SI2000 CALLISTO821+ ROUTER USER GUIDE Copyright © 2005 Iskratel, Ltd. All rights reserved.

data.iskratel.com/maloprodaja/calisto/calisto user guide.pdf · 2013-11-26


KSS5320A2-ATE-010

© The contents of this document is the property of ISKRATEL KRANJ, SLOVENIA, and may not be copied, reproduced or disclosed to a third party without written consent of the owner

Index:

1 SI2000 CALLISTO821+ ROUTER
  1.1 Features of SI2000 Callisto821+ Router
  1.2 Using SI2000 Callisto821+ Router
    1.2.1 Internet access
    1.2.2 Security
  1.3 Package contents
2 GETTING STARTED
  2.1 Installation of hardware
    2.1.1 Ports
      WAN
      RES (Reset button)
      Ethernet 10Base-T/100Base-T port
      AC power socket
    2.1.2 Light indicators
    2.1.3 Ethernet (UTP) cables
  2.2 Preliminary setup
    2.2.1 LAN and TCP/IP setup
      User defined IP address
      Obtain an IP automatically
    2.2.2 Telnet management connection
    2.2.3 WEB management connection
3 MANAGING SI2000 CALLISTO821+ ROUTER
  3.1 Telnet management
    3.1.1 CLI terminology
      Transport
      Interface
      Object
      List
      Example: Attaching a transport to an interface
    3.1.2 CLI command groups
    3.1.3 CLI conventions
      add
      delete
      clear
      set
      show
    3.1.4 Help with completing CLI commands
    3.1.5 User accounts
      Adding new users
      User passwords
      Changing user settings
  3.2 WEB management
    3.2.1 About WEB management
      Status
      Quick start
      System
      Configuration


    3.2.2 Status page
      Status
      Advanced Diagnostics
      Port Connection Status
      WAN Status
      LAN Status
      Hardware Status
      Defined Interfaces
    3.2.3 Quick Start page
      Creating a login using DHCP
    3.2.4 System page
      Event Log
      Remote Access
      Firmware Update
      Backup / Restore
      Restart Router
    3.2.5 Configuration page
      Save Configuration
      Authentication
      LAN Connections
      WAN Connections
      Security
      ZIPB
      IP Routes
      DHCP server
      DHCP relay
      DNS client
      DNS relay
      Bridge
  3.3 Ports
    3.3.1 ADSL Port
    3.3.2 Ethernet ports
  3.4 System (backup, restore, reset)
    3.4.1 Backup / Restore
      Backup configuration
      Restore configuration
    3.4.2 Restart
      Restart
  3.5 Firmware upgrade
    3.5.1 Upgrade
      Update
4 BRIDGED CONFIGURATIONS
  4.1 Creating new bridged connection
  4.2 Changing ATM QoS parameters of the connection
  4.3 Changing scheduler profile
  4.4 Changing bridge interface settings
  4.5 Bridge settings
  4.6 Interface configuration
  4.7 VLAN Configuration
    4.7.1 Creating new VLAN
  4.8 Forward All/Unregistered Configuration


5 ROUTED CONNECTIONS
  5.1 About routed configurations
  5.2 PPPoE routed
    5.2.1 Computer configuration
    5.2.2 Creating connection
    5.2.3 Modifying connection
  5.3 RFC1483 routed
  5.4 PPPoA routed
  5.5 IPoA routed
  5.6 PPPoE over Ethernet/Bridge routed
6 QUALITY OF SERVICE
  6.1 ATM Quality of Service
  6.2 Ethernet based Quality of Service
    6.2.1 Configuring Scheduler
      Listing current scheduler profiles
      Creating new scheduler profile
      Difference between priority and wf2qplus scheduling
7 INTERNET ACCESS
    7.1.1 Encapsulation
      IPoA
      RFC1483
      PPPoE
      PPPoA
    7.1.2 VPI and VCI
    7.1.3 Multiplexing
      VC-based multiplexing
      LLC-based multiplexing
    7.1.4 WAN IP Address
8 SECURITY OPTIONS
  8.1 Security
    8.1.1 Enabling security
      Enabling security
      Enabling Firewall and Intrusion Detection
      Setting a default security level
    8.1.2 Configuring security interfaces
      Configuring security interfaces
  8.2 NAT
      Global IP Address Pools
      Reserved Mappings
      DMZ
    8.2.1 Configuring NAT
      Configuring NAT
    8.2.2 NAT Global Address
      Configuring NAT global addresses
    8.2.3 NAT Reserved Mapping
      Configuring NAT reserved mapping
  8.3 Firewall
      Port Filtering
      Validators


      Triggers
      Intrusion Detection
    8.3.1 Firewall policies
      Configuring Firewall policies
      Configuring Portfilters
      Configuring Validators
    8.3.2 Triggers
      Configuring Triggers
    8.3.3 Intrusion Detection Settings
      Configuring Intrusion Detection Settings
9 TROUBLESHOOTING
  9.1 Recovery mode
    9.1.1 Flash memory
      Main flash memory
      Recovery flash memory
    9.1.2 Updating main flash memory
      Configuring LAN interface on PC
      Updating flash memory
  9.2 Dealing with difficulties


1 SI2000 CALLISTO821+ ROUTER

1.1 Features of SI2000 Callisto821+ Router

Your SI2000 Callisto821+ Router features:
- high speed data transmission on single twisted copper pair for Internet access
- full rate operations up to 24 Mbit/s in downstream
- 10/100BaseT Ethernet port for LAN or PC connection
- PPPoE (RFC2516) connection support for accessing the Internet
- PPP over CHAP or PAP
- support for PPP over ATM
- support for IP over ATM
- RFC1483 bridged and routed support
- IEEE 802.1q VLAN support
- IEEE 802.1p Ethernet based quality of service
- DHCP server for easy IP address management
- DHCP relay
- DNS client
- DNS relaying
- WEB management and Telnet management over CLI (Command Line Interface) for LAN users
- firmware upgrade over WEB management
- support for VC based and LLC based multiplexing
- NAT (Network Address Translation) for single IP address Internet connection, used by the whole LAN community
- firewall filtering functions, allowing better network security and management
- intrusion detection

1.2 Using SI2000 Callisto821+ Router

1.2.1 Internet access

Your SI2000 Callisto821+ Router can also be used for high speed Internet connections. The router supports the TCP/IP standards most commonly used on the Internet. PPPoE connections in dial-up or dial-in mode are also possible. In order to use your SI2000 Callisto821+ Router for Internet access, there must be a DSLAM installed in a provider company's infrastructure near you. A DSLAM is a rack of ADSL line cards that links many customer ADSL connections to a single high speed line. A typical Internet access application is shown below on figure 2.

You can also use the NAT (Network Address Translation) services that your SI2000 Callisto821+ Router provides when setting up an Internet connection. This feature allows multiple users on the LAN to share the Internet connection, based on one IP address. The DNS server and DNS relaying are also supported.


Figure 1: Example of Internet access connection

1.2.2 Security

Connecting your computer to the Internet exposes it to a wide range of risks. The SI2000 Callisto821+ Router comes with security functions to safeguard your system and data. Three types of interfaces can be controlled by the Firewall: internal (LAN), external (WAN) and DMZ (DeMilitarized Zone). A DMZ is usually used by a company that wants to host its own Internet services without exposing its private network to unauthorized access. Typically, the DMZ contains devices accessible to Internet traffic such as HTTP, FTP, DNS and SMTP servers. You can configure the Firewall to allow or block access from one interface type to another interface type. You can configure the Firewall by using a default Security level, Firewall port filters, Firewall validators and Security triggers.

1.3 Package contents

The SI2000 Callisto821+ Router package comes with the following items:
1. SI2000 Callisto821+ Router unit
2. AC adapter
3. Ethernet UTP cord
4. CD-ROM containing user's guide


2 GETTING STARTED

2.1 Installation of hardware

2.1.1 Ports

The following figure shows the rear panel of your SI2000 Callisto821+ Router.

Figure 2: The rear panel of the SI2000 Callisto821+ Router

WAN

This port is used for connecting the ADSL cable to your phone jack. Connect the SI2000 Callisto821+ Router to the ADSL port to access the Internet.

RES (Reset button)

This button is used to reset the configuration of the router to factory default values. You must hold this button while the router is starting up until the ALM LED starts flashing fast (about 30 seconds). The Callisto821+ will use factory default settings only for the time it is running. If you want to preserve the factory default settings, save the configuration.

Ethernet 10Base-T/100Base-T port

Use a straight-through or crossover Ethernet cable (see 2.1.3 Ethernet (UTP) cables) to connect your SI2000 Callisto821+ Router to a computer or any other device. The settings of the router can be managed over a Telnet connection through this port. The factory setting for the IP address is 192.168.1.1.

AC power socket

Plug in the power cable to supply power to the SI2000 Callisto821+ Router.


2.1.2 Light indicators

The following figure shows the front panel of your SI2000 Callisto821+ Router.

There are five LEDs on the front panel of the router that indicate the status of your SI2000 Callisto821+ Router. The description is given in table 1.

table 1: LEDs description

LED        Status          Description
PWR        on              Power on.
           off             Power off or fatal malfunction.
100M/10M   on              Ethernet link is established. No ethernet activity.
           off             No ethernet link established.
           blinking        Ethernet activity.
WAN        on              ADSL line is established.
           off             ADSL interface is not functional.
           blinking slow   ADSL interface is in handshake mode looking for DSLAM
           blinking fast   ADSL interface detected DSLAM on the other side and negotiating link parameters.
ALM        blinking        malfunction

Figure 3: The front panel of the SI2000 Callisto821+ Router


2.1.3 Ethernet (UTP) cables

You should use a straight-through Ethernet cable to connect your SI2000 Callisto821+ Router to a computer directly or use a crossover cable to connect to an external hub. An explanation of what this means follows. There are 8 contacts on a UTP connector, described in the next table. The UTP connectors are shown on figure 5:

table 2: UTP contacts

Contact   MDI signal
1         TD+
2         TD-
3         RD+
4         Not used by 10Base-T
5         Not used by 10Base-T
6         RD-
7         Not used by 10Base-T
8         Not used by 10Base-T

In a straight-through cable, the contacts on both sides of the cable are connected in the same way, as shown on the left side of figure 6. In a crossover cable, the contacts on both sides of the cable are connected cross-over, as shown on the right side of figure 6.

Figure 5: Ethernet cable: straight-through connected cable (left) and crossover connected cable (right)

Figure 4: The UTP connectors


2.2 Preliminary setup

2.2.1 LAN and TCP/IP setup

This section of the manual provides important information to keep in mind when setting up the first connection between your computer and the SI2000 Callisto821+ Router. The factory default settings of the SI2000 Callisto821+ Router have the values listed below:

Local IP address: 192.168.1.1
Subnet mask: 255.255.255.0
DHCP server: Disabled

User defined IP address

The default option is to set up the connection by yourself. In this case you must specify the IP address of your system. Be careful that the subnet values of your system and the router are the same, e.g. 192.168.1.0 (IP address 192.168.1.1 for the router and IP address 192.168.1.2 for the computer). An example is shown in the picture below.

The IP address of the router can also be changed. You can learn about that in the 2.2.2 Telnet management connection and 2.2.3 WEB management connection sections of the Getting started chapter.

Figure 6: User defined IP address set up for Local Area Connection on computer


Obtain an IP automatically

If you enable the DHCP server in the Callisto821+, the easiest way to set up a connection is to configure the LAN adapter on your system to obtain an IP address automatically. This can be done in your operating system by managing the Local Area Connection Properties. The TCP/IP protocol must be installed on your system and set to obtain an IP address automatically. An example is shown in figure 7.

2.2.2 Telnet management connection

This section of the document describes the basic principles of managing the basic settings of the SI2000 Callisto821+ Router using a Telnet client terminal connection. In order to set up the Telnet Client connection, the router and the computer must reside in the same IP network (e.g. 192.168.1.0). To establish a Telnet connection do the following:

1. Open the Command Prompt.
2. Type in the command for accessing a certain IP address over the Telnet Client connection:

   telnet <ipaddress>

   e.g. telnet 192.168.1.1 for default settings of the SI2000 Callisto821+ Router.

3. The initial screen of the Command Line Interface (CLI) will appear:

Figure 7: IP obtain automatically set up for Local Area connection on computer


To log in to the system for the first time, at the Login prompt, enter the following user name and password:

Login: admin
Password: admin

To change the Local IP address of the router, do the following:

Type in the CLI prompt:

ip set interface iplan ipaddress <ipaddress>

where <ipaddress> is the desired IP address, e.g. 192.168.5.123.

Attention! When the IP address of the SI2000 Callisto821+ Router has been changed, the current terminal session in the Telnet management will no longer be usable. You have to establish a new one using the IP address you have given to the Callisto821+. When changing the IP address of the SI2000 Callisto821+ Router, be careful that the subnet values (for example 192.168.2.0 and 192.168.2.) of the Callisto821+ and the Personal Computer always stay the same! If that is not the case, LAN communication between the two systems will not be possible. If you have set an IP address for the router whose subnet differs from the computer's (the subnet values of the router and the PC do not match), you have to change the IP settings of the Personal Computer so that the subnet values match again!
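The subnet rule in the note above can be checked before the address is changed, so that the management session is not lost by accident. The following Python sketch is an added example, not part of the Iskratel guide; it assumes the default 255.255.255.0 mask from section 2.2.1, and all function names are hypothetical.

```python
import ipaddress

# Factory default subnet mask, as listed in section 2.2.1 of the guide.
DEFAULT_MASK = "255.255.255.0"


def check_lan_ip_change(new_router_ip, pc_ip, mask=DEFAULT_MASK):
    """Return (ok, problems) for a planned change of the router's LAN address.

    ok is True only if the PC can still reach the router after the change.
    """
    try:
        router_if = ipaddress.IPv4Interface(f"{new_router_ip}/{mask}")
        pc_if = ipaddress.IPv4Interface(f"{pc_ip}/{mask}")
    except ValueError as exc:  # malformed address or mask, e.g. "192.168.2."
        return False, [f"invalid address or mask: {exc}"]

    problems = []
    net = router_if.network
    # The network and broadcast addresses cannot be assigned to a host.
    if router_if.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{router_if.ip} is not a usable host address in {net}")
    if pc_if.network != net:
        problems.append(
            f"PC {pc_if.ip} is in {pc_if.network}, router would be in {net}: "
            "management access is lost until the PC is re-addressed"
        )
    elif pc_if.ip == router_if.ip:
        problems.append(f"router and PC would both use {router_if.ip}")
    return (not problems), problems


def suggest_pc_ip(new_router_ip, mask=DEFAULT_MASK):
    """Pick the first host address in the router's new subnet that is free."""
    router_if = ipaddress.IPv4Interface(f"{new_router_ip}/{mask}")
    for host in router_if.network.hosts():
        if host != router_if.ip:
            return str(host)
    return None


def cli_command(new_router_ip):
    """Build the CLI line from the guide ('iplan' is the name it uses)."""
    ipaddress.IPv4Address(new_router_ip)  # raises ValueError if malformed
    return f"ip set interface iplan ipaddress {new_router_ip}"


if __name__ == "__main__":
    # Constructed scenario: PC still on the factory subnet, router moved away.
    ok, problems = check_lan_ip_change("192.168.5.123", "192.168.1.2")
    print(cli_command("192.168.5.123"))
    print("safe to apply" if ok else "\n".join(problems))
    if not ok:
        print("re-address the PC to, for example,", suggest_pc_ip("192.168.5.123"))
```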

Figure 8: The initial screen of the CLI window in Telnet Client


2.2.3 WEB management connection

The SI2000 Callisto821+ Router has an embedded WEB server included in the firmware. This section of the document describes the basic principles of managing the settings of the SI2000 Callisto821+ Router using a WEB management connection with any web browser. To access the Web management connection, enter the URL in your web browser:

http://<ipaddress>

e.g. http://192.168.1.1

where <ipaddress> is the Local IP address of the SI2000 Callisto821+ Router, e.g. 192.168.1.1 for factory default settings. The IP addresses of the router and the computer must be parts of the same IP network (e.g. 192.168.1.0).

You are asked to enter username and password:

Enter the user name admin and password admin.

Figure 9: The welcome page of WEB management pages

The Status page is displayed. To change the Local IP address of the router, do the following:


Click on LAN Settings below the Status line in the Status page. The default IP address is not shown in the table that appears. You can edit the default IP address by using the Change default LAN port IP address button below. The following page will appear:

Now just type the desired IP address in the Primary IP Address boxes and click on the Apply button. The new IP address will be set.

Once you have changed the IP address of the router, make sure that the IP address of the computer is a part of the same network!

Figure 10: Changing IP address with Web management


3 MANAGING SI2000 CALLISTO821+ ROUTER

3.1 Telnet management

Telnet Client uses the Telnet Protocol, part of the TCP/IP suite of protocols, to connect to a remote computer over a network. In order to set up the Telnet Client connection, the router and the computer must be parts of the same IP network (e.g. 192.168.1.0). The CLI is the Command Line Interface for configuring SI2000 Callisto821+ Router, using the Telnet Protocol. This chapter provides you with basic CLI description. For further information refer to SI2000 Callisto821+ Router CLI Reference Manual.

3.1.1 CLI terminology

In order to use the Telnet Client with the CLI command prompt, you need to understand the following CLI terms:

Transport

A transport is a layer 2 session and everything below it. You can create a transport and attach it to a bridge or router so that data can be bridged or routed via the attached transport. For example, see Attaching a transport to an interface in this chapter. Your SI2000 Callisto821+ Router supports the following transports:
- PPPoA
- PPPoE
- RFC1483
- IPoA
- Ethernet

Interface

Bridges and routers both also have interfaces. A single transport is attached to a bridge or router via an interface. For example, see Attaching a transport to an interface in this chapter.


Object

An object is anything that you can create and manipulate as a single entity, for example interfaces, transports, static routes and NAT rules.

List

Objects are numbered entries in a list. For example, if you have created more than one IP interface, the following command:

ip list interfaces

produces a list of numbered interface objects. Object numbers are displayed in the first column under the heading ID. An example is shown in the next figure:

Example: Attaching a transport to an interface

To attach a transport to a bridge or router, you need to:

1. Create a transport. In the following command, an Ethernet transport is created and named ether1 and the port name is specified (ethernet):

   ethernet add transport ether1 ethernet

2. Create an interface. In the following command, a bridge interface is created and called bridgeintf:

   bridge add interface bridgeintf

3. Attach the transport to the interface. In the following command, the ether1 ethernet transport is attached to the bridgeintf bridge interface:

   bridge attach bridgeintf ether1

Figure 11: List of objects


3.1.2 CLI command groups

Your SI2000 Callisto821+ Router has an associated group of commands available in the CLI for configuring the device over Telnet Client. Each command in the group starts with the same command string, e.g. all router configuration commands start with ip. The typical CLI command groups that are embedded in your SI2000 Callisto821+ Router are listed in this chapter along with a simple explanation of the use. The bold and italic part of text is the command string.

ald / Algorithmic dropper
    Used for: add, configure and remove ALD profiles
ip / Router configuration
    Used for: add, configure and remove IP interfaces.
bridge / Bridge configuration
    Used for: add, configure and remove bridge interfaces.
ethernet / Ethernet configuration
    Used for: create and remove ethernet transports and provide statistics.
rfc1483 / RFC1483 configuration
    Used for: create, configure and remove RFC transports.
ipoa / IPoA configuration
    Used for: create, configure and remove IP over ATM transports.
pppoa / PPPoA configuration
    Used for: create, configure and remove PPP over ATM server and client transports.
pppoe / PPPoE configuration
    Used for: create, configure and remove PPP over ethernet server and client transports.
dhcpserver / DHCP server configuration
    Used for: define the DHCP network topology.
dhcpclient / DHCP client configuration
    Used for: add, change and remove DHCP client interface declarations.
dhcprelay / DHCP relay configuration
    Used for: add and remove DHCP server addresses for relaying.
dnsrelay / DNS relay configuration
    Used for: add and remove DNS server addresses.
dnsclient / DNS client configuration
    Used for: add and remove DNS client addresses.
igmp / IGMP configuration
    Used for: configure igmp behavior for IP stack.
logger / Log to a remote host using syslog
    Used for: configure syslog.


security / Security configuration
    Used for: enable the security module, create, configure and remove security interfaces and create or configure triggers.
nat / NAT configuration
    Used for: enable/disable NAT (Network Address Translation) objects, create, configure and remove global address pools and reserve mappings.
scheduler / Configuration commands for scheduler
    Used for: add and remove scheduler profiles.
sntpclient / DNS client Simple Network Time Protocol Client commands
    Used for: add and remove SNTP server addresses.
firewall / Firewall configuration
    Used for: create, configure and remove port filters and validators. Control Intrusion Detection.
transports / Transports configuration
    Used for: display and delete existing transport configuration details.
port / Port configuration
    Used for: configure and display port information.
system / System administration commands
    Used for: perform system maintenance tasks.
user / User commands
    Used for: add and remove users for accessing the device.

3.1.3 CLI conventions

The CLI of your SI2000 Callisto821+ Router uses standard, intuitive command names that can be used in different instances:

add

Use this command to add and name objects (e.g. interfaces or transports). The add command requires attributes to be specified as arguments in a certain order. For example, to create an Ethernet transport, you need to specify the transport name and system port:

ethernet add transport <name> <port>

delete

The delete command deletes named objects or numbered objects, as displayed by the list command:

ethernet delete transport {<name>|<number>}


clear

The clear command deletes all named entities that belong to an object, for example the following command:

firewall clear policies

deletes all of the policy objects that belong to the Firewall. You should use the clear command with caution, as the above example also deletes all validators and portfilters that belong to the policies.

set

The set command changes a value or multiple values within the system, for example:

ip set interface {<name>|<number>} ipaddress <ipaddress>

show

The show command lists current configuration and statistics for an object or module. For example, the command:

bridge show

may give the following response, depending on your bridge configurations:

--> bridge show
Global bridge configuration:
MAC Address: 0:1:38:2a:9f:bb
Number of Interfaces: 4
Type: TRANSPARENT
Filter Age: 300 seconds
Unicast-Learning: HYBRID
Multicast-Learning: HVM
Interface VLAN ID: ENABLED
Traffic Classes: ENABLED
Tagging: ENABLED
Acceptable Frame Type: ENABLED
Ingress Filtering: ENABLED
VLAN Bridge Configuration:
VLAN Version Number: 1
Maximum VLAN ID: 4094
Maximum Number of VLANS: 20
Current Number of VLANS: 1

figure 13: Example of show command.
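Output of the show command can be captured and compared against a saved baseline to spot configuration drift, such as a filtering option that was switched off. The following Python parser is an added example, not part of the guide; the one-field-per-line layout of the sample is an assumption reconstructed from the response above, and the function names are hypothetical.

```python
# Constructed sample: the fields of the "bridge show" response in the guide,
# laid out one per line (the exact on-screen layout is an assumption).
SAMPLE = """\
--> bridge show
Global bridge configuration:
MAC Address: 0:1:38:2a:9f:bb
Number of Interfaces: 4
Type: TRANSPARENT
Filter Age: 300 seconds
Unicast-Learning: HYBRID
Multicast-Learning: HVM
Interface VLAN ID: ENABLED
Traffic Classes: ENABLED
Tagging: ENABLED
Acceptable Frame Type: ENABLED
Ingress Filtering: ENABLED
VLAN Bridge Configuration:
VLAN Version Number: 1
Maximum VLAN ID: 4094
Maximum Number of VLANS: 20
Current Number of VLANS: 1
"""


def parse_show(text):
    """Parse 'show' output into {section: {field: value}}.

    A line ending in ':' starts a section; 'field: value' lines belong to the
    most recent section. The echoed command line ('-->') is skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-->"):
            continue
        # Split on the first colon only, so a MAC address value stays intact.
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a heading and not a field
        key, value = key.strip(), value.strip()
        if not value:
            current = sections.setdefault(key, {})
        else:
            if current is None:  # field seen before any section heading
                current = sections.setdefault("", {})
            current[key] = value
    return sections


def diff_config(baseline, current):
    """Return sorted (section, field, old, new) tuples for every difference."""
    changes = []
    for section in sorted(set(baseline) | set(current)):
        old = baseline.get(section, {})
        new = current.get(section, {})
        for field in sorted(set(old) | set(new)):
            if old.get(field) != new.get(field):
                changes.append((section, field, old.get(field), new.get(field)))
    return changes


if __name__ == "__main__":
    baseline = parse_show(SAMPLE)
    # Constructed "later" capture with two settings changed.
    later = parse_show(
        SAMPLE.replace("Ingress Filtering: ENABLED", "Ingress Filtering: DISABLED")
        .replace("Current Number of VLANS: 1", "Current Number of VLANS: 2")
    )
    for section, field, old, new in diff_config(baseline, later):
        print(f"{section} / {field}: {old} -> {new}")
```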

3.1.4 Help with completing CLI commands

You can tab-complete unique keywords in CLI commands. For example, if you type the first few characters of a keyword in a command and then press the [Tab] key:

bridge s [Tab]

the keyword is automatically completed:

bridge show

If you type a command keyword and want to find out what the next syntax options are, type ‘[Spacebar]?’. For example:

bridge ?

displays a list of valid keywords that you can use after bridge:

add     Add an interface/VLAN/FDB entry/egress interfaces.
attach  Attach an interface with a transport.
clear   Clear interfaces/VLANs/FDB entries/egress interfaces.
delete  Delete an interface/VLAN/FDB entry/egress interface.
detach  Detach an interface from the transport it is attached to.
flush   Flush all the dynamic entries for an interface.
list    List interfaces/VLANs/FDB entries/egress interfaces.
set     Set bridge/interface level parameters.
show    Show interface/VLAN/FDB entry/egress interface.

figure 14: A list of keywords that you can use after the bridge command.

You can also enter

help

which will display some general help information about the CLI.

3.1.5 User accounts

Admin is the only user account that is set up on the system by default. An admin user has super-user level access, so you can create new user accounts and access permissions from this account. To log in to the system using the admin username, do as follows:

Login: admin
Password: admin

To log out of the system, enter the command:

user logout

and the initial screen of the CLI management will appear. To display the information about the user accounts, enter at the CLI prompt:

system list users

and the following information is returned:

figure 15: The list of user accounts in the CLI system.

Adding new users

There are two types of users that you can add to the system:

1. A user that can access the system using a dial-in connection, for example, a PPP connection.

To add a dial-in user account, use the command:

system add user <name> [''comment'']

e.g. system add user tritonuser ''dial-in user access''

2. A login user who can log in to the system via a Telnet connection or WEB management.

To add a login user account, use the command:

system add login <name> [''comment'']

e.g. system add login tritonmng ''login user access''

User passwords

To change the password for the user you are currently logged in as, use the command:

user password

and then enter the new password twice, as the figure shows:

figure 16: Changing user account password.

To change the password for a different user, enter the command:

user change <name>

and the system will log you on as another user (<name>). Then you can use the user password command to change the password of the desired user. Note that only the admin user can use the user change command!

Changing user settings

You may switch between the two types of user account (dial-in or login user), or enable both types of user account. To do so, use one of the following two commands. Once again, only the admin user is allowed to change user settings.

To enable/disable the dial-in option for a login user, enter the following command:

system set user <name> maydialin {enabled/disabled}

e.g. system set user tritonmng maydialin enabled

To enable/disable the login option for a dial-in user, enter the following command:

system set user <name> mayconfigure {enabled/disabled}

e.g. system set user tritonuser mayconfigure enabled
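The account commands above can be planned offline from a list of who should hold which right. The following Python code is an added example, not part of the Iskratel guide: it compares the accounts present on a router with the intended ones and returns the system add and system set user commands that close the gap, plus items to review by hand. The account data, the function names, the permitted name characters and the initial flag state of each account type are assumptions.

```python
"""Plan the CLI commands that bring router accounts to an intended state."""
import re

FLAGS = ("maydialin", "mayconfigure")    # the two per-account options in the guide
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumption: conservative name characters

# Constructed sample data (not read from a device).
CURRENT_ACCOUNTS = {
    "admin": {"maydialin": False, "mayconfigure": True},
    "tritonmng": {"maydialin": True, "mayconfigure": True},
    "guest": {"maydialin": True, "mayconfigure": False},
}
DESIRED_ACCOUNTS = {
    "admin": {"maydialin": False, "mayconfigure": True},
    "tritonmng": {"maydialin": False, "mayconfigure": True},
    "tritonuser": {"maydialin": True, "mayconfigure": False},
}


def _check(name, flags):
    """Reject names that could alter the command line, and incomplete entries."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"refusing to build a command from account name {name!r}")
    if set(flags) != set(FLAGS):
        raise ValueError(f"{name}: expected exactly the flags {FLAGS}")


def _add_command(name, want):
    """Choose the add command whose account type is closest to what is wanted.

    Assumption drawn from the guide's wording: `system add login` yields an
    account that may configure but not dial in, `system add user` the reverse.
    """
    if want["mayconfigure"]:
        return f"system add login {name}", {"maydialin": False, "mayconfigure": True}
    return f"system add user {name}", {"maydialin": True, "mayconfigure": False}


def plan_accounts(current, desired):
    """Return (commands, review_items) that move `current` towards `desired`."""
    commands, review = [], []
    for name in sorted(desired):
        want = desired[name]
        _check(name, want)
        have = current.get(name)
        if have is None:
            command, have = _add_command(name, want)
            commands.append(command)
        for flag in FLAGS:
            if have[flag] != want[flag]:
                state = "enabled" if want[flag] else "disabled"
                commands.append(f"system set user {name} {flag} {state}")
        if all(want[flag] for flag in FLAGS):
            review.append(f"{name}: holds both dial-in and login rights")
    # This section of the guide shows no command for removing an account,
    # so unexpected accounts are reported rather than acted on.
    for name in sorted(set(current) - set(desired)):
        review.append(f"{name}: exists on the router but is not in the intended list")
    return commands, review


if __name__ == "__main__":
    commands, review = plan_accounts(CURRENT_ACCOUNTS, DESIRED_ACCOUNTS)
    print("Commands to enter as admin:")
    for command in commands:
        print("  " + command)
    print("Review by hand:")
    for item in review:
        print("  " + item)
```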

3.2 WEB management

Configuring your SI2000 Callisto821+ Router using WEB management has the same effect as configuring it using Telnet Client with CLI but on many occasions it is much easier to do that using WEB management. Throughout this chapter, you will see references to the Command Line Interface (CLI) commands that provide the same functionality as the WEB management.

3.2.1 About WEB management

To access WEB management on your SI2000 Callisto821+ Router, you have to make sure that your Callisto821+ router and the computer with ethernet adapter, with which you are connecting to the router, are parts of the same network. How to establish your first connection is described in the Preliminary setup part of the manual, in the WEB management connection chapter. WEB management provides a series of web pages that you can use to setup and configure your SI2000 Callisto821+ Router. These pages are organized into four main topics. You can select each of the following topics from the menu on the left hand side of the main window, which is shown in figure 17:

figure 17: The main window of WEB management pages.

Status

Offers information about the current setup and status of the system.

Quick start

Allows you to set up some authentication and login details which may be required by your ISP.

System

Offers information about the system hardware and options or how to upgrade the firmware and restart the system.

Configuration

Offers information about the current configuration of various system features with options to change configuration.

Note that the exact information displayed on each web page depends on the specific configuration you are using and that the following sections can give you only a general overview of the setup and configuration details.

3.2.2 Status page

The status page contains information about the current configuration of your SI2000 Callisto821+ Router. It provides an overview of the current session configuration. The page consists of the following sections:

Status

The Status section displays the following items:

• PPPoE Connection status (connected or disconnected) and the duration of the current connection.

• The current WAN IP Address configuration. It also provides a WAN settings hyperlink that allows you to create, modify or delete your WAN configuration.

• The current Local IP Address configuration. It also provides a LAN Settings hyperlink that allows you to create, modify or delete your LAN configuration.

Advanced Diagnostics

The Advanced Diagnostics section displays the following items:

• Connection Authentication details. These are details about your current ISP login settings. It also provides a Login Settings hyperlink that allows you to create, modify or delete your existing login setup.

• PPPoE Dial-On-Demand status. This displays whether you can dial to the system using PPPoE. The IP address of PPP server is also displayed.

Port Connection Status

The Port connection status section displays the following items about your port connections:

• Port. List of the ports available on your SI2000 Callisto821+ Router.

• Type. Displays the kind of traffic that can be transported on each port.

• Connected. Informs you which of the ports on your SI2000 Callisto821+ Router are currently connected: represents the port that is currently connected. represents the port that is currently disconnected.

• Line State. Information about connection status.

WAN Status

The WAN status section displays the following status information about your WAN configuration:

• IP Address Type. Whether the WAN IP address is used or the address is obtained dynamically from DHCP server.

• WAN Subnet Mask.

• Default Gateway. Whether the DHCP server has been configured to give out the WAN IP address as the default Gateway address.

• Primary DNS. Whether a Primary DNS IP address has been set.

The WAN status section also provides two hyperlinks:

• IP Address Settings. This hyperlink allows you to create, modify or delete your WAN configuration.

• DNS Client Settings. This hyperlink allows you to create, modify or delete your DNS Client configuration.

LAN Status

The LAN status section displays the following status information about your LAN settings on SI2000 Callisto821+ Router:

• LAN Subnet Mask.

• Act as Local DHCP Server (Yes/No).

• Link to DHCP server settings

• MAC Address. Displays the actual MAC address for the Ethernet block in the communications processor which is used in your SI2000 Callisto821+ Router.

Hardware Status

The Hardware status section displays the following information about your SI2000 Callisto821+ Router:

1. Up-Time. Displays the length of time (in hours:minutes:seconds) that your current session has been connected for.

2. Version. Information about the firmware release version which has been used to build the image running on your SI2000 Callisto821+ Router.

3. Vendor. Displays the name of the Vendor supplying your SI2000 Callisto821+ Router. The Vendor is IskraTEL.

Defined Interfaces

The Defined Interfaces section lists LAN and WAN interfaces that have been defined on your SI2000 Callisto821+ Router. Each interface listed has a Show Statistics hyperlink associated with it. Click on this for detailed information about some/all of the following (depending on the interface type and configuration):

• the interface

• connection details

• port configuration

• service parameters

3.2.3 Quick Start page

The Quick Start page allows you to configure your WAN login connection. First, from the left-hand menu, click on Quick Start. In order to access the Quick Start page you will have to enter a username and a password for the admin user (admin, admin). The Quick Start page is displayed.

Figure 18: The Quick Start No Login/DHCP page.

There are two types of login that you can configure. The first way to login is using a DHCP address from your ISP, instead of having a login account. The other way is to login using PPPoE. This allows a user to login remotely via PPPoE.

Creating a login using DHCP

To create a login connection using DHCP, you need to:

1. From the Login Type section, click on the No Login/DHCP radio button. The DHCP Login Options form is displayed, shown in Figure 15.

2. Complete the DHCP Login Options:

• If you want your ISP server to automatically recognize your own host name, type a Special DHCP host name.

• If you want LAN DHCP clients to use a specific domain name, type a Domain Name for Clients to send with DNS Requests.

3. Once you have configured the DHCP login options, click on Apply. The Quick Start page is refreshed, and the following confirmation message appears near the top of the page:

Settings successfully changed

These actions have the same effect as typing the following CLI commands (with the correct values added):

dhcpclient interfaceconfig add sent option <host-name>
dhcpserver subnet add option <domain-name>
dhcpclient update
dhcpserver update

Creating a PPPoE login

To create a PPPoE login connection you need to:

1. From the Login Type section, click on the PPPoE Login radio button. Then click on Apply. The PPPoE Login Setup form is displayed.

Attention! In order to set up a proper PPPoE login connection, the ATM channel VPI and VCI settings must be the same as those your ISP gave you. The default settings are VPI=0 and VCI=100. If these settings are not compatible with your ISP settings, you will have to change the settings for the ATM channel of the PPPoE connection. The procedure is described in the chapter Internet access, section VPI and VCI.

Figure 19: The Quick Start PPPoE Login page.

2. Complete the PPPoE Login Setup section to enable a user to login to the remote end:

• PPPoE Username and Password. Type a dial-out username and password, which will be required when PPP negotiation takes place and is supplied to the remote PPP server for authentication.

3. Complete the PPPoE Login Options section:

a. PPPoE Service Name. Type the PPPoE tag that identifies a specific service acceptable to the PPPoE client.

b. Dial on Demand check box. Check this box if you want PPPoE to automatically connect to TCP/IP whenever a user requests TCP/IP packets from public destinations.

c. Auto-disconnect idle time (secs). If you have checked the Dial on Demand box, type the length of time a PPPoE session connected to an ISP can remain idle before the session is disabled.

d. Keep-Alive check box. Check this box if you want PPPoE to send regular Link Control Protocol (LCP) echo request frames. If no reply to the request is received, the PPP connection is torn down.

e. Domain Name for Clients to send with DNS Requests text box. Type a domain name if you want LAN DHCP clients to use a specific domain name.

4. Once you have configured the PPPoE login options, click on Apply. The Quick Start page is refreshed, and the following confirmation message appears near the top of the page:

Settings successfully changed

These actions have the same effect as typing the following CLI commands (with the correct values added):

pppoe set transport username
pppoe set transport password
pppoe set transport servicename
pppoe set transport autoconnect
pppoe set transport idletimeout
pppoe set transport lcpechoevery
dhcpserver subnet add option domain-name
dhcpserver update

3.2.4 System page

The System menu contains options which describe the SI2000 Callisto821+ Router and allow low-level changes to be made, such as updating the image on the system. From the left-hand menu, click on System. The following sub-headings are displayed:

Event Log

The Event Log page is automatically displayed when a configuration error occurs. From the System menu, click on Event Log. The following page is displayed:

Figure 20: The System Error Log page.

The page displays a table containing all configuration errors experienced by your SI2000 Callisto821+ Router during the current session. The table also tells you:

• when the error occurred (in seconds since your system was restarted).

• which process the error occurred in.

• a brief description of the error.

Remote Access

This option allows you to enable temporary remote access to your SI2000 Callisto821+ Router using Network Address Translation (NAT).

Attention! In order to configure remote access, you first need to enable the firewall and create an external to internal firewall policy. For more information, see the Security section.

Once you have configured your Security, do as follows to enable Remote Access:

1. Click on Remote Access from the System menu to display the following page:

figure 21: The Remote Access page.

2. Type in the length of time that you want to allow remote access for. Click on Enable.

3. The Remote Access page is displayed, confirming the number of seconds remaining for remote access. There is also a Disable button that allows you to stop remote access before the specified time ends.

Firmware Update

This option allows you to upload firmware images to the SI2000 Callisto821+ Router using HTTP. A .tar archive is uploaded to the RAM of your SI2000 Callisto821+ Router. The archive is unpacked automatically, files are validated and then written to Flash memory. The details are described in the chapter 3.5.1 Upgrade.

Attention! Be sure that the SI2000 Callisto821+ Router always has power supply while the Update is in progress. Interruptions of power supply during Update may severely damage your Callisto821+ router and you will have to contact your Dealer or Product service. See 10.1 Recovery mode for troubleshooting in case of malfunctions.

Backup / Restore

This option allows you to backup the configuration on your SI2000 Callisto821+ Router to the computer and then restore it from the same place. The details are described in the chapter 3.4.1 Backup / Restore.

Restart Router

This option allows you to restart your SI2000 Callisto821+ Router. The details are described in the chapter 3.4.2 Restart.

3.2.5 Configuration page

The Configuration menu contains options for configuring features on SI2000 Callisto821+ Router including basic LAN and WAN connections and DHCP and DNS settings. Attention! Most of the features contain sensible default settings. You are unlikely to have to reconfigure every feature included in the Configuration menu. From the left-hand menu, click on Configuration. The following sub-headings are displayed:

Save Configuration

This option allows you to save your current configuration to flash memory:

1. From the Configuration menu, click on Save config. The following page is displayed:

figure 22: The Save configuration page.

2. Click on the Save button to save your current configuration in the im.conf file in FlashFS. The Save button has the same effect as typing the following CLI command:

system config save

After a short time the configuration is saved and the following confirmation message is displayed:

Configuration saved.

Attention! Do not turn off the power supply or reset the Callisto821+ before the confirmation message is displayed! This may severely damage your Callisto821+ and you will have to contact your Dealer or Product service. See 10.1 Recovery mode for troubleshooting in case of malfunctions.

Authentication

This option allows you to administer accounts for users who access the SI2000 Callisto821+ Router. To access the Authentication option, click on Authentication from the Configuration menu. The following page is displayed:

figure 23: The Authentication page.

To create a new login account:

1. Click on the Create a new user button. The following page is displayed:

figure 24: The Create user page.

2. Type details for the new user into the username, password and comment text boxes, and select a May login? option:

• true means that the user can login but not dial in

• false means that the user can dial in but not login

3. Click on the Create button. The Authentication page is displayed. The table now contains details for the user that you have just created.

To edit / delete a login account:

• The Authentication page table contains an Edit user hyperlink for each user account entry. Click on a link. The following page is displayed:

figure 25: The Edit user page.

This page allows you to:

1. update details for a specific user account. Modify the necessary text boxes then click on the Apply button.

2. delete a user account. Click on the Delete this user button.

• Once you have edited or deleted a user account, the Authentication page is displayed and the table reflects any changes that you have made on the edit user page.

LAN Connections

This option allows you to configure the IP address and subnet of the default LAN connection to the SI2000 Callisto821+ Router, configure a secondary IP address on the same subnet as the primary IP address and create virtual interfaces; multiple virtual interfaces can be associated with the existing primary LAN interface. From the Configuration menu, click on LAN connections. The following page is displayed:

figure 26: The LAN Connections page.

To configure primary and secondary LAN connection click on LAN connections from the Configuration menu and then click on the Change default LAN port IP address button. The following page will display:

figure 27: The LAN Connections Default LAN Ports page.

1. The Default LAN Port section contains two subsections:

• IP address and subnet mask details of your primary LAN connection. To edit these details, click in the appropriate text box and type new primary address details. This has the same effect as entering the following CLI command (with the correct values added):

ip set interface <name> ipaddress
ip set interface <name> netmask

• Secondary IP address details. To create/configure a secondary IP address, click in the Secondary IP Address text box and type new address details. This has the same effect as entering the following CLI command (with the correct values added):

ip interface <name> add secondaryipaddress

2. Once you have configured the IP address(es), click on the Apply button. A message is displayed confirming that your address information is being updated. If you have changed the primary IP address, you may need to enter the new address in your web browser address box.

To create Virtual Interfaces:

1. Click on the Create a new virtual interface... hyperlink at the bottom of the LAN connections Default LAN Port page. On the Create virtual interface page, type the IP address and netmask of the virtual interface, then click on the Apply button.

2. The LAN connections page is displayed. The virtual interfaces section contains a table listing the names of the virtual interface(s). Each virtual interface is called item# by default.

3. Each virtual interface name has an Edit and a Delete link associated with it.

To edit a service:

• Click on the Edit link.

• Change the options for the existing virtual interface, then click on Change. The page is reset and the new values are displayed.

To delete a service:

• Click on the Delete link.

• Check the details displayed, then click on the Delete this connection button.

These actions have the same effect as entering the following CLI commands (with the correct values added):

ip add interface
ip attachvirtual
ip set interface
ip delete interface

WAN Connections

This option allows you to create and configure WAN connections for your SI2000 Callisto821+ Router. You can also create virtual interfaces on routed services. From the Configuration menu, click on WAN connections. The WAN connections page is displayed:

figure 28: The WAN Connections page.

To create a WAN service:

1. Click on Create a new service. A page is displayed containing a list of WAN service options:

figure 29: The WAN Connection: create service page.

2. Select an option, then click on Configure. You need to add detailed configuration information about the WAN service that you are creating.

3. Click on Apply. The WAN connections page is displayed. The table now contains details of the service that you have just created.

Configuring the service type has the same effect as entering the following CLI command (with the correct values added):

<module> add transport
ip add interface
ip attach

or

bridge add interface
bridge attach

To edit a WAN service:

• Click on the Edit link for a specific service. The WAN connection edit page is displayed:

figure 30: The WAN Connection: edit service page.

• Change the values for the existing service. If you want to carry out advanced editing, click on the links at the top of the edit page. The links that appear depend on the type of service that you are configuring. For example, for an RFC 1483 routed service, you can choose from the following advanced editing links:

Edit ‘Service’
Edit ‘RFC1483’
Edit ‘Atm Channel’
Edit ‘Classifier’
Edit ‘Bun Vector Attr’
Edit ‘Scheduler’
Edit ‘Bridge Interface’

• Click on Change. The edit page is displayed and changes are applied to the service.

To delete a WAN service:

1. At the WAN connections page, click on the Delete link for a specific service. The WAN connection: delete page is displayed.
2. Check the details displayed, then click on the Delete this connection button.

This has the same effect as entering the following CLI commands (with the correct values added):

ip delete interface
or
bridge delete interface


To create a virtual interface (routed services only):

1. Click on the Virtual I/f link for a specific service. The Virtual interface page is displayed.
2. Click on the Create a new virtual interface... hyperlink. On the Create virtual interface page, type the IP address and netmask of the virtual interface, then click on the Apply button.
3. The WAN connections page is displayed. If you click on the Virtual I/f link, the Virtual interface page displays a table listing the names of existing virtual interfaces. Each virtual interface is called item# by default.

This has the same effect as entering the following CLI commands (with the correct values added):

ip add interface
<module> add transport
ip attachvirtual


Security

This option allows you to configure Security, NAT and Firewall as follows. The detailed options are described in Chapter 5, Security settings. A quick overview of the Security options follows. Your SI2000 Callisto821+ Router allows you to use:

• Security options in WEB management:
  – enable Security,
  – configure Security interfaces,
  – configure triggers.

• NAT options in WEB management:
  – enable NAT between interfaces,
  – configure global addresses,
  – configure reserved mapping.

• Firewall options in WEB management:
  – enable Firewall and Firewall Intrusion Detection settings,
  – set the Firewall security level,
  – configure Firewall policies, port filters and validators,
  – configure Intrusion Detection settings,
  – configure security logging.

To get to the page that contains the Security settings, do the following: From the Configuration menu, click on Security. The following page is displayed:

figure 40: The Security state page.


ZIPB

Click on the ZIPB link on the navigation bar. ZIPB stands for "Zero Installation PPP Bridge". It is a way to ensure that a home user can be assigned a public IP address through the modem, and can then access the Internet without having to configure NAT on the modem, or install PPP software on the home computer. ZIPB mode becomes active when it has been enabled, IPCP negotiation has completed over the WAN PPP link, and a DHCPDISCOVER has been received on the modem LAN interface from the PC. By default, ZIPB has been disabled on Callisto821+.

To activate ZIPB:

1. Click the Enable button on the main ZIPB page. This has the same effect as entering the following CLI command:

zipb enable

ZIPB needs to link one LAN interface and one WAN interface. If no interfaces are chosen, ZIPB will automatically use the first suitable interfaces it finds. ZIPB will also do this if you choose an IP interface incorrectly.

Note: Some settings will not take effect until you disable and re-enable ZIPB.


ZIPB advanced configuration consists of the following parameters, which you can change:

• LAN interface: Select a LAN interface from the drop-down list.

• WAN interface: Select a WAN interface from the drop-down list.

• LAN IP address spoof method: Select an option from the drop-down list. When ZIPB becomes active, a public IP address will be assigned to the PC on the LAN. However, in order to pass traffic, an IP address on the same subnet as the public IP address must be invented and assigned to the modem LAN interface. This drop-down list allows the user to choose how this LAN IP address is invented, or "spoofed". For most users the default method, Top of subnet, is fine; it simply chooses the highest address available on the subnet that is not the subnet broadcast address. Similarly, Bottom of subnet will take the lowest legal address on the subnet. The Increment method will add 1 to the offered public IP address, again ensuring that the subnet broadcast address is not used (if it would be used, then 1 will be subtracted instead). Finally, choosing Manual mode allows the user to directly control what address is used by entering it into the Manual LAN IP address field. Care must be taken with this last option to ensure that the chosen address is on the correct subnet.

• LAN subnet mask selection method: This option is very similar to the LAN IP address spoof method option, except that the LAN interface subnet mask is involved here. The choices are Natural, which will simply use the natural subnet mask for the IP interface chosen by the spoof method, or Manual, which allows the user to specify the mask by entering a value into the Manual LAN subnet mask field.

• LAN DHCP server lease time: This is the DHCP lease time, in seconds, for any IP address offered by the DHCP server to the LAN PC. This is very short by default to ensure that configuration changes are acted upon quickly (for example, a public IP address becoming available). It also allows the modem to detect when the home PC has been shut down.

• LAN PC power down time: If a lease has been granted to the LAN PC for a public IP address, and it then expires, this option determines the length of time, in seconds, before ZIPB assumes that the LAN PC has been shut down. If the LAN PC does not come back up within this time, then the WAN PPP link will be disabled and the public IP address "returned" to the Service Provider.
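The spoof method and mask rules above, worked through as an added example (this is not Iskratel code). The method names, function names and sample addresses are assumptions, as is rejecting a candidate that collides with the PC's own address, a case the guide does not describe.

```python
import ipaddress


def natural_prefix(ip):
    """Prefix length of the classful ("natural") mask for an IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8        # class A
    if first_octet < 192:
        return 16       # class B
    if first_octet < 224:
        return 24       # class C
    raise ValueError(f"{ip} is class D/E and has no natural mask")


def spoof_lan_ip(public_ip, method="top", manual_ip=None, manual_mask=None):
    """Return (lan_ip, netmask) for the modem LAN interface, as strings.

    public_ip   -- public address that ZIPB hands to the LAN PC
    method      -- "top", "bottom", "increment" or "manual" (hypothetical
                   names standing in for the drop-down entries)
    manual_ip   -- Manual LAN IP address, used only with method="manual"
    manual_mask -- Manual LAN subnet mask (dotted); None selects Natural
    """
    pc = ipaddress.IPv4Address(public_ip)
    mask = manual_mask if manual_mask is not None else natural_prefix(pc)
    net = ipaddress.IPv4Interface(f"{pc}/{mask}").network

    # The subnet must hold two hosts: the PC and the modem LAN interface.
    if net.prefixlen > 30:
        raise ValueError(f"{net} has no room for both the PC and the modem")
    if pc in (net.network_address, net.broadcast_address):
        raise ValueError(f"{pc} is not a usable host address in {net}")

    if method == "top":
        # Highest address that is not the subnet broadcast address.
        lan = net.broadcast_address - 1
    elif method == "bottom":
        # Lowest legal host address on the subnet.
        lan = net.network_address + 1
    elif method == "increment":
        # Public address + 1, or - 1 if that would hit the broadcast address.
        lan = pc + 1
        if lan == net.broadcast_address:
            lan = pc - 1
    elif method == "manual":
        if manual_ip is None:
            raise ValueError("manual method needs a Manual LAN IP address")
        lan = ipaddress.IPv4Address(manual_ip)
    else:
        raise ValueError(f"unknown spoof method {method!r}")

    # The check the guide asks for with Manual mode, applied to every method.
    if lan not in net:
        raise ValueError(f"{lan} is not on the public subnet {net}")
    if lan in (net.network_address, net.broadcast_address):
        raise ValueError(f"{lan} is the network or broadcast address of {net}")
    # Assumption: a candidate equal to the PC's own address is rejected here;
    # the guide does not say what the device does in this case.
    if lan == pc:
        raise ValueError(f"{lan} is already assigned to the LAN PC")
    return str(lan), str(net.netmask)


if __name__ == "__main__":
    # Constructed sample address from a documentation range.
    for m in ("top", "bottom", "increment"):
        print(m, spoof_lan_ip("203.0.113.10", m))
```

With a narrow manual mask such as 255.255.255.252 the Top of subnet candidate can be the PC's own address, which is why the collision check matters when the Natural mask is overridden.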


IP Routes

This option allows you to create static IP routes to destination addresses via an IP interface name or a Gateway address. From the Configuration menu, click on IP routes. The Edit Routes page is displayed:

figure 31: The Edit Routes page.

This page lists the following information about existing routes:

• Whether the route is valid or invalid
• Destination IP address
• Gateway address
• Netmask address

This has the same effect as entering the following CLI command:

ip list routes


To edit a route:

1. To edit the destination, gateway and netmask address of a route, click in the relevant text box, update the information then click on Apply. This has the same effect as entering the following CLI command (with the correct values added):

ip set route destination
ip set route gateway

2. To edit the cost and interface setting for the route, click on the Advanced Options hyperlink for a specific route and update the relevant information. Click on OK. This has the same effect as entering the following CLI command (with the correct values added):

ip set route cost
ip set route interface

To delete a route:

1. To delete an existing route, check the Delete? box for a specific route.
2. Click on Apply.

This has the same effect as entering the following CLI command (with the correct values added):

ip delete route

To create an Ip V4 Route:

1. Click on the Create new Ip V4 Route hyperlink. The following page is displayed:

figure 32: The Create Ip V4 Route page.


2. Complete the Create Ip V4 Route form in order to configure the route. Adding a route has the same effect as entering the following CLI command (with the correct values added):

ip add route

and you can use the following CLI commands to set the properties of the route (with the correct values added):

ip set route destination
ip set route cost
ip set route gateway
ip set route interface

3. When you have typed the details, click on OK. The Edit Routes page is displayed. The table now contains details of the route that you have just created. This has the same effect as entering the following CLI command:

ip list routes

DHCP server

This option allows you to enable/disable the DHCP server and create, configure and delete DHCP server subnets and DHCP fixed IP/MAC mappings. From the Configuration menu, click on DHCP server. The following page is displayed:

figure 33: The DHCP Server page.


Attention! If DHCP relay is enabled, DHCP server will be disabled by default. You cannot enable DHCP server unless you disable DHCP relay.

To enable / disable the DHCP server:

• Click on the Enable/Disable button at the top of the page.
• The DHCP server is enabled by default. If you click on the Disable button, DHCP server is disabled and the button changes to Enable.

This has the same effect as entering the following CLI command (with the correct values added):

dhcpserver enable
dhcpserver disable

To create a DHCP server subnet:

1. Click on the Create new Subnet link. The following page is displayed:

figure 34: The DHCP Server subnet configuration page.

2. This page allows you to:
3. Set the value and netmask of the subnet (either manually or by selecting an IP interface whose value and mask is used instead), and set the maximum and default lease times. This has the same effect as entering the following CLI commands (with the correct values added):

dhcpserver add subnet
dhcpserver set subnet defaultleasetime
dhcpserver set subnet maxleasetime


4. Set the DHCP address range (or use a default range of 20 addresses). This has the same effect as entering the following CLI commands (with the correct values added):

dhcpserver add subnet
or
dhcpserver subnet add iprange

5. Set the Primary and Secondary DNS Server addresses or set your SI2000 Callisto821+ Router to give out its own IP address as the DNS Server address. This has the same effect as entering the following CLI commands (with the correct values added):

dhcpserver subnet add option name-server "primary-dns, secondary-dns"
or
dhcpserver set subnet hostisdnsserver

6. Set your SI2000 Callisto821+ Router to give out its own IP address as the default Gateway address. This has the same effect as entering the following CLI command (with the correct values added):

dhcpserver set subnet hostisdefaultgateway

7. Once you have entered new configuration details for your DHCP server, click on OK. The DHCP Server page is displayed, containing details of your new subnet.

To edit a DHCP server subnet:

1. Click on the Advanced Options link for a specific subnet. The Edit DHCP server subnet page is displayed. This allows you to edit all of the values that were set when the subnet was created.

2. This page also allows you to add additional option information. At the bottom of the page, click on the Create new DHCP option link. The following page is displayed:

figure 35: The DHCP Server configuration option page.


3. Click on the Option name drop-down list and select a name. Type a value that matches the selected option name in the Option value text box. Click on OK. This has the same effect as entering the following CLI command (with the correct values added):

dhcpserver subnet add option

4. The Edit DHCP server subnet page is displayed, and details of your new option are displayed under the sub-heading Additional option information. To delete an existing option, check the Delete? box for a specific option and click OK.

To create a fixed host:

1. Click on the Create new Fixed Host link. The following page is displayed:

figure 36: The fixed host IP/MAC mapping page.

2. Complete the following:

• Type in the IP address that will be given to the host with the specified MAC address.
• Type in the MAC address and the maximum lease time (default is 86400 seconds).

This has the same effect as typing the following CLI command (with the correct values added):

dhcpserver add fixedhost

3. Click on OK. The DHCP Server page is displayed, and details of your new fixed host are displayed under the sub-heading Existing DHCP fixed IP/MAC mappings. To edit a fixed mapping, click on the IP address, MAC address or max lease time, type a new entry and click Apply. To delete a fixed mapping, check the Delete? box for a specific mapping and click Apply.


This has the same effect as typing the following CLI commands (with the correct values added):

dhcpserver set fixedhost ipaddress
dhcpserver set fixedhost macaddress
dhcpserver set fixedhost maxleasetime
dhcpserver delete fixedhost

DHCP relay

This option allows you to enable/disable the DHCP relay, to add DHCP servers to the DHCP relay list and to configure or delete server entries on the DHCP relay list. From the Configuration menu, click on DHCP relay. The following page is displayed:

figure 37: The DHCP relay page.

To enable / disable DHCP relay:

1. Click on the Enable/Disable button at the top of the page. If you click on the Disable button, DHCP server is disabled and the button changes to Enable. This has the same effect as entering the following CLI command (with the correct values added):

dhcprelay enable
dhcprelay disable

Attention! If DHCP relay is enabled, DHCP server will be disabled by default. You cannot enable DHCP server unless you disable DHCP relay.


To add a DHCP server to the DHCP relay list:

1. In the Add new DHCP server section, type an address in the New DHCP server IP address text box.
2. Click on Apply. The address is displayed in the Edit DHCP server list section.

To edit / delete entries in the DHCP relay list:

• To edit an entry, click on an IP address and type a new entry, then click on Apply.
• To delete an entry, check the Delete? box for a specific IP address, then click on Apply.

These actions have the same effect as entering the following CLI commands (with the correct values added):

dhcprelay add server
dhcprelay update
dhcprelay list servers
dhcprelay delete server


DNS client

This option allows you to create a list of server addresses. This enables you to retrieve a domain name for a given IP address. DNS client option also allows you to create a domain search list. DNS client uses this list when a user asks for the IP address list for an incomplete domain name. From the Configuration menu, click on DNS client. The following page is displayed:

figure 38: The DNS client page.

To configure DNS servers:

1. Type the IP address of the unknown domain name in the DNS servers text box.
2. Click Add. The IP address appears in the DNS servers table. You can add a maximum of three server IP addresses. Each IP address entry has a Delete button associated with it. Click on Delete to remove an IP address from this list.

Adding/deleting IP addresses has the same effect as entering the following CLI commands (with the correct values added):

dnsclient add server
dnsclient list server
dnsclient delete server

To configure DNS search domains:

1. Type a search string in the Domain search order text box.
2. Click Add. The search string is displayed in the Domain search order table. You can add a maximum of six search strings. Each search string entry has a Delete button associated with it. Click on Delete to remove a string from this list.

Adding/deleting domain search strings has the same effect as entering the following CLI commands (with the correct values added):

dnsclient add searchdomain
dnsclient list searchdomain
dnsclient delete searchdomain


DNS relay

This option allows you to create, configure and delete DNS relay’s primary and secondary DNS servers. DNS relay can forward DNS queries to the DNS servers on this list. From the Configuration menu, click on DNS Relay. The following page is displayed:

figure 39: The DNS relay page.

To configure DNS relay list:

1. In the Add new DNS server section, type an address in the New DNS server IP address text box.
2. Click on Apply. The address is displayed in the Edit DHCP server list section. To edit an entry, click on an IP address and type a new entry, then click on Apply. To delete an entry, check the Delete? box for an IP address, then click on Apply.

These actions have the same effect as entering the following CLI commands (with the correct values added):

dnsrelay add server
dnsrelay update
dnsrelay list servers
dnsrelay delete server

Bridge

The Bridge section allows you to configure VLAN-enabled bridging functionality. Please refer to section 5 Bridged configurations for more detailed information.


3.3 Ports

This section allows you to configure the different ports of your Callisto821+ router. Click on the port you want to configure in the navigation bar on the left side of the window.


3.3.1 ADSL Port

Using the ADSL port parameters you can monitor the state of your ADSL line. Although there are several parameters that can be changed, it is advisable not to change anything. Automatic configuration of ADSL parameters is selected as the default configuration for the ADSL port. This will give you the best possible results, as your SI2000 Callisto821+ Router will negotiate ADSL settings with the DSLAM of your DSL service provider.

Some useful counters and values:

Name          Description
Tx Bit Rate   Downstream speed in bits per second
Rx Bit Rate   Upstream speed in bits per second

3.3.2 Ethernet ports

Using the Ethernet ports section you can monitor basic Ethernet parameters:

Name          Description
Connected     Link status of ethernet interface
Full duplex   Is link full duplex or half duplex
Link speed    Speed of the link


3.4 System (backup, restore, reset)

3.4.1 Backup / Restore

This option allows you to backup the configuration on your SI2000 Callisto821+ Router to the computer and then restore it from the same place.

Backup configuration

To back up the configuration of the Callisto821+, do as follows:

1. From the System menu, click on Backup/restore. The following page is displayed:

figure 42: The Backup / Restore page.

2. From the Backup Configuration section, click on the Backup button. The File Download window is displayed. Click to select the Save this file to disk button. From the Save As window, select a file in which to save your backup configuration. Click on Save.

These actions have the same effect as typing the following CLI command (with the correct values added):

system config backup


Restore configuration

To restore the configuration to the Callisto821+, do as follows:

1. From the System menu, click on Backup/restore.
2. In the Restore Configuration section, click in the Configuration File text box and type the network path of the file that you wish to restore. If you do not know the path details, click on the Browse button and locate the file using the Choose file box.
3. Click on the Restore button. The page is refreshed with a Configuration Restored message and details of the number of bytes uploaded.

These actions have the same effect as typing the following CLI command (with the correct values added):

system config restore


3.4.2 Restart

This option allows you to restart your SI2000 Callisto821+ Router.

Restart

To restart your Callisto821+, do as follows:

• From the System menu, click on Restart. The following page is displayed:

figure 43: The Restart page.

• Click on the Restart button to reset the SI2000 Callisto821+ Router. The Restart page also provides you with the option of restarting and restoring the factory default settings. Click in the Reset to factory default settings box to check it, then click on the Restart button. Read the console status output in the Telnet Client window to check how the reset is progressing. The factory default settings are described in the 2.2 Preliminary setup chapter.

• Once the login and password prompt is displayed at the console, you can log in as usual (with login = admin, password = admin), then refresh the browser that is running Callisto821+ WEB management. The Status page is displayed and your SI2000 Callisto821+ Router has been reset.

The Restart button has the same effect as typing the following CLI command:

system restart

Checking the Reset to factory default settings check box has the same effect as typing the following CLI command:

system config restore factory


3.5 Firmware upgrade

Attention! Make sure that the SI2000 Callisto821+ Router has an uninterrupted power supply while an Update is in progress. Interruption of the power supply during an Update may severely damage your Callisto821+, and you will have to contact your Dealer or Product service. See 10.1 Recovery mode for troubleshooting in case of malfunctions.

3.5.1 Upgrade

This option allows you to upload firmware images to the SI2000 Callisto821+ Router using HTTP. An .img archive is uploaded to the RAM of your SI2000 Callisto821+ Router. The archive is unpacked automatically, files are validated and then written to Flash memory.

Update

To update your Callisto821+ firmware, do as follows:

1. From the System menu, click Update. The following page is displayed:

figure 44: The firmware Update page.

2. Type in the network location of the new firmware image that you want to upload, or use the Browse button to browse through the network and select the file. Click on Update.
3. Once the file has been uploaded to the RAM of SI2000 Callisto821+ Router, it is written to Flash. A status page is displayed confirming that the upload is complete and telling you how much of the file (in bytes and as a percentage) has been written to Flash.
4. Once the file has been written to Flash, the firmware Update page is refreshed. The page confirms completion of the update and asks you to restart your SI2000 Callisto821+ Router in order to use the new firmware. Click on Restart.


4 BRIDGED CONFIGURATIONS

SI2000 Callisto821+ Router can be configured to operate in bridged mode. This allows Callisto821+ to be used as a simple modem instead of a more complex router device. Such a configuration is suitable for large deployments where no device configuration is expected. The bridge module is capable of 802.1q and 802.1p processing.

4.1 Creating new bridged connection

To create a new bridged connection, point your web browser to the Callisto821+ IP address and click WAN connections under the Configuration section in the navigation bar. The system will provide several options. You can select between two protocols available for bridging Ethernet packets over the ATM DSL link:

1. RFC1483 bridged

2. PPPoE bridged

Select the one appropriate for your network configuration and click Configure.

Enter a name for your connection into the Description field and set the correct ATM VPI/VCI settings. You can choose between two encapsulation methods:

– LLC/SNAP: an LLC header will be added to Ethernet packets before sending them over the AAL5 connection

– VcMux (null): Ethernet packets will be sent over the AAL5 connection without any additional headers.


The option used depends on the configuration of your DSLAM; however, LLC/SNAP should be used in an IskraTEL environment.

After you click the Apply button, the newly created connection is shown under WAN connections:


4.2 Changing ATM QoS parameters of the connection

Once you have created a connection, you can change its ATM QoS parameters in order to achieve correct quality of service behavior. You can do this by clicking the Edit link in the WAN connections section. Click the Edit ATM link.

There are several parameters you can change or adjust.


4.3 Changing scheduler profile

You can associate a scheduler profile with your bridged connection if you want to use the 802.1p traffic priority mechanism. Enter the name of the scheduler profile into the Sch Profile field and press Change. After associating a scheduler profile with your connection, you must save the configuration and restart the router. Refer to the chapter about the scheduler for more detailed information about 802.1p priority queuing.


4.4 Changing bridge interface settings

In Edit bridge interface section you can configure various bridge parameters for this connection.

Name: Description

Ether Filter Type: This option is used to select which packets will be sent over this connection and which will not. Possible options are:

- All: All packets

- Ip: Only IP and ARP packets

- Pppoe: Only PPPoE packets

- Igmp: Only IGMP packets

- IpWithoutIgmp: All IP and ARP packets except IGMP

- None: No packets at all

Port Filter: This option allows you to select which other bridge interfaces/ports this connection can communicate with. The default value is All. You can write several port names separated with commas.

Port Pvid: Pvid is the default VLAN ID. It is used by the bridge to add VLAN tags to frames when untagged traffic is received on this connection. If PVID is equal to 1, frames will not be tagged. Otherwise the appropriate tag will be added to all untagged frames. Tagged frames will be kept unchanged.

Ingress Filtering Status: Enable or disable ingress filtering on this connection.

Frame Access Type: Type of Ethernet frames allowed to be transferred on this connection. Either ALL or VLAN tagged only.

Port Default User Priority: The default user priority is the 802.1p priority field used for untagged packets. The same rules as for PVID apply.

Num Traffic Classes: Number of 802.1p traffic classes the bridge is aware of. The default value is 8.

Regen Priority0 - 7: This array of fields is used to change the priority of all traffic. The default value is a 1-1 setting, which does nothing.

Traffic Class Map0 - 7: Used to map different 802.1p priority classes into different output queues.


4.5 Bridge settings

This chapter describes bridge operation inside Callisto821+. The bridge is a software process which forwards Ethernet packets from one interface to another. An interface can be a physical Ethernet port or a virtual ATM connection with the appropriate encapsulation method, as described in previous chapters. The bridge can be configured from the main bridge configuration page in the Configuration section.

Two parameters can be set on the main page:

Name: Description

Filter Age: Time in seconds for which the bridge remembers a previously learned MAC address.

Traffic Class Mapping: If this option is enabled, the bridge will map traffic to different output queues according to 802.1p header values. This option basically enables or disables 802.1p quality of service.

At the bottom of the main bridge configuration page there are several links which point to more specific settings. Interface Configuration is used for configuring bridge interfaces, which are in most cases either physical Ethernet ports or virtual ATM connections. VLAN Configuration is the place to set the VLAN behavior of the bridge. Forward All/Unregistered Configuration is used to define the bridge's behavior for multicast Ethernet traffic. Interface Statistics/Flushing and VLAN Port Statistics are used for displaying various statistics information.


4.6 Interface configuration

This page displays all interfaces attached to the bridge. Usually these are the WAN connections created by the user as described in 4.3.1 Creating new bridged connection, and the permanent LAN connections. The options available to change are the same as described in 4.3.4 Changing bridge interface settings. Wherever they are changed, the results will be the same.

4.7 VLAN Configuration

Note: The number of configured VLANs is limited to 20.

In this section you can set up the VLAN configuration of the bridge module. Be aware that you must also set up 4.3.8 Ethernet Switch accordingly, otherwise VLANs will not work as expected.

Each VLAN used in the system must be added into this section. For untagged traffic a special VLAN with a predefined name is created by default. Even if you delete it and would like to add it back later, you must use the same name and settings.

Name: DefaultVlan

VLAN ID: 1

FDB Name: DefaultFdb


4.7.1 Creating new VLAN

Click Create new VLAN link at the bottom of VLAN main page.

Enter a descriptive name for your VLAN into the Name field. For Vlan Id, select a number smaller than 4096 but not equal to 1, unless you are creating DefaultVlan for untagged traffic. For Fdb Name, select DefaultFdb only for DefaultVlan; otherwise select one of the Qbridge names. It is advisable to select a different Qbridge name for each VLAN. FdbName represents the MAC database the bridge uses to learn MAC addresses. Using a different Fdb for each VLAN allows different frame forwarding rules for each VLAN. This is useful when one device is communicating using different VLANs over different bridge interfaces.

After you have created a new VLAN, it will not contain any interfaces. Each VLAN usually contains at least two interfaces: one is used for traffic to come into the bridge, another for the traffic to leave the bridge. In simple network configurations the first one is the local Ethernet port while the second one is a virtual ATM connection (e.g. an RFC1483 bridged connection). You can use the Edit links for each VLAN to add interfaces. An interface can be added to a VLAN in two different modes:

Tagged port is an interface which sends and receives tagged frames. If you attach an RFC1483 connection as tagged to a VLAN with VLAN ID 40, frames on the RFC1483 connection will have VLAN tags. The same RFC1483 connection can be added as tagged to several VLANs, which means that several VLANs will be sent and received over the same RFC1483 connection.


Untagged port is used when you do not want to transport VLAN tags over the RFC1483 connection. If an interface is added to a VLAN as untagged, the bridge will remove the VLAN tag when transmitting to this interface and add the default port VLAN ID (Pvid) when receiving frames from this interface. If an interface is added as untagged to DefaultVlan, the bridge will not add VLAN tags if Pvid is 1. There should be only one untagged interface per one RFC1483 connection to avoid mixing of traffic.
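The tagging rules from 4.4 (Port Pvid, Frame Access Type, Ingress Filtering Status) and the tagged/untagged membership modes of this section can be modelled on raw Ethernet frames. The Python model below is an added example, not Iskratel code: the Port and Bridge classes, the port names and the sample frame are constructed for illustration. It assumes that ingress filtering has its usual IEEE 802.1Q meaning (a frame is dropped when the receiving port is not a member of the frame's VLAN) and that a tagged member port adds a tag on transmit if the frame has none.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
DEFAULT_VID = 1       # the guide's DefaultVlan: frames with Pvid 1 stay untagged


def parse_tag(frame):
    """Return (vlan_id, priority) for a tagged frame, None for an untagged one."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci & 0x0FFF, tci >> 13


def add_tag(frame, vlan_id, priority=0):
    """Insert an 802.1Q tag right after the source MAC address."""
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the 4-byte 802.1Q tag from a tagged frame."""
    return frame[:12] + frame[16:]


@dataclass
class Port:                          # hypothetical model of one bridge interface
    name: str
    pvid: int = DEFAULT_VID          # Port Pvid
    default_priority: int = 0        # Port Default User Priority
    tagged_only: bool = False        # Frame Access Type = VLAN tagged only
    ingress_filtering: bool = False  # Ingress Filtering Status


class Bridge:                        # hypothetical model of the VLAN table
    def __init__(self):
        self.vlans = {}              # vlan_id -> {port name: "tagged" | "untagged"}

    def add_member(self, vlan_id, port, mode):
        if not 1 <= vlan_id < 4096:  # the guide's limit for Vlan Id
            raise ValueError("VLAN ID out of range")
        if mode not in ("tagged", "untagged"):
            raise ValueError("mode must be 'tagged' or 'untagged'")
        self.vlans.setdefault(vlan_id, {})[port.name] = mode

    def ingress(self, port, frame):
        """Return (vlan_id, frame as carried in the bridge), or None if dropped."""
        tag = parse_tag(frame)
        if tag is None:
            if port.tagged_only:
                return None          # untagged frame on a tagged-only port
            vlan_id = port.pvid
            if vlan_id != DEFAULT_VID:
                frame = add_tag(frame, vlan_id, port.default_priority)
        else:
            vlan_id = tag[0]         # tagged frames are kept unchanged
        if port.ingress_filtering and port.name not in self.vlans.get(vlan_id, {}):
            return None              # assumption: standard 802.1Q ingress filtering
        return vlan_id, frame

    def egress(self, port, vlan_id, frame):
        """Return the frame as sent on `port`, or None if the port is not a member."""
        mode = self.vlans.get(vlan_id, {}).get(port.name)
        if mode is None:
            return None
        tagged = parse_tag(frame) is not None
        if mode == "untagged" and tagged:
            return strip_tag(frame)
        if mode == "tagged" and not tagged:
            return add_tag(frame, vlan_id)   # assumption, not stated in the guide
        return frame

    def forward(self, in_port, out_port, frame):
        accepted = self.ingress(in_port, frame)
        if accepted is None:
            return None
        return self.egress(out_port, *accepted)


def build_example():
    """VLAN 40 with an untagged LAN port and a tagged RFC1483 connection."""
    lan = Port("ethernet", pvid=40)
    wan = Port("rfc1483", tagged_only=True, ingress_filtering=True)
    bridge = Bridge()
    bridge.add_member(40, lan, "untagged")
    bridge.add_member(40, wan, "tagged")
    # Constructed frame: broadcast destination, locally administered source, IPv4
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed payload"
    return bridge, lan, wan, frame


if __name__ == "__main__":
    bridge, lan, wan, frame = build_example()
    print("LAN -> WAN tag:", parse_tag(bridge.forward(lan, wan, frame)))
    print("VLAN 99 from WAN:", bridge.forward(wan, lan, add_tag(frame, 99)))
```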


4.8 Forward All/Unregistered Configuration

This section allows you to change multicast traffic settings. By default the bridge in Callisto821+ will not allow any multicast traffic. If you want to transport multicast frames over a bridged connection, you must enable it by adding the appropriate ports in the Forward All/Unregistered Configuration section. You must enable multicast traffic for each FDB (FdbName), and consequently for each VLAN you have created before. This allows you, for example, to enable multicasting only for a video VLAN. Click on the Edit link for FWDALLMCAST and FWDUNREGMCAST.

Add all ports/interfaces of the VLAN.


5 ROUTED CONNECTIONS

5.1 About routed configurations

This chapter describes how to configure your SI2000 Callisto821+ Router in different routed configurations to establish a LAN to WAN connection. All of the configurations in this section use the SI2000 Callisto821+ Router ip module to route between Ethernet and an ATM protocol.

5.2 PPPoE routed

This is most likely the most widely used configuration in DSL access networks today, as many Internet Service Providers use the PPPoE protocol for accessing the Internet. Traditionally, establishing a PPPoE connection required client software running on a personal computer, but when using SI2000 Callisto821+ Router in PPPoE routed mode, PPPoE software on the PC is no longer needed. In this mode you can also enable NAT and allow several local computers to access the Internet over the same DSL line.

5.2.1 Computer configuration

In order to create a routing configuration, you must assign IP addresses to the computers in your network. If you use the default IP address of your SI2000 Callisto821+ Router, which is 192.168.1.1, you will need to assign an IP address from IP subnet 192.168.1.0 to all of your computers. If you plan to configure your computers manually, you will need to set at least the following:

IP address: something between 192.168.1.2 and 192.168.1.254

Subnet mask: 255.255.255.0

Default gateway: 192.168.1.1

Primary DNS: 192.168.1.1

Note: Each computer must have its unique IP address.

If you do not want to configure each client computer, you can use the DHCP server inside your SI2000 Callisto821+ Router to automatically configure all computers in your network. You must enable DHCP Server in your router. Please refer to chapter 3.2.5 Configuration page for more information about the procedure. You should also configure your computers to get an IP address automatically. Most operating systems (Windows, Linux, Mac OS X, ...) come with this setting enabled as the default configuration. Refer to the operating system manuals for more information.


5.2.2 Creating connection

In the navigation bar on the left side, click the WAN Connections link. By default there should be one bridged connection in the system. You will most likely want to delete this connection, as you will not need it.

Select Create a new service link.


Select PPPoE Routed and click the Configure button to proceed.

In this section you must configure the settings required for establishing a PPPoE connection.

Description: Enter a descriptive name for your connection. This value is for your reference only.


VPI: ATM VPI (Virtual Path Identifier) is a number representing the ATM path. You should get this number from your service provider.

VCI: ATM VCI (Virtual Channel Identifier) is a number representing the ATM channel. You should get this number from your service provider. If you do not know these numbers, your connection will not work.

PPPoE Auto Connect: This option sets the way Callisto821+ handles the connection. If it is enabled, the connection will be established only when one of the computers on the network requires Internet access. This should be left disabled for most configurations, as it makes no sense to disconnect from the Internet when using DSL technology.

Discover IP subnet from IPCP: Enable this option if you want to get the IP subnet mask from your network provider automatically.

PPP Ipv6CP: Enable this option if your service provider uses IPv6. In most configurations it should be left disabled.

WAN IP address: Enter the IP address your service provider has assigned to you here. If you do not have such an address, leave it as 0.0.0.0. Callisto821+ will get it automatically.

Enable NAT on this interface: If your service provider gives you only one IP address, select this option in order to allow more than one computer to connect to the Internet.

Access concentrator: Enter the name of the PPPoE access concentrator you want your router to connect to. If you do not know this value, leave it blank.

Service name: Enter the name of the PPPoE service you want your router to connect to. If you do not know this value, leave it blank.

LLC header mode: Enable or disable LLC header mode.

HDLC header mode: Enable or disable HDLC header mode.

Authentication: Select the type of authentication your service provider supports. Available choices are No Authentication, PAP and CHAP. When using PAP or CHAP, do not forget to enter a valid username and password.

User name: Type in the username to access the Internet.

Password: Type in the password to access the Internet.

User Idle Timeout (in minutes): Time in minutes of inactivity of your computer that Callisto821+ will wait before disconnecting from the PPPoE Access Concentrator. Value 0 means infinite time.

Press the Configure button to create the new connection. You will now see the newly created connection among the other connections in the WAN Configuration section.
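The two Authentication choices that use the User name and Password fields differ in what crosses the link: PAP (RFC 1334) carries the password itself in the Authenticate-Request, while CHAP (RFC 1994) answers a challenge with MD5(identifier, secret, challenge) and never sends the secret. The following Python code is an added example, not part of the guide or of the router firmware; it builds both exchanges, and the user name, password, challenge bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

PAP_AUTH_REQUEST = 1                  # PAP code 1 (PPP protocol 0xC023)
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2  # CHAP codes (PPP protocol 0xC223)


def pap_request(ident, user, password):
    """PAP Authenticate-Request: code, id, length, then user and password verbatim."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def parse_pap_request(pkt):
    """What any observer of the link can read out of a PAP request."""
    code, _ident, length = struct.unpack_from("!BBH", pkt)
    if code != PAP_AUTH_REQUEST or length != len(pkt) or length < 6:
        raise ValueError("not a well-formed PAP Authenticate-Request")
    ulen = pkt[4]
    if 5 + ulen >= len(pkt):
        raise ValueError("bad Peer-ID length")
    plen = pkt[5 + ulen]
    if 6 + ulen + plen != len(pkt):
        raise ValueError("bad Passwd length")
    return pkt[5:5 + ulen], pkt[6 + ulen:]


def chap_packet(code, ident, value, name):
    """CHAP Challenge/Response: code, id, length, value size, value, name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if length != len(pkt) or length < 5 or 5 + pkt[4] > len(pkt):
        raise ValueError("not a well-formed CHAP packet")
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:]


def chap_value(ident, secret, challenge):
    """RFC 1994 response value for the MD5 algorithm."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def router_answer(challenge_pkt, user, secret):
    """Router side: answer the access concentrator's challenge."""
    code, ident, challenge, _name = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_value(ident, secret, challenge), user)


def concentrator_verify(challenge_pkt, response_pkt, secrets):
    """Access concentrator side: recompute the value from its own copy of the secret."""
    _code, ident, challenge, _name = parse_chap(challenge_pkt)
    code, rid, value, user = parse_chap(response_pkt)
    secret = secrets.get(user)
    if code != CHAP_RESPONSE or rid != ident or secret is None:
        return False
    return hmac.compare_digest(value, chap_value(ident, secret, challenge))


if __name__ == "__main__":
    user, password = b"user@example", b"constructed-password"  # constructed values
    print("PAP on the wire:", parse_pap_request(pap_request(1, user, password)))
    challenge = chap_packet(CHAP_CHALLENGE, 7, bytes(range(16)), b"ac-1")
    response = router_answer(challenge, user, password)
    print("CHAP accepted:", concentrator_verify(challenge, response, {user: password}))
    fresh = chap_packet(CHAP_CHALLENGE, 7, bytes(range(1, 17)), b"ac-1")
    print("Old response, new challenge:", concentrator_verify(fresh, response, {user: password}))
```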


5.2.3 Modifying connection

If you click on the Edit link of your connection, you can change various parameters. In the Edit PPPoE section you can change the parameters you entered during connection creation. Sections Edit Atm Channel and Edit Scheduler are the same as for bridged connections. Please refer to 4.3 Changing ATM QoS parameters of the connection and 4.4 Changing scheduler profile for more information.

In Edit Ip Interface you can configure various IP related settings. Be sure to enable Tcp Mss Clamp: go to the Edit Tcp Mss Clamp section and set it to true. This can prevent situations in which you are unable to view certain web pages on the Internet.
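PPPoE adds 8 bytes to every packet, so a 1500-byte Ethernet MTU leaves 1492 bytes for IP on the WAN side, while LAN hosts still advertise a TCP MSS of 1460; an MSS clamp rewrites that option in passing SYN segments so that full-size segments fit the link. The Python code below is an added example of that rewrite, not the router's implementation: the function names, addresses and the sample SYN are constructed, and a 1500-byte Ethernet MTU with IPv4 and no IP options is assumed.

```python
import socket
import struct

ETHERNET_MTU = 1500     # assumption: standard Ethernet MTU on the LAN
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IP_TCP_HEADERS = 40     # IPv4 header (20) + TCP header (20), no options
TCP_SYN = 0x02
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def pppoe_mss():
    """Largest TCP payload that fits one packet on a PPPoE link."""
    return ETHERNET_MTU - PPPOE_OVERHEAD - IP_TCP_HEADERS


def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over the IPv4 pseudo-header and the TCP segment."""
    data = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, len(segment)) + segment)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def find_mss_option(segment):
    """Return (offset of the MSS value, MSS) or None if the option is absent."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("truncated TCP option")
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("bad TCP option length")
        if kind == OPT_MSS and length == 4:
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None


def clamp_mss(src_ip, dst_ip, segment, limit):
    """Lower the MSS option of a SYN or SYN-ACK to `limit` and fix the checksum."""
    found = find_mss_option(segment)
    if not segment[13] & TCP_SYN or found is None or found[1] <= limit:
        return segment                     # nothing to rewrite
    out = bytearray(segment)
    struct.pack_into("!H", out, found[0], limit)
    struct.pack_into("!H", out, 16, 0)     # zero the checksum field, then recompute
    struct.pack_into("!H", out, 16, tcp_checksum(src_ip, dst_ip, bytes(out)))
    return bytes(out)


def build_syn(src_ip, dst_ip, mss):
    """Constructed SYN (ports 40000 -> 80) with MSS, NOP, NOP, SACK-permitted."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + b"\x01\x01" + b"\x04\x02"
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, TCP_SYN, 65535, 0, 0)
    segment = bytearray(header + options)
    struct.pack_into("!H", segment, 16, tcp_checksum(src_ip, dst_ip, bytes(segment)))
    return bytes(segment)


if __name__ == "__main__":
    src, dst = "192.168.1.10", "203.0.113.5"   # constructed addresses
    syn = build_syn(src, dst, 1460)
    clamped = clamp_mss(src, dst, syn, pppoe_mss())
    print("MSS before:", find_mss_option(syn)[1], "after:", find_mss_option(clamped)[1])
```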


5.3 RFC1483 routed

If your service provider uses RFC1483 in routed configuration, you must create an RFC1483 routed connection instead of a PPPoE connection. Select RFC 1483 routed when creating a new WAN connection.


You will get the following page:

Description: Enter the name of this connection. This name is for your reference only.

VPI: ATM VPI (Virtual Path Identifier) is a number representing the ATM path. You should get this number from your service provider.

VCI: ATM VCI (Virtual Channel Identifier) is a number representing the ATM channel. You should get this number from your service provider. If you do not know these numbers, your connection will not work.

Encapsulation method: Either LLC/SNAP or VcMux (null). The meaning of this parameter is explained in chapter 4.2 Creating new bridged connection.

Use DHCP: Select this option if you want your Callisto821+ to get an IP address dynamically using the DHCP protocol.

WAN IP address: Select this option and enter an IP address manually if no DHCP support is present in your network.

Enable NAT on this interface: If your service provider gives you only one IP address, select this option in order to allow more than one computer to connect to the Internet.

After the connection is created, you can change its parameters the same way as described in 5.2.3 Modifying connection.


5.4 PPPoA routed

When you want to use PPP over ATM as the protocol for your routed connection, select PPPoA Routed when creating a new connection.


You will need to enter the following settings:

PPPoA is similar to PPPoE, so the parameters are almost the same. Basically, PPPoA differs from PPPoE in the protocol used to transport PPP frames. In the case of PPPoE it is Ethernet, but in the case of PPPoA it is ATM directly.

Description: Enter a descriptive name for your connection. This value is for your reference only.

VPI: ATM VPI (Virtual Path Identifier) is a number representing the ATM path. You should get this number from your service provider.

VCI: ATM VCI (Virtual Channel Identifier) is a number representing the ATM channel. You should get this number from your service provider. If you do not know these numbers, your connection will not work.

WAN IP address: Enter the IP address your service provider has assigned to you here. If you do not have such an address, leave it as 0.0.0.0. Callisto821+ will get it automatically.

Enable NAT on this interface: If your service provider gives you only one IP address, select this option in order to allow more than one computer to connect to the Internet.

LLC header mode: Enable or disable LLC header mode.

HDLC header mode: Enable or disable HDLC header mode.

Authentication: Select the type of authentication your service provider supports. Available choices are No Authentication, PAP and CHAP. When using PAP or CHAP, do not forget to enter a valid username and password.

User name: Type in the username to access the Internet.

Password: Type in the password to access the Internet.

Press the Configure button to create the new connection. The parameters you can change for a PPPoA connection are similar to the PPPoE connection's parameters.


5.5 IPoA routed

IP over ATM is an even less complex protocol than the others. You can easily connect two devices because this protocol is not master/slave oriented. When creating a new WAN Connection, select IPoA routed:

You need to enter only very basic parameters for IPoA connection.


Description: Enter the name of this connection. This name is for your reference only.

VPI: ATM VPI (Virtual Path Identifier) is a number representing the ATM path. You should get this number from your service provider.

VCI: ATM VCI (Virtual Channel Identifier) is a number representing the ATM channel. You should get this number from your service provider. If you do not know these numbers, your connection will not work.

Use DHCP: Select this option if you want your Callisto821+ to get an IP address dynamically using the DHCP protocol.

WAN IP address: Select this option and enter an IP address manually if no DHCP support is present in your network.

Enable NAT on this interface: If your service provider gives you only one IP address, select this option in order to allow more than one computer to connect to the Internet.

Press the Configure button to create the new connection.


5.6 PPPoE over Ethernet/Bridge routed

This connection type is very useful when you want your SI2000 Callisto821+ Router to operate in mixed bridge-router mode. It is quite often the case that your service provider can offer you certain services (video services, VoIP telephony, ...) only when your DSL CPE is configured as a bridge. This configuration makes it possible to perform bridge functionality for the above mentioned services and also perform routing functionality for accessing the Internet. You must, however, be using PPPoE to connect to the Internet.

To be able to use such a configuration, you must have one bridge connection created. Refer to chapter 4.2 Creating new bridged connection on how to create it. When you have created it, click on the Create a new service link in the WAN Connections section and select PPPoE over Ethernet/Bridge routed.


You will see almost the same parameters as in the case of creating normal PPPoE connection.

Instead of ATM VPI/VCI settings there is a port name to choose from a drop-down list. This name represents the transport used for transporting PPPoE frames. In most cases this transport would be the previously created bridged connection.

Description: Enter a descriptive name for your connection. This value is for your reference only.

Port: Select pppoe here.

PPPoE Auto Connect: This option sets the way Callisto821+ handles the connection. If it is enabled, the connection will be established only when one of the computers on the network requires Internet access. This should be left disabled for most configurations, as it makes no sense to disconnect from the Internet when using DSL technology.

WAN IP address: Enter the IP address your service provider has assigned to you here. If you do not have such an address, leave it as 0.0.0.0. Callisto821+ will get it automatically.

Enable NAT on this interface: If your service provider gives you only one IP address, select this option in order to allow more than one computer to connect to the Internet.

Access concentrator: Enter the name of the PPPoE access concentrator you want your router to connect to. If you do not know this value, leave it blank.

Service name: Enter the name of the PPPoE service you want your router to connect to. If you do not know this value, leave it blank.

LLC header mode: Enable or disable LLC header mode.

HDLC header mode: Enable or disable HDLC header mode.

Authentication: Select the type of authentication your service provider supports. Available choices are No Authentication, PAP and CHAP. When using PAP or CHAP, do not forget to enter a valid username and password.

User name: Type in the username to access the Internet.

Password: Type in the password to access the Internet.

User Idle Timeout (in minutes): Time in minutes of inactivity of your computer that Callisto821+ will wait before disconnecting from the PPPoE Access Concentrator. Value 0 means infinite time.

Press the Configure button to create the new connection.


6 QUALITY OF SERVICE

SI2000 Callisto821+ Router is capable of providing quality of service on two layers:
– ATM layer using different QoS traffic classes
– Ethernet layer using IEEE 802.1p mechanism

6.1 ATM Quality of Service

ATM QoS parameters can easily be set for each ATM virtual connection under the WAN Connections section, as described in 5.2 Changing ATM QoS parameters of the connection. Be aware that ATM shaping in Callisto821+ does not work exactly like classical ATM shapers. It has specific built-in features that are required for a DSL CPE device. The major difference is that different QoS classes have different service priorities. Starting with the highest:

1. CBR
2. VBR-rt
3. VBR
4. UBR

This means that setting CBR to 200 cells/second will not consume the bandwidth of 200 cells/second all the time, but only when the CBR service requires it. If CBR does not need all of its PCR speed, the unused bandwidth is given to VBR-rt, VBR, UBR...

6.2 Ethernet based Quality of Service

In addition to ATM based Quality of Service, Callisto821+ also offers Ethernet based QoS. This is very useful where several VLANs are transmitted over the same ATM RFC1483 virtual connection. ATM QoS mechanisms only provide quality of service among several ATM virtual connections, but not within the same virtual connection, which is exactly the case when several VLANs use one ATM RFC1483 connection. QoS should then be provided on the Ethernet layer. This is achieved using IEEE 802.1p mechanisms.


In the drawing, the left side shows the process of classifying input traffic into several queues, and the right side shows the process of sending the packets out to the DSL line. Different 802.1p priorities are taken into account when forwarding packets to the single output queue. IEEE 802.1p defines 8 different priorities. Priority 7 is the highest, priority 0 is the lowest. As described in earlier sections of this user manual, the priority for untagged traffic can be set in the Ethernet Switch section. However, this is not the only way to set the priority information of the frames. If you use an Ethernet terminal that is capable of tagging its Ethernet traffic, it can add priority information by itself. Priority information is processed by the bridge and scheduler processes.

6.2.1 Configuring Scheduler

Scheduler is the module inside Callisto821+ which performs output queuing of all traffic if enabled for the given connection (5.3 Changing scheduler profile). Scheduler can be configured using the CLI. Refer to 3.1 Telnet management for more details, and to the CLI Reference Manual for more detailed information about Scheduler CLI commands.

Listing current scheduler profiles

By typing scheduler list profiles, you can view which scheduler profiles are in the system.

--> scheduler list profiles
Scheduler Profiles:
ID   | Name
-----|--------------------
1    | defwan
--------------------------

[Figure: packets labelled with priorities 7, 5 and 2 are classified into the VoIP Queue, Internet Queue and Video Queue (left) and then sent to the xDSL output queue, shown in packet order as transmitted to the DSL line (right).]


Creating new scheduler profile

To create a priority based scheduling profile, type scheduler add profile <ProfileName> priority, where <ProfileName> is the name of the scheduler profile.

--> scheduler add profile defwan priority

To create a weighted fair queuing scheduler profile, type scheduler add profile <ProfileName> wf2qplus.

--> scheduler add profile defwan wf2qplus

Difference between priority and wf2qplus scheduling

Priority based queuing always serves the queue with the highest priority. Only when the highest priority queue contains no packets does the mechanism start serving a lower priority queue. This can lead to starvation of lower priority queues. The wf2qplus algorithm, on the other hand, gives a queue only as much bandwidth as configured by its weight. Weights are defined as a percentage of the bandwidth. In the example below, packets arrive in the system as shown in the first picture. Queue 7 has the most packets.

If the priority based mechanism is used (picture on the left), all packets from queue 7 are sent before any packet from queue 6 is sent. This is good enough for some applications but not for others.

The picture on the right shows the situation where the wf2qplus algorithm is used. Priority queue 7 used weight 50. This gave it only 50% of the whole bandwidth, so the other 50% was given to the other queues.
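The difference between the two scheduling types can be reproduced with a small simulation. This is an added example, not Iskratel code: the weighted mode uses self-clocked fair queuing as a simpler stand-in for wf2qplus, and the arrival pattern, the queue numbers 5 and 2 and their weights of 25 are constructed.

```python
"""Strict-priority versus weighted scheduling on one output link (added example)."""
import heapq
from collections import Counter
from fractions import Fraction

# Constructed arrival pattern: slot -> priorities of the packets arriving in it.
# Queue 7 receives one packet in every slot, so it alone can fill the link.
ARRIVALS = {slot: [7] for slot in range(12)}
ARRIVALS[0] = [7, 5, 5, 5, 2, 2, 2]

# Constructed weights in percent of bandwidth; 50 for queue 7 as in the text.
WEIGHTS = {7: 50, 5: 25, 2: 25}


def simulate(arrivals, slots, weights=None):
    """Send one packet per slot and return the priority sent in each slot.

    weights=None  -> strict priority: highest priority first, FIFO within it.
    weights=dict  -> self-clocked fair queuing: every packet gets a virtual
                     finish tag that grows by 1/weight per packet of its queue,
                     and the packet with the smallest tag is sent next.
    """
    heap = []            # (sort key, arrival sequence, priority)
    last_finish = {}     # priority -> finish tag of its newest packet
    vtime = Fraction(0)  # virtual time = tag of the last packet sent
    seq = 0
    sent = []
    for slot in range(slots):
        for prio in arrivals.get(slot, []):
            if weights is None:
                key = (-prio,)
            else:
                start = max(vtime, last_finish.get(prio, Fraction(0)))
                finish = start + Fraction(1, weights[prio])
                last_finish[prio] = finish
                key = (finish, -prio)   # ties go to the higher priority
            heapq.heappush(heap, (key, seq, prio))
            seq += 1
        if heap:
            key, _, prio = heapq.heappop(heap)
            if weights is not None:
                vtime = key[0]
            sent.append(prio)
        else:
            sent.append(None)    # link idle
    return sent


def shares(sent):
    """Count how many slots each priority received."""
    return dict(Counter(p for p in sent if p is not None))


if __name__ == "__main__":
    for name, w in (("priority", None), ("weighted", WEIGHTS)):
        out = simulate(ARRIVALS, 12, w)
        print(f"{name:9}", out, shares(out))
```

Because a terminal can set the 802.1p priority of its own frames, a single source that keeps queue 7 full takes every slot under priority scheduling, while with weights its share is held to the configured percentage.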

[Figure: three diagrams, each with a time axis starting at t0 and rows for queue 7 down to queue 0.]


7 INTERNET ACCESS

This chapter describes how to configure the LAN and WAN parameters of your SI2000 Callisto821+ Router to access the Internet. Assume that the following network is set up:

figure 69: The Network setup for Internet access.

The default parameters of the SI2000 Callisto821+ Router are listed in chapter 2.2 Preliminary setup. These parameters should work for the majority of installations. If the parameters are not satisfactory, read 2.2.2 Telnet management connection to learn how to change them.

The whole network is separated into two parts. The part of the network that is limited to the immediate area, usually the same building or floor of a building, is named LAN (Local Area Network). A WAN (Wide Area Network), on the other hand, is an outside connection to another network or the Internet. If you look at figure 69, the WAN network in your case consists of the ADSL line, DSLAM, ATM line, ISP premises and the Internet. All you have to do is set up your SI2000 Callisto821+ Router the way your ISP requires. These settings are:

1. Encapsulation
2. VCI and VPI
3. Multiplexing (VC or LLC based)
4. WAN IP Address (if it is given by your ISP)

We will not describe in detail how to set up the WAN connection using all those settings, because that is already done in previous chapters for all encapsulations that Callisto821+ supports. All you have to do is set up a WAN connection with the encapsulation required by your ISP. But, as mentioned before, be careful with the following features:


7.1.1 Encapsulation

Be sure to use the encapsulation method required by your ISP. SI2000 Callisto821+ Router supports the methods listed below:

IPoA

SI2000 Callisto821+ Router allows users of IP traffic to migrate to ATM as an underlying data transport while continuing to use existing system applications designed for legacy IP systems. IP over ATM is therefore supported.

RFC1483

RFC1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5. The first method allows multiplexing of multiple protocols over a single ATM virtual circuit (LLC based multiplexing), and the second method assumes that each protocol is carried over a separate ATM virtual circuit (VC based multiplexing).

PPPoE

Point to Point Protocol over Ethernet provides access control and billing functionality in a manner similar to dial-up services using PPP. Your SI2000 Callisto821+ Router can be configured as a PPPoE Client (for home use, as a home modem) and also as a PPPoE Access Concentrator. For details read 5.2 PPPoE routed.

PPPoA

Point to Point Protocol allows users to establish a connection in a similar manner as PPPoE, only that in PPPoA case, the encapsulation runs directly on AAL5 level. The PPP layer treats the underlying ATM AAL5 layer service as a bit-synchronous point-to-point link. In this context, the PPP link corresponds to an ATM AAL5 virtual connection. For details read 5.4 PPPoA Routed.


7.1.2 VPI and VCI

When you are setting up a configuration on the WAN side of your Callisto821+, no matter what the encapsulation is, the VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) values that you type in must be the same as required by your ISP. In our examples we mostly used VCI 32 and VPI 1. Be sure to enter the values given to you by your ISP and not those that we used in our examples. The valid range for the VPI is 0 to 255 and for the VCI 32 to 65535 (0 to 31 is reserved for local management of ATM traffic).

You can change the VPI and VCI values by selecting WAN connections from the Configuration section in the WEB management. Then select the Edit... hyperlink for the Service Name whose VCI and VPI values you want to change. Then click on Edit 'ATM channel' and the next page is displayed:

figure 70: The WAN connection Edit ATM channel page.

Change the values in Tx VCi, Tx VPi, Rx VCi and Rx VPi arrays to the desired values. The Tx VCi, Rx VCi and Tx VPi, Rx VPi must match.


7.1.3 Multiplexing

There are two conventions to identify what protocols the virtual circuit (VC) is carrying. Be sure to use the multiplexing method required by your ISP.

VC-based multiplexing

In this case, by prior mutual agreement, each protocol is assigned to a specific virtual circuit, for example, VC1 carries IP, etc. VC-based multiplexing may be dominant where dynamic creation of large numbers of ATM VCs is fast and economical.

LLC-based multiplexing

In this case one VC carries multiple protocols, with protocol-identifying information contained in each packet header. Despite the extra bandwidth and processing overhead, this method may be advantageous if it is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous VCs.

7.1.4 WAN IP Address

When creating a WAN connection on your SI2000 Callisto821+ Router, you have to enter the required IP address that your ISP gave you. It is also possible that your ISP will not give you a WAN IP address; in that case it will be given to the Callisto821+ by the DHCP server of your ISP.


8 SECURITY OPTIONS

8.1 Security

This chapter describes how to manage the security settings on your SI2000 Callisto821+ Router. The Callisto821+ security software helps the user set up and enforce security policies. These policies define which kind of traffic is allowed to pass through a gateway and from whom the traffic is allowed. This software provides functionality such as port filtering, triggers, validation (IP filtering), NAT (Network Address Translation), intrusion, DOS (Denial of Service) attack protection, DMZ (DeMilitarized Zone) and logging.

The security package provides a stateful firewall. This means that the security mechanism maintains information about the packets it receives and uses this information to decide dynamically whether or not to allow a packet through.

From the Configuration menu, click on Security. The page that contains the default Security settings is displayed:

figure 71: The Security state page.


8.1.1 Enabling security

Enabling security

You must enable Security before you can enable Firewall and/or Intrusion Detection. In the Security State section:

1. Click on the Security Enabled button.
2. Click on Change State to update the Security State section.

This has the same effect as typing the following CLI commands:

security enable
security status

Enabling Firewall and Intrusion Detection

You must create a security interface before you can enable Firewall and/or Intrusion Detection. Once you have created a security interface:

1. Click on the Firewall Enabled and/or Intrusion Detection Enabled buttons.
2. Click on Change State to update the Security State section.

This has the same effect as typing the following CLI commands (depending on which state you want to enable):

firewall enable
firewall enable IDS
security status

Setting a default security level

You must have Security and Firewall enabled in order to set a default Security level.

1. From the Security Level section, click on the Security Level drop-down list.
2. Click on the level that you want to set: none, high, medium or low.
3. Click on the Change Level button.

This has the same effect as typing the following CLI command:

firewall set securitylevel


8.1.2 Configuring security interfaces

Configuring security interfaces

Security interfaces are based on existing LAN and WAN services. You must create a LAN or WAN service for every security interface that you want to configure.

1. From the Security Interfaces section, click on Add Interface. The Firewall: Add Interface page is displayed:

figure 72: The Security: Add interface page.

2. Click on the Name drop-down list and select the service that you want to base your security interface on.
3. Click on the Interface Type drop-down list and specify what kind of interface it is depending on how it connects to the network. You can choose between external, internal or DMZ.
4. Click on Apply. The Security page is displayed. The Security Interfaces section contains a table that displays information about each security interface that you have created:
• Name - name of service that the security interface is based on.
• Type of network connection specified.
• NAT setting. It contains hyperlinks that allow you to configure NAT.
• Delete Interface... hyperlink. Click on this to display the Security: Delete Interface page. Check the interface details, then click on the Delete button.

These actions have the same effect as entering the following CLI commands:

security add interface
security list interfaces
security delete interface


8.2 NAT

Network Address Translation is a feature that keeps private network addresses private when accessing a public network. You should be familiar with the following terms when using NAT features:

Global IP Address Pools

A Global Address Pool is a pool of addresses seen from the outside network. By default, each outside interface creates a Global Address Pool with a single address – the address assigned to that interface. For outbound sessions, an address is picked from a pool by hashing the source IP address for a pool index and then hashing again for an address index. For inbound sessions, it is necessary to create a reserved mapping. See below for more information on reserved mappings.

Reserved Mappings

A reserved mapping is used so that NAT knows where to route packets on inbound sessions. The reserved mapping will map a specific global address and port to an inside address and port. Reserved mappings can also be used so that different inside hosts can share a global address by mapping different ports to different hosts. For example, Host A is an FTP server and Host B is a web server. By mapping the FTP port to Host A and the HTTP port to Host B, both inside hosts can share the same global address. Setting the protocol number to 255 (0xFF) means that the mapping will apply to all protocols. Setting the port number to 65535 (0xFFFF) for TCP or UDP protocols means that the mapping will apply to all port numbers for that protocol.

DMZ

Sometimes an organization wishes to allow access to certain hosts on its network, but not to all hosts. For example, an organization may provide patches to its software via an FTP server. However, it does not want FTP access to any hosts other than the FTP server. This can be accomplished by having a second inside network with less restrictive policies than the main internal network. This second network is called a De-Militarized Zone (DMZ).

The SI2000 Callisto821+ Router security package allows separate policies for traffic between DMZ interfaces and external or internal interfaces. There are, however, several restrictions. If NAT is used for hosts on both the DMZ network and the internal network, then there must be a separate global address pool for DMZ interfaces which does not overlap any global address pools for internal interfaces. In addition, for outbound sessions, there must be reserved mappings for the DMZ hosts that do not map to the “real” address of the external interface.


8.2.1 Configuring NAT

Configuring NAT

To configure NAT, you need to:
1. Enable Security.
2. Create at least two different security interface types based on existing LAN or WAN services.
3. Once you have created more than one security interface, the NAT column in the Security Interfaces table tells you that you can enable NAT between the existing security interface and a network interface type. For example, if you create an external interface and an internal interface, your table will look like this:

figure 73: The Security: interfaces table page.

The NAT column for the external interface tells you that you can enable NAT to internal interfaces. If you also had a DMZ interface configured, this column would also include an Enable NAT to DMZ interfaces button.

4. To enable NAT between the external interface and the internal interface type, click on Enable NAT to internal interfaces. The Security page is refreshed and NAT is enabled. To disable NAT between these interfaces, click on Disable NAT to internal interfaces.

These actions have the same effect as entering the following CLI commands:

nat enable
nat disable

Once you have enabled NAT between interfaces, you can:
• configure global addresses.
• configure reserved mapping.


8.2.2 NAT Global Address

Global address pools allow you to create a pool of outside network addresses that is visible outside your network. Before you can configure global addresses, you need to configure NAT.

Configuring NAT global addresses

To set up a global address pool on your existing NAT enabled interfaces:
1. From the NAT Security Interfaces table, click on the Advanced NAT Configuration hyperlink for the interface that you want to add a global pool to. The following page is displayed:

figure 74: The Advanced NAT Configuration page.


2. Click on Add Global Address Pool. The following page is displayed:

figure 75: The NAT Add Global Address Pool page.

3. This page allows you to create a pool of network IP addresses that are visible outside your network. Add values for the following table entries:
• Interface type; the internal address type that you want to map your external global IP addresses to. Click on the drop-down list and select an interface type.
• Use Subnet Configuration; there are two ways to specify a range of IP addresses. You can either Use Subnet Mask (specify the subnet mask address of the IP address) or Use IP Address Range (specify the first and last IP address in the range). Click on the drop-down list and select a method.
• IP Address; type in the IP Address that is visible outside the network.
• Subnet Mask/IP Address 2; the value you specify here depends on the subnet configuration that you are using. If you chose Use Subnet Mask, type in the subnet mask of the IP address. If you chose Use IP Address Range, type in the last IP address in the range of addresses that make up the global address pool.
4. Once you have configured the table, click on Add global address pool. The table is refreshed and the global address pool is added to your NAT configuration.

To delete a global address pool, click on the Delete hyperlink, then click on the Delete Global Address Pool button. These actions have the same effect as typing the following CLI commands:

nat add globalpool
nat list globalpools
nat delete globalpool

Click on Return to Interface List to display the Security Interface Configuration page. To create a reserved mapping, click on the Add Reserved Mapping hyperlink.


8.2.3 NAT Reserved Mapping

Reserved mapping allows you to map an outside security interface or an IP address from a global pool to an individual IP address inside the network. Mapping is based on transport type and port number. Before you can configure reserved mapping, you need to configure NAT.

Configuring NAT reserved mapping

To set up a reserved mapping on your existing NAT enabled interfaces:
1. From the NAT Security Interfaces table, click on the Advanced NAT Configuration hyperlink for the interface that you want to add reserved mapping to. The Advanced NAT Configuration page is displayed.
2. Click on the Add Reserved Mapping hyperlink. The following page is displayed:

figure 76: The NAT Add Reserved Mapping page.

3. This page allows you to configure your reserved mapping. Add specific values for the following table entries:
• Global IP Address; if you are mapping from a global IP address, type the address here. If you are mapping from a security interface (e.g. Default ppp interface), type 0.0.0.0.
• Internal IP Address; the IP address of an individual host inside your network.
• Transport Type; specify the transport type that you want to map from the outside interface to the inside.
• Port Number; the port number that your transport uses externally and internally within your LAN.
4. Once you have configured the table, click on Add reserved mapping. The table is refreshed and the reserved mapping is added to your NAT configuration.

To delete a reserved mapping setup, click on the Delete hyperlink, then click on the Delete Reserved Mapping button.


These actions have the same effect as typing the following CLI commands:

nat add resvmap globalip
nat add resvmap interfacename
nat list resvmaps
nat delete resvmap

Click on Return to Interface List to display the Security Interface Configuration page.

8.3 Firewall

You should be familiar with the following terms when using Firewall features:

Port Filtering

Port filters are rules that determine how a packet should be handled. The rules define the protocol type, the range of source and destination port numbers and an indication of whether or not the packet should be allowed. When a packet arrives, the filter list is searched for a match that indicates whether the packet should be allowed. If there is no match in the list, the default action is to deny the packet. Filters may overlap, as the search finds the most specific rule.

Validators

Validators are similar to port filters. They are rules to define handling of packets based on the source or destination IP address. Validators allow ranges of IP addresses to be specified and the action to be taken on packets from or to addresses in that range. This is a powerful mechanism that allows users to block packets from certain addresses while allowing others.

Triggers

Security triggers are used to deal with application protocols that create separate sessions. Some application protocols open secondary connections during normal operations. The most common example of this is FTP, see RFC 959. An FTP client establishes a connection to a server using port 21, but data transfers are done on a separate connection. The port number, and who makes the connection, can vary depending on the FTP client. To allow FTP to work without triggers, you would have to set up port filters allowing the correct port numbers through. Naturally this is a significant security risk. You can avoid this risk by using security triggers. Triggers tell the security mechanism to expect these secondary sessions and how to handle them. Rather than allowing a range of port numbers, triggers handle the situation dynamically, allowing the secondary sessions only when appropriate. The trigger mechanism works without having to understand the application protocol or reading the payload of the packet, although this does happen when using NAT.
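The port-filter search and the trigger behaviour described above can be modelled in a few lines. This is an added example, not the Callisto821+ implementation. It assumes that "most specific" means the rule covering the fewest port pairs and that a trigger stays armed for a fixed time per host pair; the addresses, rules and packets are constructed.

```python
"""Default-deny port filters plus a trigger for secondary sessions (added example)."""
from dataclasses import dataclass

ANY = (0, 65535)


@dataclass(frozen=True)
class PortFilter:
    proto: str      # "tcp" or "udp"
    src: tuple      # inclusive source port range (low, high)
    dst: tuple      # inclusive destination port range (low, high)
    allow: bool

    def matches(self, proto, sport, dport):
        return (proto == self.proto
                and self.src[0] <= sport <= self.src[1]
                and self.dst[0] <= dport <= self.dst[1])

    def width(self):
        # Assumption: "most specific" = the rule covering the fewest port pairs.
        return (self.src[1] - self.src[0] + 1) * (self.dst[1] - self.dst[0] + 1)


class Firewall:
    def __init__(self, filters, trigger_ports=(), trigger_ttl=30):
        self.filters = list(filters)
        self.trigger_ports = set(trigger_ports)
        self.trigger_ttl = trigger_ttl   # seconds a trigger stays armed (assumed)
        self.armed = {}                  # host pair -> expiry time

    def filter_verdict(self, proto, sport, dport):
        hits = [f for f in self.filters if f.matches(proto, sport, dport)]
        if not hits:
            return False                 # no match: the default action is deny
        return min(hits, key=PortFilter.width).allow

    def packet(self, now, src, dst, proto, sport, dport):
        pair = frozenset((src, dst))     # either host may open the second session
        if self.filter_verdict(proto, sport, dport):
            if proto == "tcp" and dport in self.trigger_ports:
                self.armed[pair] = now + self.trigger_ttl
            return "allow"
        if now <= self.armed.get(pair, float("-inf")):
            return "allow (trigger)"
        return "deny"


# Constructed hosts (documentation address ranges) and rules.
CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.9"
BASE = [PortFilter("tcp", ANY, (21, 25), True),    # broad allow
        PortFilter("tcp", ANY, (23, 23), False)]   # narrower deny overlaps it
# Static alternative to a trigger: open the whole high port range.
WIDE = BASE + [PortFilter("tcp", ANY, (1024, 65535), True)]

# Constructed packets: (time, source, destination, protocol, sport, dport)
PACKETS = [
    (0, CLIENT, SERVER, "tcp", 40000, 21),    # FTP control connection
    (1, SERVER, CLIENT, "tcp", 20, 40001),    # data connection from the server
    (2, OTHER, CLIENT, "tcp", 20, 40001),     # unrelated host, same ports
    (100, SERVER, CLIENT, "tcp", 20, 40002),  # after the trigger has expired
    (101, CLIENT, SERVER, "tcp", 40003, 23),  # hits both overlapping rules
]


def run(firewall):
    return [firewall.packet(*p) for p in PACKETS]


if __name__ == "__main__":
    print("with trigger:", run(Firewall(BASE, trigger_ports={21})))
    print("wide filter: ", run(Firewall(WIDE)))
```

With the trigger, only the host pair that opened the control connection gets the secondary session, and only for a limited time; with the wide static filter the unrelated host is allowed as well.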

Intrusion Detection

The SI2000 Callisto821+ Router security provides protection from a number of attacks. Some attacks cause a host to be blacklisted (i.e., no traffic from that host is accepted under any circumstances) for a period of time. Other attacks are simply logged.


8.3.1 Firewall policies

Configuring Firewall policies

A policy is the collective term for the rules that apply to incoming and outgoing traffic between two interface types. Before you can create a Firewall policy, you need to enable Firewall.

1. To display policy details, click on Security Policy Configuration in the Policies, Triggers, Intrusion Detection, Logging section of the main security page. The following page is displayed and contains a Current Firewall Policies table:

figure 78: The Current Policy Configuration table page.

The table contains details of each Firewall policy. You can now configure the policies to include portfilters and validators.


Configuring Portfilters

A portfilter is an individual rule that determines what kind of traffic can pass between two interfaces specified in an existing policy. ... To configure a portfilter:

• From the Current Security Policies table, click on the Port Filters link for the policy that you want to configure. The page displayed contains three Add Filter hyperlinks that allow you to create three different kinds of portfilter:

• For a TCP or UDP portfilter click on Add TCP or UDP Filter. The following page is displayed:

figure 79: The Add TCP Port Filter page.

Specify the start and end of the port range for the TCP or UDP protocol that you want to filter. You can specify the range for source and destination port numbers. For information on application port numbers, see http://www.ietf.org/rfc/rfc1700.txt . Then use the Direction drop-down lists to specify whether you want to allow/block inbound traffic, and allow/block outbound traffic. Click on Apply. The Firewall Port Filters page is displayed, containing details of the TCP portfilter that you have just added.


• For a non-TCP/UDP portfilter click on Add Raw IP Filter. The following page is displayed:

figure 80: The Add Raw IP Filter page.

Specify the protocol number in the Transport Type text box, for example, for IGMP, enter protocol number 2. For more information on protocol numbers, see http://www.ietf.org/rfc/rfc1700.txt . Then use the Direction drop-down lists to specify whether you want to allow/block inbound traffic, and allow/block outbound traffic. Click on Apply. The Firewall Port Filters page is displayed, containing details of the IP portfilter that you have just added.

• Each portfilter displayed in the Firewall Port Filters page has a Delete hyperlink assigned to it. To delete a portfilter, click on this link, then at the confirmation page, click on the Delete button. The portfilter is removed from the Firewall configuration.

These actions have the same effect as typing the following CLI commands:

firewall add portfilter
firewall list portfilters
firewall delete portfilter
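The matching behaviour this guide describes for port filters (most specific match wins, no match means deny) can be modelled as below, with an audit helper for overlapping filters that disagree. This is an added example, not the router's own code; the class and function names, the sample policy, and the reading of "most specific" as the narrowest port range are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

ANY = (0, 65535)  # full port range, inclusive


@dataclass(frozen=True)
class PortFilter:
    name: str
    protocol: str            # "tcp" or "udp"
    src_ports: tuple         # inclusive (start, end)
    dst_ports: tuple         # inclusive (start, end)
    allow_inbound: bool
    allow_outbound: bool

    def matches(self, protocol, src_port, dst_port):
        return (protocol == self.protocol
                and self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])

    def size(self):
        # Assumption: "most specific" means the fewest (source, destination)
        # port pairs covered; the guide does not define it further.
        return ((self.src_ports[1] - self.src_ports[0] + 1)
                * (self.dst_ports[1] - self.dst_ports[0] + 1))


def decide(filters, protocol, src_port, dst_port, direction):
    """Return "allow" or "deny"; direction is "inbound" or "outbound"."""
    hits = [f for f in filters if f.matches(protocol, src_port, dst_port)]
    if not hits:
        return "deny"                      # no match: default action is deny
    best = min(hits, key=PortFilter.size)  # overlapping filters: narrowest wins
    allowed = best.allow_inbound if direction == "inbound" else best.allow_outbound
    return "allow" if allowed else "deny"


def _intersect(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def conflicting_overlaps(filters):
    """Audit helper: pairs of overlapping filters that disagree on an action."""
    found = []
    for a, b in combinations(filters, 2):
        if (a.protocol == b.protocol
                and _intersect(a.src_ports, b.src_ports)
                and _intersect(a.dst_ports, b.dst_ports)
                and (a.allow_inbound, a.allow_outbound)
                != (b.allow_inbound, b.allow_outbound)):
            found.append((a.name, b.name))
    return found


# Constructed policy: outbound access to well-known TCP ports, except SMTP.
FILTERS = [
    PortFilter("tcp-low", "tcp", ANY, (1, 1023), False, True),
    PortFilter("no-smtp", "tcp", ANY, (25, 25), False, False),
    PortFilter("dns", "udp", ANY, (53, 53), False, True),
]

if __name__ == "__main__":
    print(decide(FILTERS, "tcp", 40000, 80, "outbound"))
    print(decide(FILTERS, "tcp", 40000, 25, "outbound"))
    print(decide(FILTERS, "tcp", 40000, 8080, "outbound"))
    print(conflicting_overlaps(FILTERS))
```

Running the overlap audit before applying a policy shows which narrow filter will override a broader one, so an unintended allow or block is visible up front.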


Configuring Validators

A validator allows/blocks traffic based on the source/destination IP address and netmask. Traffic will be allowed or blocked depending on the validator configuration specified when the policy was created. To configure a validator:

1. From the Current Firewall Policies table, click on the Host Validators link for the policy that you want to configure. The Configure Validators page is displayed. Click on the Add Host Validator link. The following page is displayed:

figure 81: The Add Host Validator page.

2. In the Host IP Address text box, type the IP address that you want to allow/block.

3. In the Host Subnet Mask text box, type the IP mask address. If you want to filter a range of addresses, you can specify the mask, for example, 255.255.255.0. If you want to filter a single IP address, use the specific IP mask address, for example, 255.255.255.255.

4. Click on the Direction drop-down list and select the direction of traffic that you want the validator to filter.

5. Click on Apply. The Configure Validators page is displayed, containing details of the host validator that you have just added.

6. Each validator displayed in the Configure Validators page has a Delete Host Validator hyperlink assigned to it. To delete a validator, click on this link, then at the confirmation page, click on the Delete Host Validator button. The validator is removed from the Firewall configuration.


8.3.2 Triggers

Configuring Triggers

A trigger allows an application to open a secondary port in order to transport packets. The most common applications that require secondary ports are FTP and NetMeeting. To configure a trigger:

1. Go to the Policies, Triggers and Intrusion Detection section of the Security Interface Configuration. Click on Firewall Trigger Configuration. The Firewall Trigger Configuration page is displayed. There are no triggers defined at this time. Click on the New Trigger link. The following page is displayed:

figure 83: The Add Trigger page.

2. Configure the trigger as follows:

• Transport Type; select a transport type from the drop-down list, depending on whether you are adding a trigger for a TCP or a UDP application.

• Port Number Start; type the start of the trigger port range that the primary session uses.

• Port Number End; type the end of the trigger port range that the primary session uses.

• Secondary Port Number Start; type the start of the trigger port range that the secondary session uses.

• Secondary Port Number End; type the end of the trigger port range that the secondary session uses.

• Allow Multiple Hosts; select allow if you want a secondary session to be initiated to/from different remote hosts. Select block if you want a secondary session to be initiated only to/from the same remote host.

• Max Activity Interval; type the maximum interval time (in milliseconds) between the use of secondary port sessions.

• Enable Session Chaining; select Allow or Block depending on whether you want to allow multi-level TCP session chaining.


• Enable UDP Session Chaining; select Allow or Block depending on whether you want to allow multi-level UDP and TCP session chaining. You must set Enable Session Chaining to Allow if you want this to work.

• Binary Address Replacement; select Allow or Block depending on whether you want to use binary address replacement on an existing trigger.

• Address Translation Type; specify what type of address replacement is set on a trigger. You must set Binary Address Replacement to Allow if you want this to work.

3. Once you have configured the trigger, click on Apply. The Firewall Trigger Configuration page is displayed, containing details of the trigger that you have just configured.

4. Each trigger displayed in the Firewall Trigger Configuration page has a Delete hyperlink assigned to it. To delete a trigger, click on this link, then at the confirmation page, click on the Delete button. The Firewall Trigger Configuration page is displayed and details of the deleted trigger have been removed. There are two hyperlinks on the page:

• To add a new trigger, click on New Trigger.

• To display the Security Interface Configuration page, click on Return to Interface List.

These actions have the same effect as typing the following CLI commands:

security add trigger
security list triggers
security set trigger endport
security set trigger startport
security set trigger multihost
security set trigger maxactinterval
security set trigger sessionchaining
security set trigger
security set trigger UDPsessionchaining
security set trigger binaryaddressreplacement
security set trigger addressreplacement
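How the trigger fields interact can be seen in a small model: a secondary session is accepted only while a matching primary session exists, on a port in the secondary range, within the Max Activity Interval, and from the same remote host unless Allow Multiple Hosts is set. This is an added example, not the router's implementation; the class names, the exact timer semantics, and the FTP-style values are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trigger:
    transport: str            # "tcp" or "udp"
    port_start: int           # primary session port range
    port_end: int
    sec_port_start: int       # secondary session port range
    sec_port_end: int
    multihost: bool           # Allow Multiple Hosts
    max_act_interval_ms: int  # Max Activity Interval


class TriggerState:
    """Tracks primary sessions and decides on secondary ones (simplified model)."""

    def __init__(self, trigger):
        self.trigger = trigger
        self.primaries = {}   # lan_host -> [remote_host, last_activity_ms]

    def primary_opened(self, now_ms, transport, lan_host, remote_host, dst_port):
        t = self.trigger
        if transport == t.transport and t.port_start <= dst_port <= t.port_end:
            self.primaries[lan_host] = [remote_host, now_ms]
            return True
        return False

    def secondary_allowed(self, now_ms, transport, lan_host, remote_host, port):
        t = self.trigger
        entry = self.primaries.get(lan_host)
        if entry is None or transport != t.transport:
            return False                  # no primary session: nothing expected
        if not t.sec_port_start <= port <= t.sec_port_end:
            return False                  # outside the secondary port range
        if now_ms - entry[1] > t.max_act_interval_ms:
            del self.primaries[lan_host]  # trigger went idle: close the window
            return False
        if not t.multihost and remote_host != entry[0]:
            return False                  # only the primary's peer may connect
        entry[1] = now_ms                 # assumption: secondary use resets timer
        return True


# Constructed FTP-style trigger: control on port 21, data on high ports.
FTP_TRIGGER = Trigger("tcp", 21, 21, 1024, 65535,
                      multihost=False, max_act_interval_ms=3000)


def demo():
    lan, server, other = "192.168.1.20", "203.0.113.10", "198.51.100.7"
    state = TriggerState(FTP_TRIGGER)
    results = [state.secondary_allowed(0, "tcp", lan, server, 50000)]  # too early
    state.primary_opened(0, "tcp", lan, server, 21)
    results.append(state.secondary_allowed(1000, "tcp", lan, server, 50000))
    results.append(state.secondary_allowed(1500, "tcp", lan, other, 50001))
    results.append(state.secondary_allowed(1600, "tcp", lan, server, 80))
    results.append(state.secondary_allowed(4001, "tcp", lan, server, 50002))
    return results


if __name__ == "__main__":
    print(demo())
```

Compared with a static port filter that opens the whole secondary range, the window here exists only while the primary session is active, which is the risk reduction the guide attributes to triggers.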


8.3.3 Intrusion Detection Settings

Configuring Intrusion Detection Settings

Intrusion Detection settings allow you to protect your network from intrusions such as denial of service (DOS) attacks, port scanning and web spoofing. To configure Intrusion Detection settings:

1. Go to the Policies, Triggers, Intrusion Detection, Logging section of the Security Interface Configuration page. Click on Configure Intrusion Detection. The Firewall Configure Intrusion Detection page is displayed, containing default settings:

2. Configure Intrusion Detection as follows:

3. Use Blacklist; select true or false depending on whether you want external hosts to be blacklisted if the Firewall detects an intrusion from that host. Click on the Clear Blacklist button at the bottom of the page to clear blacklisting of an external host. The Security Interface Configuration page is displayed.

4. Use Victim Protection; select true or false depending on whether you want to protect a victim from an attempted web spoofing attack.

5. DOS Attack Block Duration; type the length of time (in seconds) that the Firewall blocks suspicious hosts for once a DOS attack attempt has been detected.

6. Scan Attack Block Duration; type the length of time (in seconds) that the Firewall blocks suspicious hosts for after it has detected scan activity.

7. Victim Protection Block Duration; type the length of time (in seconds) that the Firewall blocks packets destined for the victim of a spoofing style attack.

8. Maximum TCP Open Handshaking Count; type in the maximum number of unfinished TCP handshaking sessions (per second) that are allowed by Firewall before a SYN Flood is detected.

9. Maximum Ping Count; type in the maximum number of pings (per second) that are allowed before the Firewall detects an Echo Storm DOS attack.

10. Maximum ICMP Count; type in the maximum number of ICMP packets (per second) that are allowed by the Firewall before an ICMP Flood DOS is detected.

11. Once you have configured Intrusion Detection, click on Apply. The Intrusion Detection settings are applied to the Firewall, and the Security Interface Configuration page is displayed.

These actions have the same effect as typing the following CLI commands:

security enable
firewall enable IDS
firewall set IDS blacklist
firewall set IDS victimprotection
firewall set IDS DOSattackblock
firewall set IDS SCANattackblock
firewall set IDS MaxTCPopenhandshake
firewall set IDS MaxPING
firewall set IDS MaxICMP
firewall set IDS blacklist clear
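The interplay of Maximum TCP Open Handshaking Count, DOS Attack Block Duration and Use Blacklist can be modelled as a per-source counter of unfinished handshakes over a one-second window. This is an added example, not the router's detection code; the class name, the sliding-window bookkeeping, the log-only behaviour when blacklisting is off, and the sample traffic are assumptions.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000  # the thresholds in the guide are "per second"


class SynFloodDetector:
    def __init__(self, max_open_handshakes, dos_block_seconds, use_blacklist=True):
        self.max_open = max_open_handshakes
        self.block_ms = dos_block_seconds * 1000
        self.use_blacklist = use_blacklist
        self.pending = defaultdict(deque)  # src -> times of unfinished SYNs
        self.blacklist = {}                # src -> time the block expires
        self.log = []                      # (time_ms, src, message)

    def handle(self, t_ms, src, kind):
        """kind is "syn" (handshake opened) or "ack" (handshake completed)."""
        expires = self.blacklist.get(src)
        if expires is not None:
            if t_ms < expires:
                return "drop"              # blacklisted: nothing is accepted
            del self.blacklist[src]        # block duration is over
        q = self.pending[src]
        while q and t_ms - q[0] >= WINDOW_MS:
            q.popleft()                    # forget SYNs older than one second
        if kind == "ack":
            if q:
                q.popleft()                # oldest handshake is now finished
            return "accept"
        q.append(t_ms)
        if len(q) <= self.max_open:
            return "accept"
        self.log.append((t_ms, src, "SYN flood"))
        if not self.use_blacklist:
            return "accept"                # assumption: attack is only logged
        self.blacklist[src] = t_ms + self.block_ms
        q.clear()
        return "drop"


def replay(events, detector):
    """Feed (time_ms, source, kind) events through the detector."""
    return [detector.handle(t, src, kind) for t, src, kind in events]


# Constructed traffic: one well-behaved client and one host that opens six
# handshakes in half a second without finishing any of them.
EVENTS = [
    (0, "192.0.2.8", "syn"),
    (0, "203.0.113.50", "syn"),
    (50, "192.0.2.8", "ack"),
    (100, "203.0.113.50", "syn"),
    (200, "203.0.113.50", "syn"),
    (300, "203.0.113.50", "syn"),
    (400, "203.0.113.50", "syn"),
    (500, "203.0.113.50", "syn"),    # sixth unfinished handshake: over the limit
    (600, "203.0.113.50", "ack"),    # arrives while the host is blocked
    (2000, "192.0.2.8", "syn"),
    (10500, "203.0.113.50", "syn"),  # block duration of 10 s has elapsed
]

if __name__ == "__main__":
    detector = SynFloodDetector(max_open_handshakes=5, dos_block_seconds=10)
    print(replay(EVENTS, detector))
    print(detector.log)
```

A threshold set too low blacklists busy but legitimate hosts for the whole block duration, so replaying representative traffic against candidate values is a useful check before applying them.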


9 TROUBLESHOOTING

9.1 Recovery mode

You will know that the SI2000 Callisto821+ Router is running in recovery mode when both WAN and ALM LEDs are blinking fast.

9.1.1 Flash memory

Main flash memory

The flash memory in your Callisto821+ is divided into two parts. The first part, the main flash partition, contains data that is necessary for normal functioning of your Callisto821+. The firmware is written to this part of flash memory. The main part of flash memory is also used for saving configurations from Telnet management or WEB management. The sections on saving configurations carry an attention note about this: if the Callisto821+ is turned off or reset before the confirmation message 'saved' is displayed, the main part of flash memory is corrupted. The same problem occurs when the power supply is turned off during a firmware upgrade.

Recovery flash memory

The second part of flash memory is used by the SI2000 Callisto821+ Router to boot in recovery mode. If the main part of flash memory is corrupted, the Callisto821+ will boot in recovery mode and you will have to manually write the data to the main partition.

9.1.2 Updating main flash memory

If the main part of flash memory is corrupted, the Callisto821+ will boot in recovery mode and you will have to manually update the main partition. The Ethernet connection to your PC is still possible when the Callisto821+ is running in recovery mode. The IP address is set to 192.168.1.1 and cannot be changed. The procedure of updating the main flash memory from recovery mode can be divided into three sections:

Configuring LAN interface on PC

In recovery mode the IP address of the Callisto821+ is set to 192.168.1.1, so you have to configure the LAN interface on the PC to the same subnet as the Callisto821+: 192.168.1.0. To learn how to change the IP address of the PC, see the User defined IP address section of the LAN and TCP/IP settings chapter.


Updating flash memory

Move to the folder where the .tar file is. For updating the flash memory, write the following command in Linux/Unix terminal or Windows Command prompt:

recovery <name of tar file>

While the update is in progress, the ALM LED blinks. When the blinking stops, the procedure is finished and the router reboots with the new software. If the SI2000 Callisto821+ Router does not restart in normal mode after this procedure, contact your Dealer or Product service.

9.2 Dealing with difficulties

Difficulty: No LEDs turn on when the power on Callisto821+ is ON.
Suggestion: Make sure that the Callisto821+'s power adapter is connected with the power socket. If this connection is OK, contact your Dealer or Product service.

Difficulty: Connection with Telnet or WEB management can not be established.
Suggestion: Check the connection to the Ethernet port and make sure that cable is plugged in. Make sure that the subnet value on the PC LAN interface matches with the one on the Callisto821+. If you can not discover the IP address of the Callisto821+ turn off the device and turn it back on while holding RST button to restore default configuration where IP address is known to be 192.168.1.1.

Difficulty: Access to the internet is not possible.
Suggestion: Make sure that you entered the right information you got from your ISP. Check the username, password, VCI, VPI, encapsulation. Check the cables connected to the Ethernet port.

Difficulty: Some WEB pages are accessible and some not.
Suggestion: When SI2000 Callisto821+ Router is configured as PPPoE Client it may occur that some WEB pages will be downloadable and some not. Sometimes, over some IP paths, a TCP/IP node may send small amounts of data (typically less than 1500 bytes) with no difficulty, but transmission attempts with larger amounts of data hang and then time out. Often this is observed as a unidirectional problem: large data transfers succeed in one direction but fail in the other direction. This problem is likely caused by the TCP MSS value. Enable TCP MSS Clamp in IP interface settings of your WAN connection.