Chapter 1
Getting to know your BCM50a Integrated Router
This chapter introduces the main features and applications of the BCM50a
Integrated Router.
Introducing the BCM50a Integrated Router
The BCM50a Integrated Router is an ideal secure gateway for all data passing between the Internet and the Local Area Network (LAN).
Your BCM50a Integrated Router integrates high-speed 10/100 Megabits per second (Mb/s) autonegotiating LAN interfaces and a high-speed Asymmetrical
Digital Subscriber Line Plus (ADSL2+) port into a single package. The BCM50a
Integrated Router is ideal for high-speed Internet browsing and making
LAN-to-LAN connections to remote networks. By integrating Digital Subscriber
Line (DSL) and Network Address Translation (NAT), the BCM50a Integrated
Router provides easy installation and Internet access. By integrating firewall and
Virtual Private Network (VPN) capabilities, the BCM50a Integrated Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
Features
This section lists the key features of the BCM50a Integrated Router.
Table 1 Feature specifications

| Feature | Specification |
| --- | --- |
| Number of static routes | 12 |
| Number of NAT sessions | 4096 |
| Number of SUA (Single User Account) servers | 12 |
| Number of address mapping rules | 10 |
| Number of configurable VPN rules (gateway policies) | 10 |
| Number of configurable IPSec VPN IP policies (network policies) | 60 |
| Number of concurrent IKE (Internet Key Exchange) Phase 1 Security Associations (these correspond to the gateway policies) | 10 |
| Number of concurrent IPSec VPN tunnels (Phase 2 Security Associations; these correspond to the network policies and are also monitorable and manageable). For example, 5 IKE gateway policies could each use 12 IPSec tunnels for a total of 60 Phase 2 IPSec VPN tunnels. This total includes both branch office tunnels and VPN client-termination tunnels. | 60 |
| Number of IP pools that can be used to assign IP addresses to remote users for VPN client termination | 3 |
| Number of configurable split networks for VPN client termination | 16 |
| Number of configurable inverse split networks for VPN client termination | 16 |
| Number of configurable subnets per split network for VPN client termination | 64 |

BCM50a Integrated Router Configuration — Basics
Physical features
High-speed Internet access
Your BCM50a Integrated Router supports ADSL2+ (Asymmetrical Digital
Subscriber Line) for high transmission speeds and long connection distances.
ADSL standards
• Multimode standard (ANSI (American National Standards Institute) T1.413, Issue 2; G.dmt (G.992.1 Discrete Multitone Modulation))
• EOC (Embedded Operations Channel) specified in ITU-T
(Telecommunication Standardization Sector of the International
Telecommunications Union) G.992.1
• ADSL2 G.dmt.bis (G.992.3)
• ADSL2+ (G.992.5)
N0115790
• Extended-reach ADSL (ER ADSL)
• SRA (Seamless Rate Adaptation)
• Autonegotiating rate adaptation
• ADSL physical connection ATM (Asynchronous Transfer Mode) AAL5 (Adaptation Layer type 5)
• Multiprotocol over AAL5 (Request For Comments (RFC) 2684/1483)
• Point-to-Point Protocol over ATM AAL5 (PPPoA) support (RFC 2364)
• PPP over Ethernet support for DSL (Digital Subscriber Line) connection
(RFC 2516)
• Support Virtual Circuit (VC) based and LLC (Logical Link Control) based multiplexing
• Support OAM (Operational, Administration and Maintenance) VC Hunt
• I.610 F4/F5 OAM
Networking compatibility
Your BCM50a Integrated Router is compatible with the major ADSL Digital
Subscriber Line Access Multiplexer (DSLAM) providers, making configuration as simple as possible.
Multiplexing
The BCM50a Integrated Router supports VC-based and LLC-based multiplexing.
Encapsulation
The BCM50a Integrated Router supports PPPoA (RFC 2364 - PPP over ATM
Adaptation Layer 5), RFC 1483 encapsulation over ATM, MAC (Media Access
Control) encapsulated routing (ENET encapsulation) as well as PPP over Ethernet
(RFC 2516).
Four-Port switch
A combination of switch and router makes your BCM50a Integrated Router a cost-effective and viable network solution. You can connect up to four computers or phones to the BCM50a Integrated Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN.
Autonegotiating 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s
Ethernet.
Autosensing 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically adjust to either a crossover or a straight-through Ethernet cable.
Time and date
Using the BCM50a Integrated Router, you can get the current time and date from an external server when you turn on your BCM50a Integrated Router. You can also set the time manually.
Reset button
There is a 'Cold Reset Router' button that is accessible from the Element Manager
Administration/Utilities/Reset page. Use this button to restore the factory-default password (setup), the IP address 192.168.1.1 with subnet mask 255.255.255.0, and the DHCP server enabled with a pool of 126 IP addresses starting at 192.168.1.2.
Nonphysical features
IPSec VPN capability
Establish Virtual Private Network (VPN) tunnels to connect home or office computers to your company network using data encryption and the Internet; thus providing secure communications without the expense of leased site-to-site lines.
VPN is based on the IPSec standard and is fully interoperable with other
IPSec-based VPN products.
Nortel Contivity Client Termination
The BCM50a Integrated Router supports VPN connections from computers using
Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
Certificates
The BCM50a Integrated Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
SSH
The BCM50a Integrated Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
HTTPS
HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL, is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure WebGUI access to the BCM50a Integrated Router.
Firewall
The BCM50a Integrated Router has a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN (Wide Area Network) to the LAN is blocked unless the session was initiated from the LAN. The BCM50a Integrated Router firewall supports TCP/UDP inspection, DoS detection and protection, real-time alerts, reports, and logs.
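To make the default policy concrete, here is a small model of stateful inspection: outbound LAN sessions are recorded in a session table, and a packet arriving on the WAN is passed only if it is the reverse half of a recorded session. This is an added illustration, not BCM50a firmware; the class and function names, the 5-tuple session key, and the constructed sample traffic (RFC 5737 documentation addresses) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str    # "tcp" or "udp"
    ingress: str  # interface the packet arrived on: "lan" or "wan"


# Session key: the 5-tuple as seen in the LAN-to-WAN direction.
SessionKey = Tuple[str, int, str, int, str]


class StatefulFirewall:
    """Default-deny model: WAN packets pass only as replies to LAN-initiated sessions."""

    def __init__(self) -> None:
        self.sessions: Dict[SessionKey, int] = {}  # key -> packets matched so far

    @staticmethod
    def _forward_key(p: Packet) -> SessionKey:
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    @staticmethod
    def _reverse_key(p: Packet) -> SessionKey:
        # A WAN-side reply carries src/dst swapped relative to the LAN-side request.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def process(self, p: Packet) -> str:
        if p.ingress == "lan":
            key = self._forward_key(p)
            self.sessions[key] = self.sessions.get(key, 0) + 1
            return "allow"  # LAN-initiated: record the session and pass it
        key = self._reverse_key(p)
        if key in self.sessions:
            self.sessions[key] += 1
            return "allow"  # reply belonging to a LAN-initiated session
        return "drop"       # unsolicited WAN-to-LAN traffic: default deny


def sample_decisions() -> List[str]:
    """Run constructed sample traffic through the model and return the verdicts."""
    fw = StatefulFirewall()
    lan_host, web_server, outside_host = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    traffic = [
        Packet(lan_host, 40001, web_server, 443, "tcp", "lan"),   # LAN opens HTTPS
        Packet(web_server, 443, lan_host, 40001, "tcp", "wan"),   # server reply: matches
        Packet(outside_host, 5555, lan_host, 22, "tcp", "wan"),   # unsolicited inbound SSH
        Packet(web_server, 443, lan_host, 40002, "tcp", "wan"),   # wrong client port
        Packet(web_server, 80, lan_host, 40001, "tcp", "wan"),    # wrong server port
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    print(sample_decisions())
```

Only the exact reverse of a recorded 5-tuple is admitted; a real firewall would also age sessions out and track TCP state, but the default-deny rule the page describes is the table lookup shown here.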
Brute force password guessing protection
The BCM50a Integrated Router has a special protection mechanism to discourage brute force password guessing attacks on the BCM50a Integrated Router management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords.
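The mechanism described above (three wrong passwords, then a mandatory wait before a fourth attempt is accepted) can be modelled in a few lines. The following is an added example written for this page, not the router's own implementation: the `LoginGuard` class, its method names, the PBKDF2 password storage, and the injectable clock are all assumptions chosen so the behaviour can be tested deterministically.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Tuple


class LoginGuard:
    """Refuse login attempts for `wait_seconds` once `max_failures` consecutive
    wrong passwords have been entered for an account (hypothetical helper)."""

    _PBKDF2_ROUNDS = 100_000

    def __init__(self, wait_seconds: float, max_failures: int = 3,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.wait_seconds = wait_seconds
        self.max_failures = max_failures
        self.clock = clock
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # name -> (salt, digest)
        self.failures: Dict[str, int] = {}                # consecutive wrong passwords
        self.locked_until: Dict[str, float] = {}          # name -> clock value
        # Dummy record so unknown users cost the same time as known ones.
        self._dummy = (os.urandom(16), self._digest(os.urandom(16), "dummy"))

    def _digest(self, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._PBKDF2_ROUNDS)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, self._digest(salt, password))

    def attempt(self, name: str, password: str) -> str:
        """Return "ok", "wrong", or "locked" (wait time not yet expired)."""
        now = self.clock()
        if now < self.locked_until.get(name, 0.0):
            return "locked"  # refused without even checking the password
        salt, stored = self.users.get(name, self._dummy)
        ok = name in self.users and hmac.compare_digest(stored, self._digest(salt, password))
        if ok:
            self.failures.pop(name, None)
            self.locked_until.pop(name, None)
            return "ok"
        count = self.failures.get(name, 0) + 1
        if count >= self.max_failures:
            # Third wrong password: start the wait timer and reset the counter.
            self.locked_until[name] = now + self.wait_seconds
            self.failures.pop(name, None)
        else:
            self.failures[name] = count
        return "wrong"


class FakeClock:
    """Manually advanced clock so the wait period can be tested without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def sample_login_sequence() -> List[str]:
    """Three guesses, a fourth attempt inside the wait, then one after it expires."""
    clock = FakeClock()
    guard = LoginGuard(wait_seconds=60.0, clock=clock)
    guard.add_user("admin", "constructed-example-password")
    results = [guard.attempt("admin", guess) for guess in ("guess1", "guess2", "guess3")]
    results.append(guard.attempt("admin", "constructed-example-password"))  # still inside wait
    clock.advance(61.0)
    results.append(guard.attempt("admin", "constructed-example-password"))  # wait expired
    return results


if __name__ == "__main__":
    print(sample_login_sequence())
```

Note that the fourth attempt is refused even when the password is correct: the wait applies to the account, not to the guess, which is what makes the delay useful against automated guessing. Logging the "locked" outcomes gives the alert signal mentioned under Firewall.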
Content filtering
The BCM50a Integrated Router can block web features such as ActiveX controls,
Java applets, and cookies, as well as disable web proxies. The BCM50a Integrated
Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled.
Packet filtering
The packet filtering mechanism blocks unwanted traffic from entering or leaving your network.
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the BCM50a Integrated Router and other UPnP-enabled devices can dynamically join a network, obtain an IP address, and convey their capabilities to other devices on the network.
Call scheduling
Configure call time periods to restrict and allow access for users on remote nodes.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks through a familiar dial-up networking user interface.
Dynamic DNS support
With Dynamic DNS (Domain Name System) support, you can have a static host name alias for a dynamic IP address, so the host is more easily accessible from various locations on the Internet. You must register for this service with a
Dynamic DNS service provider.
IP Multicast
The BCM50a Integrated Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The BCM50a Integrated Router supports IGMP versions 1 and 2.
IP Alias
Using IP Alias, you can partition a physical network into logical networks over the same Ethernet interface. The BCM50a Integrated Router supports three logical LAN interfaces through its single physical Ethernet LAN interface with the BCM50a Integrated Router itself as the gateway for each LAN network.
Central Network Management
With Central Network Management (CNM), an enterprise or service provider network administrator can manage your BCM50a Integrated Router. The enterprise or service provider network administrator can configure your BCM50a
Integrated Router, perform firmware upgrades, and do troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the
TCP/IP protocol suite. Your BCM50a Integrated Router supports SNMP agent functionality, which means that a manager station can manage and monitor the
BCM50a Integrated Router through the network. The BCM50a Integrated Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).
Network Address Translation (NAT)
NAT (Network Address Translation, RFC 1631) translates multiple IP addresses used within one network to different IP addresses known within another network.
Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway when the BCM50a
Integrated Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
With DHCP (Dynamic Host Configuration Protocol), individual client computers can obtain the TCP/IP configuration at start-up from a centralized DHCP server.
The BCM50a Integrated Router has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway, and DNS servers to all systems that support the DHCP client. The BCM50a Integrated Router can also act as a surrogate DHCP server, where it relays IP address assignment from another DHCP server to the clients.
Full network management
The embedded web configurator is an all-platform, web-based utility that you can use to easily manage and configure the BCM50a Integrated Router. Most functions of the BCM50a Integrated Router are also software configurable through the SMT (System Management Terminal) interface. The SMT is a menu-driven interface that you can access over a Telnet connection.
Logging and tracing
The BCM50a Integrated Router supports the following logging and tracing functions to help with management:
• Built in message logging and packet tracing
• Unix syslog facility support
Upgrade BCM50a Integrated Router Firmware
The firmware of the BCM50a Integrated Router can be upgraded manually through the WebGUI.
Embedded FTP and TFTP Servers
The embedded FTP and TFTP servers enable fast firmware upgrades, as well as configuration file backups and restoration.
Applications for the BCM50a Integrated Router
Secure broadband internet access and VPN
The BCM50a Integrated Router provides broadband Internet access through
ADSL. The BCM50a Integrated Router also provides IP address sharing and a firewall protected local network with traffic management.
The BCM50a Integrated Router VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need (and expense) of leased lines between sites. The LAN computers can share the VPN tunnels for secure connections to remote computers.
Figure 1 Secure Internet Access and VPN Application (figure not reproduced; only its label "BCM50a Integrated Router" survived extraction)
Caution: Electro-static Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD. Avoid touching the connectors on the router, particularly when it is in use.