Professional Documents
Culture Documents
ii
AT-RG 600 Residential Gateway – Software Reference Manual iii
iv
AT-RG 600 Residential Gateway – Software Reference Manual v
ip list connections.............................................................................................................. 98
ip list interfaces ................................................................................................................. 99
ip list riproutes................................................................................................................... 99
ip list routes..................................................................................................................... 100
ip ping ............................................................................................................................. 100
ip set interface dhcp........................................................................................................ 101
ip set interface ipaddress................................................................................................ 101
ip set interface mtu.......................................................................................................... 102
ip set interface netmask.................................................................................................. 103
ip set interface rip accept................................................................................................ 104
ip set interface rip multicast ............................................................................................ 105
ip set interface rip send................................................................................................... 105
ip set interface tcpmssclamp........................................................................................... 106
ip set rip advertisedefault................................................................................................ 107
ip set rip authentication................................................................................................... 108
ip set rip defaultroutecost................................................................................................ 108
ip set rip hostroutes......................................................................................................... 109
ip set rip password.......................................................................................................... 109
ip set rip poison............................................................................................................... 110
ip set route cost............................................................................................................... 110
ip set route destination.................................................................................................... 111
ip set route gateway........................................................................................................ 112
ip set route interface ....................................................................................................... 113
ip show............................................................................................................................ 113
ip show interface............................................................................................................. 114
ip show route................................................................................................................... 115
CHAPTER 5 Transports ................................................................................................ 116
Transports CLI commands.............................................................................................. 117
transports clear ............................................................................................................... 117
transports delete ............................................................................................................. 117
transports list................................................................................................................... 118
transports show............................................................................................................... 118
CHAPTER 6 Ethernet..................................................................................................... 120
Ethernet CLI commands ................................................................................................. 120
ethernet add transport..................................................................................................... 120
ethernet clear transports................................................................................................. 121
ethernet delete transport................................................................................................. 121
ethernet list ports ............................................................................................................ 122
ethernet list transports .................................................................................................... 122
ethernet show transport .................................................................................................. 122
CHAPTER 7 Security & Firewall................................................................................. 124
Introduction ..................................................................................................................... 124
Application Gateway ....................................................................................................... 124
Stateful Inspection .......................................................................................................... 125
Security support on AT-RG6xx Residential Gateway series........................................... 125
Security Interfaces .......................................................................................................... 126
Dynamic Port Opening and Triggers............................................................................... 127
Non-Activity Timeout....................................................................................................... 128
Session Chaining............................................................................................................ 128
Firewall............................................................................................................................ 129
Policy .............................................................................................................................. 130
Portifilter.......................................................................................................................... 130
Validator.......................................................................................................................... 130
Intrusion Detection.......................................................................................................... 131
Security Command Reference........................................................................................ 133
Security CLI commands.................................................................................................. 133
security add interface...................................................................................................... 133
security add trigger tcp|udp............................................................................................. 134
security add trigger netmeeting....................................................................................... 135
security clear interfaces .................................................................................................. 136
security clear triggers...................................................................................................... 136
security delete interface.................................................................................................. 136
security delete trigger...................................................................................................... 136
security............................................................................................................................ 137
security list interfaces...................................................................................................... 138
security list triggers ......................................................................................................... 138
security set trigger UDPsessionchaining ........................................................................ 138
security set trigger addressreplacement......................................................................... 139
security set trigger binaryaddressreplacement ............................................................... 140
security set trigger endport ............................................................................................. 141
security set trigger maxactinterval .................................................................................. 141
security set trigger multihost ........................................................................................... 142
security set trigger sessionchaining................................................................................ 142
security set trigger startport ............................................................................................ 143
security show interface ................................................................................................... 143
security show trigger....................................................................................................... 143
security status................................................................................................................. 144
Firewall Command Reference ........................................................................................ 146
Firewall CLI commands .................................................................................................. 146
firewall add policy............................................................................................................ 147
firewall add portfilter........................................................................................................ 148
firewall add validator ....................................................................................................... 150
firewall clear policies....................................................................................................... 152
firewall clear portfilters .................................................................................................... 152
firewall delete policy........................................................................................................ 153
firewall delete portfilter.................................................................................................... 153
firewall delete validator ................................................................................................... 154
firewall enable|disable..................................................................................................... 154
firewall enable|disable IDS.............................................................................................. 155
firewall enable|disable blockinglog.................................................................................. 156
firewall enable|disable Intrusionlog ................................................................................. 156
firewall enable|disable sessionlog................................................................................... 156
firewall list policies .......................................................................................................... 157
firewall list portfilters........................................................................................................ 157
firewall list validators ....................................................................................................... 158
firewall set IDS DOSattackblock ..................................................................................... 159
firewall set IDS MaxICMP ............................................................................................... 159
firewall set IDS MaxPING ............................................................................................... 160
firewall set IDS MaxTCPopenhandshake ....................................................................... 160
firewall set IDS SCANattackblock................................................................................... 161
firewall set IDS blacklist .................................................................................................. 162
firewall set IDS victimprotection ...................................................................................... 162
firewall set securitylevel .................................................................................................. 163
firewall show IDS ............................................................................................................ 165
firewall show policy ......................................................................................................... 165
Firewall show portfilter .................................................................................................... 166
firewall show validator..................................................................................................... 167
firewall status .................................................................................................................. 168
CHAPTER 8 Network Address Translation - NAT ................................................. 169
Network Address Translation.......................................................................................... 169
Address conservation ..................................................................................................... 169
Security........................................................................................................................... 170
How does NAT work? ..................................................................................................... 170
What about protocols other than UDP and TCP?........................................................... 172
How can you let sessions into servers on the private LAN? ........................................... 172
vi
AT-RG 600 Residential Gateway – Software Reference Manual vii
viii
AT-RG 600 Residential Gateway – Software Reference Manual ix
x
AT-RG 600 Residential Gateway – Software Reference Manual xi
xii
AT-RG 600 Residential Gateway – Software Reference Manual xiii
xiv
AT-RG 600 Residential Gateway – Software Reference Manual xv
List of figures
Figure 1. IP Packet overview........................................................................................................................... 35
Figure 2. Tagged frame format according to IEEE 802.3ac standard............................................................. 50
Figure 3. VLAN and IP layer architecture (the greyed area surrounds the entities always available in the
system) ..................................................................................................................................................... 54
Figure 4. IP interface over VLAN - basic steps ............................................................................................... 55
Figure 5. IP packet or datagram. ..................................................................................................................... 61
Figure 6. Subdivision of the 32 bits of an Internet address into network and host fields for class A, B and C
networks. .................................................................................................................................................. 63
Figure 7. Security modules on AT-RG6xx Residential Gateway series. ....................................................... 126
Figure 8. Security interfaces on AT-RG6xx Residential Gateway series. ..................................................... 127
Figure 9. Firewall module and related objects............................................................................................... 131
Figure 10. Address Conservation using NAT ................................................................................................ 170
Figure 11. External access to an FTP server ................................................................................................ 173
Figure 12. Domain Name System ................................................................................................................. 257
Figure 13. PPP is used by Internet Service Providers (ISPs) to allow dial-up users to connect to the Internet.
................................................................................................................................................................ 276
Figure 14. ISDN Basic Access. ..................................................................................................................... 300
Figure 15. VoIP subsystem configuration - basic steps. ............................................................................... 301
Figure 16. Phone --> AT-RG613/RG623 (A) --> AT-RG613/RG623 (B) --> Phone................................ 336
Figure 17. Phone --> AT-RG613/RG623 (A) --> SIP IP Phone................................................................. 337
Figure 18. VoIP subsystem configuration - basic steps. ............................................................................... 338
Figure 19. H.323 Terminals on a Packet Network......................................................................................... 367
Figure 20. Phone --> AT-RG613/RG623 (A) --> AT-RG613/RG623 (B) --> Phone................................ 372
Figure 21. Phone --> AT-RG613/RG623 (A) --> H323 IP Phone.............................................................. 373
Figure 22. VoIP H323 subsystem configuration - basic steps....................................................................... 374
Figure 23. ZTC network architecture. ............................................................................................................ 411
Figure 24. Pull-at-Startup ZTC phase........................................................................................................... 414
Figure 25. Scheduled-pull ZTC phase.......................................................................................................... 415
Figure 26. Access to the Residential Gateway TFTP server......................................................................... 421
Figure 27. The Windows™ Loader................................................................................................................ 422
Figure 28. Normal SwUpdate operation mode. ................................................. Error! Bookmark not defined.
Figure 29. DHCPCONF like SwUpdate operation mode............................................................................... 423
Figure 30. SwUpdate scheduling example 1..................................................... Error! Bookmark not defined.
Figure 4. SwUpdate scheduling example 2....................................................... Error! Bookmark not defined.
AT-RG 600 Residential Gateway – Software Reference Manual
Preface
Intended Audience
This manual is intended for the system administrator, network manager or
communications technician who will configure and maintain AT-RG613, AT-RG623
and AT-RG656, or who manages a network of AT-RG613, AT-RG623 and AT-RG656
Residential Gateways.
It is assumed that the reader is familiar with:
• The topology of the network in which the Residential Gateway is to be used.
• Basic principles of computer networking, protocols and routing, and interfaces.
• Administration and operation of a computer network.
Most of the commands described in this manual require superuser privilege and can
only be entered from a terminal or port, which has been logged with superuser
privilege.
xviii
Group (IESG) of the Internet Engineering Task Force (IETF). For more information
about the IESG and IETF, visit the IETF web site at http://www.ietf.org/.
For more information about RFCs and Internet Drafts (the starting point for RFCs),
visit the RFC Editor web site at http://www.rfc-editor.org/. This site has information
about the RFC standards process, archives of RFCs and current Internet Drafts, links
to RFC indexes and search engines, and a list of other RFC repositories.
RFCs can be obtained electronically from many RFC repositories, mail servers,
World Wide Web (WWW), Gopher or WAIS sites. A good starting point for finding
the nearest RFC repository is to point your Web browser at http://www.isi.edu/in-
notes/rfc-retrieval.txt.
Background Reading
For an introduction to the Internet Protocols refer to:
DDN Protocol Handbook, Elizabeth J. Feinler, 1991, DDN Network Information Center,
SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025, USA. Email:
nic@nic.ddn.mil.
Internetworking with TCP/IP — Volume I: Principles, protocols and architecture
(2nd Edition), Douglas E. Comer, 1991, Prentice-Hall International, Inc., New Jersey.
ISBN 0-13-474321-0.
Internetworking with TCP/IP — Volume II: Design, implementation, and internals,
Douglas E. Comer and David L. Stevens, 1991, Prentice-Hall International, Inc., New
Jersey. ISBN 0-13-472242-6.
Internetworking with TCP/IP — Volume III: Client-server programming and
applications, Douglas E. Comer and David L. Stevens, 1993, Prentice-Hall
International, Inc., New Jersey. ISBN 0-13-474222-2.
For a description of layered protocols refer to:
Computer networks (2nd Edition), Andrew S. Tanenbaum, 1989, Prentice-Hall
International, Inc., New Jersey. ISBN 0-13-162959-0.
For an introduction to PPP refer to:
Using and Managing PPP, Andrew Sun, O’Reilly; ISBN: 1565923219; (March 1999).
For an introduction to network management refer to:
The simple book — An introduction to management of TCP/IP-based Internets,
Marshall T. Rose, 1991, Prentice-Hall International, Inc. ISBN 013812611-9.
For an introduction to VOIP refer to:
Internet Communications Using SIP, Henry Sinnreich, Alan B. Johnston.
SIP: Understanding the Session Initiation Protocol, Alan B. Johnston.
IP Telephony with H.323: Architectures for Unified Networks and Integrated Services,
Vineet Kumar, Markku Korpi, Senthil Sengodan.
Commands are described under Command Reference within the section to which they
apply.
4 Chapter 1 – System Management
Chapter 1
System Management
This chapter provides some basic instructions about how login to the CLI and the
different types of user access.
Serial Connection
It's possible to access the CLI interface through a serial connection using a terminal
emulator program like, for example, Windows Hyper Terminal with the following
default parameters:
• bit rate: 38400 bps
• data bits: 8
• parity: none
• stop bits: 1
• flow control: none
TCP/IP connection
It's possible to access the CLI interface through a TCP/IP connection by opening a
Telnet session with the following default parameters:
• ip address: 192.168.1.1 (factory default)
• telnet port: 23
password: friend
Webserver
The AT-RG613, AT-RG623 and AT-RG656 are designed to provide the ability to
configure the system using a Graphical User Interface (GUI) instead of - or together
with - the Command Line Interface (for future release).
To keep the system design open to these future improvements, all CLI
commands are actually processed by the webserver module that acts like a
parsing and pre-processing layer between the user and the software module the
command refers to.
For this reason, syntax errors due to incorrect CLI commands, typically report
the webserver source as reference for the cause of the error.
Webserver commands are accessible from the Command Line Interface for users
with superuser access permission.
File System
The AT-RG613, AT-RG623 and AT-RG656 application processes require that
configuration information be accessible when they start up, and that configuration
changes are retained for future operation.
To fulfill the above requirements, two processes are provided, namely the ‘In Store
File System’ and the ‘FLASH File System’. These two processes are referred to as isfs
and flashfs, respectively, in this document.
The two file systems provide a standard file interface to application processes.
The isfs provides for volatile, run-time file storage; whereas the flashfs provides non-
volatile file storage.
The critical period for such a system occurs when the flash memory itself is being
updated, as a power failure could result in data corruption and hence an inoperable
system.
In the AT-RG613, AT-RG623 and AT-RG656, flash memory is divided into three
main areas:
BOOT code
System configuration information
Run-time images and their configuration information
Boot code
The Boot ROM program normally resides in flashfs, in a reserved portion of the first
flash device. This code is run when the system is first booted and provides self-test
code as well as the ability to load the main run-time images.
The Boot ROM area is not normally accessible for either reading or writing by flashfs,
so is rarely, if ever, rewritten.
Run-time images
The flashfs file system provides permanent storage of files and is not normally used
other than at start of day or when re-writing the flash. In addition to configuration
files, flashfs stores the software image, which is loaded by the BOOT ROM after
system restart.
After system restart and during system initialization, flashfs files are copied into isfs
so that they are accessible by application processes. Typically, applications use the
isfs files to store their configuration data. Changes made to the configuration can be
written back into isfs, and subsequently flashfs, with the config save command.
AT-RG 600 Residential Gateway – Software Reference Manual 7
During a flashsfs update, all configuration files in isfs are written back to flashfs
irrespective of whether they have changed or not. Normally the software image is
not rewritten.
The flashfs configuration files can be considered the ‘master’ copies, and the isfs files
the runtime copies. If the isfs copies are written back to the flashfs, the current
settings will be will be preserved.
The Command Line Interface doesn't allow access to the flashfs filing system or
to the isfs in store file system because this is not required in typical user
situations.
The Flash file system flashfs, in store file system isfs and special debug functions
can be access through a nested command line called the console.
The console command line can be used only if you have appropriate access
permissions and is typically hidden from the user. It is used only for specific
maintenance purposes.
default user - can use CLI commands. Cannot access to console commands.
engineer user - can use CLI commands. Can access to limited console commands.
super user - can use CLI commands. Can access the full console command set. Can
also set up user login accounts, save backup configuration and restore factory
settings.
To create new user accounts, use the system add user or system add login commands.
The accounts created by these commands default to low privileges.
To change user privileges, use the system set user access or system set login access
commands.
To list the current user or login accounts, use the system list user or system list login
commands, respectively.
8 Chapter 1 – System Management
Description This command adds a user (typically a PPP user) to the system. Only a Super user
can use this command.
AT-RG 600 Residential Gateway – Software Reference Manual 9
Default Setting The default settings in the table below are applied to new accounts that are added
using the system add user command. (A different set of defaults are applied to a new
account added using the SYSTEM ADD LOGIN command.)
Options The following table gives the range of values for each option that can be specified
with this command and a default value (if applicable).
Description This command adds a user to the system. Only a Superuser can use this command.
Default setting The default settings in the table below are applied to new accounts that are added
using the system add login command. (A different set of defaults are applied to a new
account added using the SYSTEM ADD USER command.)
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command saves the current system configuration to a file. To specify the file
that you want to save configuration information in, type //isfs/ or //flashfs/
(depending on which directory the backup file is stored in) followed by a filename
value. If you do not specify a filename, the configuration is saved in the
//isfs/im.conf.backup file by default.
To prevent a user from overwriting the system with their own configuration, only a
Superuser can use this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example To make a backup copy of the current system configuration with a default flename,
use the following command:
To make a backup copy of the current system configuration with a user defined
flename, use the following command:
Description This command tries to restore all system modules; if you do not have all modules
installed, the CLI will display a message telling you which modules could not be
restored. The following options are available:
• Superusers, Engineers and Default users can restore their backup configuration
from the //isfs/im.conf.backup file.
• Super users can restore their backup configuration from a different file by typing
//isfs/ or //flashfs/ (depending on which directory the backup file is stored in)
followed by a filename value.
• Super users can restore the factory defaults from //isfs/im.conf.factory.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command saves the system configuration in the im.conf file in flashfs. This
allows all users to create their own backup files. Default, Engineer and Super users
can use this command.
-->Saving configuration...
-->Configuration saved.
Description This command deletes a user that has been added to the system using the SYSTEM
ADD LOGIN command. Only a Super user can use this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a user that has been added to the system using the SYSTEM
ADD USER command or the SYSTEM ADD LOGIN command. Only a Super user
can use this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 13
SYSTEM INFO
Syntax SYSTEM INFO
Description This command displays the vendor ID, URL, base MAC address and hardware and
software version details of the current Residential Gateway system.
System Name:
Description This command displays a system error log. The error log contains the following
information:
• the time (in minutes) that an error occured, calculated from the start of your login
session
• the module that was affected by the error
• a brief description of the error itself
Description This command allows you to display low-level debug information about specific
open file handles.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Option Description Default Value
The name of a file which has open file handles
name N/A
associated with it.
Description This command displays a list of users and logins added to the system using the
SYSTEM ADD USER and SYSTEM ADD LOGIN commands. The same information
is displayed by the SYSTEM LIST LOGINS command.
Description This command displays a list of logins and users added to the system using the
SYSTEM ADD LOGIN and SYSTEM ADD USER commands. The same information
is displayed by the SYSTEM LIST USERS command.
The list contains the following information:
• user ID number
• user name
• configuration permissions (enabled or disabled)
• dial in permissions (enabled or disabled)
• access level (default, engineer or super user)
• comment (any comments that were included when the user was added to the
system)
SYSTEM LOG
Syntax SYSTEM LOG {NOTHING|WARNINGS|INFO|TRACE|ENTRYEXIT|ALL}
Description This command sets the level of output that is displayed by the CLI for various
modules. Setting a level also implicitly displays the level(s) below it.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
option.
Detailed trace output is displayed. Also
TRACE displays the values for info and warnings N/A
options.
A message is displayed every time a
function call is entered or left. Also displays
ENTRYEXIT N/A
the values for trace, info and warnings
options.
All output is displayed. Also displays the
ALL values for entryexit, trace, info and warnings N/A
options.
Description This command enables/disables the tracing support output that is displayed by the
CLI for a specific module and module category. The command is used for
debugging purposes. The available values for module and category are displayed
by the SYSTEM LOG LIST command. The current list of supported modules is RIP
and IP.
Each individual module has its own specific module category (see Examples). The
output produced when a particular option is enabled depends on that option, and
on the trace statements in the module which are executed. The general purpose of
this tracing is to:
• show how data packets pass through the system
• demonstrate how packets are processed and what they contain
• display any error conditions that occur
•
For example ip rawip tracing shows that an IP packet has been received, sent or
discarded due to an error. Brief details of the packet are displayed to identify it.
The RIP and IP modules provide separate categories which are enabled and
disabled independently. For example, if you enable ip rawip, it does not affect ip udp,
and so on.
To display a list of modules and categories and their enable/disable status, see
SYSTEM LOG LIST.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 17
Examples RIP
--> system log enable rip rx
enabled logging for the receiving of RIP packets
Description The system log list command displays the tracing options for the modules available
in the current image that you are using. The SYSTEM LOG LIST MODULE
command displays the tracing options for an individual module specified in the
command. Both commands display the current status of the tracing options set
using the command SYSTEM LOG ENABLE|DISABLE.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Option Description Default Value
The name of a module that exists in your
module current image build. This can be either RIP N/A
or IP.
ip arp (disabled)
ip socket (disabled)
SYSTEM NAME
Syntax SYSTEM NAME {NONE | <sys-name>]
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
SYSTEM RESTART
Syntax SYSTEM RESTART
Description This command sets the access permissions of a user who has been added to the
system using the SYSTEM ADD LOGIN command. Only a Super user can use this
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets configuration permissions for a user who has been added to the
system using the ADD SYSTEM LOGIN or the ADD SYSTEM USER command.
Only a Super user can use this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets dialin permissions for a user who has been added to the system
using the SYSTEM ADD LOGIN command. Only a Super user can use this
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the access permissions of a user who has been added to the
system using the SYSTEM ADD USER command. Only a Super user can use this
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets configuration permissions for a user who has been added to the
system using the ADD SYSTEM USER command. Only a Super user can use this
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets dial in permissions for a user who has been added to the system
using the SYSTEM ADD USER command. Only a Super user can use this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Command
USER LOGOUT
USER PASSWORD
USER CHANGE
USER LOGOUT
Syntax USER LOGOUT
Description This command logs you out of the system. Default, Engineer and Super users can
use this command.
Login:
USER PASSWORD
Syntax USER PASSWORD
Description This command allows you to change your user password. Default, Engineer and
Super users can use this command.
USER CHANGE
Syntax USER CHANGE <name>
Description This command allows you to change your login to that of another named user.
Super users can use this command. When you change your login to that of a user
with Default or Engineer access permissions, you lose your Super user privileges
and inherit the access permissions of either the Default or Engineer user.
Options The following table gives the range of values for each option which can be specified
AT-RG 600 Residential Gateway – Software Reference Manual 23
Command
Description This command sets all of the Web Server process counters to 0.
WEBSERVER ENABLE|DISABLE
Syntax WEBSERVER {ENABLE|DISABLE}
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command specifies the name of an IP interface that the system will use for
UPnP (Universal Plug and Play) communication with other devices on the local area
network.
You must save your configuration (see SYSTEM CONFIG SAVE) and restart your
system (see SYSTEM RESTART) to activate the Web Server settings.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command causes connections to the Webserver to be allowed from only one IP
address, (e.g. from an IP address that is used by a management device) or from any
IP address (by setting the IP address to 0.0.0.0).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the HTTP port number that the Web Server process will use for
accepting connections (from a WEB Browser).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the TCP port number that the Web Server process will use for
UPnP communication.
You must save your configuration (see SYSTEM CONFIG SAVE) and restart your
system (see SYSTEM RESTART) to activate the Web Server settings.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the following information about the Web Server process:
• EmWeb (Embedded Web Server) release details
• Web Server enabled status (true or false)
• Interface set
• HTTP port set
• UPnP port set
• Management IP address
Description This command tells you how many bytes have been transmitted and received by the
Web Server.
Command
CONSOLE ENABLE
CONSOLE PROCESS
CONSOLE ENABLE
Syntax CONSOLE ENABLE
Description This command allows you to enter console mode in order to use the console
commands. Only Super users can use this command.
CONSOLE PROCESS
Syntax CONSOLE PROCESS <console command>
Description This command allows you to enter a single usable console command without
switching to console mode. You cannot enter blacklisted console commands using
this CLI command. Users with Engineer or Super user access can use this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example The following console process example enters the usable console command, bridge
AT-RG 600 Residential Gateway – Software Reference Manual 29
portfilter:
This console command has not been replaced by a CLI command. This is a
special console command to allow Super users to return to the CLI from the
console.
Syntax EXIT
Description This console command allows you to return to the CLI after you have entered
console mode using the command CONSOLE ENABLE. When you want to exit
console mode and return to the CLI, you need to type exit in the root of the console.
Only Super users can use this command.
Chapter 2
Switch
Introduction
The AT-RG613, AT-RG623 and AT-RG656 residential gateways include an
integrated layer 2 managed switch providing 5 Fast Ethernet transceivers
supporting 10Base-T and 100Base-TX modes, high performance memory bandwidth
(wire speed) and an extensive feature set including tag port based VLAN, QoS
priority, VLAN tagging and MIB counters.
The layer 2 switch uses one 100Base-TX port as an internal port to communicate to
the central processor in order to access layer 3 services such as routing, VoIP
signaling and traffic, firewall and NAT security modules.
The following is the complete set of features available in the switch module:
• IEEE 802.1q tag based VLAN (up to 16 VLANs)
• VLAN ID tag/untag options, per port basis
• Programmable rate limiting, ingress port, egress port, per port basis.
• IGMP v1/v2 snooping for multicast packet filtering
• QoS packet prioritization support: per port, 802.1p and DiffServ based
• Integrated look-up engine with dedicated 1 K unicast MAC addresses
• Automatic address learning, address aging and address migration
• Full duplex IEEE 802.3x & half-duplex back pressure flow control
• Automatic MDI/MDI-X crossover for plug-and-play on all the ports
Address Look-up
The internal look up table stores MAC addreses and their associated information. It
contains a 1K unicast address table plus switching information.
AT-RG 600 Residential Gateway – Software Reference Manual 31
Learning
The internal look up engine updates its table with a new entry in the following
conditions:
• the received packet's Source Address does not exist in the look up table;
• the received packet is good: the packet has no receive errors and is of legal length.
The look up engine inserts the qualified Source Address into the table, along with
the port number and VLAN information (see below). If the table is full, the last entry
of the table is deleted for the new entry.
To see the current look up entries use the SWITCH SHOW FDB command.
Migration
The internal look up engine monitors whether a station has moved. If so, it updates
the table accordingly. Migration happens in the following conditions:
• the received packet Source Address is in the table but the associated source port
information is different;
• the received packet is good; the packet has no receive errors and is of legal length.
In this case the look up engine updates the existing record in the table with the new
source port information.
Aging
The look up engine updates the timestamp information of a record whenever the
corresponding Source Address appears. The time stamp is used in the aging
process. If a record is not updated for a period of time, the look up engine removes
the record from the table.
The look up engine constantly performs the aging process and is continuously
removing expired records.
The aging period can be set to normal (300 seconds) or fast (800 usecs) or can be
disabled.
Use the SWITCH SET AGINGTIMER command to change aging period or use
SWITCH DISABLE AGINGTIMER to disable aging.
Forwarding
If 802.1q VLAN mode is enabled, the switch assign a VID to every ingress packet.
• If the packet is untagged or tagged with a null VID, the packet is assigned to the
default port VID of the ingress port.
• If the packet is tagged with a non-null VID, the VID in the tag will be used.
The look up process will start from the VLAN table look up. The 12 bit VID value is
converted to a 4 bit FID value (an internal value that represents up to 16 VLANs).
• If the VID is not valid, the packet will be dropped and no address learning will
take place.
32 Chapter 2 – Switch
• If the VID is valid, the forwarding FID is retrieved. Both the combinations
FID+DA (Destination Address) and FID+SA (Source Address) are looked for in
the forwarding table. The FID+DA look up determines the forwarding ports.
• If FID+DA lookup fails to find a match, the packet will be broadcasted to all
the members (excluding the ingress port) of the VLAN.
• If FID+SA lookup fails, the FID+SA will be learned (ie added to the
forwarding table).
Switching engine
The integrated layer 2 switch features a high performance switching engine to move
data to and from the MAC's, packet buffers. It operates in store and forward mode
while the efficient switching mechanism reduces overall latency
The integrated layer 2 switch has a 64kB internal frame buffer pool. This is
structured as 512 buffers, with each buffer 128 bytes in size. This resource is shared
between all five ports (4 ports user accessible and one internal reserved for
communication to system main processor).
All the ports are allowed to use any free buffer in the buffer pool.
If the number of frame per seconds that need to be routed to the network processor
are higher than the selected maximu rate, the layer 2 switch discards packets
addressed to the network processor in order to force the average traffic rate to be
below the target rate.
To change the switch Base Priority and port Default Priority use the SWITCH SET
PRIORITY and SWITCH SET PORT commands, respectively.
MACHeader
7 octects PREAMBLE
6 octects DESTINATIONADDRESS
IP Payload
Total Length
flags
fragment offset
TTL
Protocol
Header Checksum
Protocol
Source IP Address
Destination IP Address
Command
Description This command stops the aging timer used by the look up engine to remove expired
fdb entries.
If the ageing timer is disabled, the look up entries in the fdb are kept permanently
until the SWITCH ENABLE AGEINGTIMER command entered or the switch is
reset.
To show the current switch status, use the SWITCH SHOW command.
Description This command stops the learning engine used to update the look up table when
frame are received from new Source Addresses.
To restore the learning process, use the SWITCH ENABLE LEARNING command.
To show the current switch status, use the SWITCH SHOW command.
Description This command disables the selected switch port, or disables a flow control
mechanism on the port.
If jamming is specified, the jamming signal used for flow control on half duplex
ports will be disabled.
To show the current port status, use the SWITCH SHOW PORT command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command restarts the aging timer used by the look up engine to update the
aging of fdb entries.
38 Chapter 2 – Switch
To show the current switch status, use the SWITCH SHOW command.
Description This command restarts the learning process used by the look up engine to update
the fdb when frames from new addresses are received.
To show the current switch status, use the SWITCH SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
SWITCH RESET
Syntax SWITCH RESET [PORT <port-name> [COUNTERS]]
AT-RG 600 Residential Gateway – Software Reference Manual 39
Description This command completely resets the switch or resets and individual switch port if a
port is specified.
If no port is specified, all internal switch counters are reset and fdb entries removed.
If a port is specified, only the selected port is reset without removing any fdb
entries. It's possible to specify the resetting of just the counters associated with a
port. In this case the physical layer is not reset and no link interruption occurs.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the threshold value of the ageing timer, after which an
unrefreshed dynamic entry in the Forwarding Database is automatically removed.
FAST sets the aging timer to 800 µSec., while NORMAL sets the aging timer to 300 Sec.
Description This command modifies the values of parameters for switch ports.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command maps the priority levels for Quality of Service.
The six bit TOS field in the IP header is decoded as 64 entries and for each one it is
possible to specify the priority.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example To set the high priority for DSCP values 24 and 37, use the command:
--> switch set qos 24,37 priority high
Description This command set the maximum number of frame per seconds that the layer2
switch forward to the Residential Gateway network processor for routing purposes.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> switch set routing-limit 6.0kfps
SWITCH SHOW
Syntax SWITCH SHOW
Switch configuration
------------------------------------------------------------------------
Switch address 10-20-30-40-50-6f
Learning ON
Ageing timer ON
Ageing time 300 Sec. (NORMAL)
UpTime 00:41:28
802.1p Base Priority 4
Routing-limit none
------------------------------------------------------------------------
Description This command displays the contents of the Forwarding Database relevant to the
port or the mac address or the vlan specified.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays general information about the specified switch port.
Port Port reference.
Status The admin status of the port; one of
“ENABLED” or “DISABLED”.
AT-RG 600 Residential Gateway – Software Reference Manual 45
packets size 128 – 255 Number of 128 - 255 octet packets received and
transmitted.
packets size 256 – 511 Number of 256 - 511 octet packets received and
transmitted.
packets size 512 – 1023 Number of 512 - 1023 octet packets received
and transmitted.
packets size 1024 – 1522 Number of 1024 - 1522 octet packets received
and transmitted.
• Receive
Octets The number of octets.
Pkts The number of packets.
FCSerrors The number of frames containing a Frame
Check Sequence error.
MulticastPkts The number of multicast packets.
BroadcastPkts The number of broadcast packets.
PauseMACctlFrms The number of valid PAUSE MAC Control
frames.
OversizePkts The number of oversize packets.
Fragments The number of fragments.
Jabbers The number of jabbers frames.
MACControlFrms The number of MAC Control frames (Pause
and Unsupported).
UnsupportCode The number of MAC Control frames with
unsupported opcode (i.e. not Pause).
AlignmentErrors The number of frames with alignment errors.
SymErDurCarrier The number of frames with invalid data
symbols.
UndersizePkts The number of undersized packets.
• Transmit
Octets The number of octets.
Pkts The number of packets.
MulticastPkts The number of multicast packets.
BroadcastPkts The number of broadcast packets.
PauseMACctlFrms The number of PAUSE MAC Control frames.
FrameWDeferrdTx The number of frames deferred once before
successful transmission.
SingleCollsnFrm The number of frames which experienced
exactlyone collision.
AT-RG 600 Residential Gateway – Software Reference Manual 47
• Miscellaneous Counters
DropEvents The number of packets discarded at ingress
port.
totalPktTxAbort The number of packets aborted during
transmission.
Switch Counter
--------------------------------------------------------------------------
Port: wan
Received packets by size (octets) counters:
64 1668 256 - 511 31
65 - 127 1119 512 - 1023 26
128 - 255 777 1024 - 1522 6
General Counters:
Receive: Transmit:
Octets 377801 Octets 1108
Pkts 3627 Pkts 17
FCSerrors 0 MulticastPkts 0
MulticastPkts 7 BroadcastPkts 0
48 Chapter 2 – Switch
Miscellaneous Counters:
DropEvents 0
totalPktTxAbort 0
--------------------------------------------------------------------------
Description This command displays the current mapping of user priority level to QOS egress
queue for the switch.
AT-RG 600 Residential Gateway – Software Reference Manual 49
Chapter 3
VLAN
INTRODUCTION
VLAN is a networking technology that allows networks to be segmented logically
without having to be physically rewired.
Many Ethernet switches support virtual LAN (VLAN) technologies. By replacing
hubs with VLAN switches, the network administrator can create a virtual network
within existing network. With VLAN, the network logical topology is independent
of the physical topology of the wiring. Each computer can be assigned a VLAN
identification number (ID), and computers with the same VLAN ID can act and
function as though they are all on the same physical network.
So, the traffic on a VLAN is isolated and thus all communications remain within the
VLAN. The assignment of VLAN IDs is done by the switches and can be managed
remotely using network management software.
VLAN switches can function in different ways. They can be switched at the data-
link layer (layer 2 of the Open Systems Interconnection reference model) or the
network layer (layer 3), depending on the type of switching technology used. The
main advantage of using VLAN technologies is that users can be grouped together
according to their need for network communication, regardless of their actual
physical locations. This isolation will help to reduce unnecessary traffic so better
network performance. The disadvantage is that additional configuration is required
to set up and establish the VLANs when implementing these switches.
VLAN TAGGING
VLAN technology introduces the following three basic types of frame:
• Untagged frames
• Priority-tagged frames
• VLAN-tagged frames
50 Chapter 3 – VLAN
An untagged frame or a priority-tagged frame does not carry any identification of the
VLAN to which it belongs. Such frames are classified as belonging to a particular
VLAN based on parameters associated with the receiving port.
This classification mechanism requires the association of a specific VLAN ID, the
Port VLAN Identifier, or PVID, with each of the switch ports.
The PVID for a given port provides the VID for untagged and priority-tagged
frames received through that port. The PVID for each port shall contain a valid VID
value, and shall not contain the value of the null VLAN ID (see Table 3).
A VLAN-tagged frame carries an explicit identification of the VLAN to which it
belongs; i.e., it carries a non-null VID. Such a frame is classified as belonging to a
particular VLAN based on the value of the VID that is included in the tag header.
The presence of a tag header carrying a non-null VID means that some other device,
either the originator of the frame or a VLAN-aware switch, has mapped this frame
into a VLAN and has inserted the appropriate VID.
Tagging of frames is performed for the following purposes:
• To allow user priority information to be added to frames carried on IEEE 802
LAN MAC types that have no inherent ability to signal priority information at the
MAC protocol level;
• To allow a frame to carry a VID;
• To allow the frame to indicate the format of MAC Address information carried in
MAC user data;
• To allow VLANs to be supported across different MAC types.
Tagging a frame requires:
• The addition of a tag header to the frame. This header is inserted immediately
following the destination MAC Address and source MAC Address fields of the
frame to be transmitted;
• Recomputation of the Frame Check Sequence (FCS).
When relaying a tagged frame between 802.3/Ethernet MACs, a switch may adjust
the PAD field such that the minimum size of a transmitted tagged frame is 68 octets.
7 octects PREAMBLE
The tag header carries the following information (see Figure 2):
• The Tag Protocol Identifier (TPID) carrying an Ethernet Type value
(802.1QTagType), which identifies the frame as a tagged frame. The value of
802.1QTagType is 81-00
• Tag Control Information (TCI). The TCI field is two octets in length, and contains
user priority, CFI and VID (VLAN Identifier) fields. Figure ... illustrates the
structure of the TCI field:
• User priority. The user priority field is three bits in length, interpreted as a
binary number. The user priority is therefore capable of representing eight
priority levels, 0 through 7. This field allows the tagged frame to carry user
priority information across Bridged LANs in which individual LAN
segments may be unable to signal priority.
• Canonical Format Indicator (CFI). The Canonical Format Indicator (CFI) is a
single bit flag value. CFI reset indicates that all MAC Address information
that may be present in the MAC data carried by the frame is in Canonical
format.
• The meaning of the CFI when set depends upon the variant of the tag
header in which it appears.
• In an Ethernet-encoded tag header, transmitted using 802.3/Ethernet MAC
methods, CFI has the following meanings:
When set, indicates that the E-RIF field is present in the tag header,
and that the NCFI bit in the RIF determines whether MAC Address
information that may be present in the MAC data carried by the
frame is in Canonical (C) or Non-canonical (N) format;
When reset, indicates that the E-RIF field is not present in the tag
header, and that all MAC Address information that may be present
in the MAC data carried by the frame is in Canonical format (C).
• VLAN Identifier (VID). The twelve-bit VLAN Identifier field uniquely identifies
the VLAN to which the frame belongs. The VID is encoded as an unsigned binary
number. Table 3. Reserved VID values. identifies values of the VID field that have
specific meanings or uses; the remaining values of VID are available for general
use as VLAN identifiers.
A priority-tagged frame is a tagged frame whose tag header contains a VID value
equal to the null VLAN ID.
VID value
Meaning/Use
(hexadecimal)
The null VLAN ID. Indicates that the tag header contains only
0
user priority information; no VLAN identifier is present in the
frame. This VID value shall not be configured as a PVID,
configured in any Filtering Database entry, or used in any
Management operation.
The default PVID value used for classifying frames on ingress
1 through a switch port. The PVID value can be changed by
management on a per-port basis.
52 Chapter 3 – VLAN
IP routing
Transport
VLAN default VLAN <vlanname> VLAN <vlanname>
(VLAN)
Layer 2 switch
Figure 3. VLAN and IP layer architecture (the greyed area surrounds the entities
always available in the system)
Default Configuration
VLAN Ethernet
Transport Adding
IP Interface on VLAN
Command
VLAN ADD PORT
VLAN ADD VID
VLAN DELETE
VLAN SHOW
Description This command adds an Ethernet port to an existing named VLAN that has been
created with the command VLAN ADD VID.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command defines a new VLAN which has the specified VID value.
The VLAN name can be 16 characters length; it cannot start with a digit and cannot
contain dots '.' or the slash symbols '/'.
This command specifies also the priority value of the tagged packets that from the
network processor are sent to the layer2 switch and then to the network.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
VLAN DELETE
Syntax VLAN DELETE <vlanname> [PORT <portname>]
Description This command deletes an existing VLAN created with the VLAN ADD VID
command.
58 Chapter 3 – VLAN
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
VLAN SHOW
Syntax VLAN SHOW
Description This command display the following information about all the VLANs defined in
the system:
• Name The name of the VLAN.
• Identifier The numerical VLAN identifier of the VLAN (VID).
• Status The status of the VLAN (only static VLAN are supported)
• Untagged port(s) A list of untagged ports that belong to the VLAN.
• Tagged port(s) A list of tagged ports that belong to the VLAN.
• 802.1p priority The value of the 802.1.p priority assigned to packets sent
from the Residential Gateway processor.
VLAN information
---------------------------------------------
Name: default
Identifier 1
Status static
802.1p Priority 7
Untagged port(s) lan3, wan
Tagged port(s) cpu
Name: voip
Identifier 10
Status static
AT-RG 600 Residential Gateway – Software Reference Manual 59
802.1p Priority 7
Untagged port(s) lan2
Tagged port(s) lan1
---------------------------------------------
Chapter 4
IP
INTRODUCTION
This chapter describes the main features of the Internet Protocol (IP) and how to
configure and operate the AT-RG613, AT-RG623 and AT-RG656 IP interface.
IP protocols are widely used and available on nearly all hosts and PC systems. They
provide a range of services including remote login, file transfer and Email.
THE INTERNET
The Internet (with a capital “I”) is the name given to the large, worldwide network
of networks based on the original concepts of the ARPAnet. A large number of
government, academic and commercial organizations are connected to the Internet,
and use it to exchange traffic such as Email. The Internet uses the TCP/IP protocols
for all routing. In recent times the term Internet (with a lowercase “i”) has also come
to refer to any network (usually a wide area network), which utilizes the Internet
Protocol. The remainder of this chapter will concentrate on the latter definition, i.e.
that of a generalized network which uses IP as the transport protocol.
The basic unit of data sent through an Internet is a packet or datagram. An IP
network functions by moving packets between routers and/or hosts. A packet
consists of a header followed by the data (see Figure 5 and Table 4). The header
contains the information necessary to move the packet across the Internet. It must be
able to cope with missing and duplicated packets as well as possible fragmentation
(and reassembly) of the original packet.
Packets are sent using a connectionless transport mechanism. A connection is not
maintained between the source and destination addresses; rather, the destination
address is placed in the header and the packet is transmitted on a best effort basis. It
is up to the intermediate systems (routers and gateways) to deliver the packet to the
correct address, using the information in the header.
Successive packets may take different routes through the network to the destination.
There is a strong analogy with the postal delivery system in that letters are placed in
individually addressed envelopes and put into the system in the ‘hope’ that they
AT-RG 600 Residential Gateway – Software Reference Manual 61
will arrive. Like an Internet, the postal system is very reliable. In an Internet, higher
layers (such as TCP and Telnet) are responsible for ensuring that packets are
delivered in a reliable and sequenced way.
In contrast to a connectionless transport mechanism, a connection-oriented
transport mechanism requires a connection to be maintained between the source
and destination for as long as necessary to complete the exchange of packets
between source and destination. X.25 is an example of a connection-oriented
protocol. A good analogy to X.25 would be a telephone call, in which both parties
verify that they are talking to the correct person before exchanging highly
sequenced data (if both talk at once then nothing intelligible results!), and the
connection is maintained until both parties have finished talking. Its not hard to
imagine the chaos if the telephone system delivered words in the wrong order.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Source IP Address
Destination IP Address
User Data
Field Function
ADDRESSING
Internet addresses are fundamental to the operation of the TCP/IP Internet.
Each packet must contain an Internet address to determine where to send the
packet. Most packets also require a source address so that the sender of the packet is
known. Addresses are 32-bit quantities which are logically divided into fields. They
must not be confused with physical addresses (such as an Ethernet address); they
serve only to address Internet Protocol packets.
Addresses are organised into five classes (see Table 5).
Class Maximum number of possible Maximum number of hosts per
networks network
A 127 16,777,216
B 16,384 65,536
C 2,097,152 255
D Reserved Class
E Reserved Class
Table 5. Internet Protocol address classes and limits on numbers of networks and
hosts.
Each class differs in the number of bits assigned to the host and network portions of
the address (Figure 6).
AT-RG 600 Residential Gateway – Software Reference Manual 63
1 7 24
1 1 14 16
1 1 1 21 8
Figure 6. Subdivision of the 32 bits of an Internet address into network and host
fields for class A, B and C networks.
The addressing scheme is designed to allow routers to efficiently extract the host
and network portions of an address. In general a router is only interested in the
network portion of an address.
Class A sets the Most Significant Bit (MSB) to 0 and allocates the next 7 bits to define
the network and the remaining 24 bits to define the host. Class B sets the two MSBs
to 10 and allocates the next 14 bits to designate the network while the remaining 16
refer to the host. Class C sets the three MSBs to ‘110’ and allocates the next 21 bits to
designate the network while the remaining 8 are left to the user to assign as host or
subnet numbers.
The term host refers to any attached device on a subnet, including PCs, mainframes
and routers. Most hosts are connected to only one network. In other words they
have a single IP address. Routers are connected to more than one network and can
have multiple IP addresses. The IP address is expressed in dotted decimal notation
by taking the 32 binary bits and forming 4 groups of 8 bits, each separated by a dot.
For example:
10.4.8.2 is a class A address
10 is the DDN assigned network number
.4.8 are (possibly) user assigned subnet numbers
.2 is the user assigned host number
The value 0.0.0.0 is used to define the default address, while a value of all ones in
any host portion (i.e. 255) is reserved as the broadcast address. Some older versions
of UNIX use a broadcast value of all zeros, therefore both the value ‘0’ and the value
‘255’ are reserved within any user assigned host portion. The address 172.16.0.0
refers to any host (not every host) on any subnet within the class B address 172.16.
64 Chapter 4 – IP
Subnets
Related to the two issues discussed above, the rapid growth of the Internet has
meant a proliferation in the number of addresses which must be handled by the core
routers. More addresses means more loading and tends to slow the system down.
This is overcome by minimising the number of network addresses by sharing the
same IP prefix (the assigned network number) with multiple physical networks.
Generally these would all be within the same organisation, although this is not a
requirement. There are two main ways of achieving this; Proxy ARP and subnetting.
Proxy ARP will be discussed later in this section.
A subnet is formed by taking the host portion of the assigned address and dividing
it into two parts. The first part is the ‘set of subnets’ while the second refers to the
hosts on each subnet. For example the DDN may assign a class B address as
172.16.0.0. The system manager would then assign the lower two octets in some way
which makes sense for this particular network. A common method for class B is to
simply use the higher octet to refer to the subnet. Thus there are 254 subnets (0 and
255 are reserved) each with 254 hosts. These subnets need not be physically on the
same media. Generally they would be allocated geographically with subnet 2 being
one site, subnet 3 another and so on. Some sites may have a requirement for
multiple subnets on the same LAN.
This could be to increase the number of hosts or simply to make administration
easier. In this case it is normal (but not required) that the subnets be assigned
contiguously for this site. This makes the allocation of a subnet mask easier.
This mask is needed by the routers to ascertain which subnets are available at each
site. Bits in the mask are set to ‘1’ if the router is to treat the corresponding bit in the
IP address as belonging to the network portion or set to ‘0’ if it belongs to the host
portion. This allows a simple bit-wise logical AND to determine if the address
should be forwarded or not. Although the standard does not require that the subnet
mask must select contiguous bits, it is normal practice to do so. To do otherwise can
make the allocation of numbers rather difficult and prone to errors.
Some example masks are:
11111111.11111111.11111111.00000000 = 255.255.255.0
<----network----> <subnet> <-host->
AT-RG 600 Residential Gateway – Software Reference Manual 65
This would give 254 subnets on a class B network, each with 254 hosts.
11111111.11111111.11111111.11110000 = 255.255.255.240
<------network--> <- --subnet-><host>
This would give 4094 subnets on a class B network, each with 14 hosts or, 14 subnets
on a class C network each with 14 hosts.
• the destination address of the packet matches any of the IP stack interface
addresses (real or virtual interface, primary or secondary addresses).
• the packet is a broadcast.
• the packet is a multicast to a group that the IP stack belongs to.
• the packet has the Router Alert option set.
The packet is either processed internally within the IP stack (for example, ICMP or
IGMP control messages), or passed up to an application via the appropriate protocol
processing (for example, TCP or UDP data).
For a local application to successfully send a packet back to another host, the IP
stack must be able to find a suitable route to that host.
Forwarding packets
If the IP stack determines that a packet is not destined to be received locally, it will
try to forward the packet. The packet will be forwarded if:
• the destination of the packet can be reached directly via any of the IP stack’s
interfaces.
• a route has been added, either manually or by a routing protocol, specifying a
suitable gateway via which that destination may be reached.
Several address tests are applied before forwarding a packet, for example to prevent
broadcast packets from being forwarded. For more information about these tests,
see RFC1122: Requirements for Internet - Hosts (section 3.2).
If the packet cannot be forwarded, an ICMP “Destination Unreachable” error will be
returned to the sender.
By default, the checksum of forwarded IP packets is not checked. This is for reasons
of efficiency, because calculating the checksum on all packets adds significantly to
the forwarding time and reduces throughput. This default setting is common in
most IP routers. Locally terminated packets always have their checksum checked.
Unconfigured interfaces
An interface with an IP address of 0.0.0.0 is unconfigured. An interface is added as
unconfigured when it is to be configured at a later time, for example, by IPCP or
DHCP.
AT-RG 600 Residential Gateway – Software Reference Manual 67
Unnumbered interfaces
In a routed network, consider two routers that are joining two different subnets via
a point-to-point link. It would usually be necessary to allocate a whole subnet just
for the link between the routers, in addition to the other two subnets.
An unnumbered interface does not have a subnet associated with it and simply
serves as one end of a point-to-point link. An unnumbered link does not have an IP
address, but a router id which is the IP address of one of the router’s other interfaces.
You can have multiple unnumbered interfaces as long as you have at least one
normal (numbered) IP interface in your router so that you can use its IP address as
the router id. The unnumbered interfaces can either use different router id values, or
use the same router id value. Whatever their value, the router id(s) must match the
address of a normal interface.
Creating a route
Because an unnumbered interface does not have a local subnet associated with it, no
packets can be routed to an unnumbered interface until a route is added. Let us just
consider how this is done.
Usually, for ethernet interface, routes are added with a gateway to be used for a
particular destination.
For example:
Virtual Interfaces
Usually, each transport only has one router interface associated with it,and each
router interface has only one IP address and local subnet associated with.
Virtual interfaces allow you to attach more than one IP interface to the same
transport. Secondary IP addresses allow you to associate more than one IP address
with the same IP interface. Together, these features allow many configurations
which would not otherwise be possible.
Virtual interfaces allow you to create multiple router interfaces on the same
transport, for example, on the same Ethernet port. This allows the IP stack to
communicate with and route between multiple subnets existing on the same LAN.
The original interface attached directly to a transport is called the real interface, and
the interface that is attached to the real interface is called the virtual interface.
To configure a virtual interface using the CLI:
(i) Create the real interface, then create an Ethernet transport and attach the IP
interface to the transport:
Like real interfaces, virtual interfaces must have a unique subnet which does not
overlap with other interfaces. In order to have the router respond to more than
one IP address on the same subnet, secondary addresses must be used instead
of virtual interfaces.
Remember that the source address of the packet can be spoofed by the sender,
therefore security-related decisions should not be based on the ability to
distinguish between virtual interfaces on the same transport.
Secondary IP addresses
Secondary IP addresses differ from virtual interfaces because there is no concept of a
separate local subnet associated with a secondary address.
The secondary addresses share the same subnet with the interface.
Secondary addresses therefore allow the IP stack to have more than one address on
the same subnet. After setting the main interface address, one or more additional
addresses on the same subnet can be added to the interface.
Support for adding secondary IP addresses including subnet mask specification will
be withdrawn in a future software release.
AT-RG 600 Residential Gateway – Software Reference Manual 71
IP Quality of Service
The IP stack includes features which enable different levels of service to be provided
to different classes of routed traffic.
Currently, two traffic classes are offered:
Expedited class
The Expedited class differs in two ways from the default level of service:
• Lower packet loss; in overload conditions (where there is more traffic than the IP
stack can route) packets from the default traffic class will be dropped in
preference to packets from the expedited traffic class.
• Lower latency; network traffic tends to arrive in bursts; the IP stack ensures that
the latency of expedited traffic is reduced to a minimum by never queuing
packets in the expedited traffic class behind packets in the default traffic class.
These features are applicable to both forwarded and locally terminated traffic.
• When forwarding traffic between interfaces where one or more interface has a
limited bandwidth, certain classes of traffic can be given priority over other types
of traffic.
The IP stack is routing traffic between a fast Ethernet LAN and a limited-
bandwidth WAN connection. One or more devices on the LAN wish to send
voice over IP (VoIP) traffic over the WAN connection. It is important that the
VoIP traffic has low packet loss and latency, even when other devices are also
sending traffic to the WAN connection at the same time. The IP stack can ensure
that the VoIP traffic is given preference to other types of traffic.
• The architecture of the IP stack can enable specially written local applications to
receive an enhanced level of service compared to other applications, and
compared to other classes or forwarded traffic For example, the Residential
72 Chapter 4 – IP
Packet Classification
When the IP stack first receives a packet, it is passed to the classifier.
The classifier is also known as the Flow Qualifier.
The classifier’s job is to examine certain fields in each IP packet and assign a specific
Quality of Service Class to the packet. As mentioned before, there are currently two
Quality of Service Classes: Expedited and Default.
Packets are assumed to be in the Default class unless they match a specific rule
added to the classifier.
Each rule states that values must be present in fields in order for the packet to be
classified as Expedited. The following fields can be examined:
• the TOS (Type of Service) / DS (Differentiated Services) field in the IP header. This
field may be set by the IP stack originating the packet if the application has
requested it, or by a previous router which has already classified the packets and
marked them using this field.
• The IP Protocol, or the IP Protocol and TCP/UDP source and/or destination port
numbers. In cases where the packets cannot be identified by their TOS/DS field,
rules may be added to identify certain traffic sent to or from certain applications
by the TCP or UDP source and/or destination port numbers, or just by IP
protocols.
• The source IP address. This is usually used in conjunction with the fields
described above. For example, when used in conjunction with checking the
TOS/DS field, this would ensure that only certain hosts could receive expedited
service, other hosts would be ignored even if they set the correct values in the
TOS/DS field.
Rules are added to the classifier separately for each IP Interface. The classifier
configuration on an interface only affects packets arriving on that interface, not
packets forwarded to that interface.
To classify packets based on a specified protocol, use the following command. If the
protocol you specify is TCP or UDP, you can also base the flow qualifier on the
source and destination port of incoming packets:
To classify packets based on the DS (Differentiated Services) field only, use the
command:
CPU prioritization
The CPU resources of the system may be constrained in certain circumstances, for
example:
74 Chapter 4 – IP
• constrained throughput; the speed of the interfaces may be so fast that packets are
sent to the IP stack faster than it can route them. Under heavy traffic, the
throughput of the IP stack may be constrained by the amount of available
processing power.
• application resource requirements; other applications that run on the same processor
as the router may consume a significant amount of CPU (for example, if a user is
retrieving pages from the embedded webserver). Here, there may be enough CPU
to route all packets, but you do not want individual packets to be delayed while
another process is running, because this added latency would be apparent when
making VoIP calls.
To ensure that CPU resources are available to preferentially handle expedited
traffic, the system incorporates the following features:
• Process priorities; these are used to ensure that tasks handling expedited traffic run
at a higher priority than the rest of the system. For example, device drivers and
encapsulation protocols, certain parts of the IP stack, and local VoIP applications
run at a higher priority compared to the rest of the system.
• Division of tasks; The IP stack is split into separate tasks, with a division between:
• the part of the stack that quickly makes the routing decision and forwards
traffic between interfaces
• and the part of the stack which performs more lengthy but less time-critical
tasks (such as TCP, ICMP and ARP protocol processing).
IP Tracing commands
You can carry out tracing in the IP stack using the following system commands:
• SYSTEM LOG ENABLE|DISABLE; enables/disables the tracing support output
for a specific module and category.
• SYSTEM LOG LIST; displays the tracing options for the modules available in the
current image.
IP CLI commands
The table below lists the IP commands provided by the CLI:
Command
IP ADD DEFAULTROUTE GATEWAY
IP ADD DEFAULTROUTE INTERFACE
IP ADD INTERFACE
IP ADD ROUTE
IP ATTACH
IP ATTACH VIRTUAL
IP CLEAR ARPENTRIES
IP CLEAR INTERFACES
IP CLEAR RIPROUTES
IP CLEAR ROUTES
IP DELETE INTERFACE
IP DELETE ROUTE
IP DETACH INTERFACE
IP INTERFACE ADD FQ CODEPOINT
IP INTERFACE ADD FQ PROTOCOL
IP INTERFACE ADD FQ SRCADDR CODEPOINT
IP INTERFACE ADD FQ SRCADDR PROTOCOL
IP INTERFACE ADD PROXYARPENTRY
IP INTERFACE ADD PROXYARPEXCLUSION
IP INTERFACE ADD SECONDARYIPADDRESS
IP INTERFACE CLEAR FQS
IP INTERFACE CLEAR PROXYARPENTRIES
76 Chapter 4 – IP
IP SHOW DEBUGINFO
IP SHOW INTERFACE
IP SHOW ROUTE
Description This command creates a default route. It acts as a shortcut command that can be
used instead of typing the following:
A default route will not be created if a default route has already been created using
the IP ADD ROUTE command or the IP ADD DEFAULTROUTE INTERFACE command.
To have RIP advertise a default route with a default cost metric, see THE IP SET RIP
ADVERTISEDEFAULT and IP SET RIP DEFAULTROUTECOST commands.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable)
Description This command creates a default route. It acts as a shortcut command that can be
used instead of typing the following:
A default route will not be created if a default route has already been created
using the IP ADD ROUTE command or the IP ADD DEFAULTROUTE
INTERFACE command.
78 Chapter 4 – IP
To have RIP advertise a default route with a default cost metric, see the IP SET RIP
ADVERTISEDEFAULT and IP SET RIP DEFAULTROUTECOST commands.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable)
IP ADD INTERFACE
Syntax IP ADD INTERFACE <name> [<ipaddress> <netmask>]
Description This command adds a named interface and optionally sets its IP address. The IP
address is not mandatory at this stage, but if it is not specified in this command, the
interface will be unconfigured. There are three ways that the IP address can be set
later:
• using the ip set interface ipaddress command
• it is possible to set the interface to obtain its configuration via Dynamic Host
Configuration Protocol (DHCP) using the IP SET INTERFACE DHCP ENABLED
command. By default, DHCP is disabled.
• the interface can obtain its IP configuration via PPP IPCP (Internet Protocol
Control Protocol) negotiation. See PPPoE CLI commands
The IP stack automatically creates a loopback interface for address 127.0.0.1 subnet
mask 255.255.255.0. This interface is not displayed by the IP LIST INTERFACES
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
IP ADD ROUTE
Syntax IP ADD ROUTE <name> <dest_ip> <netmask> {GATEWAY <gateway_ip> | INTERFACE
<interface>}
Description This command creates a static route to a destination network address via a gateway
device or an existing interface. It also allows the creation of a default route.
A default route will not be created if a default route has already been created
using the IP ADD ROUTE command or the IP ADD DEFAULTROUTE
INTERFACE command.
A route specifies a destination network (or single host), together with a mask to
indicate what range of addresses the network covers, and a next-hop gateway
address or interface. If there is a choice of routes for a destination, the route with the
most specific mask is chosen.
Routes are used when sending datagrams as well as forwarding them, so they are
not relevant only to routers. However, a system with a single interface is likely to
have a single route as a default route to the router on the network that it most often
needs to use. Route metric can only be set using the IP SET ROUTE COST
command.
Options The following table gives the range of values for each option which can be specified
80 Chapter 4 – IP
Examples There are two examples in this section. Example 1 routes through a gateway.
Example 2 routes through an existing interface.
Example 1
Example 2
IP ATTACH
Syntax IP ATTACH {<name>|<number>} <transport>
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 81
Example In the example below, voip is the name of an ethernet transport created using the
ETHERNET ADD TRANSPORT command:
IP ATTACHVIRTUAL
Syntax IP ATTACHVIRTUAL {<name>|<number>} <real_interface>
Description This command creates a virtual interface. The virtual interface is associated with a
‘real’ IP interface that has already been attached to a transport using the IP
ATTACH command. You can attach multiple virtual interfaces to one ‘real’ IP
interface.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
IP CLEAR ARPENTRIES
Syntax IP CLEAR ARPENTRIES
Description This command clears all ARP entries listed in the IP ARP table.
IP CLEAR INTERFACES
Syntax IP CLEAR INTERFACES
Description This command clears all IP interfaces that were created using the IP ADD
INTERFACE command.
IP CLEAR RIPROUTES
Syntax IP CLEAR RIPROUTES
Description This command deletes all the existing dynamic routes that have been obtained from
RIP. It does not delete the static routes; see the IP CLEAR ROUTES command.
IP CLEAR ROUTES
Syntax IP CLEAR ROUTES
AT-RG 600 Residential Gateway – Software Reference Manual 83
Description This command clears all static routes that were created using the IP ADD ROUTE
command.
IP DELETE INTERFACE
Syntax IP DELETE INTERFACE {<name>|<number>}
Description This command deletes a single IP interface that was created using the IP ADD
INTERFACE command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
IP DELETE ROUTE
Syntax IP DELETE ROUTE {<name>|<number>}
Description This command deletes a single route that was created using the IP ADD ROUTE
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
IP DETACH INTERFACE
Syntax IP DETACH {<name>|<number>}
Description This command detaches an IP interface from a transport (i.e. a VLAN) where it was
previously attached using the IP ATTACH INTERFACE command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command adds a flow qualifier rule that classifies IP packets based on the DS
(Differentiated Services) codepoint field of the IP packet header. Incoming packets
that match this rule are given a higher quality of service (qos) value, which allows
them to be handled at a higher priority than other packets that do not match this
rule.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command adds a flow qualifier rule that classifies IP packets based on the
specified protocol. If the protocol specified is TCP or UDP, you can also specify the
protocol source and destination port. Incoming packets that match this rule are
given a higher quality of service (qos) value, which allows them to be handled at a
higher priority than other packets that do not match this rule.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Example
To prioritise TCP packets with source port 50000 and dest port 80
Description This command adds a flow qualifier rule that classifies IP packets based on both the
source IP address of incoming packets, and the DS (Differentiated Services)
codepoint field of each IP packet header.
Incoming packets that match this rule are given a higher quality of service (qos)
value, which allows them to be handled at a higher priority than other packets that
do not match this rule.
AT-RG 600 Residential Gateway – Software Reference Manual 87
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Example --> ip interface ip1 add fq myfq1 srcaddr 192.168.101.2 codepoint 101110
Description This command adds a flow qualifier rule that classifies IP packets based on the
source address and protocol of the packet. If the protocol specified is TCP or UDP,
you can also specify the protocol source and destination port. Incoming packets that
match this rule are given a higher quality of service (qos) value, which allows them
to be handled at a higher priority than other packets that do not match this rule.
88 Chapter 4 – IP
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Example
To prioritise TCP packets from 192.168.101.2, with source port 50000 and destport 80
Description This command configures proxy ARP functionality on an existing IP interface. This
means that an interface responds to ARP requests for both its own address and for
any address that has been configured as a proxy ARP address.
You can configure proxy ARP functionality on a single address or a range of
addresses. Once you have configured a range of proxy ARP interfaces, you can set
one or more addresses in the range to NOT respond to proxy ARP using the IP
INTERFACE ADD PROXYARPEXCLUSION command.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Example The following command adds proxy ARP support to the entire subnet 192.168.100.0:
--> ip interface ip1 add proxyarpentry 192.168.100.0 255.255.255.0
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Example The first command below adds proxy ARP support to the subnet 192.168.100.0 . The
second command excludes proxy ARP support from 192.168.100.10 /
255.255.255.254:
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 91
Description This command deletes all flow qualifiers that have been added to an existing IP
interface using the IP INTERFACE ADD FQ commands.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command clears all proxy arp entries and exclusions that were created using
the IP INTERFACE ADD PROXYARPENTRY and IP INTERFACE ADD
PROXYARPEXCLUSION commands.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command deletes all additional IP addresses that have been added to an
existing IP interface using the IP INTERFACE ADD SECONDARYIPADDRESS
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
IP INTERFACE DELETE FQ
Syntax IP INTERFACE {<name>|<number>} DELETE FQ <fqname>
Description This command deletes a single flow qualifier that has been added to an existing IP
interface using the IP INTERFACE ADD FQ commands.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single proxy arp entry that was created using the IP
INTERFACE ADD PROXYARPENTRY command.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command deletes a single proxy arp exclusion entry that was created using the
IP INTERFACE ADD PROXYARPEXCLUSION command.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command deletes a single secondary IP address that has previously been
added to an existing IP interface using the IP INTERFACE ADD
SECONDARYIPADDRESS command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists all flow qualifiers that have been added to an existing IP
interface using the IP INTERFACE ADD FQS command.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command displays information about proxy arp entries and exclusions that
were created using the IP INTERFACE ADD PROXYARPENTRY and IP
INTERFACE ADD PROXYARPEXCLUSION commands.
The following information are displayed:
• interface ID numbers
• IP address and netmask of proxy ARP entries and exclusions
• Exclusion status; true for exclusions, false for inclusions
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 97
Description This command lists the secondary IP addresses that have been added to an existing
IP interface using the IP INTERFACE ADD SECONDARYIPADDRESS command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example In the example output below, secondary IP addresses without netmasks associated
with them appear as 0.0.0.0 by default.
ID | IP Address | Netmask
-----|-----------------------------------
1 | 192.168.104.6 | 255.255.255.0
2 | 192.168.103.4 | 255.255.255.0
3 | 192.168.103.2 | 255.255.255.0
-----------------------------------------
98 Chapter 4 – IP
IP LIST ARPENTRIES
Syntax IP LIST ARPENTRIES
Description This command displays the ARP table, which lists the following information:
• IP addresses and corresponding MAC addresses obtained by ARP.
• IP interface on which the host is connected
• Static status - `no' for dynamically generated ARP entries; `yes' for static entries
added by the user.
IP LIST CONNECTIONS
Syntax IP LIST CONNECTIONS
Description This command lists the active TCP/UDP connections in use by applications running
on the device. It displays the following information:
• Protocol type (TCP or UDP)
• Local connection address and port number
• Remote connection address and port number
• Connection state for TCP connections
This command does not show raw socket connections or UDP connections opened
internally within the IP stack.
Example The example below shows an active telnet connection, and the listen sockets of the
WebServer, TFTP server and SNMP:
--> ip list connections
----------------------------------------------------------------------
IP LIST INTERFACES
Syntax IP LIST INTERFACES
Description This command lists information about IP interfaces that were added using the ip add
interface command. The following information is displayed:
• interface ID numbers
• interface names
• IP addresses (if previously specified)
• DHCP status
• Whether a transport is attached to the interface, and if so, the name of the
transport
• Whether a virtual interface is attached to a real interface. The name of the
attached virtual interface is displayed in the Transport column in square brackets,
for example [ip2]
IP Interfaces:
ID | Name | IP Address | DHCP | Transport
-----|--------------|------------------|----------|---------------
1 | ppp_device | 192.168.102.2 | disabled | pppoe1
2 | ip0 | 192.168.1.1 | disabled | default
------------------------------------------------------------------
IP LIST RIPROUTES
Syntax IP LIST RIPROUTES
Description This command lists information about the routes that have been obtained from RIP.
It displays the following information:
• destination IP addresses
• destination netmask
• gateway address
• cost - The number of hops counted as the cost of the route.
• timeout - the number of seconds that this RIP route will remain in the routing
table unless updated by RIP.
• source interface - the name of the existing interface that this route uses
IP RIP routes:
Destination | Mask | Gateway | Cost | Time | Source
---------------|---------------|-----------------|------|------|-------
192.168.101.1 | 255.255.255.0 | 10.10.10.10 | 1 | 3000 | ip2
-----------------------------------------------------------------------
IP LIST ROUTES
Syntax IP LIST ROUTES
Description This command lists information about existing routes. It displays the following
information:
• route ID numbers
• route names
• destination IP addresses (if previously specified)
• destination netmask address (if previously specified)
• Either the gateway address or the name of the destination interface (whichever is
set)
IP routes:
IP PING
Syntax IP PING <dest-ip>
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
format (192.168.102.3)
Description This command specifies whether a named interface should obtain its configuration
via DHCP.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
IP LIST INTERFACES
For information on setting DHCP client configuration options, see DHCP Client CLI
commands.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the MTU (Maximum Transmission Unit) for an existing IP
interface.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 103
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command specifies whether or not an existing interface accepts RIP messages.
You can specify what version of RIP messages are accepted by the interface.
When receiving RIP v1 messages, the IP stack tries to use the information it has
available to determine the appropriate subnet mask for the addresses received.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command allows you to enable/disable whether RIP version 2 messages are
sent via multicast.
RIP version 2 messages sent via multicast are only received by the hosts on the
network that are configured to listen to the RIP v2 multicast address. If this
command is disabled, RIP version 2 messages are sent via broadcast and are
received by all the hosts on the network.
You need to set RIP to send v2 messages using the IP SET INTERFACE RIP SEND
command in order for the IP SET INTERFACE RIP MULTICAST ENABLED
command to send version 2 messages via multicast.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command specifies whether or not an existing interface can send RIP messages.
You can specify which version of RIP messages will broadcast routing information
on the interface. Routing information is broadcast every 30 seconds or when the RIP
routing table is changed.
RIP version 1 does not allow specification of subnet masks; a RIP version 1 route
that appears to be to an individual host might in fact be to a subnet, and treating
it as a route to the whole network may be the best way to make use of the
information.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command enables/disables TCP MSS (Maximum Segment Size) Clamp
functionality on an existing IP interface. When TCP MSS Clamp is enabled on an
interface, all TCP traffic routed through that interface will be examined. If a TCP
SYN (synchronize/start) segment is sent with a maximum segment size larger than
AT-RG 600 Residential Gateway – Software Reference Manual 107
the interface MTU (Maximum Transmission Unit), the MSS option will be rewritten
in order to allow TCP traffic to pass through the interface without requiring
fragmentation.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command enables/disables the advertising of a default route via RIP. If you set
this to enabled, then create a default route using the IP ADD DEFAULTROUTE
commands, the route will also be added to those advertised by the RIP protocol.
The cost associated with the route is the value set using the IP SET RIP
DEFAULTROUTECOST command.
You must enable default advertising before you create the default route.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets the number of hops counted as the cost of a default route
advertised via RIP.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description Specifies whether IP interfaces will accept RIP routes to specific routes.
RIP version 1 does not allow specification of subnet masks; a RIP version 1 route
that appears to be to an individual host might in fact be to a subnet, and treating
it as a route to the whole network may be the best way to make use of the
information.
To display the current state of rip hostroutes, use the IP SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets an authentication string that is placed in RIP v2 packets if ip set
rip authentication is enabled.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
110 Chapter 4 – IP
Description Enables or disables the poisoned reverse flag. If this flag is on, the AT-RG613, AT-
RG623 and AT-RG656 performs poisoned reverse as defined in RFC 1058; see that
RFC for discussion of the details.
In short, though, the effect of Poison Reverse is to specifically advertise routes, with
metric set to 16, if those routes are no longer accessible for some reason. Hosts
receiving these advertisements will then mark these routes as unusable. This
process results in a quicker updating of other hosts routing tables. The alternative is
to simply not advertise the inaccessible routes, and let other hosts eventually age
them out.
To display the current state of the poisoned reverse flag, use the IP SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the number of hops counted as the cost of the route for a route
previously created using the IP ADD ROUTE command.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets the destination network address of a route previously created
using the IP ADD ROUTE command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> ip set route route1 destination 192.168.103.3 255.255.255.0
Description This command sets the gateway address of a route previously created using the IP
ADD ROUTE command.
If you want the route to go directly to its destination and not via a gateway, specify
0.0.0.0 as the gateway.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the interface used by a route previously created by the IP ADD
ROUTE command. If you want the existing route to route to an address via a
gateway device, use none so that no interface is set.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
IP SHOW
Syntax IP SHOW
Description Shows current RIP configuration and any other information global to the router.
IP SHOW INTERFACE
Syntax IP SHOW INTERFACE {<name>|<number>}
Description This command displays the following information about a named interface:
• IP address and netmask (if set)
• MTU (Maximum Transmission Unit)
• Status of DHCP and NAT
• Status of TCP MSS Clamp
• Status of RIP send and RIP accept
• Status of RIP multicast
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
IP Interface: ip2
IP address: 192.168.102.3
Netmask: 255.255.255.0
MTU: 1500
DHCP: disabled
IP address: 192.168.50.10
Netmask: 255.255.255.0
MTU: 1500
DHCP: disabled
AT-RG 600 Residential Gateway – Software Reference Manual 115
IP SHOW ROUTE
Syntax IP SHOW ROUTE {<name>|<number>}
Description This command displays the following information about a named route:
• Destination IP address
• Netmask
• Gateway IP address (if applicable)
• Cost: the number of hops counted as the cost of the route
• Interface name (if applicable)
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Chapter 5
Transports
This section describes the commands available on the AT-RG613, AT-RG623 and
AT-RG656 residential Gateway to manage the Transport module.
This module allows you to clear, delete, list and display information about existing
transports that were created using the <transport_module> add transport
commands. To carry out more detailed configuration of transports, see the
corresponding transport module chapter:
• For PPPoE commands, see PPPoE CLI commands
• For Ethernet commands, see Ethernet CLI commands
AT-RG 600 Residential Gateway – Software Reference Manual 117
Command
TRANSPORTS CLEAR
TRANSPORTS DELETE
TRANSPORTS LIST
TRANSPORTS SHOW
TRANSPORTS CLEAR
Syntax TRANSPORTS CLEAR
Description This command deletes all transports that were created using the <transport_module>
ADD TRANSPORT command.
TRANSPORTS DELETE
Syntax TRANSPORTS DELETE {<name>|<number>}
Description This command deletes a single transport that was created using the
<transport_module> ADD TRANSPORT command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value for each option (if applicable).
TRANSPORTS LIST
Syntax TRANSPORTS LIST
Description This command lists all currently existing transports. It displays the following
information about the transports:
• transport identification number
• transport name
• transport type (PPP or Ethernet)
• Number of transmitted/received packets for each transport
Services:
ID | Name | Type
-----|--------------|-----------------------------------------------------
1 | default | Ethernet | TxPkts: 142/0 RxPkts: 10625/0
2 | voip | Ethernet | TxPkts: 0/0 RxPkts: 0/0
--------------------------------------------------------------------------
TRANSPORTS SHOW
Syntax TRANSPORTS SHOW {<name>|<number>}
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Service
Creator : CLI
Description : default
Ethernet
Vlan : default
AT-RG 600 Residential Gateway – Software Reference Manual 119
If In Octets : 953676
If Out Octets : 8962
If In Errors : 0
If Out Errors : 0
Packets Sent : 142
Good Packets Received : 10726
Enabled : true
Ether Channel
Port : ethernet0
Chapter 6
Ethernet
This section describes the commands available on the AT-RG613, AT-RG623 and
AT-RG656 residential Gateway to manage the Ethernet module
Command
ETHERNET ADD TRANSPORT
ETHERNET CLEAR TRANSPORTS
ETHERNET DELETE TRANSPORT
ETHERNET LIST PORTS
ETHERNET LIST TRANSPORTS
ETHERNET SHOW TRANSPORT
Description This command adds a named ethernet transport that will manage traffic related
only to the specified VLAN.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes all ethernet transports that were created using the
ETHERNET ADD TRANSPORT command.
Removing the transport named "default" results in system failure. All the other
IP interfaces will not be able to communicate externally.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the valid ports that can be used to transport ethernet data.
Description This command lists all ethernet transports that have been created using the
ETHERNET ADD TRANSPORT command. It displays the transport identification
number and name, and the name of the port that it uses to transport ethernet data.
ID | Name | Port
-----|-----------|------------
1 | default | ethernet0
2 | voip | ethernet1
------------------------------
Description This command displays the name and port used by an existing Ethernet transport.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
TRANSPORTS command.
Description: Default
Port: ethernet0
Chapter 7
Introduction
This section describes the AT-RG613, AT-RG623 and AT-RG656 built-in security
facilities, and how to configure and monitor them.
The Internet is a network that allows access to vast amounts of information and
potential customers. However, the Internet is not controlled and certain individuals
use it destructively. These individuals attack other users’ computer systems for
entertainment and/or profit.
The security system is designed to allow safe access to the Internet by enforcing a set
of access rules between the various interfaces of the product. To configure these
rules at least two interfaces have to be defined — one interface is attached to the
public network (e.g., the Internet), and the other interface is attached to an internal
private network (intranet) that requires protection. The security prevents
unrestricted access to the private network and protects the computer systems from
attack.
The security system provides a single link between the private network and the
public network, it is also uniquely positioned to provide a single point where all
traffic entering and leaving the private network can be logged and monitored. This
information is useful for providing a security audit trail.
Currently, two main security technologies are recognized that are briefly explained
in the following.
Application Gateway
This is the traditional approach used to build a firewall, where every connection
between two networks is made via an application program (called a proxy) specific
for that protocol. A session from the private network is terminated by the proxy,
which then creates another separate session to the end destination.
Typically, a proxy is designed with a detailed knowledge of how the protocol works
and what is allowed or not. This approach is very CPU intensive and very
restrictive. Only protocols that have specific proxies configured are allowed through
the security system; all other traffic is rejected. In practice most third-party proxies
AT-RG 600 Residential Gateway – Software Reference Manual 125
are transparent proxies, which pass all traffic between the two sessions without
regard to the data.
Stateful Inspection
A more recent approach to security design uses a method called “stateful inspection”.
Stateful inspection is also referred to as dynamic packet filtering or context-based access
control (CBAC).
In this technology, an inspection module understands data in packets from the
network layer (IP headers) up to the application layer. The inspection module
checks every packet passing through the security system and makes access decisions
based on the source, destination and service requested. The term stateful refers to the
security system’s ability to remember the status of a flow. For example, whether a
packet from the public Internet is returning traffic for a flow originated from the
private intranet. The TCP state of TCP flows is also monitored, allowing
inappropriate traffic to be discarded. The benefit of this approach is that stateful
inspection security systems are generally faster, less demanding on hardware, and
more adaptive to new Internet applications.
Security module
NAT
Firewall module
module
Security Interfaces
On the AT-RG613, AT-RG623 and AT-RG656 it is possible to define three type of
security interfaces interfaces : Internal, External and DMZ (see Figure 8)
• An Internal interface is an IP interface that is attached to a network that needs to
be protected from the network attached to the External interface. For example, an
interface attached to a private LAN is an internal interface.
• The External interface is an IP interface that is attached to a network, for example
the Internet, containing hosts that may pose a security threat to hosts on the
internal interfaces.
• A DMZ (demilitarized zone) is an IP interface serving a small network that acts as
a neutral zone between the inside network and the outside network. A DMZ is a
portion of the local network that is almost completely open to the external
network. There may be some restriction at external access to the DMZ, but much
less than the restriction of access to the internal
To define an existing IP interface as a security interface use the SECURITY ADD
INTERFACE command.
To show the security interfaces currently defined, use the SECURITY LIST
INTERFACES command.
Only one external security interface and one DMZ security interface can be
defined.
AT-RG 600 Residential Gateway – Software Reference Manual 127
External Network
external interface
Internal Network
DMZ Network DMZ interface internal interface
internal interface
Internal Network
sessions. The table entry contains the IP addresses of the devices at each end of the
session.
Subsequently, if an incoming session-establishment packet arrives at the router, the
source and destination addresses of the packet are compared against the entries in
the table of currently open primary sessions.
If there are no matches, the packet is discarded. If there are one or more matches,
then the router carries out a port-probing process.
In the port-probing process, the router runs through the list of matching sessions.
For each session, it sends a packet to the private IP address in the table entry. The
destination port number in this packet is the destination port number in the
incoming packet.
In the case of TCP, the probe packet is a TCP SYN packet. In the case of UDP, the
packet is just a small UDP packet.
Depending on the response that the router gets back from the probe packet, it can
work out whether the local host was expecting to receive an incoming session to that
port number.
If the port probing process does find a local host that was expecting the incoming
session, then the session is established. If a local host is not found, then the packet is
discarded.
This mechanism enables the router to allow in only those incoming secondary
sessions that should be allowed in, and can reject malicious attempts to establish
incoming sessions.
Although FTP is given as an example of a protocol that requires dynamic port
opening, because FTP is such a very common application, the dynamic port opening
for FTP is enabled in the software by default, and does not have to be configured by
the user.
Non-Activity Timeout
The dynamic port opening process opens secondary ports, as described above.
Typically, it will detect when a session using a secondary port is being closed (ie an
exchange of FIN, FIN/ACK packets) and stop passing packets for that session.
However, UDP sessions do not have a specific close-down process. Also, TCP
sessions might be terminated without a proper close-down (for example, the host at
one end of the session might be simply turned off). So, there needs to be a criterion
for deciding when to remove a session in these cases. The method that the router
uses is for the user to configure an inactivity time. If there has been no activity (no
exchange of packets) on the secondary session for the specified period of time, the
session is closed (ie the router will no longer forward any packets for that session).
Session Chaining
There are some applications (Netmeeting is the most well-known of these) in which
the secondary sessions may, themselves, spawn their own secondary sessions. This
process is known as session chaining.
If a dynamic port opening definition is being configured for such an application,
then the user needs to configure this definition to have session chaining on.
AT-RG 600 Residential Gateway – Software Reference Manual 129
Firewall
The AT-RG613, AT-RG623 and AT-RG656 security system implements a stateful
Firewall providing high security by blocking certain incoming traffic based on
stateful information.
Each time outbound packets are sent from an internal host to an external host, the
following information is logged by the Firewall:
• port number
• sequencing information
• additional flags for each connection associated with that particular internal host
All inbound packets are compared against this logged information and only allowed
through the Firewall if it can be determined that they are part of an existing
connection. This makes it very difficult for hackers to break through the stateful
Firewall, because they would need to know addresses, port numbers, sequencing
information and individual connection flags for an existing session to an internal
host.
Firewall behaviour is managed by the firewall module. The firewall module offers
the ablitiy to:
• control what kind of Firewall activity is logged
• protect the internal network using stateful firewall functionality
• create policies
• add validators to policies
• add portfilters to to policies
• enable/disable and configure Intrusion Detection Settings (IDS)
In order to access firewall features, the firewall module must be enabled using the
firewall enable command.
Figure 9 shows the entities involved in the firewall module and their relationships.
130 Chapter 7 – Security & Firewall
Policy
A policy is a relationship between two security interfaces where it is possible to
assign portfilter and validator rules between them.
There are three different security interface combinations that Firewall policies can be
created between:
• the external interface and the internal interface
• the external interface and the DMZ interface
• the DMZ interface and the internal interface
To add a policy between one of the three above interface combinations use the
FIREWALL ADD POLICY command.
Portifilter
A portfilter is a rule that determines how the Firewall should handle packets being
transported between two security interfaces that are defined in an existing policy.
The rules define:
• what protocol type is allowed (specified using the protocol number or the
protocol name)
• the range of source and destination port numbers allowed
• the direction that packets are allowed to travel in (inbound, outbound, neither or
both)
To add a portfilter to an existing policy use the FIREWALL ADD PORTFILTER
command.
More than one portfilter object can be added to the same policy.
Validator
A validator is a rule that determines how the Firewall handles packets based on the
source or destination IP address. The policy that the validator belongs to determines
whether packets to/from the specified IP address are allowed or blocked
To add a validator to an existing policy use the FIREWALL ADD VALIDATOR
command.
AT-RG 600 Residential Gateway – Software Reference Manual 131
Firewall
IDS policies
li t refers to an interface combination
(e.g. external-internal)
policy
#1
policy
#2
policy
#
portfilters
li t could refer to ports and traffic
direction Source/Destination
portfilter
#1
could refer to transport protocol
portfilter
and traffic direction
#2
validators
li t refers to Source/Destination ,IP
address and traffic direction
validator
#1
validator
#2
validator
#
Intrusion Detection
Intrusion Detection is a feature that looks for traffic patterns that correspond to
certain known types of attack from suspicious hosts that attempt to damage the
network or to prevent legitimate users from using it.
The Intrusion Detection protects the system from the following kinds of attacks:
• DOS (Denial of Service) attacks - a DOS attack is an attempt by an attacker to
prevent legitimate hosts from accessing a service.
• Port Scanning - an attacker scans a system in an attempt to identify any open
ports.
• Web Spoofing - an attacker creates a 'shadow' of the World Wide Web on their
own machine, however a legitimate host sees this as the 'real' WWW. The attacker
uses the shadow WWW to monitor the host's activities and send false data to and
from the host's machine.
132 Chapter 7 – Security & Firewall
Once a maximum level is reached, an intrusion attempt is detected and the attacker
is blocked by the Firewall for the time limit specified by the FIREWALL SET IDS
DOSATTACKBLOCK command (default is 30 minutes).
• For Port Scan attacks, once an attacker scanning your system's ports has been
identified, they are blocked by the Firewall for the time limit specified in the
FIREWALL SET IDS SCANATTACKBLOCK command.
• For Web Spoofing attacks, packets destined for the victim of a spoofing attack are
blocked by the Firewall for the time limit specified in the FIREWALL SET IDS
VICTIMPROTECTION command.
AT-RG 600 Residential Gateway – Software Reference Manual 133
Command
SECURITY ADD INTERFACE
SECURITY ADD TRIGGER TCP|UDP
SECURITY ADD TRIGGER NETMEETING
SECURITY CLEAR INTERFACES
SECURITY CLEAR TRIGGERS
SECURITY DELETE INTERFACE
SECURITY DELETE TRIGGER
SECURITY
SECURITY LIST INTERFACES
SECURITY LIST TRIGGERS
SECURITY SET TRIGGER UDPSESSIONCHAINING
SECURITY SET TRIGGER ADDRESSREPLACEMENT
SECURITY SET TRIGGER BINARYADDRESSREPLACEMENT
SECURITY SET TRIGGER ENDPORT
SECURITY SET TRIGGER MAXACTINTERVAL
SECURITY SET TRIGGER MULTIHOST
SECURITY SET TRIGGER SESSIONCHAINING
SECURITY SET TRIGGER STARTPORT
SECURITY SHOW INTERFACE
SECURITY SHOW TRIGGER
SECURITY STATUS
Description This command adds an existing IP interface to the Security package to create a
134 Chapter 7 – Security & Firewall
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example The following example creates an FTP (File Transfer Protocol) trigger:
--> security add trigger t1 tcp 21 21 3000
Description This command allows you to add a trigger to allow Netmeeting to transport data
through the security package.
This application opens a secondary port session. You do not have to set the port
range or maxactinterval for a Netmeeting trigger - the CLI automatically sets this for
you.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command removes all security interfaces that were added to the Security
package using the SECURITY ADD INTERFACE command.
Description This command deletes all triggers that were added to the Security module using the
SECURITY ADD TRIGGER commands.
Description This command removes a single security interface that was added to the Security
package using the SECURITY ADD INTERFACE command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single trigger that was added to the Security module using
AT-RG 600 Residential Gateway – Software Reference Manual 137
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
SECURITY
Syntax SECURITY {ENABLE | DISABLE}
Description This command explicitly enables/disables all modules in the Security package
(including the child modules; NAT and Firewall).
You must enable the Security package if you want to use the NAT and/or
Firewall modules to configure security for your system.
If you disable the Security package during a session, any configuration changes
made to the Security, NAT or Firewall modules when the package was enabled
remain in the system, so that you can re-enable them later in the session. If you
need to reboot the Residential Gateway but want to save the security
configuration between sessions, use the system config save command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the following information about security interfaces that were
added to the Security package using the SECURITY ADD INTERFACE command:
• Interface ID number
• Interface name
• Interface type (external, internal or DMZ)
Description This command lists triggers that were added to the Security module using the
SECURITY ADD TRIGGER command. It displays the following information about
triggers:
• Trigger ID number
• Trigger name
• Trigger transport type (TCP or UDP)
• Port range
• Interval
Description This command determines whether or not a UDP dynamic session can become also
a triggering session.
If UDP session chaining is enabled, both UDP and TCP dynamic sessions also
become triggering sessions, which allows multi-level session triggering.
UDP session chaining can be enabled only if a TCP session chaining is already
enabled on the same trigger using the security set trigger sessionchaining
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description The settings in this command are only effective if you enable address translation
using the command SECURITY SET TRIGGER BINARYADDRESSREPLACEMENT.
This command allows you to specify what type of address replacement is set on an
trigger. Incoming and outgoing packets are searched in order to find any IP
addresses embedded in the payload. Any IP addresses that are found are then
compared with the public and private addresses being used by NAT. If the
addresses that have been found would have been translated by NAT (had they been
140 Chapter 7 – Security & Firewall
in the packet header), then they are translated and the original addresses in the
payload are replaced by the translated addresses.
You can specify whether you want to carry out address replacement on TCP
packets, on UDP packets or on both TCP and UDP packets.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the end of the port number range for an existing trigger.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum activity interval limit on existing session entries
for an existing trigger.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets whether or not a secondary session can be initiated to/from
different remote hosts or the same remote host on an existing trigger.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command determines whether or not triggering sessions can be chained. If
session chaining is enabled, TCP dynamic sessions also become triggering sessions,
which allows multi-level session triggering.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the start of the port number range for an existing trigger.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays information about a single interface that was added to the
Security package using the SECURITY ADD INTERFACE command. The following
interface information is displayed:
• Interface name
• Interface type (external, internal or DMZ)
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays information about a single trigger that was added to the
Security module using the SECURITY ADD TRIGGER command. The following
trigger information is displayed:
• Trigger name
• Transport type (TCP or UDP)
• Start of the port range
• End of the port range
• Multiple host permission (true/false)
• Maximum activity interval (in milliseconds)
• Session chaining permission (true/false)
• Session chaining on UDP permission (true/false)
• Binary address replacement permission (true/false)
• Address translation type (UDP, TCP, none or both)
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
SECURITY STATUS
Syntax SECURITY STATUS
Description This command displays the following information about the Security package:
• Security status (enabled or disabled)
• Firewall status (enabled or disabled)
• Firewall security level setting (none, high, low, or medium)
AT-RG 600 Residential Gateway – Software Reference Manual 145
Command
Description This command creates a policy between two interface types. There are three types of
policy that you can add to the firewall:
• a policy between the external interface and the internal interface
• a policy between the external interface and the DMZ interface
• a policy between the DMZ interface and the internal interface
A policy is the collective term for the rules that apply to incoming and outgoing
traffic between two interface types. Once a policy is created using the FIREWALL
ADD POLICY command, it's possible to create rules for the policy using the
FIREWALL ADD PORTFILTER command.
The FIREWALL ADD VALIDATOR command allows you to block/allow traffic
based on the source and/or destination IP addresses and masks.
The FIREWALL ADD POLICY command controls whether traffic is
blocked/allowed for all of the validators that belong to a policy. There are two
options:
• allow only traffic to and/or from the IP address(es) set in the FIREWALL ADD
VALIDATOR command. All other traffic is blocked by the Firewall.
• block only traffic to and/or from the IP address(es) set in the FIREWALL ADD
VALIDATOR command. All other traffic is allowed through the Firewall.
It's possible to set a Firewall security level that contains default policies using the
FIREWALL SET SECURITYLEVEL command. Then, it's possible to customize the
Firewall by adding specific portfilters and validators.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
• specify one of the listed protocols, applications or services. These are provided by
the Firewall as popular examples that you can use. You do not need to specify the
portnumber - the Firewall does this for you.
It is VERY IMPORTANT to understand that when portfilters are created for TCP or
UDP, then the effect of the filter is to allow/disallow packets that are starting a
UDP or TCP session. Once a session has been established, the firewall recognizes
subsequent packets in the session as belonging to an established session, and
allows then through. This is because this is a Stateful firewall, and so is aware of
the states of UDP/TCP sessions.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
In order to add validators to a Firewall policy, the policy must have been
previously created, which defines how traffic is allowed/blocked, using the
allowonly-val or blockonly-val options in the FIREWALL ADD POLICY
command:
allowonly-val: only traffic based on the direction setting and the IP address(es)
specified in the FIREWALL ADD VALIDATOR command is allowed. All other
traffic is blocked.
blockonly-val: only traffic based on the direction and the IP address(es) specified
in the FIREWALL ADD VALIDATOR command is blocked. All other traffic is
allowed.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example In the following example, a policy is created, then a validator added to block
inbound and outbound traffic from/to the IP address stated. All other traffic is
allowed.
Description This command deletes all existing policies from the firewall configuration. Any
portfilters associated with the policies are also deleted by this command.
Description This command deletes all portfilters that were added to an existing firewall policy
using the FIREWALL ADD PORTFILTER command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 153
Description This command deletes a single existing policy from the firewall configuration. All
portfilters associated with the policy are also deleted by this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single portfilter that was added to a firewall policy using
the FIREWALL ADD PORTFILTER command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
FIREWALL ENABLE|DISABLE
Syntax FIREWALL {ENABLE | DISABLE}
Description This command enables/disables the entire Firewall module except for the IDS
portion of the module (see the command FIREWALL ENABLE|DISABLE IDS).
When the Firewall is enabled, all IP traffic on existing security interfaces that are
NOT included in a Firewall policy is blocked. For details on setting default
policy security levels on security interfaces, see the FIREWALL SET
SECURITYLEVEL command.
If the system must be rebooted and the Firewall configuration must be saved
between sessions, use the SYSTEM CONFIG SAVE command.
AT-RG 600 Residential Gateway – Software Reference Manual 155
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command enables or disables the IDS (Intrusion Detection Service) portion of
the Firewall.
This module must be enabled in order to activate the settings specified in the
FIREWALL IDS commands.
This module depends on the Security module, which must be enabled before the
enabling of the IDS can take effect.
It's not necessary to enable the Firewall module in order for the IDS to be active.
If the IDS is disabled during a session, any configuration changes made when
IDS was enabled remain, and can be re-enabled later in the session.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command enables/disables whether Firewall session events are logged.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the following information about policies that were added to the
firewall using the FIREWALL ADD POLICY command:
• Policy ID number
• Policy name
• Interface Type 1 and Interface Type 2 - the two interface types between which a
policy exists (external - internal, external - DMZ or internal - DMZ)
• Validator Allow Only status - true means that allowonly-val was set when the
policy was created. False means that either blockonly-val was set, or no validator
status was set (blockonly-val is the default setting if no status is specified).
Description This command lists portfilters that were added to a firewall policy using the
FIREWALL ADD PORTFILTER command. It displays the following information:
• Portfilter ID number
158 Chapter 7 – Security & Firewall
• Portfilter name
• Type - port number range or specified port number
• Port range used by the specified TCP or UDP protocol (e.g., 53 for DNS, 25 for
SMTP). For non-TCP/UDP protocols, the port range is set to 0-0.
• In - displays the inbound permission setting (true or false)
• Out - displays the outbound permission setting (true or false)
• Raw - displays whether or not the portfilter uses a non-TCP/UDP protocol (true
or false)
• TCP - displays whether or not the portfilter uses a TCP protocol (true or false)
• UDP - displays whether or not the portfilter uses a UDP protocol (true or false)
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the following information about validators added to a policy
using the FIREWALL ADD VALIDATOR command:
• Validator ID number
• Validator name
• Direction (inbound, outbound or both)
• Host IP address
AT-RG 600 Residential Gateway – Software Reference Manual 159
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets, in the Intrusion Detection Setting (IDS), the duration of the
block that is put in place when a DOS (Denial of Service) is detected. A DOS attack
is an attempt by an attacker to prevent legitimate users from using a service. If a
DOS attack is detected, all hosts that seem to be causing the attack are blocked by
the firewall for a set time limit. This command allows you to specify the duration of
the block.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum number of ICMP packets per second that are
allowed by the Firewall before an ICMP Flood is detected. An ICMP Flood is a DOS
160 Chapter 7 – Security & Firewall
(Denial of Service) attack. An attacker tries to flood the network with ICMP packets
in order to prevent transportation of legitimate network traffic.
Once the maximum number of ICMP packets per second is reached, an attempted
ICMP Flood is detected. The firewall blocks the suspected attacker for the time limit
specified in the FIREWALL SET IDS DOSATTACKBLOCK command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum number of pings per second that are allowed by
firewall before an Echo Storm is detected. Echo Storm is a DOS (Denial of Service)
attack. An attacker sends oversized ICMP datagrams to the system using the `ping'
command. This can cause the system to crash, freeze or reboot, resulting in denial of
service to legitimate users.
Once the maximum number of pings per second is reached, an attempted DOS
attack is detected. The firewall blocks the suspected attacker for the time limit
specified in the FIREWALL SET IDS DOSATTACKBLOCK command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum number of unfinished TCP handshaking sessions
per second that are allowed by firewall before a SYN Flood is detected. SYN Flood
is a DOS (Denial of Service) attack. When establishing normal TCP connections,
three packets are exchanged:
AT-RG 600 Residential Gateway – Software Reference Manual 161
• A SYN (synchronize) packet is sent from the host to the network server
• A SYN/ACK packet is sent from the network server to the host
• An ACK (acknowledge) packet is sent from the host to the network server
If the host sends unreachable source addresses in the SYN packet, the server sends
the SYN/ACK packets to the unreachable addresses and keeps resending them. This
creates a backlog queue of unacknowledged SYN/ACK packets. Once the queue is
full, the system will ignore all incoming SYN requests and no legitimate TCP
connections can be established.
Once the maximum number of unfinished TCP handshaking sessions is reached, an
attempted DOS attack is detected. The firewall blocks the suspected attacker for the
time limit specified in the FIREWALL SET IDS DOSATTACKBLOCK command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command allows you to set, in the Intrusion Detection System (IDS), the
duration of the blaock that is put in place when a scan attack is detected. The
firewall detects when the system is being scanned by a suspicious host attempting
to identify any open ports. If scan activity is detected, all hosts that are seen to be
making attacks are blocked by the firewall for a set time limit. This command allows
you to specify the duration of the block.
This CLI command is case-sensitive. You must type the command attributes
exactly as they appear in the command description on this page. If you do not
use the same case-sensitive syntax, the command fails and the CLI displays a
syntax error message.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the blacklist IDS (Intrusion Detection Setting). Blacklisting
denies an external host access to the system if IDS has detected certain types of
intrusion from that host. Access to the network is denied for ten minutes.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command enables/disables the victim protection Intrusion Detection Setting
(IDS). Enabling this command protects the victim from an attempted spoofing
attack.
Web spoofing allows an attacker to create a `shadow' copy of the World Wide Web.
All access to the shadow Web goes through the attacker's machine, so the attacker
can monitor all of the victim's activities and send false data to or from the victim's
machine.
If victim protection is enabled, packets destined for the victim host of a spoofing
style attack are blocked. The command allows you to specify the duration of the
block.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command allows you to set which security level is used by the Firewall. There
are three default security levels (high, medium and low) that contain different
security configuration information for each interface connection. Once you have
selected a security level, all IP traffic except the default policies specified will be
blocked by the Firewall.
The security level none blocks all IP traffic for every security interface. The
userdefined option allows you to select a security configuration that you have
previously created. There are three types of interface connections:
Options The following tables describes the default policies enabled in the firewall for each of
the high, medium and low security levels. The tables tell you whether a certain
service can be accepted in or allowed out by a specific policy:
HIGH External < > External < > DMZ < >
SECURITY LEVEL Internal DMZ Internal
Service Port In Out In Out In Out
http 80 x ✓ ✓ ✓ ✓ ✓
dns 53 x ✓ x ✓ x ✓
telnet 23 x x x x x x
smtp 25 x ✓ ✓ ✓ ✓ ✓
pop3 110 x ✓ ✓ ✓ ✓ ✓
nntp 119 x x x x x x
real audio/video 7070 x x x x x x
icmp N/A x ✓ x ✓ x ✓
H.323 1720 x x x x x x
T.120 1503 x x x x x x
SSH 22 x x x x x x
164 Chapter 7 – Security & Firewall
MEDIUM External < > External < > DMZ < >
SECURITY LEVEL Internal DMZ Internal
Service Port In Out In Out In Out
http 80 x ✓ ✓ ✓ ✓ ✓
dns 53 x ✓ ✓ ✓ ✓ ✓
telnet 23 x ✓ x ✓ x ✓
smtp 25 x ✓ ✓ ✓ ✓ ✓
pop3 110 x ✓ ✓ ✓ ✓ ✓
nntp 119 x ✓ ✓ ✓ ✓ ✓
real audio/video 7070 ✓ x x ✓ x ✓
icmp N/A x ✓ x ✓ x ✓
H.323 1720 x ✓ x ✓ x ✓
T.120 1503 x ✓ x ✓ x ✓
SSH 22 x ✓ x ✓ x ✓
LOW External < > External < > DMZ < >
SECURITY LEVEL Internal DMZ Internal
Service Port In Out In Out In Out
http 80 x ✓ ✓ ✓ ✓ ✓
dns 53 ✓ ✓ ✓ ✓ ✓ ✓
telnet 23 x ✓ ✓ ✓ ✓ ✓
smtp 25 x ✓ ✓ ✓ ✓ ✓
pop3 110 x ✓ ✓ ✓ ✓ ✓
nntp 119 x ✓ ✓ ✓ ✓ ✓
real audio/video 7070 ✓ x ✓ ✓ ✓ ✓
icmp N/A ✓ ✓ ✓ ✓ ✓ ✓
H.323 1720 ✓ ✓ ✓ ✓ ✓ ✓
T.120 1503 ✓ ✓ ✓ ✓ ✓ ✓
SSH 22 ✓ ✓ ✓ ✓ ✓ ✓
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable):
Description This command displays the following information about the Firewall IDS settings:
• IDS enabled status (true or false)
• Blacklist status (true or false)
• Use Victim Protection status (true or false)
• DOS attack block duration (in seconds)
• Scan attack block duration (in seconds)
• Victim protection block duration (in seconds)
• Maximum TCP open handshaking count allowed (per second)
• Maximum ping count allowed (per second)
• Maximum ICMP count allowed (per second)
Description This command displays information about a single policy that was added to the
firewall using the FIREWALL ADD POLICY command.
A policy exists between two interface types that were set using the FIREWALL ADD
POLICY command. This command displays what these interface types are, and the
allow only validator status; true means that allowonly-val was set when the policy
166 Chapter 7 – Security & Firewall
was created; false means that either blockonly-val was set, or no validator status was
set (blockonly-val is the default setting if no status is specified).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays information about a single portfilter that was added to a
firewall policy using the FIREWALL POLICY ADD PORTFILTER command. The
following portfilter information is displayed:
• Portfilter name
• Transport type used by the protocol (e.g., 6 for SMTP)
• Start of the port range
• End of the port range
• Inbound permission (true or false)
• Outbound permission (true or false)
• Raw IP - whether the portfilter uses a non-TCP/UDP protocol (true or false)
• TCP permission - whether the portfilter uses a TCP protocol (true or false)
• UDP permission - whether the portfilter uses a UDP protocol (true or false)
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Transport type: 6
Port number start: 25
Port number end: 25
Inbound permission: true
Outbound permission: true
Raw IP: false
TCP permission: true
UDP permission: false
Description This command displays information about a single validator that was added to
firewall policy using the FIREWALL ADD VALIDATOR command. The following
validator information is displayed:
• Validator name
• Direction (inbound, outbound or both)
• Base IP address of the range to which the validator applies
• Netmask defining the range of addresses to which the validator applies
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Direction: both
Host IP: 192.168.103.2
Host Mask: 255.255.255.0
168 Chapter 7 – Security & Firewall
FIREWALL STATUS
Syntax FIREWALL STATUS
Description This command displays the following information about the Firewall:
• Firewall status (enabled or disabled)
• Security level setting (none, high, low or medium)
• Firewall logging status:
• session logging (enabled or disabled)
• blocking logging (enabled or disabled)
• intrusion logging (enabled or disabled)
Chapter 8
Address conservation
The most common application of NAT is to make better use of the increasingly scant
resource that is the public IP address. As the number of people connecting to the
Internet has exploded, it has reached the stage where there are just not enough IP
addresses available to give an individual address to every Internet-connected
device. So, a prime purpose of NAT is to enable a whole network to access the
Internet using just a single public IP address (see figure 10).
170 Chapter 8 – Network Address Translation - NAT
10.0.0.3
10.0.0.2 24.2.249.4
Internet
AT-RG6xx
10.0.0.1
10.0.0.4
Security
The security provided by NAT is really a by-product of the address conservation
purpose. The fact is that NAT aims to translate the source addresses of packets
originating from within the local private network; when reply packets come back
from the Internet, they can be passed back to the hosts on the Private network as the
NAT process keeps an internal table that enables it to know which replies are
actually destined to which private hosts.
So, if a packet comes from the Internet that is not a reply to a packet sent from the
inside, then that NAT process does not know who to forward it to, and has to drop
it.
So, this makes it very difficult for devices on the Internet to initiate incoming
sessions to hosts on the private network; when the packet that is trying to initiate
the session arrives at the NAT device, it gets dropped.
In addition, because the NAT process has to process all the packets passing through
it, in order to pass them to the right internal host, it is quite easy to build in an
ability to look for attacks – SYN floods, Pings of Death, IP Spoofing etc are quite
easy to recognize as packets are being examined on the way through the NAT
device.
The particular value of the source port number in a session is not important, so the
NAT device is free to change the source port numbers in packets. This freedom to
change the source port number is the central key to NAT. This enables it to make
AT-RG 600 Residential Gateway – Software Reference Manual 171
sure that every TCP or UDP session that it sends out to the Internet has a UNIQUE
source port number.
Consider the problem that would occur if the NAT device was not free to change the
source port number; only the source address:
If two hosts on the private LAN happened to create sessions using the same source
port number, and same destination address and same destination port number, then
the only thing that would be different between the packets in one session and those
in the other session would be the source IP addresses. However, once the NAT
device had changed the source IP addresses to the global IP address, there would be
nothing to differentiate the packets. The host at the other end of the connection
would think that all the packets were from the same session, which would cause
chaos.
So, it is very important that the NAT device is also able to change the source port
number, so that the problem described above will never happen.
Therefore the NAT device can intercept TCP and UDP sessions coming from Private
hosts, change the source addresses AND source port numbers in the packets, and
store away the original IP address and port number in a table, along with the newly
substituted port number (so that the original values can be restored in the reply
packet when it comes).
So, the process that occurs is:
• the NAT device receives the packet
• changes the source IP address in the packets to the global IP address
• looks up in its table for an entry containing the source port number and original
source address of the packet
• if it finds an entry, it takes the substitution port number in the table entry,
and changes the source port number of the packet to this substitution
number
• if it does not find an entry, it generates a new substitution port number, and
creates a new table entry containing the original source IP address of the
packet, its original source port number, and the newly generated
substitution port number. Changes the source port number of the packet to
this substitution number.
WAN IP
24.10.2.45
Internet
AT-RG6xx
Before enabling NAT, the Security module must be already enabled using
SECURITY ENABLE command.
sessions to make use of the global pool, it is necessary to create a reserved mapping.
See below for more information on reserved mappings.
Reserved Mappings
Reserved mapping is used to support NAT traversal.
NAT traversal is a mechanism that makes a service (listening port) on an internal
computer accessible to external computers. NAT traversal operates by having the
NAT listen for incoming messages on a selected port on its external interface. When
the NAT receives a message, it uses its internal interface to forward the packet to the
same port number on a selected internal computer (And any responses from the
internal computer are forwarded to the requesting external computer).
Reserved mappings can also be used so that different internal hosts can share a
global address by mapping different ports to different hosts.
For example, Host A is an FTP server and Host B is a web server.
By choosing a particular IP address in the global address pool, and mapping the
FTP port on this address to the FTP port on Host A and the HTTP port on the global
address to the HTTP port on Host B, both internal hosts can share the same global
address.
To add a reserved mapping rule to an existing NAT relation, use NAT ADD
RESVMAP INTERFACE command.
With this command it is possible set a mapping rule based on port number or
protocol number.
Setting the protocol number to 255(0xFF) means that the mapping will apply to all
protocols. Setting the port number to 65535(0xFFFF) for TCP or UDP protocols
means that the mapping will apply to all port numbers for that protocol.
Command
Description The nat enable command creates an IP address for the external security interface.
However, you may want to use more than one external IP address. For example, if
your ISP provides multiple IP addresses, you might want to map one external
address to your internal web server, and map another external address to your
internal mail server.
This command creates a pool of external network addresses. A network address
pool is a range of IP addresses that is visible outside your network. NAT translates
packets between the external addresses and the internal addresses that each address
is mapped to.
AT-RG 600 Residential Gateway – Software Reference Manual 177
Before adding a global address pool, the NAT module must be enabled using
the command NAT ENABLE.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example 1 This example creates a network address pool that allows NAT to translate packets
between the external interface and the DMZ interface type.
First, NAT is enabled between the external interface and the DMZ interface type:
Then the global address pool is created, by defining IP address and netmask:
178 Chapter 8 – Network Address Translation - NAT
Example 2 This example creates a network address pool that allows NAT to translate packets
between the external interface and the internal interface type.
First NAT is enabled between the external interface and the internal interface type:
Description This command maps an IP address from a global pool (created using the NAT ADD
GLOBALPOOL command) to an individual IP address inside the network. NAT
translates packets between the external IP address and the individual host based on
the transport information given in this command.
Note: Before you can add a reserved mapping, you must create a NAT
relationship using the command NAT ENABLE.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Note: Before you can add a reserved mapping, you create a NAT relationship
using the command NAT ENABLE.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes all address pools that were added to a specific outside
interface using the NAT ADD GLOBALPOOL command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes all NAT reserved mappings that were added to an outside
security interface using the NAT ADD RESVMAP command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single address pool that was added to a specific external
interface using the NAT ADD GLOBALPOOL command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single NAT reserved mapping that was added to an
external security interface using the NAT ADD RESVMAP command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
NAT DISABLE
Syntax NAT DISABLE <name>
Description This command disables a NAT relationship that was previously enabled between a
a security interface and another generic interface type, using the NAT ENABLE
command. NAT is disabled between the security interface and all the interfaces that
belong to the chosen interface type.
184 Chapter 8 – Network Address Translation - NAT
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
NAT ENABLE
Syntax NAT ENABLE <name> <interfacename> {INTERNAL|DMZ}
Description This command enables NAT between an existing security interface and a network
interface type. NAT is enabled between the security interface and all the interfaces
that belong to the chosen network interface type.
Note - You must enable the Security package using the command SECURITY
ENABLE if you want to use the NAT module.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
NAT IKETRANSLATION
Syntax NAT IKETRANSLATION {COOKIES | PORTS}
Description This command supports NAT IPSec traversal. It allows you to specify how Internet
Key Exchange (IKE) packets are translated.
IKE establishes a shared security policy and authenticates keys for services that require keys, such as IPSec.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the following NAT address pool information for a specific
outside interface:
• Address pool identification number
• Address pool name
• Type of inside interface (internal or DMZ)
• Subnet configuration status (true if the network pool was set using a subnet mask,
false if it was set using a range of IP addresses)
• IP address - the outside network IP address or the first address in the range of
network pool addresses
• Mask/End Address - the outside subnet mask of the outside network IP address
or the last address in the range of network pool addresses
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 187
Example
--> nat list globalpools extinterface
NAT global address pool:
Description This command lists the following reserved mapping information for a specific
outside security interface:
• Reserved mapping identification number
• Reserved mapping name
• Global address - the IP address of the outside security interface that is mapped to
the inside IP address
• Internal address - the IP address inside the network that the global IP address is
mapped to
• Transport type (IGMP, IPIP etc.)
• Port - TCP or UDP port used by the transport type. If a non-TCP/UDP protocol is
used, the port is set to 0.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> nat list resvmaps extinterface
NAT reserved mappings:
ID | Name | Global Address | Internal Address | Type | Port
-----------------------------------------------------------------------
1 | rm2 | 192.168.103.2 | 10.10.10.10 | tcp | 25
2 | rm1 | 192.168.103.15 | 20.20.20.20 | udp | 21
-----------------------------------------------------------------------
Description This command displays information about a single network address pool that has
been added to an outside interface:
• Type of inside interface (internal or DMZ)
• Subnet configuration status (true if the network pool was set using a subnet mask,
false if it was set using a range of IP addresses)
• IP address - the outside network IP address or the first address in the range of
addresses
• Subnet Mask or End Address - the subnet mask used to define the global address
range or the last address in the range of addresses
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the following information about a single reserved mapping
configuration that has been added to an outside security interface:
• Global IP address
• Internal IP address
• Transport type
• Port number
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
NAT STATUS
Syntax NAT STATUS
190 Chapter 8 – Network Address Translation - NAT
Description This command lists the outside security interfaces and inside interface types that
NAT is currently enabled between. It displays the following information:
• NAT object identification number
• NAT object name
• Outside security interface name
• Inside interface type
Chapter 9
Multicasting Overview
Multicasting is a technique developed to send packets from one location in the
Internet to many other locations, without any unnecessary packet duplication. In
multicasting, one packet is sent from a source and is replicated as needed in the
network to reach as many end-users as necessary.
The concept of a group is crucial to multicasting. Every multicast requires a
multicast group; the sender (or source) transmits to the group address, and only
members of the group can receive the multicast data. A group is defined by a Class
D address.
Multicasting is useful because it conserves bandwidth by replicating packets as
needed within the network, thereby not transmitting unnecessary packets.
Multicasting is the most economical technique for sending a packet stream (which
could be audio, video, or data) from one location to many other locations on the
Internet simultaneously.
Of course, multicasting has to be a connectionless process. The server simply sends
out its multicast UDP packets, with no idea who will be receiving them, and
whether they get received. It would be quite impossible for the server to have to
wait for ACKs from all the recipients, and remember to retransmit to those
recipients from whom it does not receive ACKs. Apart from anything else the server
does not know who the recipients are, or how many there are.
Multicasting principles
Group addresses
A multicast stream is a stream of data whose destination address is a multicast
address – ie an IP address with the first byte having a value of 224 to 240. The
destination address used by a stream is referred to as its Group address. These
Group Addresses, like all IP addresses, are a limited resource, and there are all sorts
of rules about who may use addresses from which address ranges.
192 Chapter 9 – IGMP snooping and IGMP proxy
Anyway, a server sends out its stream to a group multicast address but the way it is
routed to the hosts that actually want to receive it is a very different process to
routing unicast packets. With unicast packets, the destination address of the packet
uniquely identifies the host who should receive the packet and all the routers along
the path just need to look in their routing tables to work out which is the correct
route to send the packet down.
However, in the case of multicast, the stream is simply being sent out, with no
particular knowledge of who wants to receive it, and where the recipients are. One
approach would be for every router that receives a multicast stream on one interface
to just retransmit that stream out ALL its other interfaces. In that way it would be
guaranteed to eventually reach every host that might be interesting in receiving it.
However, that would be an inefficient use of bandwidth, as a lot of the time the
routers would sending the streams out along paths that do not contain any hosts
that want to receive them. Given that the main reason for having multicasting is to
make efficient use of bandwidth, this would not be a good approach.
So, a more efficient approach is needed. This is where IGMP comes in.
IGMP
IGMP (Internet Group Management Protocol) is the protocol whereby hosts indicate
that they are interested in receiving a particular multicast stream. When a host
wants to receive a stream (in multicast jargon, this is called ‘joining a group’) it
sends to its local router an IGMP packet containing the address of the group it
wants to join – this is called an IGMP Membership report (sometimes called a Join
packet).
Now, the local router is generally going to be a long way from the server that is
generating the stream. So, having received the IGMP join packet, the router then
knows that it has to forward the multicast stream onto its LAN (if it is not doing so
already). However, if the router is not already receiving the multicast stream from
the server (probably many hops away) what does the router do next in order to
ensure that the multicast stream gets to it? This is achieved by elaborate process
involving multicast routing protocols like PIM, DVMRP, MOSPF
The IGMP packet exchange proceeds as follows:
At a certain period (default is 125 seconds), the router sends an IGMP query
message onto the local LAN. The destination address of the query message is a
special “all multicast groups” address. The purpose of this query is to ask “are there
any hosts on the LAN that wish to remain members of Multicast Groups?”
Hosts on the LAN receive the query, if any given host wishes to remain in a
Multicast group, it sends a new IGMP Membership report (Join message) for that
group (of course some hosts may be members of more than one group – so they will
send join messages for all the groups that they are members of).
The router looks at the responses it receives to its query, and compares these to the
list of Multicast streams that it has currently registered to receive. If there are any
items in that list for which it has not received query responses, it will send a
message upstream, asking to no longer receive that stream – ie to be ‘pruned’ from
the tree through which that stream is flowing.
In IGMP version 2, the IGMP leave message was added. So, a host can now
explicitly inform its router that it wants to leave a particular multicast group. So, the
AT-RG 600 Residential Gateway – Software Reference Manual 193
router keeps a table of how many hosts have joined particular groups, and removes
hosts from the table when it receives leave messages, then it can know straight away
when there are no hosts on its LAN that are still members of a given group. So, it
can ask to be pruned from that tree straight away, rather than having to wait until
the next query interval.
IGMP snooping
IGMP snooping is a filtering process that AT-RG613, AT-RG623 and AT-RG656
residential gateways perform at layer 2 to reduce the amount of multicast traffic on
a LAN.
It is designed to solve the problem when a multicast traffic is received from a layer 2
switch due to join requests performed by hosts connected to some of the switch
ports.
If individual hosts on the LAN (ie hosts connected to ports on the switches) wish to
receive multicast streams, then they will send out IGMP joins, which will get up to
the multicast router; and the router will join into the appropriate multicast trees;
and the multicast flows will then reach the router, and it will forward them into the
LAN.
By default, when a switch receives a multicast packet, it must forward it out all its
ports (except the port upon which it was received). So, considering the example
where only host number 1 actually requests to join a particular multicast group,
what will happen is that all the hosts on the LAN will start receiving the multicast
packets, as all the switches will forward the multicast packets to all their ports.
This is rather a waste of bandwidth, and the purpose of multicasting is to make
efficient use of bandwidth.
The solution to this problem is to make the layer-2 switch aware of the IGMP
packets that are being passed around. That is, although the IGMP packets are
destined for the router, the layer-2 switch needs to ‘snoop’ them as they go past.
194 Chapter 9 – IGMP snooping and IGMP proxy
Then the layer-2 switch can be aware which hosts have asked to join which
multicast groups, and so will only forward the multicast data to the places where it
really needs to go.
Note that multiple VLANs can be present in the system and therefore more than
one multicast router can be present. The command IGMP SNOOPING SHOW
reports the multicast router IP address discovered for each VLAN and the
physical port where it has been detected.
The Residential Gateway forwards the IGMP report on to the multicast router
detected on the VLAN where host is attached. In this way the router will also
receive the IGMP report and will update its multicast routing table accordingly.
Immediately multicast traffic for the requested group address is forwarded only
to the port where the report from Host A has been received.
• Second Scenario: another host, host B, on the same Ethernet segment as host A,
sends an IGMP report to join the same multicast group as host A.
Host B sends an unsolicited IGMP Membership report.
The Residential Gateway intercepts the IGMP membership report sent by Host B.
As a multicast entry for this group already exists, the Residential Gateway simply
adds the port to the already existing entry for that multicast group and resets the
Timeout timer to the Timeout Interval.
The command IGMP SNOOPING SHOW will report only the last host joined the
group and the new value of the Timeout timer.
If another host joins another multicast group or the same multicast group, the same
procedures described in the first and second scenarios are performed, respectively.
A new Group entry will be added whenever a new group has been joined.
Note: In order to maintain group membership, the multicast router sends IGMP
queries periodically. This query is intercepted by the Residential Gateway and
forwarded to all ports on the switch. All hosts that are members of the group
will answer that query. The IGMP protocol was designed in such a way that
only one member of any group on any VLAN would have to respond to any
given query. But, because the Residential Gateway intercepts the reports, the
hosts do not see each other’s reports, and thus, all hosts send a report (instead of
one per group). The Residential Gateway then forwards on to the router only
one report per group from among all received responses.
Leaving a Group
When a host wants to leave group it sends an IGMP Leave message specific for the
group it wants to leave.
The Residential Gateway captures the IGMP Leave message and immediately sends
an IGMP Group Specific Query on the port where it received the Leave message.
The Leave Time value is used in the query message to request a fast response from
other hosts which may be present on the same Ethernet segment.
If no answer is received to the Query, and if no other ports have hosts joined to the
same multicast group, then the leave messages is forwarded to the multicast router.
In this way the multicast traffic the router is asked to stop sending any multicast
data for that particular group.
If other ports have hosts joined to the same multicast group, the IGMP Group
Specific Query is also sent to all those ports.
196 Chapter 9 – IGMP snooping and IGMP proxy
Only if no answers are received on all the ports within the Leave Time period, the
leave message is forwarded to the multicast router.
To change the Leave Time value, use the IGMP SNOOPING SET LEAVETIME
command.
Note: If the Leave Time period is set to 0 secs (see IGMP SNOOPING SET
LEAVETIME command) and only one port has hosts joined the multicast group,
the Residential Gateway immediately forwards the leave message to the
multicast router and removes the multicast membership record without sending
any IGMP Specific Query message.
If more than one port has hosts joined the multicast group and Leave Time
period is set to 0 secs the Residential Gateway removes the port from the
multicast membership record without sending any IGMP Specific Query
message and without forwarding the leave message to the multicast router.
IGMP proxy
Independently of IGMP snooping, the AT-RG613, AT-RG623 and AT-RG656
residential gateways also support IGMP proxy.
IGMP proxy is a layer-3 feature that allows multicast traffic to be routed between
multiple IP interfaces.
As noted in the previous section, by default, multicast traffic is limited to the VLAN
where it is received. If a host joins a multicast group but multicast traffic is received
on another VLAN to which the host is not connected, the multicast traffic will never
reach the host.
IGMP proxy overrides this limitation, with the only constraint that multicast traffic
must be received only on one IP interface called the upstream interface.
In this case, when a host joins a multicast group, the IP interface attached to the
transport (VLAN) where the host is located, becomes a downstream interface. It will
receive all the multicast traffic related to the group that the host has joined.
To define the upstream IP interface use the IGMP PROXY SET
UPSTREAMINTERFACE command.
To show the multicast groups currently registeredwith the IGMP proxy on the
Residential Gateway use the IGMP PROXY SHOW STATUS command.
AT-RG 600 Residential Gateway – Software Reference Manual 197
Description This command disables the layer- 2 IGMP snooping feature previously enabled
with the IGMP SNOOPING ENABLE command.
Description This command sets the duration of the Leave Period timer for the IGMP snooping
process. The timer controls the maximum allowed time before hosts must send a
response to Query message issued by the Residential Gateway.
When IGMP snooping is enabled, by default this value is set to 10 secs.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the time interval, in seconds, at which IGMP Host Membership
Queries are sent. When IGMP snooping is enabled, by default this value is set to 125
secs.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the longest interval, in seconds, for which a group will remain
AT-RG 600 Residential Gateway – Software Reference Manual 199
in the local multicast group database without the Residential Gateway receiving a
Host Membership Report for this multicast group.
When IGMP snooping is enabled, by default this value is set to 270 secs.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command enables the residential gateway's IGMP Proxy, and sets one of the
existing IP interfaces as the upstream interface; all other interfaces are designated
downstream interfaces. The upstream interface implements the Host portion of the
IGMP protocol, and the downstream interfaces implement the Router portion of the
IGMP protocol. The IGMP Proxy may be disabled by setting upstream interface to
none.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the status of the upstream interface. If an upstream
interface has been set using the IGMP PROXY SET UPSTREAMINTERFACE
command, this command displays the current setting.
Upstream If : ip0
Description This command displays the following information about the status of IGMP proxy:
• IGMP Proxy group membership per interface details
• Interface name and querier status
• Group address
Chapter 10
Introduction
The Dynamic Host Configuration Protocol (DHCP) is defined in RFC 1541 and
provides a mechanism for passing configuration information to hosts on a TCP/IP
network.
DHCP is based on the Bootstrap Protocol (BOOTP) defined in RFC 1542, but adds
automatic allocation of reusable network addresses and additional configuration
options.
DHCP is based on a client–server model, where the server is the host that allocates
network addresses and initialization parameters, and the client is the host that
requests these parameters from the server.
There are a number of parameters that a DHCP server can supply to clients in
addition to assigning IP addresses. They can supply addresses of DNS server, WINS
Server, Cookie server etc… Also, they can supply the gateway address for the LAN.
DHCP supports three mechanisms for IP address allocation
• In the automatic allocation mechanism, DHCP assigns a permanent IP address to a
host.
• In the dynamic allocation mechanism, DHCP assigns an IP address to a host for a
limited period of time, or until the host explicitly relinquishes the address.
• In the manual allocation mechanism, the network administrator assigns a host’s IP
address, and DHCP is used simply to convey the assigned address to the host. A
particular network will use one or more of these mechanisms, depending on the
policies of the network administrator.
Dynamic allocation is the only one of the three mechanisms that allows automatic
reuse of an address that is no longer needed by the host to which it was assigned.
Dynamic allocation is particularly useful for assigning an address to a host that will
be connected to the network only temporarily, or for sharing a limited pool of IP
addresses among a group of hosts that do not need permanent IP addresses.
AT-RG 600 Residential Gateway – Software Reference Manual 203
Dynamic allocation may also be a good choice for assigning an IP address to a new
host being permanently connected to a network where IP addresses are sufficiently
scarce that it is important to reclaim them when old hosts are retired.
DHCP server
The DHCP protocol allows a host which is unknown to the network administrator
to be automatically assigned a new IP address out of a pool of IP addresses for its
network. In order for this to work, the network administrator allocates address
pools for each available subnet and enters them into the dhcpd.conf file.
On startup, the DHCP server software reads the dhcpd.conf file and stores a list of
available addresses on each subnet. When a client requests an address using the
DHCP protocol, the server allocates an address for it.
Each client is assigned a lease, which expires after an amount of time chosen by the
administrator (by default, 12 hours). Some time before the leases expire, the clients
to which leases are assigned are expected to renew them in order to continue to use
the addresses. Once a lease has expired, the client to which that lease was assigned
is no longer permitted to use the leased IP address and must resort back to the
DHCPDISCOVER mechanism ( see RFC 2131) to request a new lease.
In order to keep track of leases across system reboots and server restarts, the server
keeps a list of leases it has assigned in the dhcpd.leases file (stored in ISFS)
Before a lease is granted to a host, it records the lease in this file. Upon startup, after
reading the dhcpd.conf file, the DHCP server reads the dhcpd.leases file to gain
information about which leases had been assigned before reboot.
New leases are appended to the end of the lease file.
In order to prevent the file from becoming arbitrarily large, the server periodically
creates a new dhcp.leases file from its lease database in memory.
If the system crashes in the middle of this process, only the lease file present in flash
memory can be restored. This gives a window of vulnerability whereby leases may
be lost.
BOOTP support is also provided by this server. Unlike DHCP, the BOOTP protocol
does not provide a protocol for recovering dynamically-assigned addresses once
204 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
Example:
This paragraph provides a guide to configuring the DHCP server using commands
available on the CLI.
Let's assuming that in the system there has been defined an internal interface (where
the DHCP Server module will run) with the following IP address and netmask:
192.168.219.1 255.255.255.
The following DHCP server configuration will create a range of 10 available IP
addresses in the 192.168.219.0 subnet:
• Default lease time and maximum lease time are set to 1800 seconds and 86000
seconds, respectively.
• Four DHCP options are configured, in addition to the usual IP address and
subnet mask:
• DNS server address of 192.168.220.30;
• default gateway address of 192.168.221.40;
• IRC server address of 10.5.7.20;
• and the “auto-configure” option, which will allow use of address auto-
configuration by clients on the network.
Note that for DHCP clients using DHCPINFORM, the above declarations mean
that the server would supply the given configuration options to any client that
is on the 192.168.219.x subnet. This even includes clients that are not included in
the available address ranges – this is sensible, since ideally the DHCP server
AT-RG 600 Residential Gateway – Software Reference Manual 205
should not have addresses available to give out that may already belong to
hosts on the same subnet.
The CLI can also be used to define fixed host/IP address mappings. For example, the
command:
Note that you will still need to have a suitable subnet declaration – for example,
a subnet 192.169.219.0 with netmask 255.255.255.0, as shown earlier. Any
configuration options you define in this subnet will also be offered to every
fixed host you have added which is also on the given subnet.
dhcpserver enable
The final step is to tell the system to update the DHCP server software with the new
IP interface and configuration that has been defined. To do this, issue the following
command:
dhcpserver update
NOTE: NO configuration changes that you have made on the DHCP server will
take effect until you enter the DHCPSERVER UPDATE command.
206 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
DHCP client
A DHCP client uses the facilities of the IP stack to transmit and receive DHCP
packets. This information is processed by the client and passed back to the IP stack
to complete interface configuration for the lease duration.
A DHCP client is created on a given interface by using the IP SET INTERFACE
command with the parameter dhcp enabled. After this, the IP settings are discovered
for the interface (It's possible define one or more interfaceconfig rules to customize
the option that must be requested).
This section describes how these settings are discovered.
Firstly, the interface is disabled for all non-DHCP traffic. This will reset the IP
address and subnet mask of each nominated interface to 0.0.0.0.
The DHCP client learns its required configuration details via a DHCPDISCOVER
request.
If configuration details are not successfully obtained using DHCP, the DHCP client
will retry indefinitely in order to learn them, as described in RFC2131 (unless the
interface is disabled). Retry characteristics can be defined using DHCPCLIENT SET
RETRY command.
Once the DHCP client has accepted a suitable configuration for the interface, it has
to configure the IP stack appropriately. This involves allocating the new IP address
to the interface and configuring the subnet for the interface.
Addresses allocated by DHCP expire after the specified lease time runs out. If this
happens, the DHCP client must relearn its configuration by repeating the process
described above. The client will attempt to initiate renewal of a held lease well
before it is due to expire (approximately half way through the total duration of the
lease). This avoids the problem of an active interface being unexpectedly disabled
and dropping normal IP traffic.
The DHCP client on the AT-RG613, AT-RG623 and AT-RG656 DHCP conforms to
most of the specification given in RFC2131. A subset of the DHCP options described
in RFC2132 is supported.
The residential Gateway DHCP client accepts and makes use of the following
information:
• IP address
• Subnet mask
• Default route (one only)
• Domain name servers (up to two can be usefully supported by DNS relay)
• Host name or dhcp-client-identifier. This option can be used to specify a client
identifier in a host declaration, so that a DHCP server can find the host record by
matching against the client identifier. This option can be useful when attempting
to operate the DHCP client with a Microsoft DHCP server.
Note: When attempting to use a DHCP client with a Microsoft DHCP server,
then “send dhcpclient-identifier” is mandatory, and must be specifically set to
AT-RG 600 Residential Gateway – Software Reference Manual 207
the MAC address of the device upon which the client is running; otherwise
DHCP will not work at all.
Example
This paragraph provides a guide to setting up a DHCP client using commands
available in the CLI.
Let's assume that the system has been configured wirh an interface named eth0. The
first step is to enable the dhcp flag on this interface:
Note: For options with string-type values associated with them, the option
value must be in double-quotes ("). Also, the entire string including the double
quotes must be inside single quotes (') to ensure that the CLI treats the double
quotes literally.
These commands create a new DHCP client interface configuration related to the IP
interface you defined earlier. Let us consider, line by line, what the above
configuration does:
• A lease time of one hour is requested.
• A client identifier of 00:20:2b:01:02:03 is specified.
• In the event of a DHCP server being unavailable, the DHCP client will
automatically assign an address using AutoIP.
• Any DNS server addresses received from a server will be passed to the DNS
relay. (There is also an analogous option to pass the addresses to the DNS client).
• For this to occur, the DHCP client must request DNS server addresses from a
server (maps onto the "request" directive).
• The DHCP client will insist that a default gateway parameter is present in any
lease offer (maps onto the "require" directive).
• Finally, the DHCP client will send out "galapagos" as the value of the host name
option – this can be used by some ISPs as part of a simple authentication process
(maps onto the "send" directive).
The final step is to tell the Residential Gateway to update the DHCP client software
with the new IP interface and configuration that has been defined. To do this, issue
the following command:
210 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
dhcpclient update
NOTE: NO configuration changes that you have made on the DHCP client will
take effect until you enter the DHCPCLIENT UPDATE command.
DHCP Relay
A DHCP relay uses the facilities of the IP stack to transmit and receive DHCP
packets.
From a DHCP client’s point of view, the relay acts as a de-facto DHCP server, and
this operation is transparent. This is useful where a network administrator only
wishes to have one DHCP server across several physical and logical sub-networks.
The relay works by forwarding all broadcasted client requests to one or more
known DHCP servers.
Server replies are then either broadcast or unicast back to the client via the DHCP
relay.
Description This command creates a new fixed host mapping in the DHCP server.
The commands informs the DHCP server to assign a specific IP address to a specific
DHCP client based on the client’s MAC address.
If a DHCPDISCOVER or DHCPREQUEST is received from the DHCP client with
that MAC address, it will have the specified fixed IP address assigned to it.
It's necessary to also create a suitable DHCP subnet definition in order for fixed host
mapping to work.
Note: It's not possible to create a fixed host mapping with an IP address that is
already present inside a configured, dynamic IP range on a subnet. The reverse
is also forbidden; it's not possible add addresses into a dynamic IP range that
are already configured as fixed host addresses.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
The example below creates a suitable subnet for the above fixed host mapping. Note
that the IP address used above is within the subnet, but is not within the range of IP
addresses that constitute the server’s dynamic pool (192.168.219.10 – 192.168.219.20):
Description This command defines a subnet that requests will be received from, and a pool of
addresses within that subnet. The DHCP server can allocate IP addresses from this
pool to clients on request.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
-->dhcpserver add subnet sub1 239.252.197.0 255.255.255.0 239.252.197.10
239.252.197.107
Description This command deletes all DHCPserver fixedhosts that were created using the
214 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
Description This command deletes all DHCP server subnets that were created using the
DHCPSERVER ADD SUBNET commands.
Description This command deletes a single fixed host mapping in the DHCP server that was
created using the DHCPSERVER ADD FIXEDHOST command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single DHCP server subnet. The pool of IP addresses in the
subnet are also deleted.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 215
DHCPSERVER ENABLE|DISABLE
Syntax DHCPSERVER {enable|disable}
Note: DHCP server must be enabled in order to carry out any DHCP server
configuration.
DHCP server and DHCP relay cannot be enabled at the same time.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the following information about existing DHCP fixed host
mappings:
• fixed host ID number
• fixed host name
• IP address
• MAC address
216 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
Example
--> dhcpserver list fixedhosts
DHCP server fixed host mappings:
Description This command lists the option data types available for DHCP server.
These options are detailed in RFC2132.
It's possible to configure the DHCP server to use any of the options listed.
Example
--> dhcpserver list options
subnet-mask
time-offset
routers
time-servers
ien116-name-servers
domain-name-servers
log-servers
cookie-servers
lpr-servers
impress-servers
resource-location-servers
host-name
boot-size
merit-dump
domain-name
swap-server
root-path
extensions-path
ip-forwarding
non-local-source-routing
policy-filter
max-dgram-reassembly
default-ip-ttl
path-mtu-aging-timeout
path-mtu-plateau-table
interface-mtu
all-subnets-local
broadcast-address
perform-mask-discovery
mask-supplier
AT-RG 600 Residential Gateway – Software Reference Manual 217
router-discovery
router-solicitation-address
static-routes
trailer-encapsulation
arp-cache-timeout
ieee802-3-encapsulation
default-tcp-ttl
tcp-keepalive-interval
tcp-keepalive-garbage
nis-domain
nis-servers
ntp-servers
vendor-encapsulated-options
netbios-name-servers
netbios-dd-server
netbios-node-type
netbios-scope
font-servers
x-display-manager
dhcp-requested-address
dhcp-lease-time
dhcp-option-overload
dhcp-message-type
dhcp-server-identifier
dhcp-parameter-request-list
dhcp-message
dhcp-max-message-size
dhcp-renewal-time
dhcp-rebinding-time
dhcp-class-identifier
dhcp-client-identifier
option-62
option-63
nisplus-domain
nisplus-servers
tftp-server-name
bootfile-name
mobile-ip-home-agent
smtp-server
pop-server
nntp-server
www-server
finger-server
irc-server
streettalk-server
streettalk-directory-assistance-server
user-class
option-78
option-79
option-80
option-81
option-82
option-83
option-84
nds-servers
nds-tree-name
nds-context
option-88
option-89
...(more options down to)
option-115
218 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
auto-configure
option-117
...(more options down to)
option-254
option-end
Description This command lists the following information about existing DHCP server subnets:
• subnet number
• subnet name
• subnet IP address
• subnet netmask
• default lease time (in seconds)
• maximum lease time (in seconds)
• whether the host is a DNS server (true or false)
Example
--> dhcpserver list subnets
DHCP Server subnets:
Default Max Host is
ID | IP Address | Netmask | Lease time | Lease time | DNS svr
---|----------------|---------------|------------|------------|--------
1 | 192.168.102.0 | 255.255.255.0 | 43200 | 86400 | false
-----------------------------------------------------------------------
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command determines whether or not DHCP server can respond to BOOTP
requests.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the global default lease time for DHCP server. To retrieve the
current DEFAULTLEASETIME value, use the DHCPSERVER SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the IP address that will be allocated to a DHCP client by the
fixed host mapping. To retrieve the current FIXEDHOST IPADDRESS values, use
the DHCPSERVER LIST FIXEDHOST command.
Note: It's not valid to create a fixed host mapping with an IP address that is
already within a configured, dynamic IP range on a subnet. The reverse is also
forbidden; it's not possible to add addresses into a dynamic IP range that are
already configured as fixed host addresses.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the MAC address for an existing fixed host mapping. To
retrieve the current FIXEDHOST MACADDRESS values, use the DHCPSERVER
LIST FIXEDHOST command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum lease time for an existing fixed host mapping.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the global maximum lease time for DHCP server. To retrieve the
current MAXLEASETIME value, use the DHCPSERVER SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the default lease time for an existing subnet. This command
setting overrides the global default lease time setting for this particular subnet. To
retrieve the current SUBNET DEFAULTLEASETIME value, use the DHCPSERVER
SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command tells the DHCP server to give out its own interface IP address (ie the
IP address on the interface via which the DHCP lease is allocated to the client) as
the default gateway address. To retrieve the current settings, use the DHCPSERVER
SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command tells the DHCP server to give out its own interface IP address (ie the
IP address on the interface via which the DHCP lease is allocated to the client) as
the DNS server address. This is useful when combined with DNS Relay. To retrieve
the current settings, use the DHCPSERVER SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum lease time for an existing subnet. This command
setting overrides the global maximum lease time setting for this particular subnet.
To retrieve the current settings, use the DHCPSERVER SHOW command.
224 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command allows you to change the IP address and netmask that define the IP
subnet used by an existing DHCP server subnet.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpserver set subnet sub1 subnet 239.252.197.0 255.255.255.0
DHCPSERVER SHOW
Syntax DHCPSERVER SHOW
Description This command displays the following global configuration information about the
DHCP server:
• status of the server (enabled/disabled)
• global default lease time
• global maximum lease time
• allow bootp requests setting (enable/disable)
• allow unknown clients setting (enable/disable)
Status: ENABLED
Description This command displays the following information about an existing subnet:
• subnet name
• subnet IP address
• subnet netmask
• subnet maximum lease time
• subnet default lease time
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Subnet: 192.168.103.0
Netmask: 255.255.255.0
Max. lease time: 70000 seconds
Default lease time: 30000 seconds
Description This command adds a pool of IP addresses to an existing subnet. The DHCP server
can allocate IP addresses from this pool to clients on request.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpserver subnet sub1 add iprange 239.252.197.0 239.252.197.107
Description This command allows you to configure the DHCP server to send options detailed in
RFC2132. To display a list of available options, use the command DHCPSERVER
LIST OPTIONS.
The heading of each option in the list contains the option identifier and the required
value (in italics) for that specific option. The following is an extract from the option
list, given as an example of the nature of the options:
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes all of the IP ranges set for an existing subnet.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes the options set for an existing subnet.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single option that was added using the DHCPSERVER
SUBNET ADD OPTION command. Once deleted, the option will no longer be given
out by the DHCP server.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the IP range(s) for an existing subnet that have been added
using the DHCPSERVER ADD SUBNET command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the options for an existing subnet that has been added using the
DHCPSERVER ADD SUBNET command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
ID | Identifier | Value
-----|------------------|------------------
1 | ip-forwarding | false
2 | subnet-mask | 255.255.255.0
-------------------------------------------
DHCPSERVER UPDATE
Syntax DHCPSERVER UPDATE
AT-RG 600 Residential Gateway – Software Reference Manual 231
Description This command updates the DHCP server configuration. Changes made to the server
configuration will not take effect until this command has been entered.
Description This command configures DHCP client parameters for negotiation over an existing
IP interface. This command can only be applied to IP interfaces have DHCP enabled
(see IP SET INTERFACE DHCP command).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes all existing DHCP client interface configurations.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command tells the DHCP client on a specific interface to request a specified
option from a DHCP server. The requested option is not compulsory - if the option
is not included in a lease offered by DHCP server, the DHCP client will still accept
the offer.
Options are detailed in RFC 2132.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient interfaceconfig client1 add requested option irc-server
Description This command tells the DHCP client on a particular interface that it requires a
specified option from DHCP server. The required option is compulsory - if the
option is not included in a lease offered by DHCP server, the DHCP client will
ignore the offer.
Options are detailed in RFC 2132.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient interfaceconfig client1 add required option domain-name
Description This command tells the DHCP client on a particular interface to send a value for the
given DHCP configuration option to a DHCP server. The DHCP server’s response
depends on the type of option being sent out
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example To tell the DHCP client to send the DHCP host-name option to the DHCP server
with the value “vancouver” use the following command:
Note: For options with string-type values associated with them, the option
value must be in double-quotes ("). Also, the entire string including the double
quotes must be inside single quotes (') to ensure that the CLI treats the double
quotes literally.
OPTIONS
Description This command deletes all options that were previously added to an interfaceconfig
using the DHCPCLIENT INTERFACECONFIG ADD REQUESTED/REQUIRED
OPTION commands
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes all options that were previously added to an interfaceconfig
using the DHCPCLIENT INTERFACECONFIG ADD SENT OPTION commands
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single option that was previously added to an
interfaceconfig using the DHCPCLIENT INTERFACECONFIG ADD OPTION
REQUESTED/REQUIRED commands.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient interfaceconfig client1 delete requested option 1
Description This command deletes a single option that was previously added to an
interfaceconfig using the DHCPCLIENT INTERFACECONFIG ADD SENT
OPTION command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the options that the DHCP client requests and/or requires from
the DHCP server. These options were set using the DHCPCLIENT
INTERFACECONFIG ADD REQUESTED/REQUIRED OPTION commands.
The following information are displayed:
• Option identification number
240 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient interfaceconfig client1 list requested options
Description This command displays a list of the options that the DHCP client sends to the
DHCP server. These options were set using the DHCPCLIENT
INTERFACECONFIG ADD SENT OPTION command.
The following information are displayed:
• Option identification number
AT-RG 600 Residential Gateway – Software Reference Manual 241
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient interfaceconfig client1 list sent options
Description This command lists the following information about existing DHCP client
interfaces:
• interface identification number
• interface name
• IP interface configured by the client interface
• requested lease time (in seconds)
• client identifier (if set)
• Status of IP address auto-configuration (true or false)
Example
--> dhcpclient list interfaceconfigs
DHCP Client Declarations:
242 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
Requested
ID | Name | Interface | Lease Time | Client ID | AutoIP
-----|------------|------------|------------|-------------------|--------
1 | client1 | ip1 | 9000 | 00:11:22:33:44:5a | true
Description This command sets the global maximum time (in seconds) that a DHCP client
interface will `back off' between issuing individual DHCP requests. This prevents
many clients trying to configure themselves at the same time, and sending too many
requests at once.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Note: Even if Auto-IP has been enabled using this command, IP address auto-
configuration will not be carried out if a DHCP server on the same network
does not allow it. See the DHCPSERVER SUBNET ADD OPTION command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
See also DHCPSERVER SUBNET ADD OPTION (see the specific example given for this
command)
For further information on the RFC standard for DHCP IP address auto-
configuration, see http://www.ietf.org/rfc/rfc2563.txt.
Description This command sets a unique client identifier that the DHCP server uses to identify
the client.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 clientid 00:11.22.33.44.5a
Description This command enables/disables whether the DHCP client makes use of default
gateway information received from a DHCP server. If no DHCP interfaceconfigs
have been added to the system, by default the DHCP client will use default gateway
information received from a DHCP server.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 defaultroute disabled
AT-RG 600 Residential Gateway – Software Reference Manual 245
Description This command enables/disables whether a DHCP client uses the dhcpinform message
type. This DHCP message type is used whenever a client has obtained an IP address
or subnet mask (for example, the address has been manually configured or obtained
through PPP/IPCP), but wishes to obtain extra configuration parameters (such as
NS servers or default gateway) from a DHCP server.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 dhcpinform disabled
Description This command tells a DHCP client to configure a DHCP server on the LAN if the
246 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
given address pool size is set to a number greater than 0. The LAN DHCP server is
configured using parameters received by a DHCP client interface on the WAN.
Information such as DNS server addresses can then be distributed to LAN clients.
The new DHCP server uses its lan IP address as the address to give out as the
default gateway address.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 dhcpserverpoolsize 20
Description This command allows the user to specify an existing IP interface on which the
automatically configured DHCP server can be created. If the interface name does
not correspond with an existing IP interface, the DHCP server will be placed on the
first LAN interface that it finds.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 dhcpserverinterface ip2
Description This command enables/disables whether a DHCP client passes received DNS server
addresses to the DNS client. If no DHCP interfaceconfigs have been added to the
system, by default the DHCP client will not pass DNS server addresses to the DNS
client.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 givednstoclient disabled
Description This command enables/disables whether a DHCP client passes received DNS server
addresses to the DNS relay. If no DHCP interfaceconfigs have been added to the
system, by default the DHCP client will pass DNS server addresses to the DNS
relay.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 givednstorelay disabled
AT-RG 600 Residential Gateway – Software Reference Manual 249
Description This command sets the IP interface that will have its configuration set by the DHCP
client interface. The client interface can only set the IP configuration if the IP
interface has DHCP enabled, using the IP SET INTERFACE DHCP command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 interface ip2
The DHCP server must have 'allowunknownclients' enabled in order to work with
DHCP clients that are not specifically named in DHCP server configuration or its
lease database.
Options The following table gives the range of values for each option which can be specifie
d with this command and a default value (if applicable).
250 Chapter 10 – Dynamic Host Configuration Protocol - DHCP
Example
--> dhcpclient set interfaceconfig client1 noclientid
Description The DHCP client requests a specific lease time from the DHCP server for the
allocated IP addresses. This command determines the length of lease time
requested. The DHCP server will `cap' a requested lease time if it is too large.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 requestedleasetime 70000
Description If DHCPCLIENT SET DHCPINFORM has been set to enabled, this command will
unicast the first DHCPINFORM message to the specific DHCP server at the
specified IP address. If the first unicast fails, the DHCPINFORM will default to
broadcasting its messages.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> dhcpclient set interfaceconfig client1 server 192.168.101.2
Description When the DHCP client is restarted, it tries to reacquire the last address that it had.
This command sets the time for which the client tries to reacquire its last address. At
the expiry of this time, it gives up and tries to discover a new address.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the time that must pass after the client has determined that no
DHCP server is present before it tries again to contact a DHCP server.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
DHCPCLIENT SHOW
Syntax DHCPCLIENT SHOW
Description This command displays the following global configuration information about
DHCP client:
• reboot time
• retry time
• maximum backoff time
Reboot time: 10
Retry time: 300
Max. backoff time: 120
DHCPCLIENT UPDATE
Syntax DHCPCLIENT UPDATE
Description This command updates the DHCP client configuration. Changes made to the client
configuration are not actually applied until this command has been entered.
Description This command adds the IP address of a DHCP server to the DHCP relay's list of
server IP addresses. The relay can store a maximum of 10 DHCP server addresses.
Any new server IP addresses added are not actually used until the DHCPRELAY
UPDATE command has been entered.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes all DHCP server IP addresses stored in DHCP relay's list of
server IP addresses.
Description This command deletes a single DHCP server address stored in the DHCP relay's list
of server IP addresses.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Option Description Default Value
A number that identifies the DHCP server
in the DHCP relay’s list of servers. To
number N/A
display server numbers, use the
DHCPRELAY LIST SERVERS command.
DHCPRELAY ENABLE|DISABLE
Syntax DHCPRELAY {ENABLE|DISABLE}
Note: DHCP relay and DHCP server cannot be enabled at the same time. Trying
to configure DHCP relay when DHCP server is enabled results in CLI warning
message.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the DHCP relay's list of DHCP server IP addresses with
their identification numbers.
ID | IP Address
-----|------------------
1 | 192.168.102.3
2 | 239.252.197.0
------------------------
DHCPRELAY SHOW
Syntax DHCPRELAY SHOW
Description This command tells you whether DHCP relay is enabled or disabled.
Status: ENABLED
DHCPRELAY UPDATE
Syntax DHCPRELAY UPDATE
Description This command updates the DHCP relay configuration. Changes made to the relay
configuration will not take effect until this command has been entered.
Chapter 11
Introduction
DNS is an abbreviation for Domain Name System, a system for naming computers
and network services that is organized into a hierarchy of domains. DNS naming is
used in TCP/IP networks, such as the Internet, to locate computers and services
through user-friendly names. When a user enters a DNS name in an application,
DNS services can resolve the name to other information associated with the name,
such as an IP address.
For example, most users prefer a friendly name such as “alliedtelesyn.com” to locate
a computer such as a mail or web server on a network. A friendly name can be
easier to learn and remember. However, computers communicate over a network by
using numeric addresses. To make use of network resources easier, name services
such as DNS provide a way to map the user-friendly name for a computer or service
to its numeric address. If you have ever used a Web browser, you have used DNS.
The following graphic shows a basic use of DNS, which is finding the IP address of
a computer based on its name.
In this example, a client computer queries a server, asking for the IP address of a
computer configured to use host.alliedtelesyn.com as its DNS domain name.
Because the server is able to answer the query based on its local database, it replies
with an answer containing the requested information, which is a host (A) resource
record that contains the IP address information for host.alliedtelesyn.com. The
example shows a simple DNS query between a single client and server. In practice,
DNS queries can be more involved than this and include additional steps not shown
here.
DNS Relay
The AT-RG613, AT-RG623 and AT-RG656 can act as a DNS relay. So, DNS packets
which arrive at the Residential Gateway, addressed to the Residential Gateway, will
be relayed on to a known DNS Server.
In this way, devices on the LAN can treat the Residential Gateway as though it were
the DNS Server. Only the Residential Gateway needs to know the address of the real
DNS Server looking into it's internal DNS Relay servers list.
It's possible configure the DHCP server running on the internal Residential
Gateway's IP interface in order to offer the IP address of it's internal IP interface as
DNS server's IP address for the internal hosts DNS requests.
It's also possible write a file named "dnsrelaylandb" with information about host
attributes and a domain name and IP address mask. When DNS relay will receive a
DNS request it will check if the answer to this request is in this file and in this case it
will answer to the question; if it hasn’t enough information it will forward the
request to a DNS server.
It is possible to nominate both a primary and a secondary DNS server to contact.
DNS responses received from the server are then forwarded back to the original
host making the DHCP request.
Both UDP and TCP DNS requests are supported.
The DNS relay does not bind itself to any one specific interface or interface type, but
rather will listen for traffic on all available IP interfaces. It relies on the well-known
UDP and TCP port number for a DNS server (port number 53) for receiving DNS
traffic.
DNS Client
AT-RG613, AT-RG623 and AT-RG656 are provided with an internal DNS client, to
use this function you must add DNS server addresses that will be used by the
Residential Gateway ONLY for its own lookups.
AT-RG 600 Residential Gateway – Software Reference Manual 259
Description This command adds the IP address of a DNS server to DNS relay's list of server IP
addresses. The relay can store a maximum of 10 DNS server addresses.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command clears the DNS relay cache in the current session. DNS relay has a
small local cache of DNS entries to increase performance for lookups of frequently
used destinations.
Description This command clears the DNS relay LAN database that was set using the
DNSRELAY SET LANDATABASEFILE command.
Description This command deletes all DNS server IP addresses stored in DNS relay's list of
server IP addresses.
Description This command deletes a single DNS server address stored in DNS relay's list of
server IP addresses.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the DNS relay's list of DNS server IP addresses with their
identification numbers.
ID | IP Address
-----|------------------
1 | 239.252.197.0
------------------------
Description This command tells DNS relay which filename it should load its local database
from. The file is an ASCII file that you have created and stored in the ISFS
configuration file.
The landatabase file contains the following:
• information about local host names and IP addresses
• the domain name that the relay should use
• the IP address and netmask that the relay should use
Once the filename is set, DNS relay will load this database and use it to answer
requests for local host names and/or IP addresses. Your LAN then has its own small
DNS relay local database.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the IP address and subnet mask that the DNS relay uses to
determine if a query is for an element of the local database. These information are in
collected in the LANDATABASEFILENAME file.
Description This command displays the domain name used by the DNS relay to determine if a
host name request is for the local database. These information are in collected in the
LANDATABASEFILENAME file.
Description This command displays the name of the file that was set using the DNSRELAY SET
LANDATABASEFILENAME command. The second example shows the
LANDATABASEFILENAME content.
host_name host1.yourdomain.com.
address 172.39.10.10
host_name host1.yourdomain.com.
address 172.39.10.15
Description This command creates a domain search list. The DNS client uses this list when a
user asks for the IP address of a host, but specifies an incomplete domain name for
the host. The search string specified replaces any previous search strings added
previously using this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command adds a server IP address to the server list. This enables you to
retrieve a domain name for a given IP address.
264 Chapter 11 – Domain Name System - DNS
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes all domain names from the domain search list.
Description This command deletes all the server IP addresses to the server list.
Description This command deletes a single domain name from the domain search list.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command deletes a single server IP addresses from the server list.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists the domain search strings that you have added to the DNS
client using the DNSCLIENT ADD SEARCHDOMAIN command. The DNS client
uses this list when a user asks for the IP address of a host, but specifies an
incomplete domain name for the host.
Description This command lists the server IP addresses that you have added to the DNS client
using the DNSCLIENT ADD SERVER command. The DNS client uses this list to
retrieve a domain name for a given IP address.
ID | IP Address
----|------------------
1 | 192.168.100.7
2 | 192.168.100.1
------------------------
AT-RG 600 Residential Gateway – Software Reference Manual 267
Chapter 12
SNTP
The SNTP Version 4 client is an OSI Layer 7 application that allows the
synchronization of the AT-RG613, AT-RG623 and AT-RG656 system clock to global
sources of time-based information using UDP.
Its detailed implementation, which is described in RFC 2030, provides a complete
and simplified method to access international timeservers to receive, organize and
adjust the time-synchronization of the local system.
The SNTP client described herein is a scaled down version of the Network Time
Protocol (NTP) which is specified in RFC 1305. The main difference between an
SNTP and an NTP client is the fact that most SNTP clients will interact with, at
most, a single (S)NTP server. Also, SNTP Version 4 clients include an “anycast”
mode in addition to unicast and broadcast access modes not available in past
versions of NTP/SNTP clients
SNTP Features
The following feature are available on then AT-RG613, AT-RG623 and AT-RG656
Residential Gateway:
• Boot time and runtime synchronization of the system clock can both be
configured.
• SNTP in the AT-RG613, AT-RG623 and AT-RG656 system can function in one of
three transfer modes:
o Unicast Mode - The SNTP client sends to a server, located at a
specific previously configured address, a request for time
synchronization and expects a reply only from that particular
server.
o Broadcast /Multicast Mode - A multicast NTP server periodically
transmits a message to the local subnet broadcast address. The
client is configured to listen, and receives the synchronized time-
based information. The client then configures itself based on this
information, but sends no reply
268 Chapter 12 – SNTP
Description This command sets the system clock to a specific time and date. This command can
be used as an alternative to synchronizing the local system clock via internal or
external timeservers.
Example The following command sets the system clock to 11:10:13pm, 2nd November 2001:
Description This command enables/disables a particular access mode for the STNP client. There
are three modes to choose from, and each mode can be separately enabled or
disabled:
• Unicast mode
• Enable - the mode sends unicast messages to the IP address or hostname in
the SNTP server association list. The SNTP client attempts to contact the
specific server in the association in order to receive a timestamp when the
sntpclient sync command is issued.
• Disable - the unicast server is removed from the association list.
270 Chapter 12 – SNTP
• Broadcast mode
• Enable - allows the SNTP client to accept time synchronization broadcast
packets from an SNTP server located on the network, and updates the local
system time accordingly.
• Disable - stops synchronization via broadcast mode.
• Anycast mode
• Enable - the SNTP client sends time synchronized broadcast packets to the
network and subsequently expects a reply from a valid timeserver. The
client then uses the first reply it receives to establish a link for future sync
operations in unicast mode. This server will then be added to the server
association list. The client ignores any later replies from other servers after
the first one is received. The server learnt by the anycast process takes
precedence over any entries currently in the associations list when the
sntpclient sync command is issued.
• Disable - stops synchronization via anycast mode.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the SNTP client to automatically send a time synchronization
request (specific to the mode) to the network at a specific interval. If the poll-
interval is set to 0, the polling mechanism will be disabled.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 271
Description This command sets the number of retry attempts that will be made when no
response is received from a timeserver. If the client receives no reply to its sync
requests, it willcontinue sending request packets at a fixed interval (set by the
SNTPCLIENT SET TIMEOUT command), up to the number of retries specified in
this command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the dedicated unicast server with which the SNTP client can
synchronize its time. You can set the server by specifying either the IP address or
the hostname.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Examples IP address
--> sntpclient set server ipaddress 129.6.15.28
hostname
--> sntpclient set server hostname time-a.nist.gov
Description This command sets the received packet response timeout value (in seconds) upon
sync request initiation. If a response is not received within the time specified by this
command, the client will resend the request. This cycle will continue until either a
reply is received, or the cycle has been repeated for the number of times specified in
the SNTPCLIENT SET RETRIES command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the local time zone. The timezone is represented by one of the
abbreviations given in a table below. Setting the timeszonecan configure the local
system to be up to + 13 hours different from Universal Time Coordinate (UTC).
64 of the worlds most prominent time zones are represented (including both
standard times and summer/daylight saving times).
Options The following table gives the 64 time zone abbreviations that you can use in this
command.
The table also contains the difference in time (in hours and minutes) from the UTC,
and a description of the area of the world (from west to east) where the time
difference is calculated from:
Example In the example below, the time zone is set to Unites States Eastern Standard Time,
which is five hours earlier than UTC (-0500):
Description This command lists the server being used by the SNTP client and displays whether
or not the client is currently synchronized with this server.
AT-RG 600 Residential Gateway – Software Reference Manual 275
Examples IP address
--> sntpclient show association
Time Reference Server IP address: 129.6.15.28
** Local clock synchronized with this server.
hostname
--> sntpclient show association
Time Reference Server Hostname: time-a.nist.gov
** Local clock synchronized with this server.
SNTPCLIENT SYNC
Syntax SNTPCLIENT SYNC
Description This command forces the SNTP client to immediately synchronize the local time
with the server located in the association list (if unicast) or, if anycast is enabled,
initiate an anycast sequence.
Chapter 13
PPPoE
Figure 13. PPP is used by Internet Service Providers (ISPs) to allow dial-up users
to connect to the Internet.
PPP has now been adapted to Ethernet, and is appropriately called PPP over
Ethernet (PPPoE). Since PPP was designed to do things that were either impossible
or unnecessary with Ethernet, users are often confused as to why one would want to
use PPP over Ethernet at all.
AT-RG 600 Residential Gateway – Software Reference Manual 277
If we were to compare TCP/IP traffic to vehicle traffic, the basic TCP/IP protocol
would be comparable to a network of city streets. Streets can serve many access
points. It is easy to get on to and off the street.
Additional access points can be added with little disruption. It is hard to tell how
many cars are actually using each street. PPP, on the other hand, would be
comparable to a railway. Travel is generally between two well-defined points. You
can't get on and off anywhere. It is relatively easy to count and monitor passengers.
You need a ticket to board.
If this is true, then is not PPPoE like running railway tracks down Main Street? In
fact, yes, it is. That is what tramways do. Without disturbing main street traffic, they
bring the advantages of railways. They offer speedy access between two well-
defined points and allow you to count passengers. And you need a ticket to board.
PPPoE allows ISPs to monitor the volume of traffic that their users generate.
PPP over Ethernet brings this sort of functionality to ISPs that do not use serial links
to connect their users. Serial ISPs already use PPP over modem communications.
DSL providers, on the other hand, use Ethernet, not serial communications. Because
of this, many require the added functionality of PPP over Ethernet, which allows
them to secure communications through the use of user logins and have the ability
to measure the volume of traffic each user generates.
Typically PPPoE is the “way” to connect the internal device with the external
world. Each PPPoE instance must have a unique subnet and belong to a unique
VLAN.
• Create an IP interface and attach the IP interface to the PPPoE using the following
command:
After the completion of the authentication phase of the PPP negotiation, the PPPoE
client negotiates with the Server the IP parameters for the connection:
• IP address for client and server ends of the link
• Primary DNS Server IP address
• Secondary DNS Server IP address
280 Chapter 13 – PPPoE
Description This command creates a PPPoE transport that performs dialout over Ethernet. It
allows you to specify the following parameters for the PPPoE client:
• the vlan used to receive and send packets belonging to the PPP interface
• the internal port that will transport data
• access concentrator (optional
• service name (optional)
Options The following table gives the range of values for each option which can be specified
with this command and a default value for each option (if applicable).
Example
--> pppoe add transport pppoe1 default 1
Description This command deletes all PPPoE transports that were created using the PPPoE
ADD TRANSPORT command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value for each option (if applicable).
Description This command lists PPPoE transports that have been created using the PPPOE ADD
TRANSPORT command. It displays the following information about the transports:
• transport identification number
• transport name
AT-RG 600 Residential Gateway – Software Reference Manual 283
ID | Name | Port
-----|------------|-----------
1 | default | ethernet2
2 | vlan21 | ethernet2
------------------------------
Description This command specifies the access concentrator that you want PPPoE to connect to.
If an access concentrator has been defined, to remove it, it's necessary remove
the pppoe transport where the access concentrator refers.
You can also specify a service name using the SET TRANSPORT SERVICENAME
command so that PPPoE will only accept a specific service via a specific access
concentrator.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
It's possible specify one or more filters to block the autoconnect function when a
UDP or TCP connection is requested to a particular port. See PPPOE SET
TRANSPORT AUTOCONNECT ADD FILTER command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command disables the PPPoE autoconnect function when a TCP/UDP session
is requested for a specific address port.
AT-RG 600 Residential Gateway – Software Reference Manual 285
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example --> pppoe set transport pppoe1 autoconnect filter add tcpport
23
Description This command removes a PPPoE filter previously added with the command PPPOE
SET TRANSPORT AUTOCONNECT FILTER ADD.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value for each option (if applicable).
Description This command controls whether the PPP Internet Protocol Control Protocol (IPCP)
can request a DNS server IP address for a remote PPP peer. Once IPCP has
discovered the DNS server IP address, it gives the address to the local DNS client so
that it can be used for DNS lookups initiated from the Residential Gateway itself.
You must have the DNS client process included in your image build in order to use
this feature.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 287
Description This command controls whether the PPP Internet Protocol Control Protocol (IPCP)
can request the DNS server IP address for a remote PPP peer. Once IPCP has
discovered the DNS server IP address, it gives the address to the local DNS relay so
it can be used for relayed DNS lookups.
You must have the DNS relay process included in your image build in order to use
this feature.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command tells a specified PPP transport to send an LCP (Link Control
Protocol) echo request frame at specified intervals (in seconds). If no reply is
received, the PPP connection is turned down. This functionality is also known as
`keep-alive'.
If you do not want to send LCP echo frames, specify zero (0) in the <interval>
attribute.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum number of Link Control Protocol (LCP)
configure requests that will be sent by an existing PPPoE transport before it decides
that the PPP peer is not responding. Upon having decided that the peer is not
responding, the transport changes from the REQ SENT state back to the STARTING
state; ie it stops trying to negotiate the link.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the Link Control Protocol (LCP) maximum fail number.This is
the number of configure-nak packets sent without receiving a valid configure ack
before assuming the configuration is not converging.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
290 Chapter 13 – PPPoE
Description This command sets the Link Control Protocol (LCP) maximum terminate number
for an existing PPPoE transport. When the transport has sent this number of
consecutive LCP terminate requests without receiving a reply, it will assume that
the PPP peer is unable to reply, and will simply terminate the link.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command tells the PPP process the local IP address to be used on this PPP
interface or sets the PPP interface to get the IP address dynamically.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command specifies the service name that is acceptable to the PPPoE client.
You can also set the access concentrator using the SET TRANSPORT
ACCESSCONCENTRATOR command so that PPPoE will only accept a specific
service via a specific access concentrator.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 293
Description This command sets a (dialout) username on a named transport. The username is
required when PPP negotiation takes place and is supplied to the remote PPP server
for authentication. To apply a positive authentication you must use not only this
command but moreover you also must use PPPOE SET TRANSPORT PASSWORD
and PPPOE SET TRANSPORT WELOGIN.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the authentication protocol used to connect to external PPP
servers (dialout).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the following information about an existing PPPoE
transport:
• Description
• Interface number
• Server - dialin status
• Headers - the data format that the transport can accept or receive
• SVC status (false)
• Local IP address
• Subnet mask
• Remote IP address
• Remote DNS
• Propagate DNS to client (true or false)
• Propagate DNS to relay (true or false)
• Dialout Username
• Dialout Password
• Dialout Authentication method
• Dialin Authentication method
• Access concentrator
• Service name
• Port name
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description: pppoe2
Interface ID: 1 Server: false
Headers: learn SVC: false
Local IP: 0.0.0.0
Subnet mask: 0.0.0.0
Remote IP: 0.0.0.0
Remote DNS: 0.0.0.0
Propogate DNS to client: true To relay: true
Dialout username:
Dialout password:
Dialout auth.: none
Dialin auth.: none
Autoconnect: true
User Idle Timeout: 30
Access Conc.:
Service name: y
Chapter 14
Introduction
This chapter describes the telephony services available on the Residential Gateway
and the support for analog voice ports (FXS) and digital ISDN interfaces (Basic
Rate).
The AT-RG613TX(J) supports two FXS ports to connect up to 2 standard DTMF
analogue telephones. A further PSTN port (AT-RG613TXJ model only) is available
to connect the Residential Gateway to a Central Office or to an analog PBX.
The PSTN port (also named FXO port) allows a VoIP end-point to reach an external
phone connected to the PSTN network. In the opposite direction, the FXO port
allows an incoming PSTN call to reach a VoIP end-point.
The same FXO port acts like lifeline when the unit is powered off (or when no local
user is registered to a SIP server or Gatekeeper), connecting the local phones to the
PSTN operator.
The AT-RG623TX supports two ISDN Basic Rate ports to connect up to 8 ISDN
terminals to the residential gateway. In this case the two ports use the same S/T bus
and ISDN terminals can use one port or the other one independently. Up to 2
simultaneous calls can be made on the S/T bus (the limitation is due to the Basic
Rate service that support only two bearer channels of 64Kbps each).
The access port module controls both analog and digital ports:
• on FXS models it detects hardware events like off-hook and DTMF key press and
controls hardware functions like tone generation and ringing.
• on the ISDN models it implements the ISDN protocol conforming to Euro ISDN
standards (ETSI).
The access port module also performs the voiceband processing required to
interface analog or PCM voice, fax with data networks incorporating packet-based
protocols such as Internet protocol (IP).
This system incorporates a voiceband processor (VoIP DSP) that operates in
conjunction with analog interface circuitry and with the unit main processor (CPU).
AT-RG 600 Residential Gateway – Software Reference Manual 299
The unit main processor implements packet network protocol stacks and system
control, while the voice-band processor primarily performs mathematically
intensive DSP algorithms.
The following are the features available on the Voice system:
Voice Encoding/Decoding
• G.711 A-/µ-law 64 Kbps PCM Speech CODEC
• G.729A/B CS-ACELP Speech CODEC with VAD
• G.726-16Kbps, G.726-24Kbps, G.726-32Kbps and G.726-40Kbps
• T.38 support for transmission of T.30 fax signals into T.30 Intenet Fax Protocol
(IFP) packets.
Analog Ports
On the AT-RG613TX model two FXS ports are provided.
On the AT-RG613TXJ model two FXS ports are provided plus one FXO port.
Connection from the unit to standard DTMF analogue telephones is made via two
RJ11 8-pin connectors.
The analog front-end circuit is designed to support 5REN (Ring Equivalent
Number) load on each FXS port.
An additional RJ11 connector is available as pass-through PSTN port when the unit
is not powered. In this case an internal relay connects the first FXS port to the PSTN
port, allowing the user to make external calls to a Central Office or to analog PBX.
Analog ports are able to reproduce telecom tones similar to the tones provided from
a regional central office or local exchange, simply by selecting the desired country
via the VOIP EP SET COUNTRY command.
Digital Ports
The AT-RG623TX supports two ISDN Basic Rate (BRI) ports.
300 Chapter 14 – VoIP Analogue and Digital Access Ports
A block diagram of a typical Basic Rate Access circuit is shown in Figure 14.
Analogue
Phone/FAX
TA
Digital Digital
Phone/FAX Phone/FAX
The S/T loop may be shared by a number of TEIs and TAs communicating with a
single Network Termination (NT). The U loop may be several kilometres in length and
runs between the NT and the Line Termination (LT) on the ISDN service provider's
premises. The letters S, T and U refer to reference points in the ITU-T
Recommendations defining ISDN.
With respect to a standard ISDN Basic Rate Access, the AT-RG623TX is designed to
operate like an NT (LT-S) termination offering access to a VoIP network instead of
an ISDN network.
The Basic Rate access available on the AT-RG623TX consists of 2 data channels
(called B1 and B2) of 64Kbps each; plus one signaling channel (called the D channel)
of 16Kbps. This allows two simultaneous calls (outgoing or/and incoming) to be in
operation at the same time.
See ETS 300 012-1 Annex A - A.2.1 Point-to-multipoint - A.2.1.1 Short passive bus for
more technical details..
Common
Port creation and configuration (if necessary) are part of the VoIP system
configuration steps required in order to receive or make calls, as illustrated in Figure
15.
Default Configuration
Signalling Protocol
Config. (SIP/H323)
Users Binding
Incoming/
Outgoing Calls
By default, analog or digital access ports are not configured in the system when the
unit starts from a factory default configuration.
302 Chapter 14 – VoIP Analogue and Digital Access Ports
If a port is not defined, no users can be added to the port and therefore no incoming
calls can be received and no outgoing calls can be made.
On the AT-RG623, attempting to make an outgoing call through an undefined
digital port will result in a DISCONNECT message from the unit. A busy tone may
be reproduced locally on the ISDN telephone depending on phone model (typically
the busy tone is generated for few seconds and then the user is invited to replace the
handset).
On the AT-RG613, attempting to make a call through an undefined analogue port
will result in absence of any tone provided by the unit.
To create a port, use the command VOIP EP CREATE and to enable a port use the
command VOIP EP ENABLE.
Each access port has a unique identifier used during the VOIP EP CREATE
command. Depending on the model, the following ports and port identifiers can be
used:
Port configuration
Port configuration is managed through the VOIP EP SET command.
It is used to configure the following subsections:
• Digit Map/Dial Mask
• Voice Coder/Decoder
• Voice Quality Management
• Telecom Tones Management
Digit Map
The Digit Map is a rule used by the access port to understand when dialing is is to
be considered completed and the dialed number is ready to be processed by the call
control layer. It works for outgoing calls (in the direction from user to VoIP
network).
A digit map is defined either by a (case insensitive) "string" or by a list of strings.
Each string in the list is an alternative numbering scheme, specified either as a set of
digits or timers, or as an expression over which the port will attempt to find a
shortest possible match. The following constructs can be used in each digit map:
DTMF: A digit from '0' to '9' or one of the symbols "A", "B", "C", "D", "#", or "*".
AT-RG 600 Residential Gateway – Software Reference Manual 303
Timer: The symbol 'T' matching the timer expiry. The symbol 'T' at the end of Digit
Map indicates that if user has not dialed a digit for a time longer than the value of
the inter-digit time, the dialed number shall be considered complete. If the symbol T
appearsi in the middle of digit map expression is not considered and skipped
during expression evaluation.
Wildcard: The symbol "x", which matches any digit ("0" to "9").
Range: One or more DTMF symbols enclosed between square brackets ("[" and "]").
Subrange: Two digits separated by a hyphen ("-") which matches any digit
between and including the two. The subrange construct can only be used inside a
range construct, i.e., between "[" and "]".
Position: A period ("."), which matches an arbitrary number, including zero,
of occurrences of the preceding construct.
Also, note that the whole Digit Map shall not exceed 128 characters.
Let’s consider an example where the user in an office wants to call a co-worker’s 3-
digit extension. The Digit Map is defined in such a way that after the user has
entered 3 digits, the called number is processed.
The command to set the Digit Map could look as follows:
Let’s consider the case of a choice: the Digit Map must check if the number is
internal (an extension), or external (a local call). Assuming that dialling “9” makes
an external call, the Digit Map could be defined with the command:
The “#” or “*” character could indicate users must dial the “#” or “*” character at the
end of their number to indicate it is complete.
When processing the outgoing call the call control layer removes any '#'', '*' and 'T'
symbols from the dialed number.
Dial Mask
The Dial Mask specifies the number of digits that must be removed from the dialed
number before checking the dialed number against the Digit Map.
When a user digits the called party number, the number of digits specified by the
dial mask parameter are removed from the selection This feature is available both
on AT-RG613TX and AT-RG623TX models.
On AT-RG613TXJ model, dial mask acts both on fxs ports and on the fxo port.
On the fxo port dial mask works only far calls in the direction PSTN to VoIP thus
only on incoming calls on fxo port.
Voice Coder/Decoder
The Voice system makes use of a specific DSP with an embedded sigma-delta
Coder/Decoder to process voice and data from/to access ports.
Different codec types are available in order to satisfy the requirements of different
environments.
It's possible to specify more than one codec type for each port using the command
VOIP EP SET CODECS.
The codec specified at the leftdmost ens of the codec list has precedence over the
other codecs.
The signaling protocol (SIP or H323) will negotiate the active codec based on the
capabilities supported by the other peer involved in the VoIP connection.
In the case of local calls, codec negotiation is performed locally by the call control
layer.
The following codecs are available on the AT-RG613, AT-RG623 and AT-RG656
units:
• g711a (G.711 A law)
• g711u (G.711 µ law)
• g729 (G.729)
• g726-16 (G.726 16kbps)
• g726-24 (G.726 24kbps)
• g726-32 (G.726 32kbps)
• g726-40 (G.726 40kbps)
• T.38
AT-RG 600 Residential Gateway – Software Reference Manual 305
A brief description of each codec is provided below, with some notes about quality
and performance.
and 5 bits, respectively. At 32kbps ADPCM has a low delay and is considered "toll-
quality", i.e. virtually indistinguishable from A-law and u-law for a single encoding.
At lower bit rates, especially below 24kbps, speech quality is dramatically reduced.
T.38 support
AT-RG613, AT-RG623 and AT-RG656 are designed to support the transmission of
T.30 fax signals using T.38 Internet Fax Protocol (IFP) packets.
Even if T.38 is reported under the codec supported list in AT-RG600 family, T.38 is
not properly a codec but is a technical solution to map FAX signals into a dedicated
IP protocol that overrides the limitations (e.g. signal distortion) that are present
when faxes are sent using codec designed for speech applications.
When T.38 support is enabled and a fax must be sent or received, the Residential
Gateway tries firstly to negotiate T.38 support with the called or calling end-point
respectively. If this fails, automatically the Residential Gateway switches to a non
compressed codec like G711u or G711a.
Jitter Buffer
Voice-over-packet systems require a “jitter” buffer to compensate for delay variation
due to packet queuing, network congestion, or other network phenomena.
This delay results when a complete voice packet ready for transmission cannot be
immediately transmitted. This may be because packets from other equal priority
voice channels are also ready to be transmitted or because a lower priority data
packet has started transmission and must be allowed to complete.
This delay is dependent on a number of factors including the minimum size data
packet, the number of other voice channels, which could simultaneously produce a
packet, and the willingness to reduce network packet efficiency by transmitting a
partially filled packet.
The jitter buffer is designed to prevent data starvation on the packet-receiving end,
and may dynamically adjust its buffer depth depending on network performance
characteristics.
The voice DSP make use of one shared output buffer in the encode direction. The
system is designed to zeroing the process latency for ports using the same codec
algorithm.
In the case that access ports are not using the same codec, this optimization is less
effective and some channel data could suffer a variable delay (jitter).
AT-RG 600 Residential Gateway – Software Reference Manual 307
On the decoding path (from VoIP network to access port), voice/data packets are
managed in separate jitter buffers (one for each access port) to compensate
efficiently for jitter injected by the network.
The command VOIP EP SET JITTERDELAY is used to specify the jitter delay. The
delay parameter represents the delay in milliseconds that the jitter buffer waits
before it transmits the data samples that are collected from the VoIP network.
DTMF Relay
DTMF Relay is a protocol dependent solution used to transfer DTMF tones when in
a call a low compressed codec is used. In this case, if tone is managed similarly to
voice, the tone may be distorted during compression and decompression phase and
therefore a specific application must be used to support DTMF transfer.
• DTMF Relay under SIP protocol
To prevent tone distortion, during call establishment, the endpoints negotiate a
specific RTP packet payload (Named Telephone Event) used only to tranfer DTMF
tones as specified in RFC 2833 (section 3).
When the Residential Gateway attempts to establish a call, it adds to the capabilities
list the RTP packet Named Telephone Event only if a compressed codec (g726 or
g729ab) has been configured for the Voice access port involved in the call.
- Then if the call is established using an uncompressed codec (i.e. g711u or
g711a), the Residential Gateway will send DTMF tone in-band (independently
if the called endpint supports or not RTP packet Named Telephone Event) on
the same path used for voice.
- If the call is established using a compressed codec, the Residential Gateway will
send DTMF tones using RTP packet Named Telephone Event only if the called
end-point supports it, otherwise it switches to the same path used for voice
(accepting DTMF distorsion).
When the Residential Gateway is going to accept a call, it adds to the capabilities list
the RTP packet Named Telephone Event only if a compressed codec (g726 or
g729ab) has been configured for the Voice access port involved in the call.
- Then if the call is established using an uncompressed codec (i.e. g711u or
g711a), the Residential Gateway will send DTMF tone in-band (independently
if the caller endpint supports or not RTP packet Named Telephone Event) on
the same path used for voice.
- If the call is established using a compressed codec, the Residential Gateway will
send DTMF tones using RTP packet Named Telephone Event only if the caller
end-point supports it, otherwise it switches to the same path used for voice
(accepting DTMF distorsion).
The Inter-digit time is the maximum acceptable time between the dialing of one
digit and the next. If a time greater than the inter-digit time elapses after the dialing
of a digit, dialling is considered complete.
The Inter-digit time value is used by the timer 'T' in the digit map expression.
To change the value of the inter-digit time use the VOIP EP SET IDT-PARTIAL
command
The Inter-digit critical time is the maximum acceptable time between the off-hook
event and the dialing of the first digit. If a time greater than this has elapsed since
off-hook and dialing has not yet started, then the connection is closed and a busy
tone is generated.
To change the value of the inter-digit critical time use the VOIP EP SET IDT-
CRITICAL command
Port enable/disable
It's possible to temporarily disable a port by using the VOIP EP
ANALOGUE/DIGITAL DISABLE command.
Any call originated from, or sent to, a user attached to a disabled access port is
discharged.
On the AT-RG613, no dial tone is provided through a disabled analogue port.
On the AT-RG623, attempting to make an outgoing call through a disabled digital
port will result in a DISCONNECT message from the unit. A busy tone may be
reproduced locally on the ISDN telephone depending on phone model (typically the
busy tone is generated for few seconds and then the user is invited to replace the
handset).
When a port is disabled, each user added to the port starts to un-register from the
Location Server (SIP signaling protocol) or Gatekeeper (H323 signaling protocol).
To change the port status from disabled to enabled, use the VOIP EP
ANALOGUE/DIGITAL ENABLE command.
As soon the port is enabled all the users attached to the port automatically restart
the process of registration with the location server or gatekeeper.
To show the users attached to a port, use the VOIP EP ANALOGUE/DIGITAL
SHOW command.
To show the user registration status, use the VOIP USER SHOW command.
AT-RG 600 Residential Gateway – Software Reference Manual 311
VOIP EP CREATE
Syntax VOIP EP ANALOGUE CREATE <name> TYPE <port-type> PHYSICAL-PORT <phy-
port-id>
Description This command adds a named access port and binds it to a physical access port.
If the physical resource is already assigned to another named port, an error is raised
and the command fails.
On AT-RG623TX model, only one digital port can be created with TYPE dl-bri-
lt-s and PHYSICAL-PORT tel. On AT-RG623TX model, only one digital port can
be created with TYPE dl-bri-lt-s and PHYSICAL-PORT tel.
Options The following table gives the range of values for each option that can be specified
with this command and a default value (if applicable).
Example
--> voip ep analogue create prt0 type al-fxs-del physical-port tel1
--> voip ep digital create prt0 type dl-bri-lt-s physical-port tel1
VOIP EP DELETE
Syntax VOIP EP ANALOGUE DELETE <name>
VOIP EP DIGITAL DELETE <name>
Description This command deletes the named access port created previously using the VOIP EP
CREATE command.
Deleting an access port where one or more users are attached, causes a
deregistration procedure to be invoked for the users attached to the removed
port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
VOIP EP SHOW
VOIP EP DISABLE
Syntax VOIP EP ANALOGUE DISABLE <name>
Description This command disables the physical port referred to by the named access port.
Use the VOIP EP SHOW command to retrieve the Operational Status of a specific
port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
VOIP EP ENABLE
Syntax VOIP EP ANALOGUE ENABLE <name>
Description This command enables the physical port referred to by the named access port.
Use the VOIP EP SHOW command to retrieve the Operational Status of a specific
port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
VOIP EP LIST
Syntax VOIP EP ANALOGUE LIST
Description This command lists the named access port defined in the system using the VOIP EP
CREATE command.
The following information is displayed:
• end-point (analogue or digital) ID value
• end-point (analogue or digital) name
• physical port index
• physical port typology
CFWD on-busy
CFWD on-no-answer
Description Call ForWarDing (CFWD) enables to forward incoming calls to another destination
previously decided in a static way. The feature must be enabled on the RG6xx via
the command line, and can be set for following cases:
• CFWD for all incoming calls
• CFWD in case of busy state of the receiver of the call
• CFWD in case of no answer. In this case a timer can be set. The timer allows users
to decide a time threshold after which the call is considered not answered.
In order to have all rules set at the same time, you need to digit on the phone
keyboard the "on-prefix + <the number> + on-suffix". You can see changes on the
RG6xx by typing the following command:
voip ep <digital/analogue> show <port-name> cfwd <all-calls/on-busy/on-no-
answer>
Then, to disable it on the phone, you need to digit the "off-prefix". If you want to
disable it on the RG600, type the following command:
voip ep <digital/analogue> disable <port-name> cfwd <all-calls/on-busy/on-no-
answer>
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
number
The sequence to be composed by the user
off-suffix on his phone keyboard to disable the call N/A
forwarding.
The time threshold after which the call is
secs N/A
considered not answered
Example --> voip ep analogue set tel1 cfwd enable all-calls on-prefix *123* on-suffix # off-
prefix **
--> voip ep analogue set tel1 cfwd enable on-no-answer on-prefix *123* on-suffix
# off-prefix **
voip ep analogue set tel1 cfwd on-no-answer timeout 10
Description This command enables or disables the comfort noise generation feature.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
VOIP EP LIST
VOIP EP SHOW
Description This command sets the codec capability list for an existing access port.
T38 support must always be selected together with another speech codec
(G711a/u or G726 or G729ab).
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets dial tone, busy tone and ring back tone frequencies and
cadences on the physical port referred to by the named access port, appropriately
for the selected country.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets the dial mask value (number of chars to be removed from the
dialed number) on the physical port referred to by the named access port.
On AT-RG613 TXJ FXO port, dial mask works only in the direction PSTN to
FXO port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets the dial mode used by analogue ports. On the fxo port, if
DIALMODE is set to AUTO, the Residential Gateway examines the type of
signalling mode supported on the PSTN line and set the port signalling to the same
mode automatically. On fxs ports, if DIALMODE is set to AUTO, the Residential
Gateway uses the same signalling mode selected for fxo port.
If PULSE mode is selected, it's also necessary select the pulse rate: 10pps or 20pps.
VOIP EP ENABLE
VOIP EP LIST
VOIP EP SHOW
Description This command sets the digit map rule on the physical port referred to by the named
access port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command set the Inter-digit critical time on the physical port referred to by the
named access port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets the Inter-digit time on the physical port referred to by the
named access port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
VOIP EP DISABLE
VOIP EP DELETE
VOIP EP ENABLE
VOIP EP LIST
VOIP EP SHOW
Description This command sets the jitter delay value on the port referred to by the named access
port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets the line echo cancellation length on the port referred to by the
named access port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
324 Chapter 14 – VoIP Analogue and Digital Access Ports
Description This command set the off-hook time on the port referred to by the named access
port.
Only analog access ports accept off-hook time settings.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command set the on-hook time on the port referred to by the named access
port.
Only analog access ports accept on-hook time settings.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets the input gain (in the direction from AT-RG600/VoIP network to
phone/user) of the port referred to by the named access port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command sets the output gain (in the direction from phone/user to AT-
RG600/VoIP network) of the port referred to by the named access port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command enables or disables the voice activity detection feature on the port
referred to by the named access port.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 327
VOIP EP SHOW
Syntax VOIP EP ANALOGUE SHOW <name>
Description This command displays the following information about a named access port:
• Physical Port
• Typology
• Operational status
• Comfort Noise Generation (CNG)
• Codec Capabilities
• Country
• Critical-digit time
• Inter-digit time
• Dialing Mode (AT-RG613TX and AT-RG613TXJ models)
• Digit map
• Dial mask
• Line Echo Cancellation (AT-RG613TX and AT-RG613TXJ models)
• Jitter Delay
• Voice Activity Detection (VAD)
• Off-hook time (AT-RG613TX and AT-RG613TXJ models)
328 Chapter 14 – VoIP Analogue and Digital Access Ports
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Attached users:
Description This command disable the lifeline feature and in this case the fxo port is used to
offer gateway service.
Outgoing call is forwarded to it on dial selection base, while incoming call may be
forwarded to any internal and external user allowing destination re-dialling. A user,
calling from PSTN, needs two phases to reach the destination; the first dialled
number allows to gain the access to VoIP network and next selection have to be
dialled to reach the final destinationadds a named access port and binds it to a
physical access port.
Example
--> voip lifeline disable
Example
--> voip lifeline enable
Chapter 15
VoIP SIP
Introduction
This chapter describes the main features of the SIP standard, the protocols
supported, the implementation of the call processes in the AT-RG613, AT-RG623
and AT-RG656 and how to configure and operate the AT-RG613, AT-RG623 and
AT-RG656 to provide, or connect to, a VoIP Network.
SIP Protocol
SIP (Session Initiation Protocol) is a protocol developed to assist in providing
advanced telephony services across the Internet. Internet telephony is evolving from
its use as a "cheap" (but low quality) way to make international phone calls to a
serious business telephony capability. SIP is one of a group of protocols required to
ensure that this evolution can occur.
SIP is part of the IETF standards process and is modeled upon other Internet
protocols such as SMTP (Simple Mail Transfer Protocol) and HTTP (Hypertext
Transfer Protocol.).
It is used to establish, change and tear down (end) calls between one or more users
in an IP-based network.
In order to provide telephony services there is a need for a number of different
standards and protocols to come together - specifically to ensure transport (RTP),
signalling inter-working with today’s telephony network, to be able to guarantee
voice quality (RSVP, YESSIR), to be able to provide directories (LDAP), to
authenticate users (RADIUS, DIAMETER), and to scale to meet the anticipated
growth curves.
SIP is described as a control protocol for creating, modifying and terminating
sessions with one or more participants. These sessions include Internet multimedia
conferences, Internet (or any IP Network) telephone calls and multimedia
distribution. Members in a session can communicate via multicast or via a mesh of
unicast relations, or via a combination of these.
332 Chapter 15 – VoIP SIP
Protocol Components
There are two components within SIP. The SIP User Agent and the SIP Network
Server. The User Agent is effectively the end system component for the call and the
SIP Server is the network device that handles the signaling associated with multiple
calls.
The User agent itself has a client element, the User Agent Client (UAC) and a server
element, the User Agent Server (UAS.) The client element initiates the calls and the
server element answers the calls. This allows peer-to-peer calls to be made using a
client-server protocol.
The SIP Server element also provides for more than one type of server. There are
effectively three forms of server that can exist in the network - the SIP stateful proxy
server, the SIP stateless proxy server and the SIP re-direct server. The main function
of the SIP servers is to provide name resolution and user location, since the caller is
unlikely to know the IP address or host name of the called party. What will be
available is perhaps an email-like address or a telephone number associated with
the called party. Using this information, the caller’s user agent can identify with a
specific server to "resolve" the address information – it is likely that this will involve
many servers in the network.
AT-RG 600 Residential Gateway – Software Reference Manual 333
A SIP proxy server receives requests, determines where to send these, and passes
them onto the next server (using next hop routing principals). There can be many
server hops in the network.
The difference between a stateful and stateless proxy server is that a stateful proxy
server remembers the incoming requests it receives, along with the responses it
sends back and the outgoing requests it sends on.
A stateless proxy server forgets all information once it has sent on a request. This
allows a stateful proxy server to fork requests to try multiple possible user locations
in parallel and only send the best responses back. Stateless Proxy servers are most
likely to be the fast, backbone of the SIP infrastructure.
Stateful proxy servers are then most likely to be the local devices close to the User
Agents, controlling domains of users and becoming the prime platform for the
application services.
A re-direct server receives requests, but rather than passing these onto the next
server it sends a response to the caller indicating the address for the called user. This
provides the address for the caller to contact the called party at the next server
directly.
SIP addresses users by an email-like address. Each user is identified through a
hierarchical URL that is built around elements such as a user’s phone number or
host name (for example, SIP:user@company.com). Because of this similarity, SIP
URLs are easy to associate with a user’s e-mail address.
SIP provides its own reliability mechanism and is therefore independent of the
packet layer and only requires an unreliable datagram service.
SIP is typically used over UDP or TCP.
SIP provides the necessary protocol mechanisms so that end systems and proxy
servers can provide services:
• User location
• User capabilities
• User availability
• Call set-up
• Call handling
• Call forwarding, including
• The equivalent of 700-, 800- and 900- type calls
• Call-forwarding no answer
• Call-forwarding busy
• Call-forwarding unconditional
• Other address-translation services
• Callee and calling "number" delivery, where numbers can be any (preferably
unique) naming scheme
• Personal mobility, i.e., the ability to reach a called party under a single, location-
independent address even when the user changes terminals
334 Chapter 15 – VoIP SIP
SIP Messages
A SIP request message consists of three elements:
• Request Line
• Header
AT-RG 600 Residential Gateway – Software Reference Manual 335
• Message Body
A SIP response message consists of three elements:
• Status Line
• Header
• Message Body
The Request line and header field define the nature of the call in terms of services,
addresses and protocol features. The message body is independent of the SIP
protocol and can contain anything.
SIP defines the following methods (SIP uses the term ‘method’ to describe the
specification areas):
• Invite invites a user to join a call.
• Bye terminates the call between two of the users on a call
• Options requests information on the capabilities of a server
• Ack confirms that a client has received a final response to an INVITE
• Register provides the map for address resolution, letting a server know the
location of other users.
• Cancel ends a pending request, but does not end the call
• The INFO method, for mid-session signalling, is also being added Related
Standards Activity.
SIP IP Phone
VoIP Network
AT-RG613 AT-RG613
(or AT-RG623) (or AT-RG623)
SIP Server
Figure 16. Phone --> AT-RG613/RG623 (A) --> AT-RG613/RG623 (B) --> Phone
SIP IP Phone
VoIP Network
AT-RG613 AT-RG613
(or AT-RG623) (or AT-RG623)
SIP Server
Introduction
The VoIP SIP subsystem on AT-RG613, AT-RG623 and AT-RG656 residential
gateways is based on the concept of SIP servers, local users, call forwarding rules
and access ports.
The following section describe SIP servers, local users and forwarding database.
• SIP servers are servers where local users register themselves (Location Servers)
and where calls are routed (Proxy Servers) when an outgoing call is going to be
set up.
• Users are entities uniquely identified in the system by a name with an associated
phone number. The User's phone number represents the user's address on the
local system.
• Forwarding rules are local call routing rules used to forward an incoming call on
a local user to a remote system or to a remote user. Forwarding rules are also
used for locally originated calls when the called party is not a local user and the
call must be routed to a specific contact that typically is different from the proxy
server.
Definition of SIP servers, users, and optionally forwarding database rules, are three
basic steps in correctly configuring the VoIP SIP subsystem (see Figure 18).
338 Chapter 15 – VoIP SIP
Default Configuration
Users Binding
Incoming/
Outgoing Calls
SIP Servers
Location Servers
The SIP module needs to know where locally defined users attempt to register their
contact in the network.
The VOIP SIP LOCATIONSERVER CREATE command is used to set the location
servers used to register users.
It's possible to define more that one location server in order to increase system
reliability in case the first location server doesn't work or cannot be reached.
The system will attempt to register the local users on all the location servers
available in the location server list (see VOIP SIP LOCATIONSERVER LIST
command) until the first registration phase achieves a positive result. Once a
successful registration with a server has been achieved no further registration
requests will be performed even if other location servers are defined.
In the case that more than one location server is defined in the system, it's possible
to set a location server as Master: all the registration requests will start from the
master location server independently of the position of the server in the location
servers list. In the case of registration failure on the Master server, the Location
Server list will be used as server address table where registration requests will be
sent.
If no location servers are defined, the system starts trying to use the server
addresses defined in the Proxy Server list as a location server.
AT-RG 600 Residential Gateway – Software Reference Manual 339
If users are defined without specify the user domain (see VOIP SIP USER
CREATE command), the user domain will be automatically associated to the
location server address where the user has been registered.
Proxy Servers
The SIP module needs to know which proxy server must be used when an outgoing
call cannot be processed by a local number or by a well defined forwarding rule but
must resolved by an external proxy server.
The VOIP SIP PROXYSERVER CREATE command is used to inform the system
about the proxy servers that can be contacted when an outgoing call is going to be
established.
Similarly to location servers, it's possible to define more that one proxy server in
order to increase system reliability in case the first proxy server doesn't work or
cannot be reached.
The system will attempt to contact all the proxy servers available in the proxy server
list (see VOIP SIP PROXYSERVER LIST command) until the first server answers to
the INVITE request. In that case no further INVITE requests are sent to the other
proxy servers even if the called user cannot be reached.
In the case that more than one proxy server is defined in the system, it's possible to
set a proxy server as Master: all the INVITE requests will start from the master
proxy server independently of the position of the server in the proxy servers list. In
the case that the Master proxy server cannot be reached, the Proxy Server list will be
used as server address table where INVITE requests will be sent.
The Proxy Server is also used as registration server if no location servers are
defined.
If users are defined without specify the user domain (see VOIP SIP USER
CREATE command) and no Location Servers are defined, the user domain will
be automatically associated with the proxy server where the user has been
registered.
Users
The system is designed to support up to 100 entries, shared between users and
forwarding rules.
Users are defined by the VOIP SIP USER CREATE command.
Each user must have an associated user number, composed of an address number
and, optionally, an area code number if a complete E.164 number must be defined.
340 Chapter 15 – VoIP SIP
Note: In any given system there cannot exist two or more users with the same
area code and address.
In any given system it is allowable to have two or more users with the same
address but different area code or no area code at all.
Users may inform the VoIP network about the location (IP address) where they can
be contacted by registering themselves on the location server defined in the VOIP
SIP LOCATIONSERVER CREATE command. In this way, other endpoints on the
VoIP network can contact each user by simply using the user address.
The domain where users are members is the domain defined in the VOIP SIP USER
CREATE command. If the DOMAIN is not defined, users will get as domain the
address of the Location Server (or Proxy Server if no location servers are defined)
where they are registered.
To know the user's registration status use the VOIP SIP USER SHOW command.
The user number used in the location registration messages is the complete user
number: area code + address number.
Note that physical access ports don’t have their own fixed phone number. They
inherit the phone number from the user number of attached users.
More than one user may be attached to the same physical access port and therefore
more than one phone number can be associated to the same physical access port.
If a user receives a call but the physical line where the user is attached is already
involved in another communication (because it is used by another user), the call is
rejected.
When an outgoing call (in the direction user to VoIP network) is made and more
than one user is attached on the access port being used to make the call, the identity
of calling user is deemed to be the first user defined in the list of users attached to
that port.
To know which users are attached to a physical port, use the VOIP EP SHOW
command. All the local users belong to the same domain.
AT-RG 600 Residential Gateway – Software Reference Manual 341
When an access port is deleted from the system, all the users previously attached are
removed from the port.
Removing a user from a port, by using the VOIP SIP USER REMOVE command or
by deleting the access port, results in an un-registration process from the location
server defined during user creation phase.
• When the signaling end-point layer receives a call it retrieves the called end-point
address (called number).
o Typically the called number is defined in the call signaling messages
received from the network (in the To header).
o If the call is originated locally, the called number address is equal the dialed
number (unless the anologue/digital endpoint as the dialmask set to a value
different from 0).
• The Called end-point address is searched for among the local user addresses to
check if the recipient of the call is a user on the local system.
• If the called end-point matches the address of a local user, the physical resource
(analog or digital port) associated with the called user starts ringing (if the
resource is available)
• If the called number cannot be found among the local users, the forwarding
database is scanned to look for all the entries matching the called number.
The forwarding algorithm acts differently if the call is originated locally or the
call is an incoming call:
If the fdb entry has defined the FWADDRESS field, the called number is
changed from the dialed number to the number defined in the fdb entry
FWADDRESS field. In this way it's possible to dial short numbers that will
be replaced by full qualified numbers in the outgoing calls.
By default, the calling user is the first user defined in the system that is
attached to the outgoing physical port.
o If no match is found in the forwarding database, the INVITE message is
routed to the first available proxy server (starting from the Master proxy
server if defined) using as called endpoint domain the same domain as the
calling user.
By default, the calling user is the first user defined in the system that is
attached to the outgoing physical port.
Incoming calls
o If a match is found, a MOVED TEMPORARY message is sent back to the
call originator reporting the contact address defined by the CONTACT field
in the matched fdb entry.
If the fdb entry has defined the FWADDRESS field, the called number is
changed from the dialed number to the number defined in the fdb entry
FWADDRESS field.
o If no match is found in the forwarding database, the call is discharged.
In this case, using digit map expressions, it is possible to define a generic rule in
such a way that all the calls are routed to a specific contact (e.g. the proxy server)
that will be in charge of proceeding with the call routing.
Digit map expressions are also useful for designing a small network without making
use of any location servers or proxy servers or gatekeepers.
344 Chapter 15 – VoIP SIP
Description This command stops the VoIP SIP signalling protocol and releases all the resources
associated to it.:
• any analogue or digital port defined in the system is removed.
• any user defined in the system is deleted.
• any forwarding entry in the fdb is deleted.
• any SIP server reference (location and proxy) is removed.
This command is typically used when it's necessary to change the VoIP signalling
protocol, i.e. from SIP to H323.
To simply restart the SIP module, use the VOIP SIP PROTOCOL RESTART
command. It doesn't remove any resources defined under the voip main module.
To enable the SIP module, use the VOIP SIP PROTOCOL ENABLE command.
Binding the SIP module to a specific IP interface defines the value of the
source IP address for signallng and voice packets. SIP URLs with local
reference offer the hostname and the IP address belonging the provisioned
interface.
Example
--> voip sip protocol enable
Description This command restarts the VoIP SIP signaling protocol module.
Any pending and active calls are released.
Users previously registered to location servers start to unregister themselves and
then re-register. on the same location servers.
This command doesn't release any resources (users, physical ports and fdb entries)
previously created during module configuration.
Description This command sets the default listening/sending port used for SIP signaling
346 Chapter 15 – VoIP SIP
messages.
By default, when the SIP module is attached to an IP interface using theVOIP SIP
PROTOCOL SET NETINTERFACE command, the following default value is used:
• defaultport: 5060
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the protocol features extended by the protocol.
100rel and Session Timer are always supported when requested; setting
“session-timer” the user agent explicitly requires this keep-alive
mechanism. Info method overlaps the event transfer supported by RTP
sessions.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the NAT host reference. Any SIP URLs with local reference is
hidden by the NAT address value.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the IP interface used to access the VoIP network.
• Signaling and voice packets will use the Source IP address defined for the
selected interface.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum time between the trasmission of a packet and the
reception of the response. If the time expires, protocol primitives are retransmitted.
Retransmission of protocol primitives are useful in case of unreliable transports like
UDP to recover errors in transactions.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the largest amount of time that can occur between session
refresh in dialog before the session will be considered timed out..
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays basic SIP module configuration parameters set by the VOIP
AT-RG 600 Residential Gateway – Software Reference Manual 349
Description This command creates a new entry in the location servers list. Each location server
must have a different <name>. If the location server already exists, an error message
is raised.
This command is accepted only if the SIP module is already running. See the VOIP
SIP PROTOCOL ENABLE command to turn on the SIP module.
This command doesn’t set the master location server. To define a location server as
master use the VOIP SIP LOCATIONSERVER SET MASTER command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> voip sip locationserver create default contact 192.168.102.3
Description This command deletes a single location server created using the VOIP SIP
LOCATIONSERVER CREATE command.
To show the list of existing location servers, use the VOIP SIP LOCATIONSERVER
LIST command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists information about location servers that were added using the
VOIP SIP LOCATIONSERVERS CREATE command. The following information is
displayed:
352 Chapter 15 – VoIP SIP
• server ID numbers
• server names
• Master: whether the server has been set as Master or not. A star symbol
in the field identifies the server as the current location server where local user are
registered.
• Contact: the IP address (IPv4 or hostname format) of the location server
Note: If a name is longer than 32 chars, the name is shown in a short format
(only the initial part of the name is displayed). To show the full name use the
VOIP SIP LOCATIONSERVER SHOW command, specifying the server ID
instead of server name.
Example
--> voip sip location list
Description This command sets a location server as Master. If another location server was set
Master previously, the flag Master is removed from the old one.
To show the list of existing location servers, use the VOIP SIP LOCATIONSERVER
LIST command.
Description This command creates a new entry in the proxy servers list. Each proxy server must
have a different <name>. If the proxy server already exists, an error message is
raised.
This command is accepted only if the SIP module is already running. See the VOIP
SIP PROTOCOL ENABLE command to turn on the SIP module.
This command doesn’t set the master proxy server. To define a proxy server as
master use the VOIP SIP PROXYSERVER SET MASTER command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> voip sip proxy create default contact 192.168.102.3
Description This command deletes a single proxy server created using the VOIP SIP
PROXYSERVER CREATE command.
To show the list of existing proxy servers, use the VOIP SIP PROXYSERVER LIST
command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists information about proxy servers that were added using the
VOIP SIP PROXYSERVER CREATE command. The following information is
displayed:
• server ID numbers
AT-RG 600 Residential Gateway – Software Reference Manual 355
• server names
• Master: whether the server has been set as Master or not. A star symbol in the
field identifies the server as the currect proxy server used by outgoing calls.
• Contact: the IP address (IPv4 or hostname format) of the proxy server
Note: If a name is longer than 32 chars, the name is shown in a short format
(only the initial part of the name is displayed). To show the full name use the
VOIP SIP PROXYSERVER SHOW command, specifying the server ID instead of
server name.
Example
--> voip sip proxyserver list
Description This command sets a proxy server as Master. If another proxy server was set Master
previously, the flag Master is removed from the old one.
To show the list of existing proxy servers, use the VOIP SIP PROXYSERVER LIST
command.
Description This command attaches a user created with the command VOIP SIP USER CREATE
to a named port created with the command VOIP EP CREATE.
As soon as this command is entered, the registration phase starts.
The system tries to register the user with the location server specified by
the VOIP SIP LOCATIONSERVER CREATE command. If no location
servers are defined, the system tries to register the user with the proxy
server specified by the VOIP SIP PROXYSERVER CREATE command. If no
proxy server are defined, registration phase is not performed until a
location server or proxy server is added to the SIP module.
To display the user's registration status and port association use the VOIP SIP USER
SHOW command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command creates a new entry in the users list. Each user must have a different
<username>. If the user already exists, an error message is raised.
This command is accepted only if the SIP module is already running. See the VOIP
SIP PROTOCOL ENABLE command to turn on the SIP module.
This command doesn’t bind the user to a physical access port. In order to inform the
system that the user is attached to a specific physical port, the VOIP SIP USER ADD
command must be used.
If the DOMAIN parameter is not specified, the user domain is set equal to
the location server address (if defined) or proxyserver address (if location
server is not defined).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> voip sip user create MrBrown address 12345 locationserver 192.168.102.3
Description This command deletes a single user created using the VOIP SIP USER CREATE
command.
To show the list of existing users, use the VOIP SIP USER LIST command.
As soon this command is entered, the deregistration phase starts (REGISTER
request) to the location server (registar) removing the user from the user list on the
server.
Options The following table gives the range of values for each option which can be specified
AT-RG 600 Residential Gateway – Software Reference Manual 359
Description This command lists information about users that were added using the VOIP SIP
USER CREATE command. The following information is displayed:
• user ID numbers
• user names
• Area Codes
• Addresses
Note: If a user name is longer than 32 chars, the name is shown in a short format
(only the initial part of the name is displayed). To show the full name use the
VOIP SIP USER SHOW command, specifying the user ID instead of user name.
Example
--> voip sip user list
Description This command remove a single user from the port where it was added with the
VOIP SIP USER ADD command.
Removing a user from a port results in an un-registration request to the location
server.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the following information about a named user:
• Address
• Area Code
• Domain
• Authetication (login:password)
• Transport
• Attached ports
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
AT-RG 600 Residential Gateway – Software Reference Manual 361
Command
Description This command creates a new entry in the forwarding database (FDB).
ADDRESS is the called address expected to be received from the calling end-point in
order to forward the call to the CONTACT.
CONTACT is the host reference where the call is forwarded. The contact-host part is
the default to form the URL domain (Request-URI, From and To fields).
The flag proxy modifies the rule to make the Request-URI: if it is present then the
Request-URI domain gets the value from the contact-host part of CONTACT
parameter otherwise the current call domain will be used.
The DOMAIN assigns the call domain and it is used to format the "To" and "From"
headers. It is optional and the contact host part is used if it is not set.
The FWADDRESS replaces the destination address of the call. It is optional and it is
used to make a short selection rule (e.g. dialed number 01 corresponds to
00390224141121)
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> voip sip fdb create default address 9x. contact 192.168.1.10 domain
voip.atkk.com
Description This command deletes a single fdb entry created using the VOIP SIP FDB CREATE
command.
To show the list of existing FDB entries, use the VOIP SIP FDB LIST command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
364 Chapter 15 – VoIP SIP
Description This command lists information about FDB entries added using the VOIP SIP FDB
CREATE command.
The following information is displayed:
• FDB entry ID numbers
• FDB entry names
• FDB entry Address
Note: If an fdb name is longer than 32 chars, the name is shown in a short
format (only the initial part of the name is displayed). To show the full name use
the VOIP SIP FDB SHOW command, specifying the user ID instead of user
name.
ID | Name | Address
----|------------|---------------------
1 | pstn | 9x.
---------------------------------------
Description This command lists information about a named FDB entry added to the forwarding
data base using the VOIP SIP FDB CREATE command. The following information is
displayed:
• Address
AT-RG 600 Residential Gateway – Software Reference Manual 365
• Domain
• Contact
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Chapter 16
VoIP H323
Introduction
This chapter describes the main features of H.323 standard, the protocols supported,
the implementation of the call processes in the AT-RG613, AT-RG623 and AT-
RG656 and how to configure and operate the AT-RG613, AT-RG623 and AT-RG656
to provide, or connect to, a VoIP Network.
H.323 Protocols
H.323 is a standard that specifies the components, protocols and procedures that
provide multimedia communication services, real-time audio, video, and data
communications over packet networks (see Figure 19), including Internet protocol
(IP) based networks. H.323 is part of a family of ITU–T recommendations called
H.32x that provides multimedia communication services over a variety of networks.
Packet-based networks include IP based (including the Internet) or Internet packet
exchange (IPX) based local-area networks (LANs), enterprise networks (ENs),
metropolitan-area networks (MANs), and wide area networks (WANs). H.323 can
be applied in a variety of mechanisms audio only (IP telephony); audio and video
(video telephony); audio and data; and audio, video and data. H.323 can also be
applied to multipoint-multimedia communications. H.323 provides myriad services
and, therefore, can be applied in a wide variety of areas consumer, business, and
entertainment applications.
H323
H.323 Components
The H.323 standard specifies four kinds of components, which, when networked
together, provide the point-to-point and point-to-multipoint multimedia-
communication services:
• terminals
• gateways
• gatekeepers
• multipoint control units (MCUs)
Terminals
Used for real-time bi-directional multimedia communications, an H.323 terminal
can either be a personal computer (PC) or a stand-alone device, running an H.323
and the multimedia applications. It supports audio communications and can
optionally support video or data communications.
Because the basic service provided by an H.323 terminal is audio communications,
an H.323 terminal plays a key role in IP–telephony services. An H.323 terminal can
either be a PC or a stand-alone device, running an H.323 stack and multimedia
applications.
The primary goal of H.323 is to interwork with other multimedia terminals. H.323
terminals are compatible with H.324 terminals on SCN and wireless networks,
H.310 terminals on B–ISDN, H.320 terminals on ISDN, H.321 terminals on B– ISDN,
and H.322 terminals on guaranteed QoS LANs. H.323 terminals may be used in
multipoint conferences.
Gateways
A gateway connects two dissimilar networks. An H.323 gateway provides
connectivity between an H.323 network and a non–H.323 network.
For example, a gateway can connect and provide communication between an H.323
terminal and SCN networks (SCN networks include all switched telephony
networks, e.g., public switched telephone network PSTN. This connectivity of
dissimilar networks is achieved by translating protocols for call setup and release,
converting media formats between different networks, and transferring information
between the networks connected by the gateway.
A gateway is not required, however, for communication between two terminals on
an H.323 network.
Gatekeepers
A gatekeeper can be considered the brain of the H.323 network. It is the focal point
for all calls within the H.323 network.
Although they are not required, gatekeepers provide important services such as
addressing, authorization and authentication of terminals and gateways; bandwidth
management and accounting. Gatekeepers may also provide call-routing services.
368 Chapter 16 – VoIP H323
Audio CODEC
An audio CODEC encodes the audio signal from the microphone for transmission
on the transmitting H.323 terminal and decodes the received audio code that is sent
to the speaker on the receiving H.323 terminal.
Because audio is the minimum service provided by the H.323 standard, all H.323
terminals must have at least one audio CODEC support, as specified in the ITU–T
G.711 recommendation (audio coding at 64 kbps).
Additional audio CODEC recommendations such as G.722 (64, 56, and 48 kbps),
G.723.1 (5.3 and 6.3 kbps), G.728 (16 kbps), and G.729 (8 kbps) may also be
supported.
Video CODEC
A video CODEC encodes video from the camera for transmission on the
transmitting H.323 terminal and decodes the received video code that is sent to the
video display on the receiving H.323 terminal.
Because H.323 specifies support of video as optional, the support of video CODECs
is optional as well. However, any H.323 terminal providing video communications
must support video encoding and decoding as specified in the ITU–T H.261
recommendation.
AT-RG 600 Residential Gateway – Software Reference Manual 369
Terminal Characteristics
H.323 terminals must support the following:
• H.245 for exchanging terminal capabilities and creation of media channels
• H.225 for call signaling and call setup
• RAS for registration and other admission control with a gatekeeper
• RTP/RTCP for sequencing audio and video packets
H.323 terminals must also support the G.711 audio CODEC.
Optional components in an H.323 terminal are video CODECs, T.120 data-
conferencing protocols, and MCU capabilities.
Gateway Characteristics
A gateway provides translation of protocols for call setup and release, conversion of
media formats between different networks, and the transfer of information between
H.323 and non H.323 networks An application of the H.323 gateway is in IP
telephony, where the H.323 gateway connects an IP network and SCN network (e.g.,
ISDN network).
On the H.323 side, a gateway runs H.245 control signaling for exchanging
capabilities, H.225 call signaling for call setup and release, and H.225 registration,
admissions, and status (RAS) for registration with the gatekeeper.
On the SCN side, a gateway runs SCN–specific protocols (e.g., ISDN and SS7
protocols). Terminals communicate with gateways using the H.245 control-
signaling protocol and H.225 call-signaling protocol. The gateway translates these
protocols in a transparent fashion to the respective counterparts on the non H.323
network and vice versa. The gateway also performs call setup and clearing on both
the H.323–network side and the non–H.323–network side. Translation between
audio, video, and data formats may also be performed by the gateway.
Audio and video translation may not be required if both terminal types find a
common communications mode. For example, in the case of a gateway to H.320
terminals on the ISDN, both terminal types require G.711 audio and H.261 video, so
a common mode always exists. The gateway has the characteristics of both an H.323
terminal on the H.323 network and the other terminal on the non–H.323 network it
connects.
Gatekeepers are aware of which endpoints are gateways because this is indicated
when the terminals and gateways register with the gatekeeper. A gateway may be
able to support several simultaneous calls between the H.323 and non–H.323
networks. In addition, a gateway may connect an H.323 network to a non–H.323
network. A gateway is a logical component of H.323 and can be implemented as
part of a gatekeeper or an MCU.
AT-RG 600 Residential Gateway – Software Reference Manual 371
Gatekeeper Characteristics
Gatekeepers provide call-control services for H.323 endpoints, such as address
translation and bandwidth management as defined within RAS. If they are present
in a network, however, terminals and gateways must use their services.
The H.323 standards both define mandatory services that the gatekeeper must
provide and specify other optional functionality that it can provide.
An optional feature of a gatekeeper is call-signaling routing. Endpoints send call-
signaling messages to the gatekeeper, which the gatekeeper routes to the destination
endpoints. Alternately, endpoints can send call-signaling messages directly to the
peer endpoints. This feature of the gatekeeper is valuable, as monitoring of the calls
by the gatekeeper provides better control of the calls in the network. Routing calls
through gatekeepers provides better performance in the network, as the gatekeeper
can make routing decisions based on a variety of factors, for example, load
balancing among gateways.
The services offered by a gatekeeper are defined by RAS and include address
translation, admissions control, bandwidth control, and zone management. H.323
networks that do not have gatekeepers may not have these capabilities, but H.323
networks that contain IP telephony gateways should also contain a gatekeeper to
translate incoming E.164 telephone addresses into transport addresses. A gatekeeper
is a logical component of H.323 but can be implemented as part of a gateway or
MCU.
• A PSTN phone or fax. However, the AT-RG613, AT-RG623 and AT-RG656 would
need to contact a PSTN gateway
H323 IP Phone
VoIP Network
AT-RG613 AT-RG613
(or AT-RG623) (or AT-RG623)
H323 Gatekeeper
Figure 20. Phone --> AT-RG613/RG623 (A) --> AT-RG613/RG623 (B) --> Phone
H323 IP Phone
VoIP Network
AT-RG613 AT-RG613
(or AT-RG623) (or AT-RG623)
H323 Gatekeeper
Introduction
The VoIP H323 subsystem on the AT-RG613, AT-RG623 and AT-RG656 Residential
gateways is based on the concept of users and access ports.
The following section describe users while Error! Reference source not found.
describes access ports.
Users are entities uniquely identified in the system by a name with an associated
phone number. A user's phone number represents the user's address on the local
system.
User definition is a mandatory step in the correct configuration of the VoIP H323
subsystem (see Figure 22).
374 Chapter 16 – VoIP H323
Default Configuration
Users Binding
Incoming/
Outgoing Calls
Users
The system is designed to support up to 100 users.
Users are defined by the VOIP H323 USER CREATE command.
Each user must have an associated a user number composed of an address number
and, optionally, an area code number if a complete E.164 number must be defined.
Note 1: In any given system there cannot exist two or more users with the same
area code and address.
In the any given it is valid to have two ore more users with the same address
but different area code or no area code at all.
Note 2: Users may inform the VoIP network about the location (IP address)
where they can be contacted by registering themselves on the gatekeeper
defined in the VOIP H323 USER CREATE command. In this way other
endpoints on the VoIP network can contact each user by simply using the user
address.
Note 3: All the users must use the same gatekeeper, i.e.it is not possible manage
simultaneously registrations on multiple gatekeepers.
The user number used in the registration messages is the complete user number:
area code + address number.
Command
VOIP H323 PROTOCOL DISABLE
VOIP H323 PROTOCOL ENABLE
VOIP H323 PROTOCOL SET MEDIAPORT
VOIP H323 PROTOCOL SET ALIAS
VOIP H323 PROTOCOL SET CONNECT
VOIP H323 PROTOCOL SET GATEKEEPER
VOIP H323 PROTOCOL SET NETINTERFACE
VOIP H323 PROTOCOL SET Q931PORT
VOIP H323 PROTOCOL SET RASPORT
VOIP H323 PROTOCOL SET REGISTRATION
VOIP H323 PROTOCOL SET RESPONSE
VOIP H323 PROTOCOL SET SECONDARYGATEKEEPER
VOIP H323 PROTOCOL SHOW
Description This command stops the VoIP H323 signaling protocol and releases all the resources
associated with it.:
• any analogue or digital port defined in the system is removed.
• any user defined in the system is deleted.
This command is typically used when it's necessary to change the VoIP signaling
protocol, i.e. from H323 to SIP.
To simply restart the H323 module, use the VOIP H323 PROTOCOL RESTART
command. It doesn't remove any resources defined under the voip main module.
To enable the H323 module, use the VOIP H323 PROTOCOL ENABLE command.
Binding the H323 module to a specific IP interface defines the value of the
source IP address for signallng and voice packets.
By default, when the H323 module is started the following default values are used:
• q931port: 1720
• rasport: 1719
Example
--> voip h323 protocol enable
Options The following table gives the range of values for each option which can be specified
with this command, and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command, and a default value (if applicable).
Description This command sets the IP interface used to access the VoIP network.
Signaling and voice packets will use the Source IP address defined for the selected
interface.
Options The following table gives the range of values for each option which can be specified
with this command, and a default value (if applicable).
Description This command sets the UDP/TCP port on the Residential Gateway used to send and
receive signalling messages.
Options The following table gives the range of values for each option which can be specified
with this command, and a default value (if applicable).
Description This command sets the UDP/TCP port on the Residential Gateway used to send and
receive registration messages.
Options The following table gives the range of values for each option which can be specified
with this command, and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command, and a default value (if applicable).
Description This command displays basic H323 module configuration parameters set by the
VOIP H323 PROTOCOL ENABLE command.
Description This command attaches a user created with the command VOIP H323 USER
CREATE to a named port created with the command VOIP EP CREATE.
H323 protocol:
As soon this command is entered, the registration phase starts to the Gatekeeper
specified in the VOIP H323 USER CREATE command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command creates a new entry in the users list. Each user must have a different
<username>. If the user already exists, an error message is raised.
This command is accepted only if the H323 module is already running. See the
VOIP H323 PROTOCOL ENABLE command to turn on the H323 module.
The username can be 16 characters in length; cannot start with a digit and cannot
contain dots '.' or slash symbols '/'.
This command doesn’t bind the user to a physical access port. In order to inform the
system that the user is attached to a specific physical port, the VOIP H323 USER
ADD command must be used.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Example
--> voip h323 user create MrBrown address 12345
Description This command deletes a single user created using the VOIP H323 USER CREATE
command.
To show the list of existing users, use the VOIP H323 USER LIST command.
As soon this command is entered, the deregistration phase starts to the Gatekeeper;
removing the user from the user list on the server.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists information about users that were added using the VOIP H323
USER CREATE command. The following information is displayed:
• user ID numbers
• user names
• Area Codes
• Addresses
Note: If the user name is longer than 32 chars, the name is shown in a short
format (only the initial part of the name is displayed). To show the full name use
the VOIP EP USER SHOW command, specifying the user ID instead of user
name.
386 Chapter 16 – VoIP H323
Example
--> voip h323 user list
Description This command remove a single user from the port where it was added with the
VOIP H323 USER ADD command.
Removing a user from a port results in an deregistration request to the Gatekeeper
specified in the VOIP H323 USER CREATE command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays the following information about a named user:
• Address
• Area Code
• State
• Attached ports
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Command
Description This command creates a new entry in the forwarding database (FDB).
ADDRESS is the called address expected to be received from the calling end-point in
order to forward the call to the CONTACT. It can be also a digit-map if an address
pool must be forwarded to a specific host address.
CONTACT is the host reference where the call is forwarded.
The FWADDRESS replaces the destination address of the call. It is optional and it is
used to make a short selection rule (e.g. dialed number 01 corresponds to
00390224141121)
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> voip h323 fdb create default address 9x. contact 192.168.1.10
Description This command deletes a single fdb entry created using the VOIP H323 FDB
CREATE command.
To show the list of existing FDB entries, use the VOIP H323 FDB LIST command.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command lists information about FDB entries added using the VOIP H323 FDB
CREATE command.
The following information is displayed:
• FDB entry ID numbers
• FDB entry names
390 Chapter 16 – VoIP H323
Note: If an fdb name is longer than 32 chars, the name is shown in a short
format (only the initial part of the name is displayed). To show the full name use
the VOIP H323 FDB SHOW command, specifying the user ID instead of user
name.
ID | Name | Address
----|------------|---------------------
1 | pstn | 9x.
---------------------------------------
Description This command lists information about a named FDB entry added to the forwarding
data base using the VOIP H323 FDB CREATE command. The following information
is displayed:
• Address
• Contact
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Chapter 17
VoIP MGCP
Introduction
The MGCP (Media Gateway Control Protocol) is a protocol that assumes a call
control architecture where the call control "intelligence" is outside the gateways and
handled by external call control elements, the call agent. MGCP assumes that the
gateways have limited storage and functionality.
So, two are the MGCP entities: Call Agent (Media Gateway Controller MGC) which
handles the call control “intelligence”, that means the call signaling and the call
processing functions; and the Media Gateway (MG) that provides conversion
between the audio signals carried on telephone circuits and data packets carried
over Internet or packets networks and expects to execute command sent by the Call
Agent.
MGCP is a master/slave protocol; while the call agent is mandatory and manages
the calls and conferences and supports the services provided, the endpoint is
unaware of the calls and conferences and does not maintain call states, it’s simply
expected to execute commands sent by the call agent.
Endpoints are sources or sinks of data and can be physical or virtual. Physical
endpoint creation requires hardware installation while software is sufficient for
creating a virtual endpoint. An interface on a gateway that terminates a trunk
392 Chapter 17 – VoIP MGCP
• DTMF Package
• Trunk package
• Link package
• Handset package
AT-RG 600 Residential Gateway – Software Reference Manual 393
• RTP package
NotificationRequest
The NotificationRequest command is used by the call agent for requesting from a
gateway to be notified upon the occurrence of specified events in an endpoint. For
example, a notification may be requested for the event that a gateway detects that an
endpoint is going off hook. A list of potential events includes: off hook transition, on
hook transition, flash-hook, MF incoming seizure detected, continuity tone detected
etc.
The call agent can also request that the gateway collect the dialed digits. The
NotificationRequest allows the call agent to download a specific dialing plan to the
gateway to be used for collecting the digits.
A call agent also includes a unique identifier in the NotificationRequest that will be
included by the gateway in the gateway’s Notify message when the requested event
actually occurs. This identifier is used for tying the NotificationRequest to the
Notify message that will be sent by the gateway.
Notify
Notifications are sent by the gateway via the Notify command in response to a
NotificationRequest sent by the call agent to the gateway. The gateway includes in
the Notify command a list of the events it observed. The Notify command includes
the unique identifier that was sent by the call agent to the gateway in the
NotificationRequest command.
CreateConnection
The call agent uses the CreateConnection command for binding an endpoint to a
specific IP address and UDP port. Another CreateConnection request for the remote
endpoint is necessary for creating an end-to-end connection with two endpoints.
The CreateConnection request specifies a CallId that will be used for identifying the
call or session to which this connection belongs. More than one connection may
actually share the same CallId. The CreateConnection request also specifies the
endpoint to be used for this connection and the parameters to be used for the
connection. These parameters may include for example voice encoding, and
394 Chapter 17 – VoIP MGCP
compression parameters. The call agent also specifies the mode of the connection.
The mode may be "send," "receive," send/receive," "conference," "inactive," "data,"
"loopback," continuity test," "network loopback" or "network continuity test."
The CreateConnection request from the call agent may include a description of the
remote side of the connection on the IP network i.e. parameters of the connection
like encoding, but also IP address UDP port. The remote connection description may
be unspecified in some CreateConnection requests. This occurs because the call
agent needs to send two CreateConnection requests for creating an end-to-end
connection. When the first CreateConnection request is sent the call agent doesn’t
yet know the remote connection descriptor. This information may be provided later
via a ModifyConection request.
A CreateConnection request may also include the parameters normally included in
a NotificationRequest. This allows the call agent to send a CreateConnection and a
NotificationRequest combined in one CreateConnection message. This improves the
performance of the protocol.
When the gateway acknowledges the CreateConnection request it also sends to the
call agent a ConnectionId that uniquely identifies the connection with in an
endpoint and local connection information about the IP address and UDP port it
selected. The call agent can potentially select those but the gateway may be sharing
those resources for other functions and it is preferable that the gateway does the
selection.
ModifyConnection
The Call Agent uses the ModifyConnection command for changing the parameters
associated with a previously established connection. The parameters in the
ModifyConnection command are the same as in a CreateConnection request. The
ConnectionId is provided by the call agent to the gateway in a ModifyConnection
request.
The ModifyConnection can be used for:
• Providing information about the other end of the connection through the
remote connection descriptor
• Activating or deactivating a connection
• Changing the parameters of a connection.
DeleteConnection
The call agent can use the DeleteConnection command to delete an existing
connection. When the gateway acknowledges a DeleteConnection request, it
includes a list of parameters about the status of the connection in the response.
These parameters include: numbers of packets and octets sent, number of packets
and octets received, number of packets lost, inter-arrival jitter and average
transmission delay.
The DeleteConnection command may also be sent by a gateway to the call agent for
indicating that a connection can no longer be sustained.
AT-RG 600 Residential Gateway – Software Reference Manual 395
AuditEndpoint
The AuditEndpoint command can be used by the call agent for getting details about
the status of an endpoint or a list of endpoints. The information that can be audited
by the Call Agent includes: requested events, dialing plan and connection
identifiers. The response of the gateway includes all the requested information.
AuditConnection
The AuditConnection can be used by the call agent for retrieving information
related to a specific connection of an endpoint identified by a ConnectionId. The
information that can be retrieved includes: call id, local and remote connection
descriptors, local connection parameters and the mode of the connection. The
response of the gateway to the AuditConnection request includes all the requested
information.
RestartInProgress
The RestartInProgress command is used by the gateway to signal that an endpoint,
or a group of endpoints, is taken in or out of service. The parameters of the
RestartInProgress message indicate the group of endpoints that the message applies
to. The RestartInProgress method also includes a parameter that specifies the type of
restart:
o Graceful restart indicates that the endpoints will be taken out of service after
a specified delay
o Forced restart indicates that the endpoints are taken immediately out of
service
o Restart indicates that the service will be restored after the specified delay
396 Chapter 17 – VoIP MGCP
MGCP commands
The table below lists the mgcp commands provided by the CLI:
Command
VOIP MGCP PROTOCOL DISABLE
VOIP MGCP PROTOCOL ENABLE
VOIP MGCP PROTOCOL RESTART
VOIP MGCP PROTOCOL SET DEFAULTPORT
VOIP MGCP PROTOCOL SET MAXRETRANSMITIONTIME
VOIP MGCP PROTOCOL SET NAT
VOIP MGCP PROTOCOL SET NETINTERFACE
VOIP MGCP PROTOCOL SET PIGGYBACK
VOIP MGCP PROTOCOL SET PROFILE
VOIP MGCP PROTOCOL SET ROUNDTRIPTIME
VOIP MGCP PROTOCOL SHOW
VOIP MGCP CALLAGENT CREATE
VOIP MGCP CALLAGENT DELETE
VOIP MGCP CALLAGENT LIST
Description This command stops the VoIP MGCP signalling protocol and releases all the
resources associated to it.:
This command is typically used when it's necessary to change the VoIP signalling
protocol, i.e. from MGCP to SIP to H323.
To simply restart the MGCP module, use the VOIP MGCP PROTOCOL RESTART
command. It doesn't remove any resources defined for the protocol.
To enable the MGCP module, use the VOIP MGCP PROTOCOL ENABLE
command.
Example
--> voip mgcp protocol enable
Description This command restarts the VoIP MGCP signaling protocol module.
Any pending and active calls are released.
This command doesn't release any resources previously created during module
configuration.
Description This command sets the default listening/sending port used for MGCP signaling
messages.
By default, when the MGCP module is attached to an IP interface using theVOIP
MGCP PROTOCOL SET NETINTERFACE command, the following default value is
used:
• defaultport: 2427
398 Chapter 17 – VoIP MGCP
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the NAT host reference. Any MGCP message with local
reference is hidden by the NAT address value.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the IP interface used to access the VoIP network.
AT-RG 600 Residential Gateway – Software Reference Manual 399
• Signaling and voice packets will use the Source IP address defined for the
selected interface.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets specific customer MGCP call agent profile. This command is
used to fix interoperability constraints when the MGCP module has to work with
call agent that could differer from a standard implementation.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command displays basic MGCP module configuration parameters set by the
VOIP MGCP PROTOCOL ENABLE command.
Description This command set the call agent address. More than one call agent can be defined to
increas system robustness in case of server failure.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Example
--> voip mgcp callagent create default contact 192.168.102.3
Description This command deletes a previously defined call agent created using the VOIP
MGCP CALLAGENT CREATE command.
To show the list of existing CALLAGENT entries, use the VOIP MGCP
CALLAGENT LIST command.
Options The following table gives the range of values for each option which can be specified
AT-RG 600 Residential Gateway – Software Reference Manual 401
Description This command lists information about CALLAGENT entries added using the VOIP
MGCP CALLAGENT CREATE command.
The following information is displayed:
• Call agent ID numbers
• Call agent names
Note: If a call agent name is longer than 32 chars, the name is shown in a short
format (only the initial part of the name is displayed).
Gateway call-agents:
Chapter 18
Introduction
SIP and H323 VoIP signalling protocols typically make use of unreliable transport
protocols like UDP to transfer media information as voice packets. This
transportwasn’t originally designed to transport data for real time applications.
In a multiapplication network environment were traffic typology can be very
variable, real time applications can suffer packet delay and latency due to
overloading of network devices. This candegrade the voice quality (and video)
received from the end user.
On the AT-RG613, AT-RG623 and AT-RG656 Residential Gateway it's possible to
assign to the voice/video media packets a high Quality Of Service value in order to
force routers and switches to forward these packets with higher priority compared
to the other type of packets simultaneously passing through the same network
devices.
QoS
To assign a specific priority to the originated voice packets, it's possible to specify
the DSCP field value or TOS field value inside the UDP packets used to tranport
voice streams and voice signalling.
The command VOIP QOS SET DSCP is used to set the DSCP value while the VOIP
QOS SET TOS command is used to set the TOS value.
DSCP and TOS are mutually esclusive because they refers to the same IP Header
field using only a different number of bits (3 bits in case of TOS, 6 bits in case of
DSCP) and assigning different packet classification accordingly to the TOS or DSCP
value.
AT-RG 600 Residential Gateway – Software Reference Manual 403
Media
AT-RG613, AT-RG623 and AT-RG656 can be configured to use a specific pool of
ports for media transport.
In this way it is always well known which ports are being used by the system,
making it possible to open the correct firewall ports when media packets must cross
security interfaces.
To configure the RTP pool ports, set the starting port number and the port range
using VOIP MEDIA SET PORTRANGE command. The ports specified by this
command are the RTP ports used as Source Port for outgoing packets and also they
are the ports where incoming RTP packets are expected to be received.
RTCP is also supported as a configurable parameter used to control RTP session.
It's also possible set the Residential Gateway to detect if an incoming RTP flow is
still present or not (e.g. the other end-point was abruptly disconnected or network
has critical problems) forcing the call release if no RTP packet flow has been
detected for the current call for a time longer than the specified observation period.
404 Chapter 18 – VoIP Media and QoS
Command
Description This command sets the value of the dscp field in the IP header of RTP voice packets.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the value of the tos field in the IP header of RTP voice packets.
AT-RG 600 Residential Gateway – Software Reference Manual 405
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command shows the value of DSCP and TOS fields used in the IP header of
RTP voice packets.
Command
Description This command sets the port pool available for media transport. Ports are
dynamically allocated in pairs to support new connections; the odd-numbered port
is reserved for RTCP. If the port pool is sold out, new sessions will be refused for
lack of available resource.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command sets the maximum timeout interval used to detect a fail in the
incoming RTP speech packets. If no RTP packet is received on the UDP port used by
the active call for a time longer than the SESSIONTIMEOUT value, the other
endpoint is considered disconnected and the active call is released.
Options The following table gives the range of values for each option which can be specified
with this command and a default value (if applicable).
Description This command shows the media values defined by the VOIP MEDIA SET
PORTRANGE or VOIP MEDIA SET RTCP commands.
Gateway Media:
----------------------------------------------
Port range: 50600/32
RTCP enable: on
408 Chapter 18 – VoIP Media and QoS
Chapter 19
ZTC
Introduction
Wide Area Networks consist of a lot of components (hubs, switches, routers,
residential gateways, set top boxes, PCs) that need to be configured.
The number of components can be very high and often the configuration of these
devices to get them up and running requires a lot of work for network
administrators.
As a result, network administrator operations can be very expensive and in-field
configuration takes a lot of time.
The Zero Touch Configurator (ZTC) is a tool designed to enable a network
administrator to configure and manage network devices remotely and automatically
without end-user intervention.
The Zero Touch Configuration is able to update image software and unit
configuration on multiple devices simultaneously, so administrators can avoid
having to connect to each device separately and repeat the same sequence of actions
for each of them.
Functional blocks
The ZTC is a component-based application, which consists of different logical blocks
that can be distributed on independent runtime environments or machines (see
Figure 23).
AT-RG 600 Residential Gateway – Software Reference Manual 411
RMI
ZTC Shell
RMI
WEB Browser
TFTP
TFTP Server
ZTC Client
• The ZTC WEB Interface. This application lest users interact with the ZTC Server.
Through this interface they can view or update existing configurations, or add
new ones.
• The ZTC Embedded Client. This client is installed on the devices to communicate
with the ZTC Server. Typically, the devices connect to ZTC Server to perform the
following operations:
• Communicate their actual configuration to ZTC Server
• Download, if existing, new configurations from ZTC Server
• The ZTC Shell can be created for testing, not for operational use. Through the
ZTC-Shell, all the main operations can be performed (read, write, user
management). It’s possible to access the ZTC-Server from the ZTC-Shell.
The components of ZTC are independent, and they can run on different machines
and platforms, in a three-tiered architecture fashion.
412 Chapter 19 - ZTC
The core of the application is the ZTC Server. It manages the dialogue with the
directory service backend and performs all operations on data. The ZTC WEB
Interface, used to interact with the ZTC Server, is decoupled from the ZTC server,
and can run on different machines.
ZTC Client
The ZTC Embedded Client, or, shortly, the ZTC Client, is the module running on
the Residential Gateway in charge to communicate with the ZTC server.
ZTC client works accordingly to the so-called "Configuration PULL" method. ZTC
Client is in charge to contact the ZTC server passing the current configuration, the
unit identifier and retrieves the new configuration if necessary. ZTC server has the
responsibility to allow the download only of the correct configuration file
depending on the unit identifier (the unit MAC address) and on the configuration
rules defined inside the ZTC Server.
The following three ZTC Client – ZTC Server communication phases are possible:
• Pull-at-startup – This phase is executed when the unit startup.
• Scheduled-pull. - This phase is executed every time the ztcclient polling timeout
expires.
ZTC Client and ZTC Server communicate through TFTP protocol.
The ZTC server IP address con be configured in the ZTC client module in two ways:
statically or dynamically.
• When a static configuration is used, the ZTC Server IPv4 address is defined
explicitly using the ztcclient enable static ztcserveraddr command. This command
set the server IP address that will be used by all the next queries and also turns on
the ztcclient module forcing the module to query the server to retrieve the unit
configuration file.
• When a dynamic configuration is used, the ZTC client module is bind to an
existing IP interface using the ztcclient enable dynamic listeninterface command.
In this way the ZTC client module uses the facilities offered by the dhcpclient
module to force the IP interface to ask to an external DHCP server the ZTC Server
address. When the ZTC client needs to know the ZTC Server address, a DHCP
request is generated by the IP interface requesting a value for option 67 "bootfile-
name". The ZTC Client module as ZTC Server IP address uses the value returned
by the DHCP server for option 67.
Similarly to the static configuration, ztcclient enable dynamic listeninterface
command turns on the ztcclient module forcing the module to query the server to
retrieve the unit configuration file.
When ZTC client is enabled, the CLI is locked. To unlock it, press the "+"
key. Unlocking the CLI stops the ZTC client module.
Pull-at-startup
Figure 24 shows the Pull-at-startup phase executed by the ZTC client module when
the Residential Gateway boostraps.
• Considering a scenario where ZTC Client is bind to a dynamic IP interface,
during the bootstrap process, the Residential Gateway uses the facilities provided
by the DHCP client module to setup the IP interface configuration.
• The dynamic IP interface receives the new network configuration and the ZTC
server address in the "bootfile-name" DHCP option.
• As soon the network is configured, the ZTC Client runs.
• The ZTC Client contacts the ZTC server, passing in the parameters list the
Residential Gateway's MAC address, the application filename and a value
derived from the current running configuration (that, at boostrap, it is null).
These information define the current device status.
• The ZTC server checks if there is a configuration for the Residential Gateway
looking for the device MAC address into the LDAP server, and if necessary, it
returns the configuration file to the device.
• The device executes the configuration file and starts the ZTC client timeout. The
timeout defines the polling period before ZTC Server will be contacted.
• When the timeout expires the Scheduled-pull phase is executed.
414 Chapter 19 - ZTC
NULL
Unit
Bootstrap
Setup Dyn
Interface
DHCP Request
DHCP Ack
(ZTC Server address)
Configuration File
TFTP Data Packets
(unit configuration commands list)
Start ZTC
timeout
ZTC idle
Scheduled-pull
Figure 25 shows the Scheduled-pull phase executed by the ZTC client module when
the ztcclient polling timeout expires.
• The ZTC Client contacts the ZTC server, passing in the parameters list the
Residential gateway MAC address, the application filename and the hash key
derived from the current running configuration. These information define the
actual state of the device.
• The ZTC server checks if there is a configuration for the Residential Gateway
looking for the device MAC address into the LDAP server, and if necessary, it
returns the configuration file to the device.
• When the device receives the new configuration, it reboots in order to execute the
new configuration starting from a "well known" status: the boostrap
configuration.
AT-RG 600 Residential Gateway – Software Reference Manual 415
Residential LDAP
ZTC Server
Gateway Database
ZTC idle
ZTC Timeout
expires
Configuration File
compare Client
config with
LDAP config
Yes No
Is it the
ABORT TFTP
same?
Unit
restart
Configuration File
TFTP Data Packets
(unit configuration commands list)
Start ZTC
timeout
ZTC idle
ZtcClient commands
The table below lists the ztcclient commands provided by the CLI:
Command
Description This command enables the ztcclient and bind it on an existing dynamic IP interface.
This command automatically creates a specific configuration rule that applies to the
IP interface in order to force the dhcpclient module to request the ZTC server
address inside the option list of the DHCP discover request sent to the external
DHCP server.
To apply changes to the ZTC client module and turn on it, use the ztcclient update
command.
Options The following table gives the range of values for each option, which can be specified
with this command, and a default value (if applicable).
Description This command enables the ztcclient, and set the ZTC Server IP address.
To apply changes to the ZTC client module and turn on it, use the ztcclient update
command.
Options The following table gives the range of values for each option which can be specified
with this command, and a default value (if applicable).
ZTCCLIENT DISABLE
Syntax ZTCCLIENT DISABLE
ZTCCLIENT SHOW
Syntax ZTCCLIENT SHOW
Example The following example shows the ZTC client parameters when a dynamic
configuration is set.
- GENERAL PARAMETERS
enabled: false
dynamic: true
configuration timeout: 60 seconds
server address in use: 192.168.1.10
- DYNAMIC CONFIGURATION
418 Chapter 19 - ZTC
interface: ip0
- STATIC CONFIGURATION
server address for static configuration: 0.0.0.0
ZTCCLIENT SET
Syntax ZTCCLIENT SET CONFIGTIMEOUT <configtimeout>
Description This command changes the value of the configtimeout, which is the polling time
interval before the ZTC client contacts the ZTC Server to check if a new
configuration is available.
Options The following table gives the range of values for each option which can be specified
with this command, and a default value (if applicable).
ZTCCLIENT UPDATE
Syntax ZTCCLIENT UPDATE
Description This command saves the changes made with ZTCCLIENT SET CONFIGTIMEOUT
and ZTCCLIENT ENABLE DYNAMIC or ZTCCLIENT ENABLE DYNAMIC
commands and turn on the polling timeout.
Chapter 20
Software Update
Introduction
AT-RG600 Residential Gateway software consists of the system application file
(named image) plus additional support files.
All these files are stored permanently into the system flashfs file system and loaded
during the unit bootstrap.
During normal operation mode, to prevent file system corruption, the flashfs file
system is never access directly. Programs that access (read or write) files stored into
flashfs file system, use a copy of the flashfs file system, named isfs (see chapter 1),
running into RAM.
If the unit is powered off, all the changes made into the isfs file system are lost. To
save permanently the contents of the isfs file system into flashfs file system, use the
system configuration save command.
To upgrade the AT-RG600 software, upload a new file or download an existing file,
it's possible use one of the following solutions depending on the type of upgrade
requested:
• using FTP
• using TFTP
• using the Windows™ based Loader application
• using the SwUpdate client module
420 Chapter 20 – Software Update
FTP server
AT-RG600 Residential Gateway implements an internal FTP server that provides
access to the isfs file system.
FTP connection is used typically to download into the Residential Gateway a new
image file but can be used also to retrieve or to download configuration and support
files too.
To connect the FTP module, simply use a FTP client application and login with the
same username and password used for telnet access.
When connected, it's possible browse the isfs file system with the ftp LIST
command.
When the ftp connection is closed, the content of isfs is copied back into flashfs
and the unit is forced to reboot in order to restart from the new application
code (or with the new configuration files).
TFTP server
Similarly to FTP, AT-RG600 Residential Gateway support also an internal TFTP
server that provide access both to flashfs and isfs file system.
TFTP is a file transfer protocol that is based on UDP transport protocol and
therefore it less reliable than ftp. There is no connection control, but only packets
acknowledge and packet retransmission.
TFTP connection is used typically to download or retrieve configuration and
support files. Differently for FTP, when a file is loaded into the Residential Gateway
using the tftp facility, it doesn't result in a system restart when the connection is
closed. Each TFTP connection is protected against uncontrolled access, using the
same name defined for SNMP community write.
To retrieve or download a file from/to the Residential gateway it's necessary unlock
the TFTP server sending (TFTP write request command) a special command file
having filename "tftplock.key". This file is a simple ASCII file that includes the TFTP
password without any encryption.
Then, it's possible request or sends the configuration file.
AT-RG 600 Residential Gateway – Software Reference Manual 421
TFTP Client
TFTP Data
or
TFTP Data
The maximum file size that can be downloaded into the Residential Gateway
is 8kbyte. To download files larger than 8kbyte use the FTP service.
Windows™ Loader
To upgrade the AT-RG600 Residential Gateway a special Windows™ based
application has been developed: the Loader.
The loader uses the TFTP services provided by the Residential Gateway to
download on the unit the application file plus all the other support files avoiding
the user to download each file separately.
The loader can be used to upgrade an existing software version or can be used to
download a new complete software release if the Residential Gateway is running in
recovery mode.
When the Loader is used to upgrade the Residential Gateway from a previous
software release, all the existing configuration files are kept.
When using the Loader, the IP address of the residential Gateway must be selected
and the SNMP community write name is requested as session password (see Figure
27).
422 Chapter 20 – Software Update
SwUpdate module
FTP, TFTP and Windows™ Loader are three upgrade solutions based on external
client applications that typically require user manual operation or the development
of dedicated script files.
SwUpdate module is a basic FTP client module running on the Residential Gateway
that contacts periodically a TFTP server and retrieves from it the required software
or support files.
In order to maintain backward compatibility with existing upgrade solutions,
SwUpdate is able to manage software upgrades similarly to the DHCPCONF
feature available on AT-RG200 Residential Gateway family.
SwUpdate retrieves the TFTP Server address from a specific option (option 66 tftp-
server-name) passed by the external DHCP server to the Residential Gateway IP
interface.
It then uses the path passed as filename string to navigate into the TFTP server.
In order to distinguish the correct DHCP Offer (in case more than one DHCP server
is present in the network), the Residential Gateway will consider only DHCP Offers
that include the option 60 (dhcp-class-identifier) with one of the following possible
values depending on the product code:
"RG603"
AT-RG 600 Residential Gateway – Software Reference Manual 423
"RG613TX"
"RG613TXJ"
"RG613SH"
"RG613LH"
"RG613BD"
"RG623TX"
"RG623SH"
"RG623LH"
"RG623BD"
"RG656TX"
"RG656BD"
"RG656LH"
"RG656SH"
SwUpdate is designed to download only the files that differ or are not present into
the Residential Gateway file-system.
NULL
Unit
Bootstrap DHCP Request:
option 66 tftp-server-name
option 60 dhcp-class-identifier
DHCP Offer:
filename: <tftp path>
option 66: <tftp server address>
option 60: dhcp-class-identifier = "rg6xx"
Unit
restart
In order to inform the SwUpdate module about which files it must download from
the TFTP server, a special file named MD5SUM must be created on the TFTP server.
424 Chapter 20 – Software Update
When the SwUpdate module connects to the TFTP server, it retrieves immediately
this file and then it download each file reported by this list.
The MD5SUM file is a list of filename where each file name has associated the MD5
value.
To create the MD5SUM file it's possible use the md5sum command available under
standard Linux platforms (free md5sum applications are available also under
Windows™ Operating System).
If a file reported into the MD5SUM list is already present into the Residential
Gateway file-system with the same MD5 value, the SwUpdate skip this download,
otherwise it will download it.
Example:
Assuming the all the files included in the current directory must be downloaded
into the Residential Gateway, the following command must be used to generate the
MD5SUM file:
96643c6e3af928990ed42a42dda2c554 cleanup
7cf32ce7ba89ab67f977a71ae5b205cd cliconsole
6d3dabc798da4ec9267615f12d1d2a43 consoleinit
810fd9bbababa67844e75e6846805e65 derived_data.dat
fb32c37e1457fcc1304d9cf74cd19bad dnsrelaylandb
444aa423a8d8a2d74640953ff6537948 image
6400dc3f72433a674f99c5b98aa5dae3 im.conf
026238c689022c21468df407a5daaef6 im.conf.factory
b87817d7b9a6c81cc8570deb9e270f34 im.conf.ztc_enabled_dynamic
24ae0c8518b7a98a5aa1c34563032c42 im.descriptions
1d0c14e81301cb630912790d077b79c0 initbun
08d016fe02cc6bde27110dc453e2b7b5 initbun.eg1004
4634050e6bf5e91d5a5872c3eb08d56a initbun.rg603
1b5498efa91b0d901a1235347b15e407 initbun.rg613
fd1fb4825195c080206104ac0443427f initbun.rg613txj
147e3239ce2f712340fa786f0a55a088 initbun.rg623
d55d9bd33ae47f4ea3acb39ae950a952 initbun.rg656
5ed6d58a9482d7aa0b44ff28a1e8ca7e NPimage
6927f315890f4209b8a406a1ee75595a services
0a48b795c03a4a012d1ba77dd647c307 snmpd.cnf
47abd829e3ccf727f9e8b29cbf52ed1e snmpinit
f9ae2f9ec26a5af37418be160fe67339 translate.tab
5318c5d07deb1c00dd42628b0d6f7af6 version
ea8fd2f8c81724291d1b0bcdb8e93df6 xgate_initbun
AT-RG 600 Residential Gateway – Software Reference Manual 425
Plug-and-play
If the Residential Gateway is set with dynamic IP interface and the DHCP server
sends the option 66 tftp-file-name togheter with option 60 (dhcp-class-identifier)
equal to same product code of the Residential Gateway, SwUpdate module sets the
server address to the address specified by the tftp-file-name option and will uses the
TFTP protocol to retrieve the MD5SUM file instead of the FTP protocol.
SwUpdate will change the remote directory on the TFTP server accordingly to the
filename option passed in the DHCP Offer message.
/home/manager
at-rg600-software-xxx
/home/manager/at-rg600-software-xxx