TP-Link SafeStream TL-ER6120, User Manual

Page 1: ...TL ER6120 Gigabit Dual WAN VPN Router REV1 2 0 1910010936 ...

Page 2: ...rcial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense This devi...

Page 3: ...e power source Don t disassemble the product or make repairs yourself You run the risk of electric shock and voiding the limited warranty If you need service please contact us Avoid water and wet locations 安全諮詢及注意事項 請使用原裝電源供應器或只能按照本產品注明的電源類型使用本產品 清潔本產品之前請先拔掉電源線 請勿使用液體 噴霧清潔劑或濕布進行清潔 注意防潮 請勿將水或其他液體潑灑到本產品上 插槽與開口供通風使用 以確保本產品的操作可靠並防止過熱 請勿堵塞或覆蓋開口 請勿將本產品置放於靠近熱源的地方 除非有正常的通風 否則不可放在密閉位置中 請不要私自打開機殼 不要嘗試自行維修本產...

Page 4: ... Overview of the Router 4 2 2 Features 5 2 3 Appearance 6 2 3 1 Front Panel 6 2 3 2 Rear Panel 7 Chapter 3 Configuration 9 3 1 Network 9 3 1 1 Status 9 3 1 2 System Mode 9 3 1 3 WAN 12 3 1 4 LAN 28 3 1 5 DMZ 31 3 1 6 MAC Address 33 3 1 7 Switch 34 3 2 User Group 41 3 2 1 Group 41 3 2 2 User 42 3 2 3 View 42 3 3 Advanced 44 3 3 1 NAT 44 3 3 2 Traffic Control 52 ...

Page 5: ... 4 5 App Control 77 3 5 VPN 79 3 5 1 IKE 79 3 5 2 IPsec 83 3 5 3 L2TP PPTP 90 3 6 Services 94 3 6 1 PPPoE Server 94 3 6 2 E Bulletin 100 3 6 3 Dynamic DNS 102 3 6 4 UPnP 108 3 7 Maintenance 109 3 7 1 Admin Setup 109 3 7 2 Management 112 3 7 3 License 114 3 7 4 Statistics 115 3 7 5 Diagnostics 117 3 7 6 Time 119 3 7 7 Logs 122 Chapter 4 Application 124 4 1 Network Requirements 124 ...

Page 6: ...ment 133 4 3 4 Network Security 137 Chapter 5 CLI 143 5 1 Configuration 143 5 2 Interface Mode 146 5 3 Online Help 147 5 4 Command Introduction 149 5 4 1 ip 149 5 4 2 ip mac 149 5 4 3 sys 150 5 4 4 user 151 5 4 5 history 152 5 4 6 exit 153 Appendix A Hardware Specifications 154 Appendix B FAQ 155 Appendix C Glossary 157 ...

Page 7: ... ER6120 Router One Power Cord One Console Cable One Ground Cable Two mounting brackets and other fittings Installation Guide Resource CD Note Make sure that the package contains the above items If any of the listed items is damaged or missing please contact with your distributor ...

Page 8: ...located under the Advanced menu Bold font indicates a toolbar icon menu or menu item Font indicate a button Symbols in this Guide Symbol Description Note Ignoring this type of note might result in a malfunction or damage to the device Tips This format indicates important information that helps you make better use of your device 1 3 Overview of this Guide Chapter 1 About This Guide Introduces the g...

Page 9: ...s Lists the hardware specifications of this router Appendix B FAQ Provides the possible solutions to the problems that may occur during the installation and operation of the router Appendix C Glossary Lists the glossary used in this guide ...

Page 10: ... Server mode to allow the staff on business or remote branch office to access the headquarter network Online Behavior Management Complete Functions of Access Rules can allow managers to select the network service levels to block or allow applications of FTP downloading Email Web browsing and so on Deploying One Click restricting of IM P2P applications to save time energy while reserving exceptiona...

Page 11: ...the router from remote places 2 2 Features Hardware 2 gigabit WAN ports 2 gigabit LAN ports 1 gigabit LAN DMZ port and 1 Console port Built in high quality power supply with non fun system design for quietness Possesses standard sized 19 inch outfit for standard rack Supports Professional 4kV common mode lightning protection Complies with IEEE 802 3 IEEE 802 3u IEEE 802 3ab standards Supports AH E...

Page 12: ... PPTP L2TP Server Client Traffic Control Supports Bandwidth Control Supports Session Limit Security Built in firewall supporting URL MAC Filtering Supports Access Control Supports Attack Defense Supports IP MAC Binding Supports GARP Gratuitous ARP Deploys One Click restricting of IM P2P applications 2 3 Appearance 2 3 1 Front Panel The front panel of TL ER6120 is shown as the following figure LEDs...

Page 13: ...ption WAN 1 2 The WAN port is for connecting the router to a DSL Cable modem or Ethernet by the RJ45 cable LAN 1 3 The LAN port is for connecting the router to the local PCs or switches by the RJ45 cable DMZ 3 The DMZ port is for connecting the router to the servers Console N A The Console port is for connecting with the serial port of a computer or terminal to monitor and configure the router Res...

Page 14: ...e sure the voltage of the power supply meets the requirement of the input voltage 100 240V 50 60Hz Grounding Terminal nism You can also ground the router through the PE Protecting Earth cable of AC cord or with Ground Cable The router already comes with lightning protection mecha Note Please use only the power cord provided with this router ...

Page 15: ...formation related to this router Choose the menu Network Status to load the following page Figure 3 1 Status 3 1 2 System Mode The TL ER6120 can work in three modes NAT Non NAT and Classic If your router is hosting your local network s connection to the Internet with a network topology as the Figure 3 2 shown you can set it to NAT mode ...

Page 16: ...ork environment with a network topology as the Figure 3 3 shown and forwards the packets between these two networks by the Routing rules you can set it to Non NAT mode Figure 3 3 Network Topology Non NAT Mode If your router is connected in a combined network topology as the Figure 3 4 shown you can set it to Classic Mode ...

Page 17: ...sses are in different subnet of LAN port For example If the LAN port of the router is set to 192 168 0 1 for IP address and 255 255 255 0 for the Subnet Mask then the subnet of LAN port is 192 168 0 0 24 The packet with 192 168 0 123 as its source IP address can be transported by NAT whereas the packet with 20 31 76 80 as its source IP address will be dropped Non NAT Mode In this mode the router f...

Page 18: ...e following six Internet connection types Static IP Dynamic IP PPPoE Russian PPPoE L2TP Russian L2TP PPTP Russian PPTP and BigPond To configure the WAN please first select the type of Internet connection provided by your ISP Internet Service Provider Tips It s allowed to set the IP addresses of both the WAN ports within the same subnet However to guarantee a normal communication make sure that the...

Page 19: ... to keep the default value if no other MTU value is provided by your ISP Primary DNS Enter the IP address of your ISP s Primary DNS Domain Name Server If you are not clear please consult your ISP It s not allowed to access the Internet via domain name if the Primary DNS field is blank Secondary DNS Optional If a Secondary DNS Server address is available enter it Upstream Bandwidth Specify the band...

Page 20: ... to give a name for the router It s blank by default MTU MTU Maximum Transmission Unit is the maximum data unit transmitted by the physical network It can be set in the range of 576 1500 The default MTU is 1500 It is recommended to keep the default value if no other MTU value is provided by your ISP Get IP Address by Unicast The broadcast requirement may not be supported by a few ISPs Select this ...

Page 21: ... indicates that the Dynamic IP connection type is not applied Connecting indicates that the router is obtaining the IP parameters from your ISP Connected indicates that the router has successfully obtained the IP parameters from your ISP Disconnected indicates that the IP address has been manually released or the request of the router gets no response from your ISP Please check your network connec...

Page 22: ...rnet Service Provider has provided the account information for the PPPoE connection please choose the PPPoE connection type Used mainly for DSL Internet service Figure 3 8 WAN PPPoE The following items are displayed on this screen ...

Page 23: ...o keep the connection always on The connection can be re established automatically when it is down Time based Select this option to keep the connection on during the Active time you set PPPoE Advanced Settings Check here to enable PPPoE advanced settings Keep Alive Once PPPoE is connected the router will send keep alive packets every Keep Alive Interval sec and Keep Alive Retry Times to make sure ...

Page 24: ...t is displayed Subnet Address If Static IP is selected configure the subnet address of WAN port If Dynamic IP is selected the obtained subnet address of WAN port is displayed Status Displays the status of secondary connection Upstream Bandwidth Specify the bandwidth for transmitting packets on the port Downstream Bandwidth Specify the bandwidth for receiving packets on the port PPPoE Status Status...

Page 25: ...e IP address assigned by your ISP Gateway Address Displays the Gateway Address assigned by your ISP Primary DNS Displays the IP address of your ISP s Primary DNS Secondary DNS Displays the IP address of your ISP s Secondary DNS 4 L2TP If your ISP Internet Service Provider has provided the account information for the L2TP connection please choose the L2TP connection type ...

Page 26: ...on and release the Account Name Enter the Account Name provided by your ISP If you are not clear Password ded by your ISP layed on this screen Connection T Select L2TP if your ISP provides a L2TP connection Click Connect to dial up to the Internet and obtain the IP current IP address please consult your ISP Enter the Password provi ...

Page 27: ... bandwidth for transmitting packets on the port Server IP Enter the Server IP provided by your ISP MTU Max 576 1460 The default MTU is 1460 It is recommended to keep the default value if no other MTU value is provided by yo Active Mode You can select the proper Active Mode according to your need Manual Select this option to manual is optimum for the dial up connection charged on time down Connecti...

Page 28: ...e request of the router has no response from your ISP Please ensure that your settings are correct and your network is connected well Consult your ISP if this problem remains IP Address Displays the IP address assigned by your ISP Primary DNS Displays the IP address of your ISP s Primary DNS Secondary DNS Displays the IP address of your ISP s Secondary DNS 5 PPTP If your ISP Internet Service Provi...

Page 29: ...vides a PPTP connection Click and release the current IP address d by your ISP If you are not clear please consult your ISP Password Enter the Password provided by your ISP Connect to dial up to the Internet and obtain the IP address Click Disconnect to disconnect the Internet connection Account Name Enter the Account Name provide ...

Page 30: ...igure the default gateway If Dynamic IP is selected the obtained default gateway is displayed Primary DNS Secondary DNS If Static IP is selected configure the DNS If Dynamic IP is selected the obtained DNS is displayed Upstream Bandwidth Specify the bandwidth for transmitting packets on the port Downstream Bandwidth Specify the bandwidth for receiving packets on the port Server IP Enter the Server...

Page 31: ... been manually terminated or the request of the router has no response from your ISP Please ensure that your settings are correct and your network is connected well Consult your ISP if this problem remains IP Address Displays the IP address assigned by your ISP Primary DNS Disp P s Primary DNS Secondary DNS Displays the IP address of your ISP s Secondary DNS 6 BigPond If you vice P connection plea...

Page 32: ...ease consult your ISP Auth Server Enter the address of authentication server It can be IP address or the address of Auth Server is a server name Select BigPond if your ISP pro Disconnect to disconnect the Internet connection and release the current IP address Enter the Account Name provided by your ISP If you are not clear please consult your ISP Enter the Password provide server name Auth Domain ...

Page 33: ... BigPond connection Connecting indicates that the router is obtaining the IP Connected indicates that the router has successfully obtained the IP parameters from your ISP sure that your settings are correct and your network is connected well Consult your ISP if this problem remains by your ISP Default Gateway Displays the IP address of the default gateway assigned by your ISP Auth M Manual Select ...

Page 34: ...llowing items are on this screen address The Hosts in LAN can access the router via this IP address It can be changed according to your network Enter the Subnet Mask Note If the LAN IP address is changed you must use the new IP address to log into the router To guarantee a normal communication be sure to dress and the Subnet Mask of the Hosts on set the Gateway ad the LAN to th address and 3 1 4 2...

Page 35: ...IP address The default address is 192 168 0 254 Lease Time Specify the length of time the DHCP server will reserve the IP address for each computer After the IP address expired the client will be automatically assigned a new one Default Gateway Optional Enter the Gateway address to be assigned It is recommended to enter the IP address of the LAN port of the router Default Domain O f your network a...

Page 36: ... Optional If a Secondary DNS Server DHCP Client Figure 3 14 DHCP Client You ca on of the DHCP clients in this table Click the Refresh button for the updated DHCP Reservation feature allows you to reserve an IP address for the specified MAC address The address will always get the same IP address every time when it accesses the n view the informati information 3 1 4 4 DHCP Reservation client with th...

Page 37: ...t s recommended that users bind the IP address and the MAC address in 3 4 1 1 IP MAC Binding then import the entries from the IP MAC binding table to the List of Reserved Address in buck by clicking Import button in Figure 3 15 DHCP Reservation 3 1 5 DMZ DMZ Demilitarized Zone is a network which has fewer default firewall restrictions than the LAN does TL ER6120 provides a DMZ port to allow all th...

Page 38: ... within DMZ to public IP addresses for transport over Internet The Hosts Z can directly communicate with LAN using the private IP addresses within the different in DM subnet of LAN Figure 3 17 DMZ Private Mode 3 1 5 1 DMZ This page allows you to configure the DMZ port of TL ER6120 Choose the menu Network DMZ DMZ to load the following page Figure 3 18 DMZ ...

Page 39: ...ernet nor address r mally If an IP ange is provided by your ISP please configure the DHCP pool based ess range 3 1 6 MAC Address The MAC Media Access Contro need to be changed commonly Set the MAC Address for LAN port In a complex network topology with all the ARP bound devices if you want to use TL ER6120 instead the devices under this te their ARP binding tables d the MAC address of the dial up ...

Page 40: ...C apply Current MAC Clo It s only available for WAN port Click the Restore Factory MAC button to address of the PC you are currently using to configure the router Then click Save to Note To avo of MAC ad id a conflict dress on the local area network it s not allowed to set the MAC address of the router s LAN port to th ss of the current management PC 3 1 7 Switch Some basic switch port man ich fac...

Page 41: ...e number of normal broadcast packets received or transmitted on the port Pause Displays the number of flow control frames received or transmitted on the port Multicast Displays the number of normal multicast packets received or transmitted on the port Undersize Displays the number of the received frames including error frames that are less than 64 bytes long Unicast Displays the number of normal u...

Page 42: ... maximum frame including error frames clear all the traffic statistics Tips The Port 1 2 3 4 5 mentioned in this User Guide refers to the WAN1 2 port and LAN1 2 3 port on the router 3 1 7 2 Port Mirror the packets obta rd copies of packets from one multiple ports mirrored port to a specific port mirroring port Usually the mirroring port is connected to a data diagn is us network Port Mirror ining ...

Page 43: ...e Mirrored Port from which the traffic is mirrored One or multiple The entry in Figure 3 21 indicates The outgoing packets sent by port 1 port 2 port 3 and port 5 mirrored ports will be copied to port 4 mirroring port Ingress Egress When this mode is selected both the incoming and mirroring port Mirroring Port Mirrored ports can be selected as the mirrored ports Tips If both the mirrored port and ...

Page 44: ...3 to be the Mirroring Port to monitor all the packets of the other ports 3 Select all the other ports to be the Mirrored Ports 4 Click the Save button to 3 1 7 3 Rate Control On this page you can control the traffic rate for the specific packets o network flow Figure 3 22 Rate Control The following items are displayed on this screen Rate Control Port Displays the port number Ingress Limit Specify ...

Page 45: ...ps and the transmitting rate for all the egress packets will not exceed 1Mbps 3 1 7 4 Port Config On this page you can configure the basic parameters for the ports Choose the menu Network Switch Port Config to load the following page Ingress Mode Select the Ingress Mode for each port Options include All Frames Select this option to limit multicast frame Ingress Rate Specify the limit rate for the ...

Page 46: ...ou to divide the physical LAN into multiple logical LANs so as to control the communication among the ports The VLAN function creating VLANs in a can prevent the broadcast storm in LANs and enhance the network security By physical LAN you can divide the LAN into multiple logical LANs each of which N communicate with one another as if they with one another directly Therefore broadcast p TL ER6120 p...

Page 47: ...he configurations of Port VLAN You re recommended to check or reconfigure the Port VLAN if the status of DMZ is changed 3 2 User Group The User Group function is used to d management so that you can trol Session Limit and Access Control etc on per 3 2 On this page you can define the group for management Choose the User Group group different users for unifie perform other applications such as Bandw...

Page 48: ...oad the following page Figure 3 27 User Configuration The following items are displayed on this screen annot be the network address or broadcast address of the port Description List of User vie 3 2 3 View On this p Choose the menu User Group View to load the following page User Config User Name Specify a unique name for the user IP Address Enter the IP Address of the user It c Give a description t...

Page 49: ...ect the name of the desired Group Group Structure Available Member Displays the Users and the Groups which can be added into this group Selected Member Displays the members of this group including Users and Groups User Name Select the name of th Displays the Groups to whic Group Nam Click this button to view the tree structure of this group All the members of this group will be displayed including...

Page 50: ...On this page you can set up the NAT function Choose the menu Advanced NAT age 3 3 Advanced NAT Setup to load the following p Figure 3 29 NAT Setup The ispl NAPT Source Port Range Enter the source port range between 2049 and 65000 the span of which Enable or disable NAT DMZ NAT DMZ is a special service of NAT application which can be considered as a default forwarding rule When xternal e Host IP Ad...

Page 51: ... 3 30 indicates The IP address of host1 in local network is 192 168 0 128 and the WAN IP address after NAT mapping is specified to be 222 135 48 128 The data packets are transmitted from WAN1 port DMZ Forwarding and this entry are both activated Mapping IP Address Enter the Original IP to WAN port and DMZ in LAN Mode terface ct an interface for forwarding data packets MZ Forwardin ble or disable D...

Page 52: ...Status Activate or inactivate the entry list of Rules You can view the information of the entries and edit them by the Action buttons The first entry in Figure 3 31 indicates that This is a Multi Nets NAT entry named tplink1 The subnet under the LAN port of the router is 192 168 2 0 24 and this entry is activated After the corresponding Static Route entry is set the hosts within this subnet can ac...

Page 53: ...osts within VLAN2 and VLAN3 desire to access the Internet The network topology is shown as the following Application Example Network Requirements The LAN subnet of TL ER6120 is 192 168 0 0 24 the subnet of VLAN2 under a thre Configuration procedure 1 Establish the Multi Nets NAT entries with Subnet Mask of VLAN2 and VLAN3 The configured entries are as follows ...

Page 54: ... The Static Route entry is as follows 3 3 1 4 Virtual Server Virtual server sets up public services in your private network such as DNS Email and FTP and d to the LAN server enu Advanced NAT Virtual Server to load the following page defines a service port All the service requests to this port will be transmitte appointed by the router via IP address Choose the m Figure 3 32 Virtual Server The foll...

Page 55: ...35 The external ports of different entries should be different whereas the internal ports can be the same L In this table you can view the information of the entries and edit them by the Action buttons The first entry in Figure 3 3 data packets from Interne of the router will be redirected to the port 65534 65535 of the LAN host with IP address of 192 168 0 103 and this entry is activated 3 3 1 g ...

Page 56: ...s will not open Trigger Protocol Select the protocol used for trigger port Incoming Port Enter the incoming port number or range of port numbers The incoming port will open for follow up connection after the trigger port n d for incoming port Name Enter a name for Port Triggering entries Up to 28 characters can be entered Trigger Port Enter the trigger port number or the initiates connectio Incomi...

Page 57: ... 5354 the incoming port 5355 will open for TCP and 3 3 1 6 ALG Some special protocols such as FTP H 323 SIP IPsec and PPTP will work properly only when ALG Application Layer Gateway service is enabled Choose the menu Advanced NAT ALG to load the following page 00 List of Rules In this table you can view the information of the entries and edit them by the Action buttons LAN host initiate UDP protoc...

Page 58: ... Advanced Traffic Control Setup to load the following page SIP ALG Enable or disable SIP ALG The default setting is en IPsec ALG Enable or disable IPsec ALG The default setting is enabled It is recommended to keep default if no special re PPTP ALG Traffic l l the bandwidth by configuring rules for limiting various data flows In th can be reasonably dist 3 3 2 1 Setup Figure 3 35 Configuration The ...

Page 59: ...erface Bandwidth Interface Di the bandwidth of each WAN port for transmitting data The Bandwidth of WAN port can be configured on WAN page the bandwidth of each WAN port for receiving data The am Bandwidth of WAN port can be configured o Note T eam Downstream Band he Upstr width of WAN port you set must not be more than the bandwidth provided by ISP Otherwise the Traffic Control will be invalid If...

Page 60: ...Bandwidth Up Specify the Limited Upstream Bandwidth for this entry Guaranteed Bandwidth Down Specify the Guaranteed Downstream Bandwidth for this entry Limited Bandwidth Down Specify the Limited Downstream Bandwidth for this entry Bandwidth Control Rule Direction arrowhead indicates the data stream direction The DMZ port displays in the drop down list only when the DMZ port is WAN ALL rules are ad...

Page 61: ...ce for this rule is s ed u ufficient and not us p It is impossible to satisfy idth if the total guaranteed bandwidth specified all the guaranteed bandw by all Bandwidth Control rules for certain interface exceeds the physical bandwidth of this interface When DMZ port is disabled it is only allowed deleting operation to the related rules 3 3 3 Session Limit The a UD nite If some local hosts transmi...

Page 62: ...t Choose the menu Advanced Session Limit Session List to load the following page The following items are displayed on this screen Group Select a group to define the controlled users Max Sessions Enter the max Sessions for the users Description Give a description for the entry Status Activate or You can view the information of the entries and edit them by the Action buttons group1 is 100 and this e...

Page 63: ...nation IP address or destination port will be forwarded to multi connected applications Check the box before Enable Bandwidth Based Balance Routing and select the WAN port below Load Balance of the specified WAN port will be enabled automatically if no routing rules are set Then click th tton to apply the box befo Application Optimized Routing checked the router will consider the ation IP addre th...

Page 64: ...0 0 0 0 means any IP is acceptable Source Port Enter the source Port range for the entry which is effective only when the protocol is TCP UDP or TCP UDP The default value is 1 65535 which means any port is acceptable Destination Port Enter the destination port range for the entry which is effective only when the protocol is TCP UDP or TCP UDP The default value is 1 65535 which means any port is ac...

Page 65: ...he menu Advanced Load Balance Link Backup to load the following page Status Activate or inactivate the entry on of the entries and edit them by the Action buttons 92 168 0 199 an tion IP between 116 10 20 28 and 116 10 20 29 will be forwarded from the port and protocol This entry is activated d and will take e 3 Li router will switch all the new sessions from dropped line automatically n line netw...

Page 66: ...t e time is from the start time of the day to the end time of the next day Status Activate or inactivate the entry List of Rules You can view the information of the entries and edit them by the Action buttons The first entry in Figure 3 41 indicates WAN1 is the primary port and WAN2 is the backup port General WAN Ports Displays all the WAN ports in use You can drag the light blue WAN button to pri...

Page 67: ...s screen me will display in the drop down list of Protocol on Access Rule page Number Enter the Number of the protocol in the range of 0 255 L ol You can view the inform ntries and edit them by the Action buttons Protocol Name Enter a name to indicate a protocol The na ist of Protoc ation of the e Note The system predefined proto nnot be configured 3 3 5 Routing 3 3 5 1 Static Route Routin process...

Page 68: ... items are displayed on this screen Static Route Destination Enter the destination host the route leads to Subnet Mask Enter the Subnet Mask of the destination network Next Hop Enter the gateway IP address to which the packet should be sent next Interface Select the physical network interface through which this route is Metric he smaller the value is the higher the priority is The default value is...

Page 69: ...t 192 168 0 0 24 LAN2 and LAN3 are under a layer 3 switch and they use network segments 192 168 2 0 24 and 192 168 3 0 24 respectively The IP address of the cascading LAN port between the layer 3 switch and the router is 192 168 0 2 Now the hosts within LAN1 desire to access the hosts within LAN2 and LAN3 The network topology is shown as the following Configuration procedure 1 On the Static Route ...

Page 70: ... table m ini I v to RIPv2 gradually Compared with RIPv1 RIPv2 supports VLSM Var Classless Inter Domain TL ER6120 supports both RIPv1 version and RIPv2 version thus you can configure the RIP version base Cho 2 RIP timal path W medium sized networks atures of easy configuration management and implementation it is widely used such as the campus network than 15 Optima path indicates the path with the ...

Page 71: ...try in Figure 3 44 indicates when receiving packets with destination IP is 116 10 20 28 the router will select WAN1 e destination IP as next hop and forward data via this port The IP address of next hop is 116 10 1 254 and the hop count is 1 The e try is Authentication network situation and the All Interface All Interfaces is ist of RIP which is in the same network with th ffective time of this en...

Page 72: ...es are stored ARP protocol etwork segment to communicate with one another or access to external network via Gateway However since ARP protocol is implemented with the premise that all the H eways are sks during ARP Implementation Procedure in the actual complex network The attacker may send the ARP spoofing packets with false IP address to MAC address mapping entries and then the device will autom...

Page 73: ...he options You should import the IP and MAC address of the host to IP MAC Binding List and enable the corresponding entry before enabling Permit the packets matching the IP MAC Binding entries only When suffered ARP attack the correct ARP information will be sent to the device suffering attack initiatively by GARP Gratuitous ARP packets thus the error ARP information of the device will be replaced...

Page 74: ...in At the moment you should restore the router to factory default and login again ning f Scanning Result age 3 4 1 2 ARP Scan ARP Scanning feature enables the router to scan the IP address and corresponding MAC address and display them on the List o Choose the menu Firewall Anti ARP Spoofing ARP Scanning to load the following p Figure 3 47 ARP Scanning Enter the start and the end IP addresses into...

Page 75: ...ormation of the hosts which communicated with the router recently will be saved in the ARP list Choose the menu Firewall Anti ARP Spoofing ARP List to load the following page Figure 3 48 ARP List configuration of List of Scanning Result on 3 4 1 2 ARP Scanning page The unbound IP MAC informatio removed from the list if it has no regarded as the aging time of th 3 4 2 Attack Defense With A se funct...

Page 76: ... e Flood Defense options and specify the corresponding re maly refers to the abnormal packets It is recommended to select all the Packet Anomaly Defense options llowing items are on this screen in select all th thresholds Keep the default settings if you are not su Packet Anomaly Packet Ano Defense Enable Attack Defense Logs With this box checked the router will record the defense logs ...

Page 77: ... situation MAC Filtering MAC Address List of Rules You can view the informatio y the Action buttons 3 4 4 ntrol 3 4 4 1 URL Filtering URL Uniform Resource Locator specifies where an identified resource is available and the mechanism for retrieving it URL Filter functions to filter the Internet URL address so as to provide a convenient way for controlling the access to Internet from LAN hosts The f...

Page 78: ...situation URL Filtering Rule Object Select the range in which the URL Filtering takes effect ANY URL Filtering will take effect to all the users Group URL Filtering will take effect to all the users in group Select the mode for URL Filtering Keyword indicates that all the URL ecified keywords will be filtered URL Path n it exactly matches the specified URL Effective Time Specify the time for the e...

Page 79: ...www aabbcc com as the following figure shows then specify the effective time and click the Add button to make the setting take effect List of Rules You can view the information of the entries and edit them by the Action buttons 3 4 4 2 Web Filtering On thi u can filter the d Choose the menu Firewall Ac s page yo esired web components cess Control Web Filtering to load the following page Figure 3 5...

Page 80: ...ple if you select Interface Select interface for the entry The entry will take effect when the interface to which the data is flowing is selected WAN LAN or DMZ refers to all the WAN LAN or DMZ interfaces llowing item d on this screen Policy Block When this option is selected the packets obeyed the rule wil Allow When this option is selected the packets obeyed the rule will be allowed to pass thro...

Page 81: ... the end of the list by default List of Rules edit them by the Action buttons The smaller the The first entry in Figure 3 53 indicates The TELNET packets transmitted from the hosts within the network of 192 168 0 0 24 Tuesday to Saturday Source three ways IP MASK Enter an IP address or subnet mask 0 0 0 0 32 means any IP Group Select a predefined group of users You You can view the information of ...

Page 82: ...you to specify the protocol and port number to be filt Figure 3 54 Service The following items are displayed on this screen Service Name Ent name should not be more than 28 ame will display in the drop down list of Protocol on Access Rule page Dest Port Enter the start and end ports to make a destination port range for the service The start port number cannot be greater than the end port number er...

Page 83: ...system cannot be modified 1 Contro the Application Rules function App Control Control Rules to load the fo Figure 3 55 Application Rules Check the box before Enable Application Control to make the Application Control function take effect The specified application used by the specified local users will be not allowed to access the Internet if the Application Control entry is enabled The following i...

Page 84: ...and Sunday This entry is enabled Control Rules Object Specify the object for the entry Yo Group If select Group as object you can select the group in the drop down list To establish new group please refer to 3 2 1 Group checkbox The applications include IM Web IM SNS P2P Media Basic and Proxy The default setting is to limit all the applications in the application list except for Basic and Proxy Ef...

Page 85: ...nd then click the Up 3 5 VPN VPN Virtual Private Network is a private network established via the p Figure 3 57 VPN Network Topology As the packets are encapsulated and de encapsulated in the router the tunneling topology implemented by encapsulating packets is transparent to users The tunneling protocols supported by TL ER6120 contain Layer 3 IPsec and Layer 2 L2TP PPTP PN to ensure a secure comm...

Page 86: ...1 to negotiate the parameters for create IPsec SA to secure t figure the related parameters for IKE negotiation IKE IKE Policy to load the following page Figure 3 58 IKE Policy The fo re displa IKE Pol cy Policy Name ique name to the IKE policy for identification and The IKE policy can be applied to IPsec policy llowing items a yed on this screen i Specify a un management purposes ...

Page 87: ... uses a name as the ID as the ID in IKE negotiation IKE Proposal Pre shared Ke ace DPD Dead Peer Detect function If enabled the IKE ther the IKE DPD Interva List of IKE Policy In this table you can view the information of IKE Policies and edit them by the action buttons Exchange Mode peer uses the same mode Main Main mode provides identity pro n IKE negotiation add Remote ID The remote gateway IP ...

Page 88: ...DES DES Data Encryption Standard encrypts a 64 bit block of plain text with a 56 bit key 3DES Triple DES encrypts a plain text with 168 bit key AES128 Uses the AES algorithm and 128 bit key for encryption AES192 Uses the AES algorithm and 192 bit key for encryption AES256 Uses the AES algorithm and 256 bit key for encryption The following items are displayed on this screen IKE Proposal Proposal Na...

Page 89: ...se IPsec protocol to negotiate the data encryption algorithm and the security protocols for checking the integrity of the transmission data and exchange the key to data de encryption IPsec has two important security protocols AH Authentication Header and ESP Encap Security Payload AH is used to guara the packet has been tampered during transmission the receiver will drop this packet when validatin...

Page 90: ...mask g items are displayed on this screen You can enable dis ction for the router here Specify a unique name to the IPsec policy Up to 28 characters can be entered Select the network mode for IPsec policy Options include LAN to LAN Select this option when the client is a network Client to LAN Select this option when the client is a host Local Subnet PCs on your LAN are covered by this policy ...

Page 91: ...ote peer should be set to the IP address of Enter the Remote Gateway It can be IP address or Domain name Policy Mode Select the negotiation mode for the policy IKE The parameters for the VPN tunnel are generated automatically via IKE negotiations are manually inputted and no key negotiation is needed Specify the IKE policy If there is no policy selection add new policy on VPN IKE IKE Policy page S...

Page 92: ...oing SPI Specify the Outgoing SPI Security Parameter Index manually The Outgoing SPI here must match the Incoming SPI value at the other end of the tunnel and vice versa AH Authentication Key Out Specify the outbound AH Authentication Key manually if AH protocol is used in the corresponding IPsec Proposal The outbound key here must match the inbound AH authentication nnel and vice versa outbound E...

Page 93: ...can view the information of IPsec policies and edit them by the action buttons 60 indicates this is an IPsec tunnel the local subnet is 19 bnet is 192 168 3 0 24 and this tunnel is using IKE automatic negotiation It is Tips 0 0 0 0 0 32 indicates all IP addresses Refer to Appendix T 3 5 2 2 IPsec Pro On this page you c Choose the menu VPN roubleshooting 5 for the configuration of subnet posal an d...

Page 94: ...e less than the 64th power of 2 in bits and generates a 160 bit message digest ESP Authentication Select the algorithm used to verify the integrity of the data for ESP authentication Options include MD5 MD5 Message Digest Algorithm takes a message of arbitrary length and generates a 128 bit message digest SHA S rithm takes a message less than the IPsec Proposal Specify a unique name management pur...

Page 95: ...ge Figure 3 62 IPsec SA Figure 3 62 displays the connection status of the NO 1 entry in the List of IPsec policy in Figure 3 60 As shown in the figure the router is using WAN2 for tunnel connection and the IP address of WAN2 and the default gateway of remote peer are 172 30 70 151 and 172 30 70 161 respectively Security protocol and other parameters for IPsec tunnel and the remote router should be...

Page 96: ... Protocol Table depicts the difference between L2TP and PPTP Protocol Media Tunnel Length of Header Authentication PPTP IP network Single tunnel 6 bytes at least Not supported L2TP IP network of UDP frame relay virtual circuit X 25 virtual circuit Multiple tunnels 4 bytes at least Supported 3 5 3 1 L2TP PPTP Tunnel you can configure the L2TP PPTP VPN Choose the On this page menu VPN L2TP PPTP L2TP...

Page 97: ...rver and Internet Hello Interval Primary Secondary Enter the Primary Secondary DNS server address The default IP is el Protocol Select the protocol for VPN tunnel Options include L2TP and PPTP d on this screen General Specify whether to enabl Specify the interval to send hello packets DNS 0 0 0 0 which means the LAN IP of the router is used as the DNS server address L2TP PPTP Tunn ...

Page 98: ...tunnel will be encrypted by MPPE Pre shard Key Enter the Pre shared Key for IKE authentication This item is available Mode Specify the working mode for this router Options include Client In this mode the device sends a request to the remote L2TP PPTP Server In this mode the router responds the request from the remote client for establishing a tunnel Account Name Enter the account name of L2TP PPTP...

Page 99: ...nd the router is configured in Client mode The remote server is 116 10 10 10 and the remote subnet is 192 168 2 0 24 This entry is enabled 3 5 3 2 IP Address Poo Client IP L2TP PPTP server The default IP 0 0 0 0 means any IP address is acceptable IP Address Pool Select the IP Pool Name to specify the address range for the server s IP assignment This item is available for Server mode combination of...

Page 100: ...of L2TP PPTP Tunnel splays the connection status of the NO 1 entry in the list of tunnel in Figure 3 64 This tunnel has been successfully established Each tunnel has a Tunnel ID and a Session ID The ID value in cl to that in erver is shown as the figure below Figure 3 65 di ient corresponds server The connection information of this tunnel in the s tablished a tun Every time a tunnel connection is ...

Page 101: ...neral Dial up Access Only the user with Exceptional IP can access the Internet PPPoE User Isolation communicate with one other ary DNS server address The default is Max Sessions Specify the maximum number of the sessions for PPPoE server The default is 256 his screen PPPoE Server Specify whether to enable the PPPoE Server function Specify whether to enable the Dial up Access Only function If enabl...

Page 102: ...ication protocol for Local Authentication is more secured for it adopts three handshakes and does transfer password in plain text MS CHAP put forward by Microsoft adopts a different encryption algorithm of CHAP MS CHAP It is available when Remote Authentication is selected RADIUS on Dial In User Service provides an r address for Shared Key Enter the Shared Key for Remote authentication It should b...

Page 103: ... the start and the end IP address for IP Pool The start IP address should not exceed the end address and the IP address ranges must not List of IP Pool In this table you can view the information of IP Address Pools and edit them by the Action 3 6 On t you ca Choose the menu Services nt to load the following page t purposes overlap buttons 1 3 Account his page n configure the PPPoE account PPPoE Se...

Page 104: ...or the client IP Address Pool It s available on Dynamic mode Select an IP Address Pool to make a range to assign dynamic IPs Max Sessions Specify the maximum number of sessions for the client The default value is 1 Specify the Expiration Date of the account The default is 2099 1 1 Description Enter the description for management and search purposes Up to 28 characters can be entered Account Name E...

Page 105: ...nd edit them by the Action buttons 3 6 1 4 Exceptional IP When the Dial up Access Only function is enabled only the Dial in Users and the user with PPPoE Server Exceptional IP to load the following page Select a MAC Binding type from the pull down list Options include Disable Select this option to disable the MAC Binding function Manual Select this option to bind the ac account log on to the serve...

Page 106: ...tion of Exceptional IPs and edit them by the Action buttons 3 6 1 5 List of Account On this page you can view the detailed information of all accounts you have established Choose the menu Services PPPoE Server List of Account to load the following page Figure 3 70 List of Account Figure 3 70 displays the connection information of PPPoE users Click to disconnect the account Click the Disconnect All...

Page 107: ...tronic bulletin function llowing General Enable E Bulletin Specify whether to enabl Interval Specify the interval to release the bulletin Enable Logs Specify whether to log the E Bulletin E Bulletin Title Enter a title for the bulletin Content Enter the content of the bulletin ...

Page 108: ...bled Group is created on User Group Group page Effective Time the object at the sam Publisher Enter the name of the bulletin s publisher Tips For the configuration for groups and u Group section DDNS Dynamic DNS service allows you to assign a fixed domain name to a dynamic WAN IP addr s the names As many ISPs use DHCP to blic IP addresses in WAN the public IP address assigned to the client is unfi...

Page 109: ...both of which are established based on Web server router as a DD t cannot provide DDNS service Prior to usin official websites of DDNS service provide NS client On this page you can configure ose the menu Services Dynamic DNS DynDNS to load the following page Figure 3 72 DynDNS DDNS The following items are displayed on this screen Dyndns DDNS Account Name Enter the DDNS account If you have not to ...

Page 110: ...rver Authorization fails The Account Name Please check and enter it again Account an view the existing DDNS entries or edit them by the Action button On this page you can configure NO IP menu Services Dynamic DNS No IP to load the following page Figure 3 73 NO IP DDNS The following items are displayed on this screen No IP DDNS Account Name Enter the Account Name of your DDNS account If you have no...

Page 111: ...3 6 3 3 PeanutHul On this page you can confi Choose the menu Services Dynamic DNS PeanutHull to load the following page provider Activate o WAN Port Displays the WAN port for which No IP DDN DDNS Status Displays the current status of DDNS servic Connecting client is connecting to the server Online DDNS works normally Authorization f w the existing DDNS entries or edit them by the Action button l g...

Page 112: ...ard service DDNS Status Displays the current status of DDNS service Offline DDNS service is disabled Connecting client is connecting to the server Online DDNS works normally Authorization fails The Account Name or Password is incorrect Domain Name the domain names obtained from the DDNS server Up to 16 domain names can be displayed here List of PeanutHull Account In this table you can vie ting DDN...

Page 113: ...r DDNS service provider Domain Name 4 Optional Enter the Domain Name that you registered with your DDNS service provider Optional Enter the Domain Name that you registered with your DDNS The following items are displayed on this screen Comexe DDNS Account Name Enter the Account Name of your DDNS account If you have no registered click Go to register to go to the website of Comexe fo register Passw...

Page 114: ...essenger installed in Windows XP and Windows ME system is using UPnP protocol when audio and video communications are processing On this page you can configure UPnP service Choose the menu Services UPnP to load the following page DDNS Se DDNS Status Displays the current status of DDNS service Offline DDNS service is disabled Connecting Client is connecting to the ser List of Comexe Account In this...

Page 115: ...tions in the host support UPnP service As some Trojan and viruses can open the specific port using UPnP service resulting in hacker attack on the host be careful of using UPnP service 3 7 Maintenance 3 7 1 Admin Setup 3 7 1 1 Administrator On this page you can modify the factory default user name and password of the router Choose the menu Maintenance Admin Setup Administrator to load the following...

Page 116: ...port Choose the menu Maintenance Admin Setup Login Parameter to load the following page 3 7 1 2 Login Parameter On this page you can co Figure 3 78 Login Parameter The following items are displayed on this screen General Web Management Port Enter the Web Management Port for the router ement Port Enter the Telnet Management Port for the router d Utility after a specified period Web Idle Timeout of ...

Page 117: ...4 in the Su age and enable the entry as the follow shows Allow the IP address within 210 10 10 0 24 se 210 10 10 50 remotely bnet Mask field on Remote Management p ing figure Then type the corresponding port num as the following figure shows ber in Web Management Port and Telnet Management Port fields Finally start the web browser and type 210 10 10 50 in the URL field to log in the Web manag ment...

Page 118: ...s fo access the router from external n Status List of Subnet In this lis The first entry in Figure 3 79 indicates that The hosts with IP address in subnet of 192 168 2 0 24 are allowed to access the router and this entry is activated 3 7 2 Ma 2 1 Factory Defaults Figure 3 80 Factory Defaults default values The default IP address is 192 168 0 1 the default login user name and password are both admi...

Page 119: ...uration or enter the exact path to the saved file in the text box Then click the Import button to restore the saved setting Import Click the Browse button to locate the update file for the device Note To avoid any damage please don t power down the router while being restored Configurations may be lost if the configuration file you imported varies greatly from current configurations 3 7 2 3 Reboot...

Page 120: ...tions and better performance Go to http www tp link com to download the updated firmware me of the update file into the File field Or click the Browse button to locate k the Upgrade button to complete Type the path and file na the update file Then clic Note After upgrading the device will reboot automatically To avoid damage please don t turn off the device while upgrading You are suggested to bac...

Page 121: ...atistics Interface T affic Statistics screen displays the det information of WAN ports Choose the menu Maintenance Statistics Interface Traffic Statistics to load the following Figure 3 85 Interface Traffic Statistics The following items are displayed on this screen Interface Traffic Statistics Interface Displays the interface ...

Page 122: ...tics IP Traffic Statistics screen displays the detailed traffic information of each PC on LAN or DMZ Choose the menu Maintenance Statistics IP Traffic Statistics to load the following page Rate Tx Displays the number of packets received on the interface Packets Rx Displays the bytes of packets received on the interface Bytes Rx Bytes Tx Advanced WAN Information Interface IP Fragment Rx Abnormal IP...

Page 123: ...rection Select the direction in the drop down list to get the Flow Statistics of the specified direction IP Traffic Statistics This table displays the detailed traffic information of corresponding PCs Sorted by Select the rule for displaying the traffic information 3 7 5 Diagnostics 3 7 5 1 Diagnostics This router provides Ping test and Tracert test functions for network diagnose Choose the menu M...

Page 124: ...results will be displayed in the t Domain Enter destination IP address or Domain name here Then select a port for testing if Auto is selected the router will select the interface of destination automatically After clicking the Start button the router will send Tracert packets to test the connectivity of the yed on this screen Ping Enter destinati the router will send Ping pa box below Tracert Des ...

Page 125: ... is enabled Display the detecting results time displayed while the router is running On this page you can configure the system time and the settings here will be used for other time based functions like Access Rule PPPoE and Logs e 3 88 Online Dete The following items are displayed on this screen General Port Select the port to be detected Detecting ivate or inactivate Online Detection function W ...

Page 126: ...C S Clock Displays the current date and time of the route Time Zone Displays the curr Status Display Config When this o IP address for the NTP serv Time Zone Select the time zone for t Primary Secondary NTP Server Enter the IP address or domain name o With this option selected you can set the date and time manually With this option selected the administrator PC s clock is utilized Note If Get UTC ...

Page 127: ...predefined DST configuration USA Second Sunday in March 02 00 First Sunday in November 02 00 European Last Sunday in March 01 00 Last Sunday in October 01 00 tober 02 00 Fisrt Sunday in April 03 00 New Zealand Last Sunday in September 02 00 First Sunday in Recurring Mode Specify the DST configuration in recurring mode This configuration is r Time Offset Specify the time adding in minutes when Dayl...

Page 128: ...of router can record classify and manage the system information effectively Choose the menu Maintenance Logs Logs to load the following page When the D efa daylight saving time is o Figure 3 91 Logs List of Logs List of Logs displays the system log information in log buffer Config Enable Auto refresh With this option selected the page will refresh automatically every 5 seconds Severity Displays th...

Page 129: ...unusable alerts 1 Action must be taken immediately critical 2 Critical conditions errors 3 Error conditions warnings 4 Warnings conditions notifications 5 Normal but significant conditions informational 6 Informational messages debugging 7 Debug level messages ...

Page 130: ...icated line as the backup line and has applied a high bandwidth Fiber Access as the main line Remote Access It s required to build an effective and safe communication among the headquarters and the aff on business to access the Mail Server and FTP Server in LAN idth it s required to implement the online behavior management and to specify ork should be able to defend the common attacks from the int...

Page 131: ...ter admin for the User Name and Password both in lower case letters Then click the Login button to log into the router Tips If the LAN IP address is changed you ss to log into the router ort to switch to the connection of WAN2 once the connection of WAN1 is broken down The detailed configurations are as follows 4 3 1 1 System Mode Set the system mode of the router to the NAT mode must use the new ...

Page 132: ...andwidth and the Downstream Bandwidth to 100000Kbps The Upstream Downstream Bandwidth of WAN port you set must not be more than the bandwidth provided by ISP Otherwise the Traffic Control will be invalid Then click the Save button to apply The configuration for the WAN2 port is the same as the WAN1 Figure 4 2 WAN Static IP 4 3 1 3 Link Backup e secondary link menu Advanced Load Balance Link Backup...

Page 133: ...r to establish a remote mobile office which enables the staff on business to access the FTP server and Mail server in the headquarters via PPTP dial up 1 IKE Setting To configure the IKE function you should create an IKE Proposal firstly IKE Proposal Choose the menu VPN IKE IKE Proposal to load the configuration page Settings Proposal Name proposal_IKE_1 Authentication MD5 Encryption 3DES 4 3 2 VP...

Page 134: ...al IKE Policy Choose the menu VPN IKE IKE Policy to load the configuration page Settings Policy Name IKE_1 Exchange Mode Main IKE Proposal proposal_IKE_1 you just created Pre shared Key aabbccddee SA Lifetime 3600 10 DPD Enable DPD Interval Click the Add button to apply ...

Page 135: ...the headquarters 2 IPsec Setting ec funct create an IPsec Proposal firstly sal menu VPN IPs sec Proposal to load the following page al Name sal_IPsec_1 col ESP Encryption 3DES Click the Save button to apply To configure the IPs ion you should IPsec Propo Choose the ec IP Settings Propos propo Security Proto ESP ESP Authentication MD5 ...

Page 136: ...icy Name IPsec_1 Status Activate Mode LAN to LAN Exchange Mode IKE IKE Policy IKE_1 IPsec Proposal proposal_IPsec_1 you just created PFS DH1 SA Lifetime 3600 Click the Add button to add the new entry to the list and click the Save button to apply Local Subnet 192 168 0 0 24 Remote Subnet 172 31 10 0 24 WAN WAN1 Remote Gateway 116 31 85 133 ...

Page 137: ...ss of the router in the headquarters IPsec VPN tunnel fully you can view the connection information on the VPN IPsec IPsec SA page After the of the two peers is established success Figure 4 8 List of IPsec SA 4 3 2 2 PPTP VPN Setting IP Address Pool Choose the menu VPN L2TP PPTP IP Address Pool to load the following page Enter the Pool Name and the IP Address Range as the following figure shown Cl...

Page 138: ...ts to access the local enterprise network and the Internet Then continue with the following settings for the PPTP Tunnel Settings L2TP PPTP Enable Protocol PPTP Tunnel Client to LAN PPTP_Dialup_User you just created dd button to add the new entry to the list and click the Save button to apply Mode Server Account Name PPTP Password abcdefg IP Pool Click the A ...

Page 139: ...fy the network bandwidth limit and session limit for this group The detailed configurations are as follows 4 3 3 1 User Group Create a User Group with all the Hosts in the IP range of 192 168 0 30 192 168 0 50 as its group members Group Choose the menu User Group Group to load the following page Enter the Group Name and the Description to create a Group as the following figure shows Figure 4 9 Gro...

Page 140: ...e OK button to add the Users in bulk User enter the Figure 4 10 User Config Batch View Choose the menu User Group View to load the configuration page Add all the Users you just created into the Group 1 and click the Save button to apply 4 3 3 2 App Control Choose the menu Firewall App Control Control Rules to load the configuration page Check the box before Enable Application Control and click Sav...

Page 141: ...trol you should configur th of interfaces and the detailed th control rule first l Choose the menu Advanced Traffic Control Setup to load the configuration page Check the box before Enable Bandwidth Control and click the Save button to apply 4 3 3 3 Bandwidth Control To enable Bandwid e the total bandwid bandwid 1 Enable Bandwidth Contro Figure 4 12 Bandwidth Setup ...

Page 142: ...ettings Settings Direction LAN WAN1 Group group1 Mode Individual 100 2 Interface B Choose AN1 to lo bandwidth value should be consis Guaranteed Bandwidth Up Down Limited Bandwidth Up Down 800 Effective Time Keep the default value Status Activate Click the Add button to apply Figure 4 14 Bandwidth Control Rule 4 3 3 4 Session Limit Choose the menu Advanced Session Limit Session Limit to load the co...

Page 143: ...tries to ARP List Scanning range u Firewall Anti ARP anning to load the configuration page No ck in the local network is the pr Scanning n to defend ARP att Port Mirror function and Statistics function to m 4 3 4 1 LAN ARP Defense You can configure IP MAC Binding manually or by ARP Scanning For the first time configuration please bind most of the ARP information by ARP Scanning For some special it...

Page 144: ...ion page of 192 168 1 20 and MAC address of 00 11 22 33 44 aa to the list IP Address 192 168 0 20 MAC Address 00 11 22 33 44 aa Status Activate Click the Add button to apply The other entries can be added in the same way 3 Set Attack Defense Choose the menu Firewall Anti ARP Spoofing IP MAC Binding to load the configuration page Select all the items for General and set the GARP packets sending int...

Page 145: ...of the WAN port such as 58 51 128 254 in the Scanning Range field and click the Scan button the MAC address of the WAN port will display in the Scanning Result table After obtaining the MAC address of WAN port from Scanning Result table select this entry then click the Import button to finish the binding operation 4 3 4 3 Attack Defense Choose the menu Firewall Attack Defense Attack Defense to loa...

Page 146: ...Choose the menu Network Switch Port Mirror to load the configuration page Check the box before Enable Port Mirror and select the Ingress Egress mode Select the Port 5 for the Mirroring Port and the Port 3 and the Port e button to apply 4 for the Mirrored ports Click the Sav ...

Page 147: ...f each physical interface of the router as Figure 4 22 shows Figure 4 22 Interface Traffic Statistics Load the IP Traffic Statistics page and Check the box before Enable IP Traffic Statistics and Enable Auto refresh then click the Save button to apply Select the data direction the corresponding IP traffic statistics will display in the Statistics table as Figure 4 23 shows ...

Page 148: ... 142 Figure 4 23 IP Traffic Statistics After all the above steps the enterprise network will be operated based on planning ...

Page 149: ...nd some common CLI commands 5 1 Configuration To log on to the router by the console port on the router please take the following steps 1 Connect the PCs or Terminals to the console port on the router by the provided cable 2 Click Start All Programs Hyper Terminal to open the Hyper Terminal as the Figure 5 1 shown Accessories Communications Figure 5 1 Open Hyper Terminal 3 The Connection Descripti...

Page 150: ...M1 to connect in Figure 5 3 and click OK Figure 5 3 Select the port to connect 5 Configure the port selected in the step above as the following Figure 5 4 shows Configure Bits per second as 115200 Data bits as 8 Parity as None Stop bits as 1 Flow control as None and then click OK ...

Page 151: ...igure 5 4 Port Settings 6 Choose File Properties Settings on the Hyper Terminal window as Figure 5 5 shows then choose VT100 or Auto detect for Emulation and click OK Figure 5 5 Connection Properties Settings ...

Page 152: ...outer the factory default value for both of them is admin when logging in the router by Telnet No password is needed when connecting the console port with the router Then the users get the privilege to the User level and can do some simple operations but cannot modify the router s configurations Privileged EXEC Mode Users can enter Privileged EXEC mode from User EXEC mode by password authenticatio...

Page 153: ...o Privileged EX Mode Use the enable command to ter this mod mode the original password is in TP LINK Use the exit command to disconnect the switch except that the switch is connected through the Console port EC mode EC en e from User EXEC adm Enter the disable command to return to User EX As Figure 5 7 shown Figure 5 7 Interface Mode ark to get all commands of this view and their brief description...

Page 154: ...rds for a command and press the Tab button and the NK dis Press Tab button disable 5 arated by space then a carriage return will display on cr disable Exit the p enable Enter the privileged mode exit history Show command history ip Display or Set ip mac Dis d configuration Type a command and a question mark separated by space If there are keywords in this command character string will be listed Fo...

Page 155: ...des two types normal mode and mode 5 4 Comm TL ER6120 provides a number of CLI commands for users to manage the router and user information For better understanding each comman 1 ip ip ommand is used to view or configure the IP address and subnet mask of the interfaces V TP LINK ip get lan Lan Ip 192 168 0 1 Get the configuration information of LAN port TP LINK ip set lan address 192 168 0 20 Set ...

Page 156: ...This command will restore TP LINK sys export config Export the configuration file Username admin ft 192 168 1 100 and both the user name and password of which is ftp To save config bin to this FTP serv Try to save the confi Save configuration file Note TP F service is required for importing or exporting configuration files and system upgrade The parameter Server address is the IP address of the ho...

Page 157: ...ile update bin succeed file size is 2298608 bytes user name and password of CLI In User EXEC modify the password of the User level users while the username cannot be Level user and Admin Level user share the same username In Privileged ser Server address 192 168 1 10 Username admin Password admin File name config bin The steps are as the above item sho Get configuration fi ile size is 7104 bytes T...

Page 158: ...or TP LINK user set username Enter new username tplink Modify the user name of the Administrator TP LINK user get Username admi Password adm Query the user name an Enter old password Enter new pass Confirm new p Guest TP LINK user get Userna Password admin Note The new user name and password must not exceed 31 characters in length and must consist of numbers or letters All the fields are case sens...

Page 159: ...ry command TP LINK history clear 1 history 2 sys show 3 history 4 history clear Clear the history command 5 4 6 exit The exit command is used to exit the system when logging in by Telnet TP LINK exit Exit CLI TP LINK history View the hi 2 ...

Page 160: ...rts Auto MDI MDIX One 10 100 1000M Auto Negotiation LAN DMZ RJ45 port Auto MDI MDIX Ports One Console Port 10Base T UTP STP of Cat 3 or above 100Base TX UTP STP of Cat 5 or above Transmission Medium 1000Base T UTP STP of Cat 5 Cat 5e Cat 6 LEDs PWR SYS Link Act Speed DMZ Power 100 240V 50 60Hz 0 6A Operating Temperature 0ºC 40ºC Storage Temperature 40ºC 70ºC Operating Humidity 10 90 RH Non condens...

Page 161: ...ing the router to its defaults or your login is dropped down just after a while it s quite possible that your router is attacked by ARP cheating It s recommended to locate and quarantine the source of ARP cheating so as to prevent your network from the attacks 5 Check to see if you have configured the proxy server for IE browser If so please disable the IE proxy server first Q2 What can I do if I ...

Page 162: ...ss B 255 255 0 0 24 which represents the default Subnet Mask value of class C 255 255 255 0 or 255 255 Q3 What can I do if the router with the re accessed by the remote computer ke sure tha f the remote co rt has been modified please log into the router with the new 0 1 XX XX is the new management port number t port has been mapped to the ress such as http 192 168 se vice port unctions of the rout...

Page 163: ...ess DHCP Dynamic Host Configuration Protocol connected to a DHCP server A protocol that automatically configure the TCP IP parameters for the all the PCs that are DMZ Demilitarized Zone pose service such as Internet gaming or videoconferencing A Demilitarized Zone allows one local host to be exposed to the Internet for a special pur DNS Domain Nam Server e An Internet Server that translates the na...

Page 164: ...ocol less Internetwork service IP provides features for addressing type of service specification fragmentation and Network layer protocol in the TCP IP stack offering a connection reassembly and security ISP Internet Service Company that provides Internet access to other companies and Provider individuals IKE Internet Key Exchange IKE establishes a shared security policy and authenticates keys pas...

Page 165: ... connect to the Internet by translatin those addresses into globally routable address space N rver NTP Se NTP Server is used for synchronising the time across computer networks POP3 Post Office Protoc 3 ol on POP3 is intended to permit a workstation to dynamically access a maildrop on a server host in a useful fashi P PPPoE Point to Point Protocol over Ethernet PPPoE is a network protocol for enca...

Page 166: ... UPnP Universal Plug and Play UPnP is a set of networking protocols for primarily residential networks without enterprise class devices that permits networked devices U URL Uniform Resource Locator URL describes the access method and the location of an information resource object on the Internet VLAN Virtual Local Area Network Group of devices on one or more LANs that are configured using manageme...