Yamaha Router Configuration Training
~ console ~
© Yamaha Corporation 2
Contents
・Console operation
・Log in
・Set Login & Admin password
・Basic Command
・Interface Addressing
・DHCP
・Static Routing
・NAT
・PPPoE
・IPsec VPN
・Static/Dynamic Packet Filtering
Before training
Please disable Windows firewall.
[Start menu] – [Control Panel] – [Windows Firewall] Select “Turn Windows Firewall on or off”.
Access into the Router
■Basic method of access
Console(Tera Term)
RTX810
Setup the console environment
1. Install the USB-serial driver
2. Install the Tera Term software
3. Set up the Tera Term parameters (Menu → Setup → Serial port)

   Parameter      Value
   Baud rate      9600 bit/s
   Data           8 bit
   Parity         None
   Stop           1 bit
   Flow control   Xon/Xoff

4. Start the router
1. Login from Serial
・The router will start automatically in 10 seconds.
・No password is set in the beginning.

2. How to configure
・Enter the administrator mode to configure the router.
・Use command “administrator” to enter the administrator mode.
・No password is set in the beginning.

3. How to change passwords
・Use command “login password” to change login password.
・Use command “administrator password” to change admin password.
・Use command “save” to save running configuration to FlashROM.
Sample:
Login password → “yamaha”
Administrator password → “router”

4. Logout
・Use command “exit” to log out from login user and admin.
・Enter login password.
・Enter admin password.
5. Basic commands
・Show Command
  ① show config
  ② show ip route
  ③ show arp
  ④ show environment
  ⑤ show log
  ⑥ show status <interface>
  ⑦ show ipsec sa
  ⑧ show techinfo
・Maintenance
  ① save
  ② restart
  ③ cold start
・Network Command
  ① ping
  ② traceroute
  ③ telnet

5. Basic commands (1)
・“show status lan1” shows the status of LAN1.
・“show log” shows the syslog of the router.

5. Basic commands (2)
・“show techinfo” shows all information of the router.

6. Command help
・Use key “?” to show command list.
・Use key “?” after a word to show command help or other command list.
7. Configuration control (1)
The Yamaha router has 5 domains for configuration files in internal memory. These domains are named by number, “0” ~ “4”, and the following operations are possible for each domain.
- Copy the configuration file
- Delete the configuration file
- Show the configuration file list
- Show the saved configuration file content

Internal memory (Flash ROM): 0 (default), 1, 2, 3, 4

7. Configuration control (2)
・Use command “save NUM” to save running-configuration to a specific domain on FlashROM.
・Use command “show config list” to show saved config list.
・Use command “copy config P1 P2” to copy configuration from P1 to P2.
・Use command “delete config” to delete configuration on FlashROM.
8. Interface addressing
■Configure IP Address to LAN Interface
LAN2 (.1): 172.16.1.0/24, 1000::/64
LAN1 (.1): 192.168.100.0/24, 2000::/64

8. Interface addressing (1)
Command
ip <interface> address <IPv4address/mask> ・・・・・・①
ipv6 <interface> address <IPv6address/mask> ・・・・・・②
① Configure IPv4 address to each LAN interface.
② Configure IPv6 address to each LAN interface.
・Use command “save” to save running configuration to FlashROM.

8. Interface addressing (2)
・“show status lan1” shows the status of LAN1.
・“show status lan2” shows the status of LAN2.

8. Interface addressing (3)
・“show ipv6 address” shows IPv6 address information.

9. Delete command
・Use the word “no” to clear the command that follows it.
10. DHCP server setting
■Enable DHCP Server and Assign DHCP Address to DHCP Clients (PC)
Network: 192.168.100.0/24, router .1 (LAN1)
DHCP clients: 192.168.100.2 ~ 192.168.100.191

10. DHCP server setting (1)
Command
dhcp service server ・・・・・・①
dhcp scope <scope_id> <scope/mask> ・・・・・・②
① Enable DHCP Server
② Configure the scope range of DHCP IP addresses.

10. DHCP server setting (2)
・“show status dhcp” shows the status of DHCP lease.
11. Router Advertisement
■Configure the Router Advertisement and send it to hosts.
Network: 2000::/64, router .1 (LAN1)
The computer creates its IPv6 address, 2000::XXXX/64, from the Router Advertisement.

11. Router Advertisement (1)
Command
ipv6 prefix <prefix_id> <prefix/mask> ・・・・・・①
ipv6 <interface> rtadv send <prefix_id> ・・・・・・②
① Configure IPv6 prefix.
② Configure the Router Advertisement.

11. Router Advertisement (2)
The computer creates its IPv6 address from the prefix in the RA.
Return to factory default setting
① Use command “cold start” to return to factory default.
② Router restarts automatically.
・Press “Enter” during the 10-second countdown.
③ Restart from config0.
12. Static route setting
■Configure Static Route for Networking.
172.16.2.0/24 3000::/64
172.16.1.0/24 2000::/64
1.1.1.0/24
1000::/64
ping
Router-A Router-B
.1 .2 .1 .1
(LAN1) (LAN1) (LAN2) (LAN2)
12. Static route setting (1)
Command
ip route <network/mask> gateway <nexthop> ・・・①
ipv6 route <network/mask> gateway <nexthop>%<interface> ・・・②
Sample: Router-A
① Set static route for 172.16.2.0/24
② Set static route for 3000::/64
“default” means 0.0.0.0

12. Static route setting (2)
Command
ip route <network/mask> gateway <nexthop> ・・・①
ipv6 route <network/mask> gateway <nexthop>%<interface> ・・・②
Sample: Router-B
① Set static route for 172.16.1.0/24
② Set static route for 2000::/64
“default” means 0.0.0.0

12. Static route setting (3)
・“show ip route” shows the IPv4 routing table of the Router.
・“show ipv6 route” shows the IPv6 routing table of the Router.

Configuration Change
① Save configuration to config0.
② Restart Router.
・Press “Enter” during the 10-second countdown.
③ Restart from config1.
13. Network Address Translation (NAT)
NAT … the process of modifying IP address information in IP packet headers; the process that lets a group of private addresses use 1 global IP address.
Private network: 192.168.100.0/24 (router .1; hosts .2, .3, .4, ・・・ .X); global address toward the internet: 172.16.1.1

NAT table
Source ⇔ Source Port
192.168.100.2 ⇔ 172.16.1.1 : 60000
192.168.100.3 ⇔ 172.16.1.1 : 60001
192.168.100.4 ⇔ 172.16.1.1 : 60002
・・・
192.168.100.X ⇔ 172.16.1.1 : 6000X
13. NAT (1)
■Configure NAT for IP Networking
172.16.1.0/24
192.168.100.0/24
.1 (LAN2)
.1 (LAN1)
×
○
Web server 172.16.1.100
Your computer 192.168.100.2
NAT 172.16.1.1
192.168.100.2
13. NAT (2)
Command
nat descriptor type <nat_id> masquerade ・・・・・・①
nat descriptor address outer <nat_id> <Outer IP Address> ・・・・・・②
nat descriptor address inner <nat_id> <Inner IP Address> ・・・・・・③
ip <interface> nat descriptor <nat_id> ・・・・・・④
① Enable NAT. Select “masquerade” to use NAPT.
② Put Global IP Address for translation.
③ Put any private IP Address. “auto” means all.
④ Set NAT to the interface.

13. NAT (3)
・“show nat descriptor address” shows the NAT table of the Router.
14. Static masquerade
Static masquerade … the process of forwarding packets that arrive at a specific port number.
Global address toward the internet: 172.16.1.1; private network: 192.168.100.0/24 (router .1); web server on private network: .100

NAT table
Destination Port ⇔ Destination Port
172.16.1.1 : 80 ⇔ 192.168.100.100 : 80

14. Static masquerade (1)
NAT
172.16.1.0/24
192.168.100.0/24
.1 (LAN2)
.1 (LAN1)
172.16.1.1:80
192.168.100.100:80
Your computer 172.16.1.2
Web server 192.168.100.100
14. Static masquerade (2)
Command
nat descriptor type <nat_id> masquerade ・・・・・・①
nat descriptor address outer <nat_id> <Outer IP Address> ・・・・・・②
nat descriptor address inner <nat_id> <Inner IP Address> ・・・・・・③
nat descriptor masquerade static <nat_id> <table_num> <Inner IP> <Proto> <Port> ・・・・・・④
ip <interface> nat descriptor <nat_id> ・・・・・・⑤
① Enable NAT. Select “masquerade” to use NAPT.
② Put Global IP Address for translation.
③ Put any private IP Address. “auto” means all.
④ Set Inner IP and Port for port forward.
⑤ Set NAT to the interface.

14. Static masquerade (3)
・“show nat descriptor address” shows the NAT table of the Router.
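Added example (not part of the Yamaha training material): a simplified Python model of the NAT tables in sections 13 and 14, showing how masquerade allocates outer ports for outgoing flows and why an incoming packet to port 80 is dropped until a static masquerade entry exists. The class and method names are hypothetical, the inner source port 1025 is constructed, and the model ignores the remote endpoint and entry timeouts.

```python
class Masquerade:
    """Simplified model of one masquerade (NAPT) descriptor with a single outer address."""

    def __init__(self, outer_ip, first_port=60000):
        self.outer_ip = outer_ip
        self.next_port = first_port  # assumption: start where the slide's table starts
        self.dynamic = {}   # (proto, inner_ip, inner_port) -> outer_port
        self.reverse = {}   # (proto, outer_port) -> (inner_ip, inner_port)
        self.static = {}    # (proto, outer_port) -> (inner_ip, inner_port)

    def add_static(self, inner_ip, proto, port):
        """Models: nat descriptor masquerade static <nat_id> <table_num> <Inner IP> <Proto> <Port>"""
        self.static[(proto, port)] = (inner_ip, port)

    def outbound(self, proto, inner_ip, inner_port):
        """An inner host sends a packet out; returns the (outer_ip, outer_port) it leaves with."""
        key = (proto, inner_ip, inner_port)
        if key not in self.dynamic:
            # Skip outer ports already claimed by a static or dynamic entry.
            while ((proto, self.next_port) in self.static
                   or (proto, self.next_port) in self.reverse):
                self.next_port += 1
            self.dynamic[key] = self.next_port
            self.reverse[(proto, self.next_port)] = (inner_ip, inner_port)
            self.next_port += 1
        return self.outer_ip, self.dynamic[key]

    def inbound(self, proto, outer_port):
        """A packet arrives at outer_ip:outer_port; returns the inner (ip, port), or None if dropped."""
        key = (proto, outer_port)
        if key in self.static:
            return self.static[key]
        return self.reverse.get(key)


def demo():
    nat = Masquerade("172.16.1.1")
    # Hosts .2, .3 and .4 each open one outgoing TCP flow (constructed source port).
    table = [nat.outbound("tcp", f"192.168.100.{h}", 1025) for h in (2, 3, 4)]
    before = nat.inbound("tcp", 80)               # no entry for port 80: dropped
    nat.add_static("192.168.100.100", "tcp", 80)  # static masquerade for the web server
    after = nat.inbound("tcp", 80)                # now forwarded to 192.168.100.100:80
    return table, before, after


if __name__ == "__main__":
    print(demo())
```

A static entry forwards the port for any outside source, so it is normally combined with the packet filtering of section 15 to limit who can reach the inner server.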
Configuration Change
① Save configuration to config1.
② Restart Router.
・Press “Enter” during the 10-second countdown.
③ Restart from config2.

15. Static packet filtering
■Configure Static Packet Filtering
Static Packet Filtering Condition
・172.16.1.200:80 → 192.168.100.0/24 : Reject
・172.16.1.100 → 192.168.100.0/24 : Pass
172.16.1.0/24
192.168.100.0/24
.1 (LAN2)
.1 (LAN1)
Filtering (tcp 80 = HTTP)
× ○ .100 .200
Your computer
Web server
15. Static packet filtering (1)
Command
ip filter <Filter_NUM> <Type> <Src_Add> <Dst_Add> <Protocol <Src_Port> <Dst_Port>> ・・①
ip <Interface> secure filter <Direction> <Filter_Num> ・・②
* To record the result of packet filtering, set the filter type to one such as pass-log or reject-log, and also configure “syslog notice on” to show the record in the syslog.
① Create Packet Filtering.
② Set filter to the interface.
③ Configure this command to record the result of packet filtering.

15. Static packet filtering rule
Sample filtering configuration:
ip filter 1 reject 1.1.1.1 2.2.2.2 tcp 80 *
ip filter 2 reject 1.1.1.1 3.3.3.3 udp * *
ip filter 3 pass * * * * *
ip lan2 secure filter in 1 2 3

Received packet
→ Filter1 (TCP src:80, From:1.1.1.1, To:2.2.2.2): YES → Discard, NO → Filter2
→ Filter2 (UDP, From:1.1.1.1, To:3.3.3.3): YES → Discard, NO → Filter3
→ Filter3 (all): YES → Pass, NO → Discard

With the above configuration, packets received on the LAN2 interface are evaluated against the filters in the listed order.
※ A received packet that does not match any filter is discarded. If you want to reject only specific packets, set an all-pass filter at the end of the filter configuration.
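Added example (not part of the Yamaha training material): a Python model of how the sample filter list above is evaluated, with the first matching filter deciding and a packet that matches nothing being discarded. It handles only the address and port forms used on the slide (a single address, “*”, a port number) plus CIDR networks; the test packets are constructed and the function names are hypothetical.

```python
import ipaddress

# The four configuration lines from the slide, unchanged.
CONFIG = """\
ip filter 1 reject 1.1.1.1 2.2.2.2 tcp 80 *
ip filter 2 reject 1.1.1.1 3.3.3.3 udp * *
ip filter 3 pass * * * * *
ip lan2 secure filter in 1 2 3
"""

FIELDS = ("action", "src", "dst", "proto", "sport", "dport")


def parse(config):
    """Return ({filter_num: rule}, {(interface, direction): [filter_num, ...]})."""
    filters, applied = {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["ip", "filter"]:
            filters[int(w[2])] = dict(zip(FIELDS, w[3:9]))
        elif len(w) > 5 and w[0] == "ip" and w[2:4] == ["secure", "filter"]:
            applied[(w[1], w[4])] = [int(n) for n in w[5:]]
    return filters, applied


def _addr_ok(pattern, addr):
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _field_ok(pattern, value):
    return pattern == "*" or pattern == str(value)


def evaluate(filters, order, pkt):
    """Walk the filters in list order; the first match decides.

    Returns (verdict, filter_num). A packet that matches no filter is
    discarded, reported here as ("reject", None).
    """
    for num in order:
        f = filters[num]
        if (_addr_ok(f["src"], pkt["src"]) and _addr_ok(f["dst"], pkt["dst"])
                and _field_ok(f["proto"], pkt["proto"])
                and _field_ok(f["sport"], pkt.get("sport"))
                and _field_ok(f["dport"], pkt.get("dport"))):
            verdict = "pass" if f["action"].startswith("pass") else "reject"
            return verdict, num
    return "reject", None


if __name__ == "__main__":
    filters, applied = parse(CONFIG)
    order = applied[("lan2", "in")]
    samples = [  # constructed packets
        dict(proto="tcp", src="1.1.1.1", sport=80, dst="2.2.2.2", dport=40000),
        dict(proto="udp", src="1.1.1.1", sport=5000, dst="3.3.3.3", dport=53),
        dict(proto="tcp", src="1.1.1.1", sport=80, dst="3.3.3.3", dport=40000),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(filters, order, pkt))
    # Without the final all-pass filter, the third packet is discarded.
    print(evaluate(filters, [1, 2], samples[2]))
```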
15. Static packet filtering (2)
・“show log” shows the syslog and results of Packet Filtering (PASS-LOG, REJECT-LOG).
16. Dynamic packet filtering
■Configure Dynamic Packet Filtering (Stateful Inspection)
172.16.1.0/24
192.168.100.0/24
.1 (LAN2)
.1 (LAN1)
Filtering (tcp 80 = HTTP)
○ .100
×
Dynamic Filtering Condition
・LAN1 → LAN2 : Pass
・LAN2 → LAN1 : Reject
・Reply packets of LAN1 → LAN2 : Pass
Your computer
Web server
16. Dynamic packet filtering (1)
Command
ip filter <Filter_Num> <Type> <Src_Add> <Dst_Add> <Protocol <Src_Port> <Dst_Port>> ・・・・・・①
ip filter dynamic <Dynamic_Filter_Num> <Src_Add> <Dst_Add> <Protocol> ・・・・・・②
ip <interface> secure filter <Direction> <Filter_Num> dynamic <Dynamic_Filter_Num> ・・・・・・③
*NOTE
・To enable a Dynamic Filter, a Static Packet Filter must be configured in advance. The first packet should be filtered by the static filter. Once the packet has been filtered by the Static Filter, the Dynamic Filter becomes active.
  ex) ip lan1 secure filter out 1 dynamic 1
・For a Dynamic Filter, the <Protocol> parameter takes values such as ftp, www, domain, smtp, pop3, tcp and udp.

16. Dynamic packet filtering (2)
① Create Static Packet Filtering.
② Create Dynamic Packet Filtering.
③ Set inbound filter to the Interface.
④ Set dynamic filter for outbound filter to the interface.
⑤ Configure this command to record the result of packet filtering.
16. Dynamic packet filtering (3)
・“show ip connection” shows the session information of Dynamic Filtering.

16. Dynamic packet filtering (4)
・“show log” shows the syslog and results of Packet Filtering.
・“INSPECT” means that packets are filtered by Dynamic Filtering.
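Added example (not part of the Yamaha training material): a small Python model of the Dynamic Filtering Condition in section 16, where LAN1 → LAN2 traffic passes, LAN2 → LAN1 traffic is rejected, and only replies to flows opened from LAN1 are let back in. The class, the 60-second idle timeout and the port numbers are assumptions made for the illustration; the two addresses are the PC and web server from the slides.

```python
class DynamicFilter:
    """Toy stateful-inspection model for the LAN1 (inside) / LAN2 (outside) policy."""

    def __init__(self, protocols=("tcp",), idle_timeout=60):
        self.protocols = set(protocols)    # protocols given to the dynamic filter
        self.idle_timeout = idle_timeout   # seconds; hypothetical value
        self.flows = {}                    # (proto, src, sport, dst, dport) -> last seen

    def outbound(self, now, proto, src, sport, dst, dport):
        """LAN1 -> LAN2. The static filter passes it; the dynamic filter records the flow."""
        if proto in self.protocols:
            self.flows[(proto, src, sport, dst, dport)] = now
        return "pass"

    def inbound(self, now, proto, src, sport, dst, dport):
        """LAN2 -> LAN1. Only the exact reply to a live recorded flow passes."""
        flow = (proto, dst, dport, src, sport)   # the outbound flow this packet would answer
        seen = self.flows.get(flow)
        if seen is not None and now - seen <= self.idle_timeout:
            self.flows[flow] = now               # reply traffic keeps the entry alive
            return "pass"
        self.flows.pop(flow, None)               # expired entries are removed
        return "reject"


def demo():
    fw = DynamicFilter()
    pc, web = "192.168.100.2", "172.16.1.100"    # addresses from the slides
    return [
        fw.inbound(0, "tcp", web, 80, pc, 50000),    # unsolicited packet from LAN2
        fw.outbound(1, "tcp", pc, 50000, web, 80),   # PC opens an HTTP connection
        fw.inbound(2, "tcp", web, 80, pc, 50000),    # reply to that connection
        fw.inbound(3, "tcp", web, 80, pc, 50001),    # same server, different PC port
        fw.inbound(100, "tcp", web, 80, pc, 50000),  # reply after the idle timeout
    ]


if __name__ == "__main__":
    print(demo())
```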
Configuration Change
① Save configuration to config2.
② Restart Router.
・Press “Enter” during the 10-second countdown.
③ Restart from config3.
17. Internet Accessing (PPPoE)
172.16.1.0/24
.1 (LAN)
Internet
■Configure PPPoE Setting for Internet Access
(WAN) (WAN)
.1 (LAN)
172.16.2.0/24
Router-B Router-A
PC2 PC1
17. PPPoE (1)
Command
pp select <pp_num> ・・・・・・①
pppoe use <interface> ・・・・・・②
pp always-on <on/off> ・・・・・・③
pp auth accept <auth method> ・・・・・・④
pp auth myname <user_id> <user_pass> ・・・・・・⑤
ppp lcp mru <on/off> <frame size> ・・・・・・⑥
ip pp mtu <mtu size> ・・・・・・⑦
ppp ccp type <type> ・・・・・・⑧
ppp ipcp ipaddress <on/off> ・・・・・・⑨ (*1)
ppp ipcp msext <on/off> ・・・・・・⑩
ip pp nat descriptor <nat_id> ・・・・・・⑪
ip pp tcp mss limit <length> ・・・・・・⑫
pp enable <pp_num> ・・・・・・⑬
dns server pp <pp_num> ・・・・・・⑭
ip route <network address/mask> gateway pp <pp_num> ・・・・・・⑮
*1) This parameter is for a dynamic IP address assigned by the ISP. If you want to use a static IP address, set “ip pp address <IP Address/Mask>” instead.

17. PPPoE (2)
Sample: (Dynamic Global Address)
① Create pp interface
② Choose physical interface
③ Enable always-on connections
④ Choose authentication
⑤ Set USER-ID and Password
⑥ Set LCP MRU parameter
⑦ Set MTU parameter
⑧ Choose compression type
⑨ Enable dynamic IP address
⑩ Enable dynamic DNS address
⑪ Enable nat descriptor for pp
⑫ Enable optimization of MSS
⑬ Enable pp interface
⑭ Set DNS server from ⑩
⑮ Set static routing
Router A ID: user1, PASS: pass1
Router B ID: user2, PASS: pass2

17. PPPoE (3)
・“show status pp 1” shows the status of pp 1 interface.
18. IPsec VPN (Main mode)
172.16.1.0/24
Internet (200.1.1.0/24)
IPSec
Router-B
.202 .201
.1 .1
■Configure IPsec VPN (Main Mode) via Internet
172.16.2.0/24
Router-A
PSK: secret PSK: secret
PC2 PC1 .2 .2
18. IPsec VPN (Main mode) (1)
Command: (Center and Branch)
tunnel select <Tunnel_Num> ・・・・・・①
tunnel encapsulation <Type> ・・・・・・②
ipsec tunnel <Policy_ID> ・・・・・・③
ipsec sa policy <Policy_ID> <Tunnel_Num> esp <Algorithm> <Authentication> ・・・・・・④
ipsec ike keepalive use <Tunnel_Num> <on/off> ・・・・・・⑤
ipsec ike keepalive log <Tunnel_Num> <on/off> ・・・・・・⑥
ipsec ike local address <Tunnel_Num> <Local_Gateway_Address> ・・・・・・⑦
ipsec ike remote address <Tunnel_Num> <Remote_Gateway_Address> ・・・・・・⑧
ipsec ike pre-shared-key <Tunnel_Num> text <Text_Key> ・・・・・・⑨
tunnel enable <Tun_Num> ・・・・・・⑩
ip route <network address/mask> gateway tunnel <Tun_Num> ・・・・・・⑪
ipsec auto refresh <on/off> ・・・・・・⑫

18. IPsec VPN (Main mode) (2)
Sample: Router-A
① Create Tunnel Interface
② Select IPsec Policy-ID
③ Create IPsec Policy
④ Enable use of keepalive
⑤ Disable keepalive log
⑥ Set IP address of local GW
⑦ Set IP address of remote GW
⑧ Set pre shared key
⑨ Enable Tunnel Interface
⑩ Set port forwarding for IPsec
⑪ Set port forwarding for IKE
⑫ Set static routing
⑬ Enable Initiation of KeyExchange

18. IPsec VPN (Main mode) (3)
Sample: Router-B
① Create Tunnel Interface
② Select IPsec Policy-ID
③ Create IPsec Policy
④ Enable use of keepalive
⑤ Disable keepalive log
⑥ Set IP address of local GW
⑦ Set IP address of remote GW
⑧ Set pre shared key
⑨ Enable Tunnel Interface
⑩ Set port forwarding for IPsec
⑪ Set port forwarding for IKE
⑫ Set static routing
⑬ Enable Initiation of KeyExchange

18. IPsec VPN (Main mode) (4)
・“show status tunnel 1” shows the status of tunnel 1 interface.
・“show ipsec sa” shows the status of ISAKMP SA and IPsec SA.
19. IPsec VPN (Aggressive mode)
172.16.1.0/24
Internet (200.1.1.0/24)
IPSec
Router-A Router-B
.201
.1 .1
■Configure IPsec VPN (Aggressive Mode) via Internet
172.16.2.0/24
PSK: secret Remote Name: test
PSK: secret Local Name: test
Dynamic IP Address
PC1 PC2
19. IPsec VPN (Aggressive mode) (1)
Command: (Center) Router-A
tunnel select <Tunnel_Num> ・・・・・・①
tunnel encapsulation <Type> ・・・・・・②
ipsec tunnel <Policy_ID> ・・・・・・③
ipsec sa policy <Policy_ID> <Tunnel_Num> esp <Algorithm> <Authentication> ・・・・・・④
ipsec ike keepalive use <Tunnel_Num> <on/off> ・・・・・・⑤
ipsec ike keepalive log <Tunnel_Num> <on/off> ・・・・・・⑥
ipsec ike local address <Tunnel_Num> <Local_Gateway_Address> ・・・・・・⑦
ipsec ike remote address <Tunnel_Num> any ・・・・・・⑧
ipsec ike remote name <Tunnel_Num> <Tex_key> key-id ・・・・・・⑨
ipsec ike pre-shared-key <Tunnel_Num> text <Text_Key> ・・・・・・⑩
tunnel enable <Tun_Num> ・・・・・・⑪
ip route <network address/mask> gateway tunnel <Tun_Num> ・・・・・・⑫

19. IPsec VPN (Aggressive mode) (2)
Command: (Branch) Router-B
tunnel select <Tunnel_Num> ・・・・・・①
tunnel encapsulation <Type> ・・・・・・②
ipsec tunnel <Policy_ID> ・・・・・・③
ipsec sa policy <Policy_ID> <Tunnel_Num> esp <Algorithm> <Authentication> ・・・・・・④
ipsec ike keepalive use <Tunnel_Num> <on/off> ・・・・・・⑤
ipsec ike keepalive log <Tunnel_Num> <on/off> ・・・・・・⑥
ipsec ike local address <Tunnel_Num> <Local_Gateway_Address> ・・・・・・⑦
ipsec ike remote address <Tunnel_Num> <Remote_Gateway_Address> ・・・・・・⑧
ipsec ike local name <Tunnel_Num> <Tex_key> key-id ・・・・・・⑨
ipsec ike pre-shared-key <Tunnel_Num> text <Text_Key> ・・・・・・⑩
tunnel enable <Tun_Num> ・・・・・・⑪
ip route <network address/mask> gateway tunnel <Tun_Num> ・・・・・・⑫
ipsec auto refresh <on/off> ・・・・・・⑬

19. IPsec VPN (Aggressive mode) (3)
Sample: Router-A
① Create Tunnel Interface
② Select IPsec Policy-ID
③ Create IPsec Policy
④ Enable use of keepalive
⑤ Disable keepalive log
⑥ Set IP address of local GW
⑦ Accept any IP as remote GW
⑧ Set name of remote GW
⑨ Set pre shared key
⑩ Enable Tunnel Interface
⑪ Set port forwarding for IPsec
⑫ Set port forwarding for IKE
⑬ Set static routing

19. IPsec VPN (Aggressive mode) (4)
Sample: Router-B
① Create Tunnel Interface
② Select IPsec Policy-ID
③ Create IPsec Policy
④ Enable use of keepalive
⑤ Disable keepalive log
⑥ Set IP address of local GW
⑦ Set IP address of remote GW
⑧ Set name of local GW
⑨ Set pre shared key
⑩ Enable Tunnel Interface
⑪ Set port forwarding for IPsec
⑫ Set port forwarding for IKE
⑬ Set static routing
⑭ Enable Initiation of KeyExchange

19. IPsec VPN (Aggressive mode) (5)
・“show status tunnel 1” shows the status of tunnel 1 interface.
・“show ipsec sa” shows the status of ISAKMP SA and IPsec SA.

19. IPsec VPN (Aggressive mode) (6)
・“show ipsec sa gateway 1 detail” shows the specific information about ISAKMP and IPsec SA.
Website for Yamaha product
http://www.yamaha.com/products/en/network/
We will update the information such as new firmware, sample configuration … etc.