresses via DNS lookup can be used
The SNTP client mode session uses the standard remote UDP port 123 for all data transfers. Port 123 will be
used in both the Source Port and Destination Port fields of the UDP header.
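The unicast exchange on UDP port 123 described above, as an added example that is not the gateway's firmware: it builds the 48-byte SNTPv4 client request, validates the server reply (mode, leap indicator, stratum, and that the originate timestamp echoes what the client sent), and computes the same quantities the gateway reports in its status output (stratum, precision, root delay, dispersion, reference ID, round trip delay and local clock offset) using the RFC 2030 formulas. The server reply, the timestamps and the reference ID 10.17.90.68 are constructed sample data; the function names are assumptions for this illustration.

```python
"""SNTP version 4 unicast exchange, as an added example (not the gateway's
firmware): build the client request, parse the server reply and derive the
fields the gateway reports (stratum, precision, root delay, dispersion,
reference ID, round trip delay, local clock offset) using the RFC 2030
formulas.  The sample server reply below is constructed for the example."""
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
HEADER = "!BBBb" + "I" * 11            # 48-byte SNTP packet layout
SNTP_VERSION = 4


def to_ntp(unix_ts):
    """Unix seconds (float) -> 64-bit NTP timestamp as (seconds, fraction)."""
    whole = int(unix_ts)
    return whole + NTP_EPOCH_OFFSET, int(round((unix_ts - whole) * (1 << 32)))


def from_ntp(sec, frac):
    return sec - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(t1):
    """Client request: LI=0, VN=4, Mode=3 (client); transmit timestamp = t1."""
    first = (0 << 6) | (SNTP_VERSION << 3) | 3
    sec, frac = to_ntp(t1)
    return struct.pack(HEADER, first, 0, 0, 0, *([0] * 9), sec, frac)


def build_server_reply(request, t2, t3, stratum=3, precision=-20,
                       root_delay=0.5, dispersion=0.25, ref_id="10.17.90.68"):
    """Constructed server reply (Mode=4) for this example: echoes the client's
    transmit timestamp into the originate field, receive time t2, transmit t3."""
    sent = struct.unpack(HEADER, request)
    orig_sec, orig_frac = sent[13], sent[14]
    first = (0 << 6) | (SNTP_VERSION << 3) | 4
    ref_int = int.from_bytes(bytes(int(o) for o in ref_id.split(".")), "big")
    recv, xmit = to_ntp(t2), to_ntp(t3)
    # root delay / dispersion are 16.16 fixed point; reference timestamp reuses t2
    return struct.pack(HEADER, first, stratum, 6, precision,
                       int(root_delay * 65536), int(dispersion * 65536), ref_int,
                       *recv, orig_sec, orig_frac, *recv, *xmit)


def parse_reply(data, request, t4):
    """Validate the reply to `request` and compute offset/delay; t4 is the
    client's receive time.  Raises ValueError for replies that must not be used."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    f = struct.unpack(HEADER, data[:48])
    li, vn, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3 or f[1] == 0:
        # LI=3: server clock unsynchronized; stratum 0: kiss-o'-death, never use it
        raise ValueError("server not usable (LI=%d, stratum=%d)" % (li, f[1]))
    sent = struct.unpack(HEADER, request)
    if (f[9], f[10]) != (sent[13], sent[14]):
        # the originate timestamp must echo our transmit timestamp; a mismatch
        # means a stale or unsolicited packet, so it is discarded
        raise ValueError("originate timestamp mismatch")
    t1 = from_ntp(sent[13], sent[14])
    t2 = from_ntp(f[11], f[12])
    t3 = from_ntp(f[13], f[14])
    return {
        "version": vn,
        "stratum": f[1],
        "precision": 2.0 ** f[3],                        # seconds
        "root_delay": f[4] / 65536.0,
        "dispersion": f[5] / 65536.0,
        # for stratum 2 and above the reference ID is the IPv4 address of the source
        "reference_id": ".".join(str(b) for b in f[6].to_bytes(4, "big")),
        "round_trip_delay": (t4 - t1) - (t3 - t2),
        "clock_offset": ((t2 - t1) + (t3 - t4)) / 2.0,
    }


def reply_is_usable(data, request, t4):
    try:
        parse_reply(data, request, t4)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = build_request(1000.0)                       # constructed timestamps
    rep = build_server_reply(req, 1002.0, 1002.5)
    print(parse_reply(rep, req, 1001.5))
```

With the constructed timestamps (t1 = 1000.0, t2 = 1002.0, t3 = 1002.5, t4 = 1001.5) the client clock is 1.5 s behind the server and the round trip took 1.0 s, which is what the gateway would show as Local Clock Offset and Round Trip Delay. A reply whose originate timestamp does not match, or whose stratum is 0, is rejected before any of these values are computed.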
5.3.2 Time zones and daylight savings (summer time) conversion
Daylight Savings (a.k.a. Summer Time) time zones are configurable using the SNTP client. There is also a built-in firmware mechanism for the automatic change to/from standard time/daylight savings time. All the major
world time zone changes are supported.
5.3.3 SNTP command reference
This section describes the commands available on the gateway to enable, configure and manage the SNTP
module.
5.3.3.1 SNTP CLI commands
The table below lists the SNTP client commands provided by the CLI:
TABLE 5-6
SNTP Client Commands                  Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A  ADSL B  ADSL C
SNTPCLIENT ADD SERVER                 X        X        X        X        X        X        X       X       X
SNTPCLIENT CLEAR SERVERS              X        X        X        X        X        X        X       X       X
SNTPCLIENT DELETE SERVER              X        X        X        X        X        X        X       X       X
SNTPCLIENT LIST SERVERS               X        X        X        X        X        X        X       X       X
SNTPCLIENT SET DAYLIGHTSAVINGTIME     X        X        X        X        X        X        X       X       X
SNTPCLIENT SET TIMEZONE               X        X        X        X        X        X        X       X       X
SNTPCLIENT SET MODE                   X        X        X        X        X        X        X       X       X
SNTPCLIENT SET POLLINTV               X        X        X        X        X        X        X       X       X
SNTPCLIENT SYNC                       X        X        X        X        X        X        X       X       X
SNTPCLIENT SET TIMEOUT                X        X        X        X        X        X        X       X       X
SNTPCLIENT SET RETRIES                X        X        X        X        X        X        X       X       X
SNTP SHOW STATUS                      X        X        X        X        X        X        X       X       X
SNTPCLIENT SET CLOCK                  X        X        X        X        X        X        X       X       X
Commands
5.3.3.1.1 SNTPCLIENT ADD SERVER
Syntax
SNTPCLIENT ADD SERVER {IPADDRESS <sntpipaddress> | HOSTNAME <sntphostname>}
Description
This command creates the dedicated unicast server for which the SNTP client can synchronize its time. You can add a server either by specifying the IP address or the hostname.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                          Default Value
sntpipaddress   The IP address of the dedicated unicast server       N/A
                that SNTP can use to synchronize its time.
sntphostname    The hostname of the dedicated unicast server         N/A
                that SNTP can use to synchronize its time.
Example
Example 1 - IP address
--> sntpclient add server ipaddress 129.6.15.28
Example 2 - hostname
--> sntpclient add server hostname time-a.nist.gov
5.3.3.1.2 SNTPCLIENT CLEAR SERVERS
Syntax
SNTPCLIENT CLEAR SERVERS
Description
This command deletes the servers added using the sntpclient add server command.
Example
--> sntpclient clear servers
See also
SNTPCLIENT ADD SERVER
5.3.3.1.3 SNTPCLIENT DELETE SERVER
Syntax
SNTPCLIENT DELETE SERVER <serverid>
Description
This command deletes a single server previously added using the sntpclient add server
command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                          Default Value
serverid        The server ID displayed by the SNTPCLIENT LIST       N/A
                SERVERS command.
Example
--> sntpclient delete server 1
See also
SNTPCLIENT ADD SERVER
SNTPCLIENT LIST SERVERS
5.3.3.1.4 SNTPCLIENT LIST SERVERS
Syntax
SNTPCLIENT LIST SERVERS
Description
This command lists the servers added using the SNTPCLIENT ADD SERVER command.
Example
--> sntpclient list servers
SNTPClient Servers:
ID   | IP Address
-----|-----------------
1    | 239.252.197.0
-----------------------
See also
SNTPCLIENT ADD SERVER
5.3.3.1.5 SNTPCLIENT SET DAYLIGHTSAVINGTIME
Syntax
SNTPCLIENT SET DAYLIGHTSAVINGTIME ENABLE|DISABLE
Description
This command sets the SNTP client to automatically switch between the standard time
and the daylight saving time according to the time zone.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                               Default Value
enable          Enables the selected time synchronous access mode.        N/A
disable         Disables the selected time synchronous access mode.       N/A
Example
--> sntpclient set daylightsavingtime enable
5.3.3.1.6 SNTPCLIENT SET TIMEZONE
Syntax
SNTPCLIENT SET TIMEZONE <timezone>
Description
This command takes the local time zone abbreviation as a parameter and configures the
local system to be up to +13 hours from Coordinated Universal Time (UTC). Sixty-four
of the world’s most prominent time zones are represented (including those using standard time and summer/daylight savings time).
Options
The following table gives the 64 time zone abbreviations that you can use in this command to set the timezone difference for the system timer. The table also contains the difference in time (in hours and minutes) from UTC, and a description of the area of
the world (from west to east) where the time difference is calculated:
TABLE 5-7
Time Abbreviations when Setting Timezone Difference
Time Zone   + UTC   World Area of Time Zone
IDLW        -1200   International Date Line West
NT          -1100   Nome
HST         -1000   Hawaii Standard
AKST        -0900   Alaska Standard
YST         -0900   Yukon Standard
YDT         -0800   Yukon Daylight
PST         -0800   US Pacific Standard
MST         -0700   US Mountain Standard
MDT         -0600   US Mountain Daylight
CST         -0600   US Central Standard
EST         -0500   US Eastern Standard
AST         -0400   Atlantic Standard
NFST        -0330   Newfoundland Standard
NFT         -0330   Newfoundland
BRA         -0300   Brazil Standard
ADT         -0300   Atlantic Daylight
NDT         -0230   Newfoundland Daylight
AT          -0200   Azores
WAT         -0100   West Africa
GMT         +0000   Greenwich Mean
UTC         +0000   Universal (Coordinated)
WET         +0000   Western European
CET         +0100   Central European
FWT         +0100   French Winter
MET         +0100   Middle European
MEWT        +0100   Middle European Winter
SWT         +0100   Swedish Winter
BST         +0100   British Summer
EET         +0200   Eastern Europe
FST         +0200   French Summer
MEST        +0200   Middle European Summer
SST         +0200   Swedish Summer
IST         +0200   Israeli Standard
IDT         +0300   Israeli Daylight
BT          +0300   Baghdad
IT          +0330   Iran
USZ3        +0400   Russian Volga
USZ4        +0500   Russian Ural
INST        +0530   Indian Standard
USZ5        +0600   Russian West-Siberian
NST         +0630   North Sumatra
WAST        +0700   West Australian Standard
USZ6        +0700   Russian Yenisei
JT          +0730   Java
CCT         +0800   China Coast
WADT        +0800   West Australian Daylight
ROK         +0900   Korean Standard
KST         +0900   Korean Standard
JST         +0900   Japan Standard
CAST        +0930   Central Australian Standard
KDT         +1000   Korean Daylight
EAST        +1000   Eastern Australian Standard
GST         +1000   Guam Standard
CADT        +1030   Central Australian Daylight
EADT        +1100   Eastern Australian Daylight
IDLE        +1200   International Date Line East
NZST        +1200   New Zealand Standard
NZT         +1200   New Zealand
NZDT        +1300   New Zealand Daylight
Example
In the example below, the time zone is set to United States Eastern Standard Time, which
is five hours earlier than UTC (-0500):
--> sntpclient set timezone EST
5.3.3.1.7 SNTPCLIENT SET MODE
Syntax
SNTPCLIENT SET MODE {UNICAST|BROADCAST|ANYCAST} {ENABLE|DISABLE}
Description
This command enables/disables the SNTP client in a particular time synchronous access
mode. There are three modes to choose from, and each mode has enable and disable
options:
Unicast mode
• Enable: the mode uses a unicast server, and the IP address or hostname in the SNTP server
association list is used to synchronize the client time with the server. The SNTP client attempts to contact the specific server in the association in order to receive a
timestamp when the SNTPCLIENT SYNC command is issued.
• Disable: the unicast server is removed from the association list.
Broadcast mode
• Enable: allows the SNTP client to accept time synchronization broadcast packets from an
SNTP server located on the network, and updates the local system time accordingly.
• Disable: stops synchronization via broadcast mode.
Anycast mode
• Enable: the SNTP client sends time synchronization broadcast packets to the network and subsequently expects a reply from a valid timeserver. The client then uses the first reply
it receives to establish a link for future sync operations in unicast mode. This server
will then be added to the server association list. The client ignores any later replies
from servers after the first one is received.
The enabled anycast mode takes precedence over any entries currently in the association list when the SNTPCLIENT SYNC command is issued. The entry will then be
substituted for any existing entry in the unicast association list.
• Disable: stops synchronization via anycast mode.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                      Default Value
unicast         Sets the time synchronous access mode to use the unicast         N/A
                server.
broadcast       Sets the time synchronous access mode to use the broadcast       N/A
                server.
anycast         Sets the time synchronous access mode to use the anycast         N/A
                server.
enable          Enables the selected time synchronous access mode.               N/A
disable         Disables the selected time synchronous access mode.              N/A
Example
--> sntpclient set mode anycast enable
See also
SNTPCLIENT ADD SERVER
SNTP SHOW STATUS
5.3.3.1.8 SNTPCLIENT SET POLLINTV
Syntax
SNTPCLIENT SET POLLINTV <pollintv>
Description
This command sets the SNTP client to automatically send a time synchronization request
(specific to the mode) to the network at a specific interval. If the poll-interval is set to 0,
the polling mechanism will be disabled.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                      Default Value
pollintv        Sets the polling interval (in minutes) at which the SNTP         0 (disabled)
                client will sync with a designated server. This can be any
                value between 0 and 30.
Example
--> sntpclient set pollintv 10
5.3.3.1.9 SNTPCLIENT SYNC
Syntax
SNTPCLIENT SYNC
Description
This command forces the SNTP client to immediately synchronize the local time with the
server located in the association list (if unicast) or, if anycast is enabled, initiate an anycast
sequence to the network.
Example
--> sntpclient sync
See also
SNTPCLIENT ADD SERVER
5.3.3.1.10 SNTPCLIENT SET TIMEOUT
Syntax
SNTPCLIENT SET TIMEOUT <timeout>
Description
This command sets the received packet response timeout value (in seconds) upon sync
request initiation. After the timeout, if the SNTPCLIENT SET RETRIES command value is set, an
attempt will be retried.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                      Default Value
timeout         Sets the received packet response timeout value (in              5 seconds
                seconds). This can be any value between 0 and 30.
Example
--> sntpclient set timeout 10
See also
SNTPCLIENT SET RETRIES
5.3.3.1.11 SNTPCLIENT SET RETRIES
Syntax
SNTPCLIENT SET RETRIES <retries>
Description
This command sets the number of packet retry attempts when no response is received
from a timeserver. The SNTP client will send another packet for synchronization after a
timeout.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                                      Default Value
retries         Sets the number (between 0-10) of packet retry attempts          2
                made when no response is received from a timeserver.
Example
--> sntpclient set retries 4
See also
SNTPCLIENT SET TIMEOUT
5.3.3.1.12 SNTP SHOW STATUS
Syntax
SNTPCLIENT SHOW STATUS
Description
This command displays the SNTP client status information.
Example
--> sntpclient show status
- SNTP CLIENT STATUS ---------------------
Clock Synchronized:            TRUE
SNTP Standard Version Number:  4
SNTP Mode(s) Configured:       Unicast
Local Time:                    Mon, 14 Sep 2009 - 05:36:26
Local Timezone:                EST, US Eastern Standard Time
Time Difference +- UTC:        -4:00
Server Stratum:                3
Precision:                     1/1048576 of a second
Root Delay:                    +0.618 second(s)
Dispersion:                    0.5578 second(s)
Server Reference ID:           10.17.90.68
Round Trip Delay:              0 second(s)
Local Clock Offset:            -17999 second(s)
Resync Poll Interval:          20 minute(s)
Packet Retry Timeout:          5 second(s)
Packet Retry Attempts:         2
Daylight Saving :              Enabled
Daylight Saving Done :         True
See also
SNTPCLIENT LIST SERVERS
5.3.3.1.13 SNTPCLIENT SET CLOCK
Syntax
SNTPCLIENT SET CLOCK <sntpclock>
Description
This command sets the system clock to a specific time and date. This command can be
used as an alternative to synchronizing the local system clock via internal or external
timeservers.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).
Option          Description                                          Default Value
sntpclock       Sets the time and date of the system clock in        N/A
                the following format: yyyy:mm:dd:hh:mm:ss
Example
The following command sets the system clock to 11:10:13pm, 29th December 2003:
--> sntpclient set clock 2003:12:29:23:10:13
6. Voice Service
6.1 VoIP MGCP
The MGCP (Media Gateway Control Protocol) is a protocol that assumes a call control architecture where the
call control ‘intelligence’ is outside the gateways and is handled by external call control elements, the call agents.
MGCP assumes that the gateways have limited storage and functionality.
There are therefore two MGCP entities: the Call Agent (Media Gateway Controller, MGC), which handles the call control
‘intelligence’, that is, the call signaling and call processing functions, and the Media Gateway (MG), which
provides conversion between the audio signals carried on telephone circuits and data packets carried over the
Internet or other packet networks and is expected to execute the commands sent by the Call Agent.
iMG/RG/iBG devices implement the Media Gateway side.
MGCP is a master/slave protocol: the call agent is mandatory, manages the calls and conferences and
supports the services provided, while the endpoint is unaware of the calls and conferences and does not maintain call
state; it is simply expected to execute commands sent by the call agent.
6.1.1 MGCP Functional Description
6.1.1.1 Endpoints
iMG/RG/iBG devices support the configuration of each FXS (Foreign Exchange Station) voice port as a separate
MGCP analogue endpoint allowing a different level of services (number of phone lines) to be delivered.
Each voice port is uniquely identified through an endpoint identifier that, by default, takes the following syntax:
Syntax
aaln/<slot>@[$IP]
where:
AALN - Analog Access Line eNdpoint. This name indicates that the endpoint is of analog type (only FXS voice
interfaces are supported).
<slot> - indicates the index of the voice port. Physical voice ports start with index 0, the second physical voice
port uses index 1 and so on.
$IP - the IP address of the IP interface where the MGCP protocol is enabled. It is typically used in a multi-host
configuration where more than one IP interface is configured in the system, or when the IP interface is
dynamic and therefore the value is dynamically assigned by the network.
6.1.1.2 Custom endpoints syntax
iMG/RG/iBG devices allow analog endpoint MGCP identifiers to be customized to meet VoIP network configuration requirements.
The syntax of each endpoint identifier can be set to any string but must include at least a local name description
in the format:
aaln/<slot>
The local and domain name parts of an endpoint identifier can also use special keywords identified by the “$”
sign that are automatically replaced by the value of the attribute they represent.
The following two special keywords are supported:
$IP - when used, this keyword is automatically replaced by the IP address value (in IPv4 dotted format) of the IP
interface where the MGCP protocol has been enabled.
$MAC - when used, this keyword is automatically replaced by the MAC address of the iMG/RG/iBG device.
It is therefore possible to create complex endpoint identifiers like the following:
aaln/0@[$IP], which will be translated at runtime into, for example: aaln/0@[172.30.1.1]
aaln/0@$IP, which will be translated at runtime into, for example: aaln/0@172.30.1.1
aaln/0@$MAC, which will be translated at runtime into, for example: aaln/0@00:0d:da:01:fe:ac
$MAC:aaln/0@[$IP], which will be translated at runtime into, for example: 00:0d:da:01:fe:ac:aaln/0@[172.30.1.1]
aaln/0@any-string-here
To specify a new endpoint syntax for an existing voice port the following command is used:
voip mgcp protocol set endpoint-syntax <ep-syntax> port <voice-port>
where
<ep-syntax> is the endpoint identifier string as described above
<voice-port> is the name of the physical voice port (tel1, tel2, ...)
6.1.2 Piggyback
iMG/RG/iBG devices support piggy-back MGCP message handling.
As described in RFC 2705, piggy-back refers to the ability of a Call Agent to send several messages at the
same time to the same gateway in the same UDP packet, separating each MGCP message by a line of
text that contains a single dot.
Support for piggy-back is enabled by default on iMG/RG/iBG devices and can be disabled/enabled via the following command:
voip mgcp protocol set piggyback disable|enable
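The two mechanisms just described, keyword expansion of the endpoint identifier (section 6.1.1.2) and splitting of piggy-backed messages at a single-dot line (section 6.1.2), are shown together below as an added example; this is not the gateway's firmware. The expansion reuses the page's own identifiers and example values, and the split is exercised on a constructed datagram carrying an AuditEndpoint and an AuditConnection command (the AUEP/AUCX verbs and the F:/I: parameter lines are the RFC 2705 forms); the helper names are assumptions made for this illustration.

```python
"""MGCP endpoint identifier expansion and piggy-back message splitting, as an
added example (not the gateway's firmware).  Keyword expansion of $IP/$MAC,
the mandatory aaln/<slot> local name and the single-dot separator follow the
page; the datagram sample and the helper names are constructed for this example."""
import re

LOCAL_NAME = re.compile(r"aaln/(\d+)")


def is_valid_endpoint_syntax(template):
    """An endpoint syntax may be any string but must contain aaln/<slot>."""
    return LOCAL_NAME.search(template) is not None


def expand_endpoint(template, ip, mac):
    """Replace the $IP and $MAC keywords with the interface address and device MAC."""
    if not is_valid_endpoint_syntax(template):
        raise ValueError("endpoint syntax must contain aaln/<slot>: %r" % template)
    return template.replace("$IP", ip).replace("$MAC", mac)


def endpoint_slot(endpoint_id):
    """Voice port index carried in the identifier (tel1 -> slot 0, tel2 -> slot 1, ...)."""
    return int(LOCAL_NAME.search(endpoint_id).group(1))


def split_piggyback(datagram):
    """Split one UDP payload into the MGCP messages it piggy-backs.
    Messages are separated by a line holding a single dot; the last message
    needs no trailing separator."""
    messages, current = [], []
    for line in datagram.decode("ascii").split("\n"):
        if line.strip() == ".":
            if current:
                messages.append("\n".join(current))
            current = []
        else:
            current.append(line)
    if any(l.strip() for l in current):
        messages.append("\n".join(current).rstrip("\n"))
    return messages


def parse_command_line(message):
    """First line of an MGCP command: verb, transaction id, endpoint, protocol version."""
    first = message.split("\n", 1)[0]
    verb, txid, endpoint, proto, version = first.split(" ", 4)
    return {"verb": verb, "transaction_id": int(txid), "endpoint": endpoint,
            "version": proto + " " + version}


# Constructed sample: two audit commands piggy-backed in one datagram.
SAMPLE_DATAGRAM = (
    b"AUEP 1201 aaln/0@[172.30.1.1] MGCP 1.0\n"
    b"F: A\n"
    b".\n"
    b"AUCX 1202 aaln/1@[172.30.1.1] MGCP 1.0\n"
    b"I: 3f2a\n"
    b"F: C\n"
)

if __name__ == "__main__":
    print(expand_endpoint("$MAC:aaln/0@[$IP]", "172.30.1.1", "00:0d:da:01:fe:ac"))
    for msg in split_piggyback(SAMPLE_DATAGRAM):
        print(parse_command_line(msg))
```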
6.1.3 Wildcard
iMG/RG/iBG devices support wildcard endpoint identifiers.
By default wildcard support is disabled.
It can be enabled/disabled via the following CLI command:
voip mgcp protocol set wildcard enable|disable
When wildcard support is enabled, iMG/RG/iBG devices replace the local name part of the endpoint identifier with the “*” character in RSIP messages.
In this case only one RSIP message is sent, notifying the call agent that all the endpoints have been
taken out of service and are being placed back in service.
6.1.4 Heartbeat
iMG/RG/iBG devices support the heartbeat mechanism to detect whether User Agents are still active.
Each iMG/RG/iBG voice port has a unique User Agent permanently associated with it.
The heartbeat mechanism is typically required in deployments that use Network Address Translation (NAT).
The reason for this requirement is that if a NAT binding expires, there is no way for a Call Agent to send an
incoming call to the User Agent, as NAT bindings are created by outgoing UDP packets.
Using a heartbeat mechanism allows the User Agent to detect loss of the NAT binding (due, for example, to a DSL
uplink failure) and recreate it if required.
The heartbeat mechanism is implemented through the use of Audit commands such as AuditConnection and AuditEndpoint.
iMG/RG/iBG User Agents support a configurable heartbeat timer. The User Agent waits for either the expiry
of this timer, the reception of a command for the endpoint from the Call Agent, or the detection of local user
activity for the endpoint, such as an off-hook transition.
If the heartbeat timer expires the User Agent enters the “disconnected” procedure. The User Agent runs a further disconnect timer and, if it does not receive a command from the Call Agent or detect local activity before
that timer expires, sends an RSIP disconnected command to the Call Agent.
If it does not receive a response it continues to periodically retry to contact the provisioned Call Agents.
If the Call Agent is using the above heartbeat mechanism, the heartbeat timer should be set to a value that
allows the Call Agent to send audit commands often enough that the User Agent sees at least 3 audit
commands in the heartbeat time interval. This prevents a single packet loss from causing the User Agent to
become “disconnected”.
By default heartbeat is disabled and can be enabled via the following command:
voip mgcp protocol set heartbeat enable|disable
When heartbeat is enabled, each endpoint (or User Agent) supervises the operational status of the Call Agent independently of the status of the other endpoints.
It is possible to force a specific User Agent to check for Call Agent activity and to act as master for the other
User Agents as well. If that endpoint does not receive a command from the Call Agent within the heartbeat
timer time-out, it forces all the User Agents to enter the disconnected procedure.
To activate this behavior, it is necessary to enable the heartbeat and then enter the following command:
voip mgcp protocol set heartbeat port <endpoint-name>
To return to the default behavior, it is necessary to disable the heartbeat and then re-enable it.
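The supervision described in this section, as an added example in Python (not vendor code): heartbeat and disconnect timers driven by explicit timestamps, the “at least 3 audits per heartbeat interval” provisioning check, and the optional master endpoint that drags all other User Agents into the disconnected procedure. The RSIP retry period and the timer values are assumptions chosen for the example.

```python
"""Model of the MGCP heartbeat supervision described in section 6.1.4.

Added example, not vendor code. Time is passed in explicitly (seconds), so the
state machine can be exercised without real timers or network traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def audits_per_heartbeat(heartbeat_timer_s: float, audit_period_s: float) -> int:
    """Audit commands the User Agent sees inside one heartbeat interval."""
    if audit_period_s <= 0:
        raise ValueError("audit period must be positive")
    return int(heartbeat_timer_s // audit_period_s)


def heartbeat_timer_is_safe(heartbeat_timer_s: float, audit_period_s: float) -> bool:
    """Provisioning rule from section 6.1.4: at least 3 audits per heartbeat
    interval, so that a single lost packet cannot push the endpoint into the
    'disconnected' procedure."""
    return audits_per_heartbeat(heartbeat_timer_s, audit_period_s) >= 3


@dataclass
class UserAgent:
    """One voice port (tel1, tel2, ...) and its supervision timers."""
    name: str
    heartbeat_timer: float           # seconds without CA command or local activity
    disconnect_timer: float          # grace period of the disconnected procedure
    retry_period: float = 30.0       # assumed interval between RSIP retries
    last_activity: float = 0.0
    procedure_started: Optional[float] = None
    last_rsip: Optional[float] = None
    state: str = "connected"         # connected | disconnecting | disconnected
    sent: List[str] = field(default_factory=list)

    def activity(self, now: float) -> None:
        """A Call Agent command (e.g. AuditEndpoint) or local user activity
        (off-hook) restarts the heartbeat timer and cancels the procedure."""
        self.last_activity = now
        self.procedure_started = None
        self.state = "connected"

    def enter_disconnected_procedure(self, now: float) -> None:
        if self.state == "connected":
            self.state = "disconnecting"
            self.procedure_started = now

    def tick(self, now: float) -> None:
        """Advance the timers to time 'now'."""
        if self.state == "connected" and now - self.last_activity >= self.heartbeat_timer:
            self.enter_disconnected_procedure(now)
        if self.state == "disconnecting" and now - self.procedure_started >= self.disconnect_timer:
            self.state = "disconnected"
            self._send_rsip(now)
        elif self.state == "disconnected" and now - self.last_rsip >= self.retry_period:
            self._send_rsip(now)         # keep retrying the provisioned Call Agents

    def _send_rsip(self, now: float) -> None:
        self.sent.append(f"RSIP {self.name} RM: disconnected")   # RFC 3435 restart method
        self.last_rsip = now


class Gateway:
    """All User Agents of one gateway, optionally supervised by a master endpoint
    (voip mgcp protocol set heartbeat port <endpoint-name>)."""

    def __init__(self, agents: List[UserAgent], master: Optional[str] = None) -> None:
        self.agents: Dict[str, UserAgent] = {a.name: a for a in agents}
        if master is not None and master not in self.agents:
            raise ValueError(f"unknown endpoint {master!r}")
        self.master = master

    def tick(self, now: float) -> None:
        for agent in self.agents.values():
            agent.tick(now)
        # With a master endpoint, its heartbeat expiry drags every other
        # endpoint into the disconnected procedure as well.
        if self.master is not None and self.agents[self.master].state != "connected":
            for agent in self.agents.values():
                agent.enter_disconnected_procedure(now)
```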
6.1.5 Call Agent Failover
iMG/RG/iBG support a dual Call Agent failover mechanism to switch between inactive and active call agents in
order to support high availability services.
The failover mechanism is triggered any time a request sent by a User Agent does not get an answer from
the Call Agent within the round-trip time-out.
In this case, if more than one call agent is configured, the User Agent re-sends the same command to
the second call agent. As soon as the User Agent gets an answer from the second call agent, the second call agent
becomes the active call agent and is used for all subsequent requests.
The process repeats any time a call agent is not reachable, switching communications in this way from the
primary call agent to the secondary call agent and vice versa.
The current active call agent can be identified by the “*” marker character in the call agent list:
the active call agent is the one marked with the “*” char.
By default the first call agent in the call agent list is the one that iMG/RG/iBG will attempt to contact
first.
The call agent order of preference can be changed by specifying the master attribute:
voip mgcp callagent set <call-agent-name> master
Only one call agent at a time can be master.
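The failover behaviour above, as an added example in Python (not vendor code): the call agent list is built with the name rules of VOIP MGCP CALLAGENT CREATE, a request that gets no answer within the round-trip time-out is resent to the next agent, the first agent that answers becomes the active one (marked with “*”), and SET MASTER changes the preference. The network is replaced by a callable that returns the answer or None on time-out; the addresses are constructed sample values.

```python
"""Model of the dual Call Agent failover described in section 6.1.5.

Added example, not vendor code. The network is simulated by a callable that
returns the Call Agent's answer, or None when the round-trip time-out expires.
"""
from typing import Callable, List, Optional


class CallAgent:
    def __init__(self, name: str, contact: str) -> None:
        self.name = name          # VOIP MGCP CALLAGENT CREATE <name> ...
        self.contact = contact    # ... CONTACT <host>
        self.master = False


class CallAgentTable:
    """The call agent list as built by VOIP MGCP CALLAGENT CREATE / SET MASTER."""

    def __init__(self, roundtrip_ms: int = 1000) -> None:
        self.agents: List[CallAgent] = []
        self.roundtrip_ms = roundtrip_ms      # VOIP MGCP PROTOCOL SET ROUNDTRIPTIME
        self.active: Optional[CallAgent] = None

    def create(self, name: str, contact: str) -> None:
        """Name rules from the CALLAGENT CREATE options: unique, at most 16
        characters, not starting with a digit, no '.' or '/'."""
        if any(a.name == name for a in self.agents):
            raise ValueError(f"call agent {name!r} already exists")
        if not name or len(name) > 16 or name[0].isdigit() or "." in name or "/" in name:
            raise ValueError(f"invalid call agent name {name!r}")
        if len(contact) > 256:
            raise ValueError("contact host longer than 256 characters")
        self.agents.append(CallAgent(name, contact))
        if self.active is None:
            self.active = self.agents[0]      # first in the list is tried first

    def set_master(self, name: str) -> None:
        """Only one call agent at a time can be master; it becomes the preferred one."""
        chosen = next((a for a in self.agents if a.name == name), None)
        if chosen is None:
            raise ValueError(f"unknown call agent {name!r}")
        for a in self.agents:
            a.master = a is chosen
        self.active = chosen

    def preference(self) -> List[CallAgent]:
        """Order in which the next request is attempted: active agent first."""
        return [self.active] + [a for a in self.agents if a is not self.active]

    def send(self, command: str, reply: Callable[[str, str], Optional[str]]) -> str:
        """Send a command; on round-trip time-out resend it to the next agent.
        The first agent that answers becomes the active one for later requests."""
        if not self.agents:
            raise RuntimeError("no call agent configured")
        for agent in self.preference():
            answer = reply(agent.contact, command)   # None == no answer in roundtrip_ms
            if answer is not None:
                self.active = agent
                return answer
        raise TimeoutError(f"no call agent answered {command!r} within {self.roundtrip_ms} ms")

    def rows(self) -> List[str]:
        """Rows in the layout of VOIP MGCP CALLAGENT LIST; '*' marks the active agent."""
        out = []
        for idx, a in enumerate(self.agents, start=1):
            master = str(a.master).lower() + (" *" if a is self.active else "")
            out.append(f"{idx:>4} | {a.name:<10} | {master:<8} | {a.contact}")
        return out
```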
6.1.6 Functional Differences for VoIP MGCP in Product Categories
The table below is intended to identify what is common amongst the product families - as well as where there
are differences - to highlight those differences. To determine which family your device belongs to - please refer
to the preface.
TABLE 6-1 Functional Mapping for VoIP MGCP

Functions             Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A  ADSL B  ADSL C
Endpoints             X        X        X        X        X        X        X       X       X
Piggyback             X        X        X        X        X        X        X       X       X
Wildcard              X        X        X        X        X        X        X       X       X
Heartbeat             X        X        X        X        X        X        X       X       X
Call Agent Failover   X        X        X        X        X        X        X       X       X
6.1.7 VOIP MGCP command reference
This section describes the commands available on iMG/RG/iBG to configure and manage the MGCP protocol
module.
6.1.7.1 VoIP MGCP CLI commands
The table below lists the voip mgcp commands provided by the CLI:
TABLE 6-2 VoIP MGCP commands

Functions                               Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A  ADSL B  ADSL C
VOIP MGCP PROTOCOL DISABLE              X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL ENABLE               X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL RESTART              X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SET DEFAULTPORT      X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SET HEARTBEAT        X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SET NAT              X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SET NETINTERFACE     X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SET PIGGYBACK        X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SET PROFILE          X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SET REFRESH-TIME     X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SET ROUNDTRIPTIME    X        X        X        X        X        X        X       X       X
VOIP MGCP PROTOCOL SHOW                 X        X        X        X        X        X        X       X       X
VOIP MGCP CALLAGENT CREATE              X        X        X        X        X        X        X       X       X
VOIP MGCP CALLAGENT SET MASTER          X        X        X        X        X        X        X       X       X
VOIP MGCP CALLAGENT DELETE              X        X        X        X        X        X        X       X       X
VOIP MGCP CALLAGENT LIST                X        X        X        X        X        X        X       X       X
6.1.7.1.1 VOIP MGCP PROTOCOL DISABLE
Syntax
VOIP MGCP PROTOCOL DISABLE
Description
This command stops the VoIP MGCP signalling protocol and releases all the resources
associated with it.
This command is typically used when it is necessary to change the VoIP signalling protocol, e.g. from MGCP to SIP.
To simply restart the MGCP module, use the VOIP MGCP PROTOCOL RESTART command, which does not remove any resources defined for the protocol.
To enable the MGCP module, use the VOIP MGCP PROTOCOL ENABLE command.
Example
--> voip mgcp protocol disable
See also
VOIP MGCP PROTOCOL RESTART
VOIP MGCP PROTOCOL ENABLE
6.1.7.1.2 VOIP MGCP PROTOCOL ENABLE
Syntax
VOIP MGCP PROTOCOL ENABLE
Description
This command turns on the MGCP signaling module.
To bind the MGCP module to a specific IP interface use the VOIP MGCP PROTOCOL
SET NETINTERFACE command.
Binding the MGCP module to a specific IP interface defines the value of the source IP
address for signalling and voice packets.
Example
--> voip mgcp protocol enable
See also
VOIP MGCP PROTOCOL SHOW
VOIP MGCP PROTOCOL DISABLE
6.1.7.1.3 VOIP MGCP PROTOCOL RESTART
Syntax
VOIP MGCP PROTOCOL RESTART
Description
This command restarts the VoIP MGCP signaling protocol module.
Any pending and active calls are released.
This command doesn't release any resources previously created during module configuration.
Example
--> voip mgcp protocol restart
See also
VOIP MGCP PROTOCOL ENABLE
6.1.7.1.4 VOIP MGCP PROTOCOL SET DEFAULTPORT
Syntax
VOIP MGCP PROTOCOL SET DEFAULTPORT <ipport>
Description
This command sets the default listening/sending port used for MGCP signaling messages.
By default, when the MGCP module is attached to an IP interface using the VOIP MGCP
PROTOCOL SET NETINTERFACE command, the following default value is used:
defaultport:2427
Changing the signaling port causes the MGCP module to restart.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option    Description                                                           Default Value
ipport    UDP/TCP port number used for signalling messages. Available values    2427
          are in the range 1026 to 65534. Only even values can be accepted.
Example
--> voip mgcp protocol set defaultport 2427
See also
VOIP MGCP PROTOCOL ENABLE
6.1.7.2 VOIP MGCP PROTOCOL SET ENDPOINT-SYNTAX
Syntax
VOIP MGCP PROTOCOL SET ENDPOINT-SYNTAX <ep-syntax> port
<portname>
Description
This command allows you to customize the endpoint identifier (EPID) used inside MGCP
messages. The endpoint identifier syntax can be built using the variables listed in the
following table:

Variable   Description
TBD        TBD
$IP        It will be replaced with the gateway’s IP Address
$MAC       It will be replaced with the gateway’s MAC Address
$HOST      It will be replaced with the gateway’s System name
           (if the system name is not configured, the IP address will be used).

The endpoint identifier syntax default value depends on the MGCP profile in use. The following table lists all the
combinations.
TABLE 6-3 Possible Combinations for MGCP Profile

TBD                          TBD
NONE, AGS, GB and SIEMENS    aaln/0@[$IP] for endpoint tel1
                             aaln/1@[$IP] for endpoint tel2
                             aaln/2@[$IP] for endpoint tel3
                             aaln/3@[$IP] for endpoint tel4
MARCONI                      aaln/1@[$IP] for endpoint tel1
                             aaln/2@[$IP] for endpoint tel2
                             aaln/3@[$IP] for endpoint tel3
                             aaln/4@[$IP] for endpoint tel4
SPHERE                       $MAC:aaln/0@[$IP] for endpoint tel1
                             $MAC:aaln/1@[$IP] for endpoint tel2
                             $MAC:aaln/2@[$IP] for endpoint tel3
                             $MAC:aaln/3@[$IP] for endpoint tel4
CISCOBTS                     aaln/0@$IP for endpoint tel1
                             aaln/1@$IP for endpoint tel2
                             aaln/2@$IP for endpoint tel3
                             aaln/3@$IP for endpoint tel4
If the system name is not set and/or is not configured by DHCP, the $HOST variable is replaced by the IP
address.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option      Description                                             Default Value
ep-syntax   The endpoint identifier used by the gateway and by      -
            the Call Agent in the command messages.

Example
Suppose a device has the following parameter values:
IP Address=10.17.90.135
MAC Address=10:20:30:40:50:61
System name=gatewat-90-135
Example
--> voip mgcp prot set endpoint-syntax aaln/0@[$IP] port tel1
The endpoint identifier is: aaln/0@[10.17.90.135]
Example
--> voip mgcp prot set endpoint-syntax $MAC:aaln/0@[$IP] port tel1
The endpoint identifier is: 102030405061:aaln/0@[10.17.90.135]
Example
--> voip mgcp prot set endpoint-syntax $MAC:aaln/1@[$HOST] port tel2
The endpoint identifier is: 102030405061:aaln/1@[gatewat-90-135]
Example
--> voip mgcp prot set endpoint-syntax tel3@[$HOST] port tel3
The endpoint identifier is: tel3@[gatewat-90-135]
Example
--> voip mgcp prot set endpoint-syntax aaln/0@$IP port tel1
The endpoint identifier is: aaln/0@10.17.90.135
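The variable expansion shown in these examples, as an added example in Python (not vendor code), covering the $IP/$MAC/$HOST substitution of this command, the per-profile defaults of TABLE 6-3 and the RSIP wildcard replacement of section 6.1.3. It assumes that $MAC is rendered as 12 hex digits without separators, as the worked examples above show, and that $HOST falls back to the IP address when no system name is set; the sample values are the ones used above.

```python
"""Expansion of iMG/RG MGCP endpoint-syntax strings (added example, not vendor code)."""
import ipaddress
import re
from typing import Optional, Tuple

# Constructed sample values; they match the worked examples in the manual.
SAMPLE_IP = "10.17.90.135"
SAMPLE_MAC = "10:20:30:40:50:61"
SAMPLE_HOST = "gatewat-90-135"

# Default endpoint syntax per MGCP profile (TABLE 6-3): (index offset, template).
PROFILE_DEFAULTS = {
    "none": (0, "aaln/{n}@[$IP]"),
    "ags": (0, "aaln/{n}@[$IP]"),
    "gb": (0, "aaln/{n}@[$IP]"),
    "siemens": (0, "aaln/{n}@[$IP]"),
    "marconi": (1, "aaln/{n}@[$IP]"),
    "sphere": (0, "$MAC:aaln/{n}@[$IP]"),
    "ciscobts": (0, "aaln/{n}@$IP"),
}


def default_endpoint_syntax(profile: str, port: str) -> str:
    """Return the default endpoint syntax for a voice port (tel1, tel2, ...)."""
    offset, template = PROFILE_DEFAULTS[profile.lower()]
    m = re.fullmatch(r"tel(\d+)", port)
    if not m:
        raise ValueError(f"unknown voice port: {port!r}")
    return template.format(n=int(m.group(1)) - 1 + offset)


def expand_endpoint_syntax(template: str, ip: str, mac: str,
                           host: Optional[str]) -> str:
    """Replace $IP, $MAC and $HOST in an endpoint-syntax string.

    Assumptions not spelled out in the manual's variable table:
      * $MAC is rendered as 12 hex digits without separators, as the
        worked examples show (10:20:30:40:50:61 -> 102030405061);
      * $HOST falls back to the IP address when no system name is set.
    """
    ipaddress.IPv4Address(ip)            # ValueError on a malformed address
    mac_digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(mac_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    out = template
    for var, value in (("$HOST", host or ip), ("$MAC", mac_digits), ("$IP", ip)):
        out = out.replace(var, value)
    if "$" in out:
        raise ValueError(f"unsupported variable in {template!r}")
    return out


def split_endpoint(epid: str) -> Tuple[str, str]:
    """Split an MGCP endpoint identifier into local name and domain name."""
    local, sep, domain = epid.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a local@domain endpoint identifier: {epid!r}")
    return local, domain


def wildcard_rsip_endpoint(epid: str) -> str:
    """Endpoint identifier used in RSIP when wildcard support is enabled.

    Section 6.1.3: the local-name part is replaced by the '*' character,
    so a single RSIP covers every endpoint on the gateway.
    """
    _, domain = split_endpoint(epid)
    return "*@" + domain


if __name__ == "__main__":
    for port in ("tel1", "tel2"):
        syntax = default_endpoint_syntax("sphere", port)
        epid = expand_endpoint_syntax(syntax, SAMPLE_IP, SAMPLE_MAC, SAMPLE_HOST)
        print(f"{port}: {syntax} -> {epid}")
    print("RSIP wildcard:", wildcard_rsip_endpoint(epid))
```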
6.1.7.2.1 VOIP MGCP PROTOCOL SET HEARTBEAT
Syntax
VOIP MGCP PROTOCOL SET HEARTBEAT {ENABLE|DISABLE}
Description
This command enables/disables the heartbeat feature. The heartbeat consists of an
MGCP message periodically sent by the gateway to inform the call agent that the
endpoints are up and running. The heartbeat is implemented only under some specific
MGCP profiles, and the heartbeat message sent differs for each profile. The following
table lists the profiles and heartbeat messages.

TBD        TBD
sphere     NTFY 48 000dda010203:aaln/0[192.168.1.10] MGCP 1.0
           X: 1234567
           N: hb
nuera      RSIP 48 aaln/0[192.168.1.10] MGCP 1.0 NCS 1.0
           RM: x-refresh
siemens    RSIP 48 aaln/0[192.168.1.10] MGCP 1.0
           RM: x-keepalive
Example
--> voip mgcp protocol set heartbeat enable
See also
VOIP MGCP PROTOCOL SET PROFILE
VOIP MGCP PROTOCOL SET REFRESH-TIME
6.1.7.2.2 VOIP MGCP PROTOCOL SET NAT
Syntax
VOIP MGCP PROTOCOL SET NAT {NONE | <host>}
Description
This command sets the NAT host reference. Any local address reference in MGCP messages is
masked by the NAT address value.
Changing the NAT reference causes the MGCP module to restart.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option   Description                                                  Default Value
host     The address that must be displayed in the MGCP messages. It  None
         can be expressed in hostname format or IPv4 format. A
         hostname can be a maximum of 255 characters long.

Example
--> voip mgcp protocol set nat 10.17.90.110
Example
--> voip mgcp protocol set nat at-img600.voip.atkk.com
See also
VOIP MGCP PROTOCOL ENABLE
6.1.7.2.3 VOIP MGCP PROTOCOL SET NETINTERFACE
Syntax
VOIP MGCP PROTOCOL SET NETINTERFACE <interface_name>
Description
This command sets the IP interface used to access the VoIP network.
Signaling and voice packets will use the Source IP address defined for the selected interface.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option           Description                                              Default Value
interface_name   An existing IP interface. To display interface names,    N/A
                 use the IP LIST INTERFACES command.
Example
--> voip MGCP protocol set netinterface ip0
See also
VOIP MGCP PROTOCOL ENABLE
6.1.7.2.4 VOIP MGCP PROTOCOL SET PIGGYBACK
Syntax
VOIP MGCP PROTOCOL SET PIGGYBACK {ENABLE|DISABLE}
Description
This command enables/disables the MGCP piggy-back feature as described in RFC 3435
(3.5.5 Piggy-backing). This feature is enabled by default; this command allows the user to
disable it.
Example
--> voip mgcp protocol set piggyback disable
6.1.7.2.5 VOIP MGCP PROTOCOL SET PROFILE
Syntax
VOIP MGCP PROTOCOL SET PROFILE <profile>
Description
This command sets a specific customer MGCP call agent profile. It is used to address
interoperability constraints when the MGCP module has to work with a call agent that
differs from a standard implementation.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option    Description                                                     Default Value
profile   The specific customer call-agent type. Possible values are:     none
          ags, audiocodes, ciscobts, gb, huawei, marconi, metaswitch,
          ncs, netcentrex, nuera, siemens, sphere, sttnortel and none.

Example
--> voip mgcp protocol set profile ags
6.1.7.2.6 VOIP MGCP PROTOCOL SET REFRESH-TIME
Syntax
VOIP MGCP PROTOCOL SET REFRESH-TIME <sec>
Description
This command sets the refresh time used by the heartbeat feature, i.e. the number of
seconds between two successive heartbeat messages. In some profiles the heartbeat
message is sent only if there is no activity (no other MGCP messages) sent or received
by the endpoint.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option   Description                                        Default Value
sec      Number of seconds between two heartbeat messages.  none

Example
--> voip mgcp protocol set refresh-time 30
6.1.7.2.7 VOIP MGCP PROTOCOL SET ROUNDTRIPTIME
Syntax
VOIP MGCP PROTOCOL SET ROUNDTRIPTIME <msec>
Description
This command sets the maximum time-out within which an MGCP message must be acknowledged by the call agent before the same message is retransmitted.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option   Description                                          Default Value
msec     Maximum number of milliseconds that the system       1000
         waits for an answer from the call agent.

Example
--> voip mgcp protocol set roundtriptime 1500
6.1.7.2.8 VOIP MGCP PROTOCOL SHOW
Syntax
VOIP MGCP PROTOCOL SHOW [<name>]
Description
This command displays basic MGCP module configuration parameters set by the VOIP
MGCP PROTOCOL ENABLE command.
Options
The following table gives the range of values for each option, which can be specified with
this command, and a default value (if applicable).

Option   Description                                            Default Value
name     An existing access port. To display the existing       N/A
         access port names, use the VOIP EP LIST command.

Example
--> voip mgcp protocol show
Gateway base protocol: MGCP
--------------------------------------------------------
Profile:                        sphere
Supported packages:             Basic, Generic Media, DTMF, Line
Piggy-Back:                     Enable
Network interface:              ip0
Default port:                   2427
NAT:                            None
HeartBeat:                      Enable
HeartBeat Refresh Time:         15
Round-trip time:                10000 msecs.
Maximum re-transmition time:    30 secs.
Network loss rate:              0 %
TEL1 Syntax Name:               aaln/0@[$IP]
TEL2 Syntax Name:               aaln/1@[$IP]
Example
-> voip mgcp protocol show tel1
Gateway base protocol: MGCP end-point tel1
--------------------------------------------------------
Operational state:              Normal
Notified call-agent:            None
Digit-map: (default)            x.T
           (current)            x
See also
VOIP MGCP PROTOCOL ENABLE
6.1.7.2.9 VOIP MGCP CALLAGENT CREATE
Syntax
VOIP MGCP CALLAGENT CREATE <name> CONTACT <host>
Description
This command sets the call agent address. More than one call agent can be defined to
increase system robustness in case of server failure.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option   Description                                                  Default Value
name     An arbitrary name that identifies the call agent. The        N/A
         name must not be present already. The name can be a
         maximum of 16 characters long; it cannot start with a digit
         and cannot contain dots '.' or slash symbols '/'.
host     The hostname or IPv4 address of the call agent. Host can     N/A
         be a maximum of 256 chars long (when using hostname
         format).
Example
--> voip mgcp callagent create default contact 192.168.102.3
See also
VOIP MGCP CALLAGENT LIST
VOIP MGCP CALLAGENT DELETE
6.1.7.2.10 VOIP MGCP CALLAGENT SET MASTER
Syntax
VOIP MGCP CALLAGENT SET <name> MASTER
Description
This command sets an existing call agent as Master. The Master call agent is the one
that is attempted first. If communication with it fails, the other call agent in the list
is used.
Example
--> voip mgcp callagent set default master
See also
VOIP MGCP CALLAGENT LIST
VOIP MGCP CALLAGENT DELETE
6.1.7.2.11 VOIP MGCP CALLAGENT DELETE
Syntax
VOIP MGCP CALLAGENT DELETE <name>
Description
This command deletes a previously defined call agent created using the VOIP MGCP
CALLAGENT CREATE command.
To show the list of existing CALLAGENT entries, use the VOIP MGCP CALLAGENT
LIST command.
Options
The following table gives the range of values for each option that can be specified with
this command and a default value (if applicable).

Option   Description                                                 Default Value
name     A name (or the ID value) that identifies an existing call   N/A
         agent. To display the existing call agent entries, use the
         VOIP MGCP CALLAGENT LIST command.
Example
--> voip mgcp callagent delete default
See also
VOIP MGCP CALLAGENT CREATE
VOIP MGCP CALLAGENT LIST
6.1.7.2.12 VOIP MGCP CALLAGENT LIST
Syntax
VOIP MGCP CALLAGENT LIST
Description
This command lists information about CALLAGENT entries added using the VOIP MGCP
CALLAGENT CREATE command.
The following information is displayed:
Call agent ID numbers
Call agent names
Note:
If a call agent name is longer than 32 chars, the name is shown in a short format (only the initial part of
the name is displayed).
Example
--> voip mgcp callagent list
Gateway call-agents:
  ID |    Name    |  Master  |      Contact
-----|------------|----------|--------------------
   1 | default    | true *   | 172.39.1.201
--------------------------------------------------
See also
VOIP MGCP CALLAGENT CREATE
VOIP MGCP CALLAGENT SHOW
6.2 VoIP SIP
This chapter describes how to configure the iMG for connection to a VoIP network using the SIP protocol.
6.2.1 iMG SIP Overview
6.2.1.1 iMG call processes
The iMG can communicate with the following devices:
• Another VoIP terminal on the IP network, such as another iMG.
• Any LAN SIP endpoint on the IP network, for instance:
  • A Soft Phone
  • An IP phone directly connected to the IP network
6.2.1.2 Calls involving another terminal
The following example shown in Figure 6-1 illustrates how to reach a phone or fax on another iMG terminal.
FIGURE 6-1 Phone --> iMG(A) --> iMG(B) --> Phone
(Figure: an analog phone attached to Unit A and an analog phone attached to Unit B, both units connected through the VoIP IP network, with a SIP Server on the network.)
A user makes a call with the phone connected to an iMG, which in turn contacts another iMG, which completes
the connection to the phone that is attached to it.
6.2.1.3 Calls Involving a Terminal and a SIP Endpoint
The following examples illustrate how a phone connected to an iMG terminal can communicate with a LAN SIP
endpoint on the IP network. Such endpoints could be:
• A Soft Phone
• An IP phone directly connected to the IP network
A user makes a call with the phone connected to an iMG, which reaches the corresponding LAN SIP endpoint
on the IP network (Figure 6-2).
FIGURE 6-2 Phone --> iMG(A) --> SIP IP Phone
(Figure: an analog (or digital) phone attached to Unit A, connected through the VoIP IP network to a SIP IP Phone, with a SIP Server on the network.)
6.2.2 VoIP SIP Servers, Users & the Forwarding Database
The VoIP SIP subsystem on iMG residential gateways is based on the concept of SIP servers, local users, call forwarding rules and access ports.
The following section describes SIP servers, local users and forwarding database.
• SIP servers are servers where local users register themselves (Location Servers) and where calls are routed
(Proxy Servers) when an outgoing call is going to be set up.
• Users are entities uniquely identified in the system by a name with an associated phone number. The User's
phone number represents the user's address on the local system.
• Forwarding rules are local call routing rules used to forward an incoming call from a local user to a remote
system or to a remote user. Forwarding rules are also used for locally originated calls when the called party
is not a local user and the call must be routed to a specific contact that typically is different from the proxy
server.
Definition of SIP servers, users and, optionally, forwarding database rules are the three basic steps in correctly configuring the VoIP SIP subsystem (see Figure 6-3).
FIGURE 6-3 VoIP subsystem configuration - basic steps
(Flowchart boxes, in the order extracted: Default Configuration; Signaling Protocol Config. (SIP); Forwarding Database; Access Port Creation; Users Creation; Access Port Configuration; User Binding; Incoming/Outgoing Calls.)
6.2.2.1 SIP servers
6.2.2.1.1 Location servers
The SIP module needs to know where locally defined users attempt to register their contact in the network.
The VOIP SIP LOCATIONSERVER CREATE command is used to set the location servers used to register users.
It is possible to define more than one location server in order to increase system reliability in case the first location server cannot be reached.
The system will attempt to register the local users on all the location servers available in the location server list
(see VOIP SIP LOCATIONSERVER LIST command) until the first registration phase achieves a positive result.
Once a successful registration with a server has been achieved, no further registration requests are performed even if other location servers are defined.
If more than one location server is defined in the system, it is possible to set a location server as
Master: all registration requests will start with the master location server, independently of the position of that
server in the location server list. If registration with the master location server fails, the location server list will
be examined to find alternative location server(s) to which registration requests will then be sent.
Note:
If no location servers are defined, the iMG uses the server addresses defined in the Proxy Server list
instead.
Note:
If users are defined without specifying a user domain (see VOIP SIP USER CREATE command), the
user domain will automatically be associated with the location server address where the user is
registered.
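The registration order described above, as an added example in Python (not vendor code): the master location server is tried first, the remaining servers follow in list order, the first successful registration stops the sequence, the proxy server list is used when no location server is defined, and a user created without a domain takes the address of the server it registered with. The REGISTER outcome is simulated by a callable and the server addresses are constructed sample values.

```python
"""Registration order of the iMG SIP module (section 6.2.2.1.1).

Added example, not vendor code. The outcome of each REGISTER attempt is
simulated by a callable so the selection logic can be checked offline.
"""
from typing import Callable, Dict, List, Optional


class SipServer:
    def __init__(self, name: str, address: str, master: bool = False) -> None:
        self.name, self.address, self.master = name, address, master


def registration_order(location_servers: List[SipServer],
                       proxy_servers: List[SipServer]) -> List[SipServer]:
    """Servers to try, in order: the master first, then the rest in list order.
    With no location server defined, the proxy server list is used instead."""
    servers = location_servers or proxy_servers
    masters = [s for s in servers if s.master]
    if len(masters) > 1:
        raise ValueError("only one server can be master")
    return masters + [s for s in servers if not s.master]


def register_user(user: str, user_domain: Optional[str],
                  location_servers: List[SipServer], proxy_servers: List[SipServer],
                  attempt: Callable[[str, str], bool]) -> Dict[str, object]:
    """Register one local user, stopping at the first server that accepts.

    Returns the serving server (or None), the domain the user ends up with,
    and the servers tried. A user created without a domain takes the address
    of the location server it registered with."""
    tried: List[str] = []
    for server in registration_order(location_servers, proxy_servers):
        tried.append(server.name)
        if attempt(server.address, user):   # True == 2xx answer to REGISTER
            return {"server": server.name,
                    "domain": user_domain or server.address,
                    "tried": tried}
    return {"server": None, "domain": user_domain, "tried": tried}
```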
6.2.2.1.2 Proxy servers
When an outgoing call cannot be handled by a local number or a well-defined forwarding rule, it must be resolved
by an external proxy server. In this case the SIP module needs to know which proxy server should be used.
The VOIP SIP PROXYSERVER CREATE command is used to inform the system of the proxy servers that can be
contacted when an outgoing call is to be established.
Similarly to location servers, it is possible to define more than one proxy server in order to increase system
reliability.
The system will attempt to contact all the proxy servers available in the proxy server list (see VOIP SIP PROXYSERVER LIST command) until the first server answers the INVITE request. In that case no further INVITE
requests are sent to the other proxy servers even if the called user cannot be reached.
In the case that more than one proxy server is defined in the system, it is possible to set a proxy server as Master. All INVITE requests will start with the master proxy server, indep