Configuration Training ~ console ~


Page 1: Configuration Training ~ console ~

Yamaha Router Configuration Training

~ console ~

Page 2: Configuration Training ~ console ~

© Yamaha Corporation 2

Contents

・Console operation
・Log in
・Set Login & Admin password
・Basic Command
・Interface Addressing
・DHCP
・Static Routing
・NAT
・PPPoE
・IPsec VPN
・Static/Dynamic Packet Filtering

Page 3: Configuration Training ~ console ~

Before training

Please disable Windows firewall.

[Start menu] – [Control Panel] – [Windows Firewall] Select “Turn Windows Firewall on or off”.

Page 4: Configuration Training ~ console ~

Access into the Router

■Basic method of the access

[Figure: Console (Tera Term) and the RTX810]

Page 5: Configuration Training ~ console ~

Setup the console environment

1. Install the driver of the USB-Serial
2. Install the Tera Term software
3. Setup the Tera Term parameter: Menu → Setup → Serial port
4. Start the router

Parameter      Value
Baud rate      9600 bit/s
Data           8 bit
Parity         None
Stop           1 bit
Flow control   Xon/Xoff

Page 6: Configuration Training ~ console ~

1. Login from Serial

・The router will start automatically in 10 seconds.
・No password is set in the beginning.

Sample:

Page 7: Configuration Training ~ console ~

2. How to configure

・Enter the administrator mode to configure the router.
・Use command “administrator” to enter the administrator mode.
・No password is set in the beginning.

Sample:

Page 8: Configuration Training ~ console ~

3. How to change passwords

・Use command “login password” to change login password.
・Use command “administrator password” to change admin password.
・Use command “save” to save running configuration to FlashROM.

Sample:

Login password → “yamaha”
Administrator password → “router”

Page 9: Configuration Training ~ console ~

4. Logout

・Use command “exit” to logout from login user and admin.
・Enter login password.
・Enter admin password.

Page 10: Configuration Training ~ console ~

5. Basic commands

・Show Command
 – ① show config
 – ② show ip route
 – ③ show arp
 – ④ show environment
 – ⑤ show log
 – ⑥ show status <interface>
 – ⑦ show ipsec sa
 – ⑧ show techinfo

・Maintenance
 – ① save
 – ② restart
 – ③ cold start

・Network Command
 – ① ping
 – ② traceroute
 – ③ telnet

Page 11: Configuration Training ~ console ~

5. Basic commands (1)

・“show status lan1” shows the status of LAN1.
・“show log” shows the syslog of the router.

Sample:

Page 12: Configuration Training ~ console ~

5. Basic commands (2)

・“show techinfo” shows all information of the router.

Sample:

Page 13: Configuration Training ~ console ~

6. Command help

・Use key “?” to show command list.
・Use key “?” after word to show command help or other command list.

Sample:

Page 14: Configuration Training ~ console ~

7. Configuration control (1)

Yamaha router has 5 domains for the configuration files on internal memory. These domains are named by number, “0” ~ “4”, and it is possible to do the following operations for each domain.
- Copy the configuration file
- Delete the configuration file
- Show the configuration file list
- Show the saved configuration file content

[Figure: Internal memory (Flash ROM) with configuration domains 0 (default), 1, 2, 3, 4]

Page 15: Configuration Training ~ console ~

7. Configuration control (2)

・Use command “save NUM” to save running-configuration to specific domain on FlashROM.
・Use command “show config list” to show saved config list.
・Use command “copy config P1 P2” to copy configuration from P1 to P2.
・Use command “delete config” to delete configuration on FlashROM.

Sample:

Page 16: Configuration Training ~ console ~

8. Interface addressing

■Configure IP Address to LAN Interface

[Figure: router with LAN2 = .1 on 172.16.1.0/24, 1000::/64 and LAN1 = .1 on 192.168.100.0/24, 2000::/64]

Page 17: Configuration Training ~ console ~

8. Interface addressing (1)

Command
ip <interface> address <IPv4address/mask> ・・・・・・①
ipv6 <interface> address <IPv6address/mask> ・・・・・・②

① Configure IPv4 address to each LAN interface.
② Configure IPv6 address to each LAN interface.
・Use command “save” to save running configuration to FlashROM.

Sample:

Page 18: Configuration Training ~ console ~

8. Interface addressing (2)

・“show status lan1” shows the status of LAN1.
・“show status lan2” shows the status of LAN2.

Sample:

Page 19: Configuration Training ~ console ~


8. Interface addressing (3)

・“ show ipv6 address ” shows IPv6 address information.

Page 20: Configuration Training ~ console ~

9. Delete command

・Put the word “no” in front of a command to delete that command from the configuration.

Sample:

Page 21: Configuration Training ~ console ~

10. DHCP server setting

■Enable DHCP Server and Assign DHCP Address to DHCP Clients (PC)

[Figure: router LAN1 = .1 on 192.168.100.0/24; DHCP clients receive 192.168.100.2 ~ 192.168.100.191]

Page 22: Configuration Training ~ console ~

10. DHCP server setting (1)

Command
dhcp service server ・・・・・・①
dhcp scope <scope_id> <scope/mask> ・・・・・・②

① Enable DHCP Server
② Configure the scope range of DHCP IP addresses.

Sample:

Page 23: Configuration Training ~ console ~

10. DHCP server setting (2)

・“show status dhcp” shows the status of DHCP lease.

Sample:

Page 24: Configuration Training ~ console ~

11. Router Advertisement

■Configure the Router Advertisement and send to host.

[Figure: the router (LAN1 = .1 on 2000::/64) sends a Router Advertisement; the computer creates its IPv6 address 2000::XXXX/64 from the Router Advertisement]

Page 25: Configuration Training ~ console ~

11. Router Advertisement (1)

Command
ipv6 prefix <prefix_id> <prefix/mask> ・・・・・・①
ipv6 <interface> rtadv send <prefix_id> ・・・・・・②

① Configure IPv6 prefix.
② Configure the Router Advertisement.

Sample:

Page 26: Configuration Training ~ console ~

11. Router Advertisement (2)

The computer creates its IPv6 address from the prefix in the RA.

Page 27: Configuration Training ~ console ~

Return to factory default setting

① Use command “cold start” to return to factory default.
② Router restarts automatically.
 ・Press “Enter” during the 10-second countdown.
③ Restart from config0.

Page 28: Configuration Training ~ console ~

12. Static route setting

■Configure Static Route for Networking.

[Figure: Router-A (172.16.1.0/24, 2000::/64) and Router-B (172.16.2.0/24, 3000::/64) connected through 1.1.1.0/24, 1000::/64; each router uses LAN1 and LAN2; ping is sent across the two routers]

Page 29: Configuration Training ~ console ~

12. Static route setting (1)

Command
ip route <network/mask> gateway <nexthop> ・・・①
ipv6 route <network/mask> gateway <nexthop>%<interface> ・・・②

① Set static route for 172.16.2.0/24
② Set static route for 3000::/64
“default” means 0.0.0.0

Sample: Router-A

Page 30: Configuration Training ~ console ~

12. Static route setting (2)

Command
ip route <network/mask> gateway <nexthop> ・・・①
ipv6 route <network/mask> gateway <nexthop>%<interface> ・・・②

① Set static route for 172.16.1.0/24
② Set static route for 2000::/64
“default” means 0.0.0.0

Sample: Router-B

Page 31: Configuration Training ~ console ~


12. Static route setting (3)

・“ show ip route ” shows the ipv4 routing table of the Router.

・“ show ipv6 route ” shows the ipv6 routing table of the Router.

Sample: Router-A

Page 32: Configuration Training ~ console ~

Configuration Change

① Save configuration to config0.
② Restart Router.
 ・Press “Enter” during the 10-second countdown.
③ Restart from config1.

Page 33: Configuration Training ~ console ~

13. Network Address Translation (NAT)

NAT … the process of modifying IP address information in IP packet headers; here, the process that lets a group of private addresses use 1 global IP address.

NAT table (Source ⇔ Source : Port)
192.168.100.2 ⇔ 172.16.1.1 : 60000
192.168.100.3 ⇔ 172.16.1.1 : 60001
192.168.100.4 ⇔ 172.16.1.1 : 60002
・・・
192.168.100.X ⇔ 172.16.1.1 : 6000X

[Figure: hosts .2, .3, .4 ... .X on 192.168.100.0/24 behind the router (.1), which faces the internet as 172.16.1.1]

Page 34: Configuration Training ~ console ~

13. NAT (1)

■Configure NAT for IP Networking

[Figure: Your computer 192.168.100.2 on 192.168.100.0/24 (router LAN1 = .1) and Web server 172.16.1.100 on 172.16.1.0/24 (router LAN2 = .1); NAT translates 192.168.100.2 to 172.16.1.1]

Page 35: Configuration Training ~ console ~

13. NAT (2)

Command
nat descriptor type <nat_id> masquerade ・・・・・・①
nat descriptor address outer <nat_id> <Outer IP Address> ・・・・・・②
nat descriptor address inner <nat_id> <Inner IP Address> ・・・・・・③
ip <interface> nat descriptor <nat_id> ・・・・・・④

① Enable NAT. Select “masquerade” to use NAPT.
② Put Global IP Address for translation.
③ Put any private IP Address. “auto” means all.
④ Set NAT to the interface.

Sample:

Page 36: Configuration Training ~ console ~


13. NAT (3)

・“ show nat descriptor address ” shows the nat table of the Router.

Sample:

Page 37: Configuration Training ~ console ~

14. Static masquerade

Static masquerade … the process of forwarding the packets which come to a specific port number.

NAT table (Destination : Port ⇔ Destination : Port)
172.16.1.1 : 80 ⇔ 192.168.100.100 : 80

[Figure: Web server on private network (.100 on 192.168.100.0/24, router = .1) reached from the internet through 172.16.1.1]

Page 38: Configuration Training ~ console ~

14. Static masquerade (1)

[Figure: Your computer 172.16.1.2 on 172.16.1.0/24 (router LAN2 = .1) and Web server 192.168.100.100 on 192.168.100.0/24 (router LAN1 = .1); NAT maps 172.16.1.1:80 to 192.168.100.100:80]

Page 39: Configuration Training ~ console ~

14. Static masquerade (2)

Command
nat descriptor type <nat_id> masquerade ・・・・・・①
nat descriptor address outer <nat_id> <Outer IP Address> ・・・・・・②
nat descriptor address inner <nat_id> <Inner IP Address> ・・・・・・③
nat descriptor masquerade static <nat_id> <table_num> <Inner IP> <Proto> <Port> ・・・・・・④
ip <interface> nat descriptor <nat_id> ・・・・・・⑤

① Enable NAT. Select “masquerade” to use NAPT.
② Put Global IP Address for translation.
③ Put any private IP Address. “auto” means all.
④ Set Inner IP and Port for port forward.
⑤ Set NAT to the interface.

Sample:

Page 40: Configuration Training ~ console ~

14. Static masquerade (3)

・“show nat descriptor address” shows the NAT table of the Router.

Sample:

Page 41: Configuration Training ~ console ~

Configuration Change

① Save configuration to config1.
② Restart Router.
 ・Press “Enter” during the 10-second countdown.
③ Restart from config2.

Page 42: Configuration Training ~ console ~

15. Static packet filtering

■Configure Static Packet Filtering

Static Packet Filtering Condition
・172.16.1.200:80 → 192.168.100.0/24 : Reject
・172.16.1.100 → 192.168.100.0/24 : Pass

[Figure: Your computer on 192.168.100.0/24 (router LAN1 = .1); Web server hosts .100 (○) and .200 (×) on 172.16.1.0/24 (router LAN2 = .1); filtering on tcp 80 = HTTP]

Page 43: Configuration Training ~ console ~

15. Static packet filtering (1)

Command
ip filter <Filter_NUM> <Type> <Src_Add> <Dst_Add> <Protocol <Src_Port> <Dst_Port>> ・・①
ip <Interface> secure filter <Direction> <Filter_Num> ・・②

* To record the result of Packet Filtering, configure a filter type such as pass-log or reject-log, and also configure “syslog notice on” to show the record in the syslog.

① Create Packet Filtering.
② Set filter to the interface.
③ Configure “syslog notice on” to record the result of packet filtering.

Sample:

Page 44: Configuration Training ~ console ~

15. Static packet filtering rule

Sample filtering configuration:

ip filter 1 reject 1.1.1.1 2.2.2.2 tcp 80 *
ip filter 2 reject 1.1.1.1 3.3.3.3 udp * *
ip filter 3 pass * * * * *
ip lan2 secure filter in 1 2 3

[Figure: flowchart for a received packet. Filter1 (TCP src:80, From:1.1.1.1, To:2.2.2.2): YES → Discard, NO → Filter2. Filter2 (UDP, From:1.1.1.1, To:3.3.3.3): YES → Discard, NO → Filter3. Filter3 (all): YES → Pass, NO → Discard.]

In case of the above configuration, packets received on the LAN2 interface are evaluated in the sequence shown: Filter1, Filter2, Filter3.
※ A received packet that does not match any filter is discarded. If you want to reject only specific packets, you should set an all-pass filter at the end of the filter configuration.
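The evaluation order on this slide, as an added example that is not part of the original training material: a simplified Python model that parses the slide's four configuration lines and returns the first matching filter's verdict, with the implicit discard when nothing matches. The test packets are constructed, and treating an interface with no filter list as unfiltered is an assumption.

```python
import ipaddress
from itertools import takewhile

# Sample configuration copied from the slide above.
SLIDE_CONFIG = """\
ip filter 1 reject 1.1.1.1 2.2.2.2 tcp 80 *
ip filter 2 reject 1.1.1.1 3.3.3.3 udp * *
ip filter 3 pass * * * * *
ip lan2 secure filter in 1 2 3
"""

def parse(config):
    """Return ({filter_num: fields}, {(interface, direction): [filter_num, ...]})."""
    filters, applied = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "filter"] and len(t) >= 6 and t[2].isdigit():
            proto, sport, dport = (t[6:] + ["*"] * 3)[:3]  # omitted fields mean "any"
            filters[int(t[2])] = {
                "action": t[3].split("-")[0],  # pass-log / reject-log act like pass / reject
                "src": t[4], "dst": t[5],
                "proto": proto, "sport": sport, "dport": dport,
            }
        elif len(t) >= 6 and t[0] == "ip" and t[2:4] == ["secure", "filter"]:
            # Static filter numbers end where the optional "dynamic" keyword begins.
            applied[(t[1], t[4])] = [int(n) for n in takewhile(str.isdigit, t[5:])]
    return filters, applied

def addr_match(pattern, addr):
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def field_match(pattern, value):
    return pattern == "*" or pattern == str(value)

def evaluate(config, interface, direction, pkt):
    """Return (verdict, reason): reason is the deciding filter number or a label."""
    filters, applied = parse(config)
    if (interface, direction) not in applied:
        return "pass", "no-filter-list"  # assumption: no list applied means unfiltered
    for num in applied[(interface, direction)]:
        f = filters.get(num)
        if f is None:
            continue  # listed but undefined filter number: skipped in this model
        if (addr_match(f["src"], pkt["src"]) and addr_match(f["dst"], pkt["dst"])
                and field_match(f["proto"], pkt["proto"])
                and field_match(f["sport"], pkt["sport"])
                and field_match(f["dport"], pkt["dport"])):
            return f["action"], num  # the first matching filter decides
    return "reject", "implicit-discard"  # nothing matched: the packet is discarded

# Constructed test packets (not from the slide).
HTTP_REPLY = {"src": "1.1.1.1", "dst": "2.2.2.2", "proto": "tcp", "sport": 80, "dport": 50000}
UDP_PKT = {"src": "1.1.1.1", "dst": "3.3.3.3", "proto": "udp", "sport": 5000, "dport": 53}
OTHER = {"src": "4.4.4.4", "dst": "2.2.2.2", "proto": "tcp", "sport": 40000, "dport": 22}

# Same configuration without the trailing all-pass filter in the applied list.
NO_PASS_CONFIG = SLIDE_CONFIG.replace("in 1 2 3", "in 1 2")

if __name__ == "__main__":
    for name, pkt in [("HTTP_REPLY", HTTP_REPLY), ("UDP_PKT", UDP_PKT), ("OTHER", OTHER)]:
        print(name, evaluate(SLIDE_CONFIG, "lan2", "in", pkt))
    print("OTHER, filter 3 not applied", evaluate(NO_PASS_CONFIG, "lan2", "in", OTHER))
```

With filter 3 left out of the applied list, the unrelated packet is discarded even though no reject filter names it, which is the case the ※ note describes.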

Page 45: Configuration Training ~ console ~


15. Static packet filtering (2)

・“ show log ” shows the syslog and results of Packet Filtering.

PASS-LOG

REJECT-LOG

Page 46: Configuration Training ~ console ~

16. Dynamic packet filtering

■Configure Dynamic Packet Filtering (Stateful Inspection)

Dynamic Filtering Condition
・LAN1 → LAN2 : Pass
・LAN2 → LAN1 : Reject
・Reply packets of LAN1 → LAN2 : Pass

[Figure: Your computer on 192.168.100.0/24 (router LAN1 = .1) and Web server .100 on 172.16.1.0/24 (router LAN2 = .1); filtering on tcp 80 = HTTP; ○ and × mark the passed and rejected directions]

Page 47: Configuration Training ~ console ~

16. Dynamic packet filtering (1)

Command
ip filter <Filter_Num> <Type> <Src_Add> <Dst_Add> <Protocol <Src_Port> <Dst_Port>> ・・・・・・①
ip filter dynamic <Dynamic_Filter_Num> <Src_Add> <Dst_Add> <Protocol> ・・・・・・②
ip <interface> secure filter <Direction> <Filter_Num> dynamic <Dynamic_Filter_Num> ・・・・・・③

*NOTE
・To enable a Dynamic Filter, a Static Packet Filter needs to be configured in advance. The first packet should be filtered by the static filter. Once the packet is filtered by the Static Filter, the Dynamic Filter becomes active.
 ex) ip lan1 secure filter out 1 dynamic 1
・For Dynamic Filter, the parameter <Protocol> is such as ftp, www, domain, smtp, pop3, tcp and udp.

Page 48: Configuration Training ~ console ~

16. Dynamic packet filtering (2)

Sample:

① Create Static Packet Filtering.
② Create Dynamic Packet Filtering.
③ Set inbound filter to the Interface.
④ Set dynamic filter for outbound filter to the interface.
⑤ Configure this command to record the result of packet filtering.
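The three Dynamic Filtering Conditions above, as an added example that is not part of the original training material: a simplified Python model of a stateful filter's session table, not the router's implementation. The idle timeout, the port mapping behind the protocol mnemonics and all traffic are constructed assumptions; the addresses follow the slide's diagram.

```python
import time

# Ports behind the <Protocol> mnemonics listed on the slide (assumed standard
# ports). The separate data connection that ftp opens is not modelled.
MNEMONICS = {
    "ftp": ("tcp", 21), "www": ("tcp", 80), "domain": ("udp", 53),
    "smtp": ("tcp", 25), "pop3": ("tcp", 110),
    "tcp": ("tcp", None), "udp": ("udp", None),  # None = any port
}

def packet(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

class DynamicFilter:
    """LAN1 → LAN2: pass. LAN2 → LAN1: reject, except replies to tracked sessions."""

    def __init__(self, protocol, idle_timeout=60.0, clock=time.monotonic):
        self.proto, self.port = MNEMONICS[protocol]
        self.idle_timeout = idle_timeout  # hypothetical value, not a router default
        self.clock = clock
        self.sessions = {}  # (client, cport, server, sport, proto) -> last activity

    def outbound(self, pkt):
        """LAN1 → LAN2. The static filter passes it; a matching packet opens a session."""
        if pkt["proto"] == self.proto and self.port in (None, pkt["dport"]):
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
            self.sessions[key] = self.clock()
        return "pass"

    def inbound(self, pkt):
        """LAN2 → LAN1. Only the exact reverse of a live session is let through."""
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        last = self.sessions.get(key)
        if last is not None and self.clock() - last <= self.idle_timeout:
            self.sessions[key] = self.clock()
            return "pass"
        self.sessions.pop(key, None)  # forget an expired session
        return "reject"

def demo():
    """Constructed traffic between the slide's PC side and web server side."""
    now = [0.0]  # fake clock so the timeout case is reproducible
    f = DynamicFilter("www", idle_timeout=60.0, clock=lambda: now[0])
    pc, web = "192.168.100.2", "172.16.1.100"
    results = {}
    results["unsolicited"] = f.inbound(packet(web, 80, pc, 50000))
    results["request"] = f.outbound(packet(pc, 50000, web, 80))
    results["reply"] = f.inbound(packet(web, 80, pc, 50000))
    results["other_host"] = f.inbound(packet("172.16.1.200", 80, pc, 50000))
    f.outbound(packet(pc, 50001, web, 22))  # passes outbound, but is not "www"
    results["ssh_reply"] = f.inbound(packet(web, 22, pc, 50001))
    now[0] = 61.0  # idle longer than the timeout
    results["late_reply"] = f.inbound(packet(web, 80, pc, 50000))
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```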

Page 49: Configuration Training ~ console ~


16. Dynamic packet filtering (3)

・“ show ip connection ” shows the session information of Dynamic Filtering.

Sample:

Page 50: Configuration Training ~ console ~

16. Dynamic packet filtering (4)

・“show log” shows the syslog and results of Packet Filtering.
・“INSPECT” means that Packets are filtered by Dynamic Filtering.

Sample:

Page 51: Configuration Training ~ console ~

Configuration Change

① Save configuration to config2.
② Restart Router.
 ・Press “Enter” during the 10-second countdown.
③ Restart from config3.

Page 52: Configuration Training ~ console ~

17. Internet Accessing (PPPoE)

■Configure PPPoE Setting for Internet Access

[Figure: Router-A and Router-B each connect to the Internet through their WAN port; the LAN sides are 172.16.1.0/24 and 172.16.2.0/24 with each router at .1 (LAN); PC1 and PC2 sit on the LANs]

Page 53: Configuration Training ~ console ~

17. PPPoE (1)

Command
pp select <pp_num> ・・・・・・①
pppoe use <interface> ・・・・・・②
pp always-on <on/off> ・・・・・・③
pp auth accept <auth method> ・・・・・・④
pp auth myname <user_id> <user_pass> ・・・・・・⑤
ppp lcp mru <on/off> <frame size> ・・・・・・⑥
ip pp mtu <mtu size> ・・・・・・⑦
ppp ccp type <type> ・・・・・・⑧
ppp ipcp ipaddress <on/off> ・・・・・・⑨ (*1)
ppp ipcp msext <on/off> ・・・・・・⑩
ip pp nat descriptor <nat_id> ・・・・・・⑪
ip pp tcp mss limit <length> ・・・・・・⑫
pp enable <pp_num> ・・・・・・⑬
dns server pp <pp_num> ・・・・・・⑭
ip route <network address/mask> gateway pp <pp_num> ・・・・・・⑮

*1) This parameter is for a dynamic IP address which is assigned from the ISP. If you want to use a static IP address, set “ip pp address <IP Address/Mask>” instead.

Page 54: Configuration Training ~ console ~

17. PPPoE (2)

Sample: (Dynamic Global Address)

① Create pp interface
② Choose physical interface
③ Enable always-on connections
④ Choose authentication
⑤ Set USER-ID and Password
⑥ Set LCP MRU parameter
⑦ Set MTU parameter
⑧ Choose compression type
⑨ Enable dynamic IP address
⑩ Enable dynamic DNS address
⑪ Enable nat descriptor for pp
⑫ Enable optimization of MSS
⑬ Enable pp interface
⑭ Set DNS server from ⑩
⑮ Set static routing

Router A ID: user1, PASS: pass1
Router B ID: user2, PASS: pass2

Page 55: Configuration Training ~ console ~


17. PPPoE (3)

・“ show status pp 1 ” shows the status of pp 1 interface.

Sample:

Page 56: Configuration Training ~ console ~

18. IPsec VPN (Main mode)

■Configure IPsec VPN (Main Mode) via Internet

[Figure: Router-A and Router-B, at .201 and .202 on the Internet (200.1.1.0/24), joined by an IPsec tunnel with PSK: secret on both sides; LANs 172.16.1.0/24 and 172.16.2.0/24 with each router at .1 and PC1 / PC2 at .2]

Page 57: Configuration Training ~ console ~

18. IPsec VPN (Main mode) (1)

Command: (Center and Branch)
tunnel select <Tunnel_Num> ・・・・・・①
tunnel encapsulation <Type> ・・・・・・②
ipsec tunnel <Policy_ID> ・・・・・・③
ipsec sa policy <Policy_ID> <Tunnel_Num> esp <Algorithm> <Authentication> ・・・・・・④
ipsec ike keepalive use <Tunnel_Num> <on/off> ・・・・・・⑤
ipsec ike keepalive log <Tunnel_Num> <on/off> ・・・・・・⑥
ipsec ike local address <Tunnel_Num> <Local_Gateway_Address> ・・・・・・⑦
ipsec ike remote address <Tunnel_Num> <Remote_Gateway_Address> ・・・・・・⑧
ipsec ike pre-shared-key <Tunnel_Num> text <Text_Key> ・・・・・・⑨
tunnel enable <Tun_Num> ・・・・・・⑩
ip route <network address/mask> gateway tunnel <Tun_Num> ・・・・・・⑪
ipsec auto refresh <on/off> ・・・・・・⑫

Page 58: Configuration Training ~ console ~

18. IPsec VPN (Main mode) (2)

Sample: Router-A

① Create Tunnel Interface
② Select IPsec Policy-ID
③ Create IPsec Policy
④ Enable use of keepalive
⑤ Disable keepalive log
⑥ Set IP address of local GW
⑦ Set IP address of remote GW
⑧ Set pre shared key
⑨ Enable Tunnel Interface
⑩ Set port forwarding for IPsec
⑪ Set port forwarding for IKE
⑫ Set static routing
⑬ Enable Initiation of KeyExchange

Page 59: Configuration Training ~ console ~

18. IPsec VPN (Main mode) (3)

Sample: Router-B

① Create Tunnel Interface
② Select IPsec Policy-ID
③ Create IPsec Policy
④ Enable use of keepalive
⑤ Disable keepalive log
⑥ Set IP address of local GW
⑦ Set IP address of remote GW
⑧ Set pre shared key
⑨ Enable Tunnel Interface
⑩ Set port forwarding for IPsec
⑪ Set port forwarding for IKE
⑫ Set static routing
⑬ Enable Initiation of KeyExchange

Page 60: Configuration Training ~ console ~

18. IPsec VPN (Main mode) (4)

・“show status tunnel 1” shows the status of tunnel 1 interface.
・“show ipsec sa” shows the status of ISAKMP SA and IPsec SA.

Sample:

Page 61: Configuration Training ~ console ~

19. IPsec VPN (Aggressive mode)

■Configure IPsec VPN (Aggressive Mode) via Internet

[Figure: Router-A (.201 on the Internet, 200.1.1.0/24; PSK: secret, Remote Name: test) and Router-B (Dynamic IP Address; PSK: secret, Local Name: test) joined by an IPsec tunnel; LANs 172.16.1.0/24 and 172.16.2.0/24 with each router at .1; PC1 and PC2 sit on the LANs]

Page 62: Configuration Training ~ console ~

19. IPsec VPN (Aggressive mode) (1)

Command: (Center) Router-A
tunnel select <Tunnel_Num> ・・・・・・①
tunnel encapsulation <Type> ・・・・・・②
ipsec tunnel <Policy_ID> ・・・・・・③
ipsec sa policy <Policy_ID> <Tunnel_Num> esp <Algorithm> <Authentication> ・・・・・・④
ipsec ike keepalive use <Tunnel_Num> <on/off> ・・・・・・⑤
ipsec ike keepalive log <Tunnel_Num> <on/off> ・・・・・・⑥
ipsec ike local address <Tunnel_Num> <Local_Gateway_Address> ・・・・・・⑦
ipsec ike remote address <Tunnel_Num> any ・・・・・・⑧
ipsec ike remote name <Tunnel_Num> <Tex_key> key-id ・・・・・・⑨
ipsec ike pre-shared-key <Tunnel_Num> text <Text_Key> ・・・・・・⑩
tunnel enable <Tun_Num> ・・・・・・⑪
ip route <network address/mask> gateway tunnel <Tun_Num> ・・・・・・⑫

Page 63: Configuration Training ~ console ~

19. IPsec VPN (Aggressive mode) (2)

Command: (Branch) Router-B
tunnel select <Tunnel_Num> ・・・・・・①
tunnel encapsulation <Type> ・・・・・・②
ipsec tunnel <Policy_ID> ・・・・・・③
ipsec sa policy <Policy_ID> <Tunnel_Num> esp <Algorithm> <Authentication> ・・・・・・④
ipsec ike keepalive use <Tunnel_Num> <on/off> ・・・・・・⑤
ipsec ike keepalive log <Tunnel_Num> <on/off> ・・・・・・⑥
ipsec ike local address <Tunnel_Num> <Local_Gateway_Address> ・・・・・・⑦
ipsec ike remote address <Tunnel_Num> <Remote_Gateway_Address> ・・・・・・⑧
ipsec ike local name <Tunnel_Num> <Tex_key> key-id ・・・・・・⑨
ipsec ike pre-shared-key <Tunnel_Num> text <Text_Key> ・・・・・・⑩
tunnel enable <Tun_Num> ・・・・・・⑪
ip route <network address/mask> gateway tunnel <Tun_Num> ・・・・・・⑫
ipsec auto refresh <on/off> ・・・・・・⑬

Page 64: Configuration Training ~ console ~

19. IPsec VPN (Aggressive mode) (3)

Sample: Router-A

① Create Tunnel Interface
② Select IPsec Policy-ID
③ Create IPsec Policy
④ Enable use of keepalive
⑤ Disable keepalive log
⑥ Set IP address of local GW
⑦ Accept any IP as remote GW
⑧ Set name of remote GW
⑨ Set pre shared key
⑩ Enable Tunnel Interface
⑪ Set port forwarding for IPsec
⑫ Set port forwarding for IKE
⑬ Set static routing

Page 65: Configuration Training ~ console ~

19. IPsec VPN (Aggressive mode) (4)

Sample: Router-B

① Create Tunnel Interface
② Select IPsec Policy-ID
③ Create IPsec Policy
④ Enable use of keepalive
⑤ Disable keepalive log
⑥ Set IP address of local GW
⑦ Set IP address of remote GW
⑧ Set name of local GW
⑨ Set pre shared key
⑩ Enable Tunnel Interface
⑪ Set port forwarding for IPsec
⑫ Set port forwarding for IKE
⑬ Set static routing
⑭ Enable Initiation of KeyExchange

Page 66: Configuration Training ~ console ~

19. IPsec VPN (Aggressive mode) (5)

・“show status tunnel 1” shows the status of tunnel 1 interface.
・“show ipsec sa” shows the status of ISAKMP SA and IPsec SA.

Sample:

Page 67: Configuration Training ~ console ~


19. IPsec VPN (Aggressive mode) (6)

・“ show ipsec sa gateway 1 detail ” shows the specific information about ISAKMP and IPsec SA.

Sample:

Page 68: Configuration Training ~ console ~

Website for Yamaha product

http://www.yamaha.com/products/en/network/

We will update the information such as new firmware, sample configuration … etc.