Link scheduler configuration task list

OnSite Model 3210 User Manual 

7 • Link scheduler configuration

You do not have to tag some types of packets with an ACL. Voice and data packets from or for the OnSite itself are automatically tagged with predefined traffic-class names. Predefined internal classes for data are:

local-default—All other packets that originate from the OnSite itself.

default—All traffic that has not otherwise been labeled.

Creating an access control list

The procedure to create an access control list is described in detail in chapter 6, “Access control list configuration” on page 54.

At this point a simple example is given that shows the necessary steps to tag any outbound traffic from a Web server. The scenario is depicted in figure 20. The IP address of the Web server is used as the source address in the permit statement of the IP filter rule for the access control list.

Figure 20. Scenario with Web server regarded as a single source host

A new access control list has to be created. In the example above, the traffic-class that represents outbound Web related traffic is named Web.

Access control lists have an implicit “deny all” entry at the very end, so packets that do not match the first criteria of outbound Web related traffic will be dropped. That is why a second access control list entry, one that allows all other traffic, is necessary.
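The effect of the implicit “deny all” entry can be checked with a small model of ACL evaluation. This is an added example, not code from the manual and not OnSite CLI syntax: `Rule`, `evaluate` and the second LAN host 172.16.1.57 are constructed for illustration, and the misordered list goes one step beyond the text to show why the tagging rule has to come before the catch-all entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of an ACL entry; names are illustrative only.
@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    src: ipaddress.IPv4Network            # source match; "any" is 0.0.0.0/0
    traffic_class: Optional[str] = None   # tag applied when the rule matches

ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SERVER = ipaddress.ip_network("172.16.1.20/32")  # Web server from figure 20

def evaluate(acl, src_ip):
    """Return (action, traffic_class) for a packet with source src_ip.

    Entries are checked in order and the first match decides. A packet
    that matches no entry hits the implicit "deny all" at the end.
    Permitted traffic without an explicit tag falls into class "default".
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in acl:
        if addr in rule.src:
            if rule.action == "deny":
                return ("deny", None)
            return ("permit", rule.traffic_class or "default")
    return ("deny", None)  # implicit "deny all"

# Only the tagging entry: everything except the Web server is dropped.
ACL_WEB_ONLY = [Rule("permit", WEB_SERVER, "Web")]

# Tagging entry followed by the second entry that allows all other traffic.
ACL_COMPLETE = [Rule("permit", WEB_SERVER, "Web"), Rule("permit", ANY)]

# Same entries in the wrong order: the catch-all matches first, so the
# Web server's packets are permitted but never receive the "Web" tag.
ACL_MISORDERED = [Rule("permit", ANY), Rule("permit", WEB_SERVER, "Web")]

def summarize(acl, sources):
    """Evaluate each source address against the ACL and collect results."""
    return {src: evaluate(acl, src) for src in sources}

if __name__ == "__main__":
    # Constructed sample sources: the Web server and another LAN host.
    sources = ["172.16.1.20", "172.16.1.57"]
    for name, acl in [("web only", ACL_WEB_ONLY),
                      ("complete", ACL_COMPLETE),
                      ("misordered", ACL_MISORDERED)]:
        for src, result in summarize(acl, sources).items():
            print(f"{name:10s} {src:12s} -> {result}")
```
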

This procedure describes creating an access control list for tagging web traffic from the single source host at a 
certain IP address.

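[Figure 20 diagram: Web-Server (172.16.1.20/24) on network 172.16.1.0, attached to the Node's lan interface (172.16.1.1/24); the Node's wan interface (17.254.0.91/16) connects to the IP Access Network.]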
